Re: [libvirt] [PATCH 2/8] apparmor, virt-aa-helper: allow /usr/share/OVMF/ too
On 19.05.2017 09:46, Guido Günther wrote:
Hi Stefan,
On Thu, May 18, 2017 at 10:53:40AM +0200, Stefan Bader wrote:
> From: Simon McVittie <smcv(a)debian.org>
>
> The split firmware and variables files introduced by
> https://bugs.debian.org/764918 are in a different directory for some reason.
> Let the virtual machine read both.
>
> Extended by Christian Ehrhardt to generalize FW test (simplifies
> additional testing on firmware files in future).
If you want to credit this separately I suggest to split the ode that
itroduces testfw into one commit (attributed to Christian) and the code
that adds read access to OVMF into another one (attributed to Simon).
Though Simon already added some testing (just limited to the one addition made
then). I guess I could re-submit Simon's patch as it was and create one
additionally which only changes the testing (for future use). Which then the
next (3/8) uses.
Cheers,
-- Guido
>
> Signed-off-by: Christian Ehrhardt <christian.ehrhardt(a)canonical.com>
> Signed-off-by: Stefan Bader <stefan.bader(a)canonical.com>
> Acked-by: Guido Günther <agx(a)sigxcpu.org>
> ---
> examples/apparmor/libvirt-qemu | 1 +
> src/security/virt-aa-helper.c | 1 +
> tests/virt-aa-helper-test | 24 ++++++++++++++++--------
> 3 files changed, 18 insertions(+), 8 deletions(-)
>
> diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu
> index a9020aa..e0988bb 100644
> --- a/examples/apparmor/libvirt-qemu
> +++ b/examples/apparmor/libvirt-qemu
> @@ -70,6 +70,7 @@
> /usr/share/vgabios/** r,
> /usr/share/seabios/** r,
> /usr/share/ovmf/** r,
> + /usr/share/OVMF/** r,
>
> # access PKI infrastructure
> /etc/pki/libvirt-vnc/** r,
> diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
> index d976a00..dd166c2 100644
> --- a/src/security/virt-aa-helper.c
> +++ b/src/security/virt-aa-helper.c
> @@ -512,6 +512,7 @@ valid_path(const char *path, const bool readonly)
> "/vmlinuz",
> "/initrd",
> "/initrd.img",
> + "/usr/share/OVMF/", /* for OVMF images */
> "/usr/share/ovmf/" /* for OVMF images */
> };
> /* override the above with these */
> diff --git a/tests/virt-aa-helper-test b/tests/virt-aa-helper-test
> index 68e9399..73f3080 100755
> --- a/tests/virt-aa-helper-test
> +++ b/tests/virt-aa-helper-test
> @@ -145,6 +145,20 @@ testme() {
> fi
> }
>
> +testfw() {
> + title="$1"
> + fwpath="$2"
> +
> + if [ -f "$fwpath" ]; then
> + sed -e "s,###UUID###,$uuid,g" \
> + -e "s,###DISK###,$disk1,g" \
> + -e "s,</os>,<loader readonly='yes'
type='pflash'>$fwpath</loader></os>,g"
"$template_xml" > "$test_xml"
> + testme "0" "$title" "-r -u $valid_uuid"
"$test_xml"
> + else
> + echo "Skipping FW $title test. Could not find $fwpath"
> + fi
> +}
> +
> # Expected failures
> echo "Expected failures:" >$output
> testme "1" "invalid arg" "-z"
> @@ -291,14 +305,8 @@ sed -e "s,###UUID###,$uuid,g" -e
"s,###DISK###,$disk1,g" -e "s,</os>,<kernel>$tm
> touch "$tmpdir/kernel"
> testme "0" "kernel" "-r -u $valid_uuid"
"$test_xml"
>
> -if [ -f /usr/share/ovmf/OVMF.fd ]; then
> - sed -e "s,###UUID###,$uuid,g" \
> - -e "s,###DISK###,$disk1,g" \
> - -e "s,</os>,<loader readonly='yes'
type='pflash'>/usr/share/ovmf/OVMF.fd</loader></os>,g"
"$template_xml" > "$test_xml"
> - testme "0" "ovmf" "-r -u $valid_uuid"
"$test_xml"
> -else
> - echo "Skipping OVMF test. Could not find /usr/share/ovmf/OVMF.fd"
> -fi
> +testfw "ovmf (old path)" "/usr/share/ovmf/OVMF.fd"
> +testfw "OVMF (new path)" "/usr/share/OVMF/OVMF_CODE.fd"
>
> sed -e "s,###UUID###,$uuid,g" -e "s,###DISK###,$disk1,g" -e
"s,</os>,<initrd>$tmpdir/initrd</initrd></os>,g"
"$template_xml" > "$test_xml"
> touch "$tmpdir/initrd"
> --
> 2.7.4
>
> --
> libvir-list mailing list
> libvir-list(a)redhat.com
> https://www.redhat.com/mailman/listinfo/libvir-list
--
libvir-list mailing list
libvir-list(a)redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
Attachments:
- signature.asc (application/pgp-signature — 819 bytes)