Re: [PATCH] virt-aa-helper: allow common riscv64 loader paths

From: Christian Ehrhardt <christian.ehrhardt(a)canonical.com&gt; Riscv64 usually uses u-boot as external -kernel and a loader from the open implementation of RISC-V SBI. The paths for those binaries as packaged in Debian and Ubuntu are in paths which are usually forbidden to be added by the user under /usr/lib... People used to start riscv64 guests only manually via qemu cmdline, but trying to encapsulate that via libvirt now causes failures when starting the guest due to the apparmor isolation not allowing that: virt-aa-helper: error: skipped restricted file virt-aa-helper: error: invalid VM definition Explicitly allow the sub-paths used by u-boot-qemu and opensbi under /usr/lib/ as readonly rules. Signed-off-by: Christian Ehrhardt <christian.ehrhardt(a)canonical.com&gt; --- src/security/virt-aa-helper.c | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-)