On 9/28/22 14:45, christian.ehrhardt@canonical.com wrote:
From: Christian Ehrhardt <christian.ehrhardt@canonical.com>
Riscv64 usually uses u-boot as external -kernel and a loader from the open implementation of RISC-V SBI. The paths for those binaries as packaged in Debian and Ubuntu are in paths which are usually forbidden to be added by the user under /usr/lib...
People used to start riscv64 guests only manually via qemu cmdline, but trying to encapsulate that via libvirt now causes failures when starting the guest due to the apparmor isolation not allowing that: virt-aa-helper: error: skipped restricted file virt-aa-helper: error: invalid VM definition
Explicitly allow the sub-paths used by u-boot-qemu and opensbi under /usr/lib/ as readonly rules.
Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com> --- src/security/virt-aa-helper.c | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-)
Reviewed-by: Michal Privoznik <mprivozn@redhat.com> Michal