Re: [libvirt] [PATCH 2/8] apparmor, virt-aa-helper: allow /usr/share/OVMF/ too
Hi Stefan,
On Thu, May 18, 2017 at 10:53:40AM +0200, Stefan Bader wrote:
From: Simon McVittie <smcv(a)debian.org>
The split firmware and variables files introduced by
https://bugs.debian.org/764918 are in a different directory for some reason.
Let the virtual machine read both.
Extended by Christian Ehrhardt to generalize FW test (simplifies
additional testing on firmware files in future).
If you want to credit this separately I suggest to split the ode that
itroduces testfw into one commit (attributed to Christian) and the code
that adds read access to OVMF into another one (attributed to Simon).
Cheers,
-- Guido
Signed-off-by: Christian Ehrhardt <christian.ehrhardt(a)canonical.com>
Signed-off-by: Stefan Bader <stefan.bader(a)canonical.com>
Acked-by: Guido Günther <agx(a)sigxcpu.org>
---
examples/apparmor/libvirt-qemu | 1 +
src/security/virt-aa-helper.c | 1 +
tests/virt-aa-helper-test | 24 ++++++++++++++++--------
3 files changed, 18 insertions(+), 8 deletions(-)
diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu
index a9020aa..e0988bb 100644
--- a/examples/apparmor/libvirt-qemu
+++ b/examples/apparmor/libvirt-qemu
@@ -70,6 +70,7 @@
/usr/share/vgabios/** r,
/usr/share/seabios/** r,
/usr/share/ovmf/** r,
+ /usr/share/OVMF/** r,
# access PKI infrastructure
/etc/pki/libvirt-vnc/** r,
diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
index d976a00..dd166c2 100644
--- a/src/security/virt-aa-helper.c
+++ b/src/security/virt-aa-helper.c
@@ -512,6 +512,7 @@ valid_path(const char *path, const bool readonly)
"/vmlinuz",
"/initrd",
"/initrd.img",
+ "/usr/share/OVMF/", /* for OVMF images */
"/usr/share/ovmf/" /* for OVMF images */
};
/* override the above with these */
diff --git a/tests/virt-aa-helper-test b/tests/virt-aa-helper-test
index 68e9399..73f3080 100755
--- a/tests/virt-aa-helper-test
+++ b/tests/virt-aa-helper-test
@@ -145,6 +145,20 @@ testme() {
fi
}
+testfw() {
+ title="$1"
+ fwpath="$2"
+
+ if [ -f "$fwpath" ]; then
+ sed -e "s,###UUID###,$uuid,g" \
+ -e "s,###DISK###,$disk1,g" \
+ -e "s,</os>,<loader readonly='yes'
type='pflash'>$fwpath</loader></os>,g"
"$template_xml" > "$test_xml"
+ testme "0" "$title" "-r -u $valid_uuid"
"$test_xml"
+ else
+ echo "Skipping FW $title test. Could not find $fwpath"
+ fi
+}
+
# Expected failures
echo "Expected failures:" >$output
testme "1" "invalid arg" "-z"
@@ -291,14 +305,8 @@ sed -e "s,###UUID###,$uuid,g" -e
"s,###DISK###,$disk1,g" -e "s,</os>,<kernel>$tm
touch "$tmpdir/kernel"
testme "0" "kernel" "-r -u $valid_uuid"
"$test_xml"
-if [ -f /usr/share/ovmf/OVMF.fd ]; then
- sed -e "s,###UUID###,$uuid,g" \
- -e "s,###DISK###,$disk1,g" \
- -e "s,</os>,<loader readonly='yes'
type='pflash'>/usr/share/ovmf/OVMF.fd</loader></os>,g"
"$template_xml" > "$test_xml"
- testme "0" "ovmf" "-r -u $valid_uuid"
"$test_xml"
-else
- echo "Skipping OVMF test. Could not find /usr/share/ovmf/OVMF.fd"
-fi
+testfw "ovmf (old path)" "/usr/share/ovmf/OVMF.fd"
+testfw "OVMF (new path)" "/usr/share/OVMF/OVMF_CODE.fd"
sed -e "s,###UUID###,$uuid,g" -e "s,###DISK###,$disk1,g" -e
"s,</os>,<initrd>$tmpdir/initrd</initrd></os>,g"
"$template_xml" > "$test_xml"
touch "$tmpdir/initrd"
--
2.7.4
--
libvir-list mailing list
libvir-list(a)redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list