abstraction /etc/apparmor.d/abstractions/libvirt-qemu contains only these rules: /usr/share/vgabios/** r, /usr/share/seabios/** r, since qemu has been updated, it's now using seavgabios instead of vgabios, so this rule should be added: /usr/share/seavgabios/** r, patch for app-emulation/libvirt --- a/examples/apparmor/libvirt-qemu +++ b/examples/apparmor/libvirt-qemu @@ -69,6 +69,7 @@ /usr/share/proll/** r, /usr/share/vgabios/** r, /usr/share/seabios/** r, + /usr/share/seavgabios/** r, /usr/share/ovmf/** r, # access PKI infrastructure
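Review bot: the old /usr/share/vgabios/** r, rule stays in place right above the new /usr/share/seavgabios/** r, line; if qemu now ships only seavgabios, as the comment says, the vgabios rule is dead weight in the abstraction and should either be removed or get a comment saying which qemu versions still read the old path, so it can be dropped later. Otherwise the new line matches the read-only form of the surrounding firmware rules and the hunk header count (6 to 7 lines) is correct for one added line.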
ALSO the rule is needed for UEFI domains using the new package sys-firmware/edk2-ovmf (it installs into /usr/share/edk2-ovmf/, whereas default rule is for /usr/share/ovmf/) as a result more full patch: --- a/examples/apparmor/libvirt-qemu +++ b/examples/apparmor/libvirt-qemu @@ -69,7 +69,9 @@ /usr/share/proll/** r, /usr/share/vgabios/** r, /usr/share/seabios/** r, + /usr/share/seavgabios/** r, /usr/share/ovmf/** r, + /usr/share/edk2-ovmf/** r, # access PKI infrastructure /etc/pki/libvirt-vnc/** r,
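Review bot: this hunk is against the same base as the one-line hunk in the previous comment (both start at line 69), so the two cannot be applied in sequence without duplicating the seavgabios line or failing on context; the earlier patch should be treated as superseded by this one. The header @@ -69,7 +69,9 @@ correctly accounts for the two added lines, and both /usr/share/seavgabios/** r, and /usr/share/edk2-ovmf/** r, are read-only, consistent with the adjacent firmware rules; keeping /usr/share/ovmf/** r, alongside the edk2-ovmf path is sensible while both packages are in the tree.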
Also (I won't file a new bug, it's about apparmor too): since qemu-2.10.0 was stabilized, dynamically created rules for virtual drive and nvram images should allow locking these files (rule 'k'). It was fixed in libvirt-3.7.0, so please bump in the portage tree (now it's 3.6.0 only, even in ~arch) or include these patches: https://libvirt.org/git/?p=libvirt.git;a=patch;h=580cdaa7e7ba9e03303e06ff7ed487b6908efd09 https://libvirt.org/git/?p=libvirt.git;a=patch;h=03fb4e3deaa18d292810b21c23e2f8e06a435821 The patch (for the initial bug) for seavgabios and edk2-ovmf is still actual (not fixed upstream).
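As an added example (not code from this bug, from libvirt or from Gentoo), the following Python check parses the simple file rules of an AppArmor abstraction such as libvirt-qemu and reports which firmware directories have no read rule covering them. The sample abstraction text is constructed from the rules quoted in the patches above, and the list of required directories and the probe filename are assumptions made for the example.

```python
import re

# Constructed sample of the libvirt-qemu abstraction before the patches in
# this bug (not the file shipped by libvirt or Gentoo).
ABSTRACTION_BEFORE = """\
  # Firmware images
  /usr/share/proll/** r,
  /usr/share/vgabios/** r,
  /usr/share/seabios/** r,
  /usr/share/ovmf/** r,
  # access PKI infrastructure
  /etc/pki/libvirt-vnc/** r,
"""

# The same sample with both rules from the fuller patch applied.
ABSTRACTION_AFTER = ABSTRACTION_BEFORE.replace(
    "  /usr/share/seabios/** r,\n",
    "  /usr/share/seabios/** r,\n  /usr/share/seavgabios/** r,\n",
).replace(
    "  /usr/share/ovmf/** r,\n",
    "  /usr/share/ovmf/** r,\n  /usr/share/edk2-ovmf/** r,\n",
)

# Firmware directories qemu is expected to read from (assumed list).
REQUIRED_FIRMWARE_DIRS = (
    "/usr/share/seabios",
    "/usr/share/seavgabios",
    "/usr/share/ovmf",
    "/usr/share/edk2-ovmf",
)

# A plain file rule: an absolute path glob, a permission string, a comma,
# optionally followed by a comment. Comment-only lines do not match.
RULE_RE = re.compile(r"^\s*(?P<path>/\S+)\s+(?P<perms>[a-zA-Z]+)\s*,\s*(#.*)?$")


def parse_file_rules(text):
    """Return {path_glob: set(permission letters)} for simple file rules."""
    rules = {}
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.setdefault(m.group("path"), set()).update(m.group("perms"))
    return rules


def glob_to_regex(glob):
    """Translate an AppArmor path glob: '**' may span '/', '*' may not."""
    out = []
    i = 0
    while i < len(glob):
        if glob.startswith("**", i):
            out.append(".*")
            i += 2
        elif glob[i] == "*":
            out.append("[^/]*")
            i += 1
        else:
            out.append(re.escape(glob[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")


def allowed_perms(rules, path):
    """Union of permissions granted to `path` by every matching rule."""
    perms = set()
    for glob, p in rules.items():
        if glob_to_regex(glob).match(path):
            perms |= p
    return perms


def missing_read_rules(text, required_dirs=REQUIRED_FIRMWARE_DIRS):
    """List the required directories for which no rule grants 'r' below them."""
    rules = parse_file_rules(text)
    missing = []
    for d in required_dirs:
        probe = d + "/bios.bin"  # any file below the directory (assumed name)
        if "r" not in allowed_perms(rules, probe):
            missing.append(d)
    return missing


if __name__ == "__main__":
    print("before patch, unreadable:", missing_read_rules(ABSTRACTION_BEFORE))
    print("after patch, unreadable: ", missing_read_rules(ABSTRACTION_AFTER))
```

Run against the installed abstraction, the same check would flag a profile that still lacks the seavgabios or edk2-ovmf rule before a guest fails to start, which is the symptom this bug reports.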
for libvirt-3.8.0-r1 and libvirt-3.9.0 the patch is still needed
Created attachment 504136: patch for libvirt-3.8.0-r1
The bug has been closed via the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=24cd72c425327c6e1267416c9f170eefdd7affb7

commit 24cd72c425327c6e1267416c9f170eefdd7affb7
Author: Matthias Maier <tamiko@gentoo.org>
AuthorDate: 2017-12-07 15:54:55 +0000
Commit: Matthias Maier <tamiko@gentoo.org>
CommitDate: 2017-12-07 16:02:12 +0000

    app-emulation/libvirt: Update apparmor profiles

    Closes: https://bugs.gentoo.org/629718
    Package-Manager: Portage-2.3.16, Repoman-2.3.6

 .../libvirt-3.10.0-fix_paths_for_apparmor.patch | 118 +++++++++++++++++++++
 app-emulation/libvirt/libvirt-3.10.0.ebuild     |   2 +-
 2 files changed, 119 insertions(+), 1 deletion(-)
You have fully removed the profile 'usr.lib.libvirt.virt-aa-helper' in the new patch, but it should be renamed to 'usr.libexec.virt-aa-helper' with the fix (it's not necessary to change this part relative to the previous version).
Created attachment 515826: correct patch

The correct version of the patch; it doesn't break usr.libexec.virt-aa-helper.
The bug has been closed via the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=002a0f6216825de8c045768a5baeeaf862339497

commit 002a0f6216825de8c045768a5baeeaf862339497
Author: aporilel <35788283+aporilel@users.noreply.github.com>
AuthorDate: 2018-01-25 02:23:36 +0000
Commit: Matthias Maier <tamiko@gentoo.org>
CommitDate: 2018-01-30 17:03:10 +0000

    app-emulation/libvirt: fix apparmor patch

    Fixes: 24cd72c425327c6 ("app-emulation/libvirt: Update apparmor profiles")
    Closes: https://bugs.gentoo.org/629718
    Closes: https://github.com/gentoo/gentoo/pull/6954
    Signed-off-by: Matthias Maier <tamiko@gentoo.org>

 .../libvirt-3.10.0-r2-fix_paths_for_apparmor.patch |  77 +++++
 app-emulation/libvirt/libvirt-3.10.0-r2.ebuild     | 382 +++++++++++++++++++++
 2 files changed, 459 insertions(+)
The same problem (missing rule for seavgabios) in libvirt-6.1.0 and 6.2.0.
The bug has been closed via the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a4d74d2fec11558f4de07a0411e143d5dbe2db72

commit a4d74d2fec11558f4de07a0411e143d5dbe2db72
Author: aporilel <aporilel@yandex.ru>
AuthorDate: 2020-08-23 11:20:28 +0000
Commit: Joonas Niilola <juippis@gentoo.org>
CommitDate: 2020-09-05 07:53:46 +0000

    app-emulation/libvirt: add apparmor rule for seavgabios

    Closes: https://bugs.gentoo.org/629718
    Signed-off-by: Anton Smirnov <aporilel@yandex.ru>
    Closes: https://github.com/gentoo/gentoo/pull/15255
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 .../libvirt-6.5.0-fix-paths-for-apparmor.patch     | 82 ++++++++++++++++++++++
 ...ibvirt-6.5.0.ebuild => libvirt-6.5.0-r1.ebuild} |  2 +-
 2 files changed, 83 insertions(+), 1 deletion(-)