Bug 667434 - app-emulation/libvirt apparmor permissions issue with ovmf
Summary: app-emulation/libvirt apparmor permissions issue with ovmf
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages (show other bugs)
Hardware: All Linux
Importance: Normal normal
Assignee: Matthias Maier
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2018-10-01 06:38 UTC by Dillon
Modified: 2019-04-20 08:00 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
emerge info (file_667434.txt,6.00 KB, text/plain)
2018-10-01 06:38 UTC, Dillon
Details

Description Dillon 2018-10-01 06:38:52 UTC
Created attachment 548566 [details]
emerge info

When apparmor is enabled, qemu is not permitted to read OVMF UEFI files by libvirt's apparmor-helper; this is AFAICT caused by a line in virt-aa-helper.c:

        "/usr/share/OVMF/",              /* for OVMF images */
        "/usr/share/ovmf/",              /* for OVMF images */
---
The in-tree ovmf binaries install to /usr/share/edk2-ovmf/.
Could be fixed by moving it to ovmf and symlinking edk2-ovmf back to it (what I did),
or by patching virt-aa-helper.c to permit the directory.
Comment 1 Matthias Maier gentoo-dev 2018-11-04 05:08:32 UTC
Can you please try to add

  /usr/share/edk2-ovmf/* r,

to the apparmor configuration file usr.libexec.virt-aa-helper?

If that helps, we could simply add the line to the current patch under

  files/libvirt-4.5.0-fix_typo_in_apparmor_rule.patch
Comment 2 Larry the Git Cow gentoo-dev 2018-12-26 03:27:24 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fa037df7c74c102d2b82689c4cfc0e804ee1ba8c

commit fa037df7c74c102d2b82689c4cfc0e804ee1ba8c
Author:     Matthias Maier <tamiko@gentoo.org>
AuthorDate: 2018-12-26 03:03:36 +0000
Commit:     Matthias Maier <tamiko@gentoo.org>
CommitDate: 2018-12-26 03:27:05 +0000

    app-emulation/libvirt: version bump to 4.10.0
    
     * fix apparmor rules, bug #667434
     * include netcat alternatives, bug #672992
    
    Closes: https://bugs.gentoo.org/667434
    Closes: https://bugs.gentoo.org/672992
    Package-Manager: Portage-2.3.52, Repoman-2.3.12
    Signed-off-by: Matthias Maier <tamiko@gentoo.org>

 app-emulation/libvirt/Manifest                     |   1 +
 .../files/libvirt-4.10.0-fix_apparmor_rules.patch  |  14 +
 app-emulation/libvirt/libvirt-4.10.0.ebuild        | 387 +++++++++++++++++++++
 3 files changed, 402 insertions(+)
Comment 3 José Pekkarinen 2019-04-20 07:49:37 UTC
This bug is not properly addressed, as I see the following trying
to use apparmor and ovmf domains:

virt-aa-helper: error: /usr/share/edk2-ovmf/OVMF_CODE.fd
virt-aa-helper: error: skipped restricted file
virt-aa-helper: error: invalid VM definition

The reason is that the patch adds the correct path to the
libvirt-qemu abstraction, and the virt-aa-helper doesn't
use it.
Comment 4 José Pekkarinen 2019-04-20 08:00:33 UTC
Adding the line:

 profile virt-aa-helper /usr/libexec/virt-aa-helper {
   #include <abstractions/base>
+  #include <abstractions/libvirt-qemu>

   # needed for searching directories
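Review bot: including the whole libvirt-qemu abstraction at this point grants virt-aa-helper every permission that abstraction carries, not only read access to /usr/share/edk2-ovmf; if the OVMF directory is the only thing the helper is missing, the narrower change is the single rule from comment 1, /usr/share/edk2-ovmf/* r, placed directly in this profile. Either way the line has to land in the helper's own profile (usr.libexec.virt-aa-helper, as comment 1 names it), since comment 3 shows that a rule present only in the abstraction is never consulted by the helper.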

Fixes it for me.

José.
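Added example, not code from the bug report, from Gentoo's packaging or from libvirt: a small Python model of AppArmor file-rule matching that reproduces the situation in comments 1, 3 and 4. It loads a profile, follows its #include directives, and asks whether a given path is readable, so you can see that the edk2-ovmf rule in abstractions/libvirt-qemu does nothing for virt-aa-helper until the helper profile includes that abstraction, and that the single-star rule from comment 1 covers files directly in /usr/share/edk2-ovmf/ but not a nested subdirectory. The profile texts are constructed excerpts (assumption: they are not the real files under /etc/apparmor.d), and the parser handles only plain path rules, deny/owner prefixes, #include, and the *, **, ?, {a,b} globs; profile nesting, @{variables} and other rule types are out of scope, so this is a teaching model, not a replacement for apparmor_parser.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed excerpts standing in for files under /etc/apparmor.d (assumption:
# these are not the real Gentoo or upstream libvirt profiles). The abstraction
# carries the edk2-ovmf read rule; the helper profile is shown before and after
# the "#include <abstractions/libvirt-qemu>" line from comment 4, plus a variant
# carrying the single explicit rule suggested in comment 1.
ABSTRACTION_LIBVIRT_QEMU = """\
  # constructed excerpt of abstractions/libvirt-qemu
  /usr/share/OVMF/** r,
  /usr/share/edk2-ovmf/** r,
"""
HELPER_PROFILE_BEFORE = """\
profile virt-aa-helper /usr/libexec/virt-aa-helper {
  #include <abstractions/base>

  # needed for searching directories
  capability dac_override,
  /etc/libvirt/qemu/** r,
}
"""
HELPER_PROFILE_AFTER = HELPER_PROFILE_BEFORE.replace(
    "  #include <abstractions/base>\n",
    "  #include <abstractions/base>\n  #include <abstractions/libvirt-qemu>\n",
)
HELPER_PROFILE_NARROW = HELPER_PROFILE_BEFORE.replace(
    "  #include <abstractions/base>\n",
    "  #include <abstractions/base>\n  /usr/share/edk2-ovmf/* r,\n",  # comment 1's rule
)
# In-memory stand-in for /etc/apparmor.d, keyed by path relative to it.
FILES: Dict[str, str] = {
    "abstractions/base": "  # constructed placeholder\n",
    "abstractions/libvirt-qemu": ABSTRACTION_LIBVIRT_QEMU,
    "usr.libexec.virt-aa-helper": HELPER_PROFILE_BEFORE,
    "usr.libexec.virt-aa-helper.fixed": HELPER_PROFILE_AFTER,
    "usr.libexec.virt-aa-helper.narrow": HELPER_PROFILE_NARROW,
}

INCLUDE_RE = re.compile(r"^#?include\s+<([^>]+)>")
RULE_RE = re.compile(r"^(deny\s+)?(?:owner\s+)?(/[^\s,]+)\s+([a-zA-Z]+)\s*,$")


def glob_to_regex(glob: str) -> "re.Pattern[str]":
    """AppArmor path glob -> anchored regex: '*' stays inside one path
    component, '**' may cross '/', '?' is one char, '{a,b}' alternates."""
    out: List[str] = []
    i = 0
    while i < len(glob):
        if glob.startswith("**", i):
            out.append(".*")
            i += 2
            continue
        c = glob[i]
        if c == "*":
            out.append("[^/]*")
        elif c == "?":
            out.append("[^/]")
        elif c == "{":
            j = glob.index("}", i)
            out.append("(?:" + "|".join(re.escape(a) for a in glob[i + 1:j].split(",")) + ")")
            i = j
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("^" + "".join(out) + "$")


def load_rules(files: Dict[str, str], name: str,
               seen: Optional[Set[str]] = None) -> List[Tuple[bool, "re.Pattern[str]", str]]:
    """Collect (is_deny, path matcher, perms) file rules, following #include."""
    seen = set() if seen is None else seen
    if name in seen:
        return []
    seen.add(name)
    if name not in files:
        raise FileNotFoundError(name)
    rules = []
    for raw in files[name].splitlines():
        line = raw.strip()
        inc = INCLUDE_RE.match(line)  # must run before the comment check
        if inc:
            rules.extend(load_rules(files, inc.group(1), seen))
        elif line and not line.startswith("#"):
            m = RULE_RE.match(line)
            if m:
                rules.append((m.group(1) is not None, glob_to_regex(m.group(2)), m.group(3)))
    return rules


def can_read(files: Dict[str, str], profile: str, path: str) -> bool:
    """True if an allow rule grants 'r' on path and no deny rule matches it."""
    allowed = False
    for is_deny, matcher, perms in load_rules(files, profile):
        if "r" in perms and matcher.match(path):
            if is_deny:
                return False  # deny wins over allow, as in AppArmor
            allowed = True
    return allowed
```

Calling can_read(FILES, "usr.libexec.virt-aa-helper", "/usr/share/edk2-ovmf/OVMF_CODE.fd") is the comment 3 situation and returns False; the ".fixed" profile returns True. The ".narrow" profile also returns True for that file but False for /usr/share/edk2-ovmf/x64/OVMF_CODE.fd, which is the practical difference between a single-star rule and the ** form when deciding how wide a grant to give the helper.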