Created attachment 867185 [details, diff]
Patch to add /usr/share/edk2-ovmf/ to the valid path list of virt-aa-helper

This issue was best described in https://github.com/void-linux/void-packages/issues/32562

Short summary: virt-aa-helper autogenerates AppArmor profiles for VMs, with the valid paths of UEFI firmware images hardcoded into the virt-aa-helper.c file. The UEFI firmware files shipped with sys-firmware/edk2-ovmf-bin reside in /usr/share/edk2-ovmf/, which is not part of the valid-path list hardcoded in virt-aa-helper.c.

As a workaround I currently use the attached patch in /etc/portage/patches/app-emulation/libvirt/apparmor-uefi.patch
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=be9b86298e8627bd14928f0b61ef0b32148d90a8

commit be9b86298e8627bd14928f0b61ef0b32148d90a8
Author:     Michal Privoznik <michal.privoznik@gmail.com>
AuthorDate: 2024-07-07 05:40:13 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2024-07-07 07:38:30 +0000

    app-emulation/libvirt: Backport AppArmor fix

    When AppArmor is enabled and sys-firmware/edk2-ovmf-bin is installed
    then starting a guest under libvirt fails, because libvirt assumed
    different paths for UEFI. A fix was merged upstream so backport it.

    Resolves: https://bugs.gentoo.org/911786
    Signed-off-by: Michal Privoznik <michal.privoznik@gmail.com>
    Signed-off-by: Sam James <sam@gentoo.org>

 ...per-Allow-RO-access-to-usr-share-edk2-ovm.patch | 33 ++++++++++++++++++++++
 ...t-10.0.0-r2.ebuild => libvirt-10.0.0-r3.ebuild} |  1 +
 ...t-10.1.0-r1.ebuild => libvirt-10.1.0-r2.ebuild} |  1 +
 ...virt-10.2.0.ebuild => libvirt-10.2.0-r1.ebuild} |  1 +
 ...t-10.3.0-r1.ebuild => libvirt-10.3.0-r2.ebuild} |  1 +
 ...irt-9.8.0-r2.ebuild => libvirt-9.8.0-r3.ebuild} |  1 +
 ...irt-9.9.0-r2.ebuild => libvirt-9.9.0-r3.ebuild} |  1 +
 7 files changed, 39 insertions(+)