911786 – app-emulation/libvirt-9.4.0-r3 UEFI VMs cannot start with AppArmor enabled

Bug 911786 - app-emulation/libvirt-9.4.0-r3 UEFI VMs cannot start with AppArmor enabled

Summary: app-emulation/libvirt-9.4.0-r3 UEFI VMs cannot start with AppArmor enabled

Status:	UNCONFIRMED

Alias:	None

Product:	Gentoo Linux
Classification:	Unclassified
Component:	Current packages (show other bugs)
Hardware:	AMD64 Linux

Importance:	Normal normal (vote)
Assignee:	Matthias Maier

URL:
Whiteboard:
Keywords:	PATCH

Depends on:
Blocks:

Reported:	2023-08-05 20:29 UTC by Stefan Bader
Modified:	2023-08-05 20:30 UTC (History)
CC List:	2 users (show)

See Also:	https://github.com/void-linux/void-packages/issues/32562
Package list:
Runtime testing required:	---

Attachments
Patch to add /usr/share/edk2-ovmf/ to the valid path list of virt-aa-helper (apparmor-uefi.patch,496 bytes, patch) 2023-08-05 20:29 UTC, Stefan Bader	Details \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Stefan Bader 2023-08-05 20:29:04 UTC

Created attachment 867185 [details, diff]
Patch to add /usr/share/edk2-ovmf/ to the valid path list of virt-aa-helper

This issue was best described in

https://github.com/void-linux/void-packages/issues/32562

short summary: virt-aa-helper autogenerates apparmor profiles for VMs, with valid paths of UEFI firmware images hardcoded into the virt-aa-helper.c file.

The UEFI firmware files shipped with sys-firmware/edk2-ovmf-bin reside in
/usr/share/edk2-ovmf/
which is not part of the valid-path-list hardcoded in virt-aa-helper.c

As a workaround i currently use the attached patch in 
/etc/portage/patches/app-emulation/libvirt/apparmor-uefi.patch