Bug 911786

Summary: app-emulation/libvirt-9.4.0-r3 UEFI VMs cannot start with AppArmor enabled
Product: Gentoo Linux
Component: Current packages
Status: UNCONFIRMED ---
Severity: normal
Priority: Normal
Version: unspecified
Hardware: AMD64
OS: Linux
Reporter: Stefan Bader <stefan.bader1>
Assignee: Matthias Maier <tamiko>
CC: michal.privoznik, virtualization
Keywords: PATCH
See Also: https://github.com/void-linux/void-packages/issues/32562
Whiteboard:
Package list:
Runtime testing required: ---
Attachments: Patch to add /usr/share/edk2-ovmf/ to the valid path list of virt-aa-helper

Description Stefan Bader 2023-08-05 20:29:04 UTC
Created attachment 867185
Patch to add /usr/share/edk2-ovmf/ to the valid path list of virt-aa-helper

This issue was best described in

https://github.com/void-linux/void-packages/issues/32562

Short summary: virt-aa-helper autogenerates AppArmor profiles for VMs, with valid paths of UEFI firmware images hardcoded into the virt-aa-helper.c file.

The UEFI firmware files shipped with sys-firmware/edk2-ovmf-bin reside in
/usr/share/edk2-ovmf/
which is not part of the valid-path-list hardcoded in virt-aa-helper.c.

As a workaround I currently use the attached patch in
/etc/portage/patches/app-emulation/libvirt/apparmor-uefi.patch