Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 911786 - app-emulation/libvirt-9.4.0-r3 UEFI VMs cannot start with AppArmor enabled
Summary: app-emulation/libvirt-9.4.0-r3 UEFI VMs cannot start with AppArmor enabled
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages (show other bugs)
Hardware: AMD64 Linux
: Normal normal (vote)
Assignee: Virtualization Team
URL:
Whiteboard:
Keywords: PATCH
Depends on:
Blocks:
 
Reported: 2023-08-05 20:29 UTC by Stefan Bader
Modified: 2024-07-07 07:39 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
Patch to add /usr/share/edk2-ovmf/ to the valid path list of virt-aa-helper (apparmor-uefi.patch,496 bytes, patch)
2023-08-05 20:29 UTC, Stefan Bader
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Stefan Bader 2023-08-05 20:29:04 UTC
Created attachment 867185 [details, diff]
Patch to add /usr/share/edk2-ovmf/ to the valid path list of virt-aa-helper

This issue was best described in

https://github.com/void-linux/void-packages/issues/32562

short summary: virt-aa-helper autogenerates apparmor profiles for VMs, with valid paths of UEFI firmware images hardcoded into the virt-aa-helper.c file.

The UEFI firmware files shipped with sys-firmware/edk2-ovmf-bin reside in
/usr/share/edk2-ovmf/
which is not part of the valid-path-list hardcoded in virt-aa-helper.c

As a workaround i currently use the attached patch in 
/etc/portage/patches/app-emulation/libvirt/apparmor-uefi.patch
Comment 1 Larry the Git Cow gentoo-dev 2024-07-07 07:39:22 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=be9b86298e8627bd14928f0b61ef0b32148d90a8

commit be9b86298e8627bd14928f0b61ef0b32148d90a8
Author:     Michal Privoznik <michal.privoznik@gmail.com>
AuthorDate: 2024-07-07 05:40:13 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2024-07-07 07:38:30 +0000

    app-emulation/libvirt: Backport AppArmor fix
    
    When AppArmor is enabled and sys-firmware/edk2-ovmf-bin is
    installed then starting a guest under libvirt fails, because
    libvirt assumed different paths for UEFI. A fix was merged
    upstream so backport it.
    
    Resolves: https://bugs.gentoo.org/911786
    Signed-off-by: Michal Privoznik <michal.privoznik@gmail.com>
    Signed-off-by: Sam James <sam@gentoo.org>

 ...per-Allow-RO-access-to-usr-share-edk2-ovm.patch | 33 ++++++++++++++++++++++
 ...t-10.0.0-r2.ebuild => libvirt-10.0.0-r3.ebuild} |  1 +
 ...t-10.1.0-r1.ebuild => libvirt-10.1.0-r2.ebuild} |  1 +
 ...virt-10.2.0.ebuild => libvirt-10.2.0-r1.ebuild} |  1 +
 ...t-10.3.0-r1.ebuild => libvirt-10.3.0-r2.ebuild} |  1 +
 ...irt-9.8.0-r2.ebuild => libvirt-9.8.0-r3.ebuild} |  1 +
 ...irt-9.9.0-r2.ebuild => libvirt-9.9.0-r3.ebuild} |  1 +
 7 files changed, 39 insertions(+)