virt-aa-helper restricts arm64 QEMU_EFI.fd binary

Bug #1538882 reported by Ali on 2016-01-28
This bug affects 1 person
Affects: libvirt (Ubuntu)
Importance: Undecided
Assigned to: William Grant

Bug Description

Attempting to use libvirt to start a VM on arm64 with the installed path of the qemu-efi package fails:

$ /usr/lib/libvirt/virt-aa-helper -c -u libvirt-b9da2c01-cbd0-4ede-a026-f9f35ff5e9ba < template.xml
virt-aa-helper: error: /usr/share/qemu-efi/QEMU_EFI.fd
virt-aa-helper: error: skipped restricted file
virt-aa-helper: error: invalid VM definition

This is because /usr/share/ is a restricted path in virt-aa-helper.c and an exception isn't made in restricted_rw for /usr/share/qemu-efi like it is for other firmware images like /usr/share/ovmf/.

Also, although I haven't directly run into it, /etc/apparmor.d/abstractions/libvirt-qemu should probably have entries for aarch64 as well to match the x86 counterparts:
  /usr/lib/aarch64-linux-gnu/qemu/block-curl.so rm,
  /usr/lib/aarch64-linux-gnu/qemu/block-rbd.so rm,

William Grant (wgrant) on 2016-04-15
Changed in libvirt (Ubuntu):
assignee: nobody → William Grant (wgrant)
status: New → In Progress
Launchpad Janitor (janitor) wrote:

This bug was fixed in the package libvirt - 1.3.1-1ubuntu10

---------------
libvirt (1.3.1-1ubuntu10) xenial; urgency=medium

  * d/p/u/virt-aa-helper-apparmor-allow-usr-share-AAVMF-too.patch: Allow
    access to /usr/share/AAVMF/** and /usr/share/qemu-efi/** for aarch64 UEFI.
    (LP: #1538882)

 -- William Grant <email address hidden> Fri, 15 Apr 2016 12:08:21 +1000

Changed in libvirt (Ubuntu):
status: In Progress → Fix Released
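
The behaviour reported above and the effect of the fix, as an added example that is not taken from libvirt's virt-aa-helper.c: a simplified model of a prefix-based path check in which /usr/share/ is refused unless a read-only firmware exception matches. The function names, the shortened lists and the decision order are assumptions of this sketch, and paths are assumed to be canonical already.

```c
/* Added illustration: simplified model of the check described in this
 * report, not libvirt source. Paths are assumed to be canonical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define N(a) (sizeof(a) / sizeof((a)[0]))

/* Prefixes refused outright (subset; /usr/share/ is the one the bug hit). */
static const char *const restricted[] = { "/etc/", "/usr/share/" };
/* Read-only exceptions, before and after the 1.3.1-1ubuntu10 change. */
static const char *const ro_before[] = { "/usr/share/ovmf/" };
static const char *const ro_after[] = {
    "/usr/share/ovmf/", "/usr/share/AAVMF/", "/usr/share/qemu-efi/"
};

static bool has_prefix(const char *path, const char *const *list, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (strncmp(path, list[i], strlen(list[i])) == 0)
            return true;
    return false;
}

/* true = path may go into the per-VM profile with the requested access. */
static bool path_ok(const char *path, bool readonly,
                    const char *const *ro_ok, size_t n_ro)
{
    if (path[0] != '/')
        return false;                 /* only absolute paths */
    if (has_prefix(path, ro_ok, n_ro))
        return readonly;              /* firmware: readable, never writable */
    return !has_prefix(path, restricted, N(restricted));
}

bool ok_before_fix(const char *p, bool ro) { return path_ok(p, ro, ro_before, N(ro_before)); }
bool ok_after_fix(const char *p, bool ro)  { return path_ok(p, ro, ro_after, N(ro_after)); }

int main(void)
{
    const char *fw = "/usr/share/qemu-efi/QEMU_EFI.fd";
    printf("before fix, read-only : %d\n", ok_before_fix(fw, true));
    printf("after fix,  read-only : %d\n", ok_after_fix(fw, true));
    printf("after fix,  read-write: %d\n", ok_after_fix(fw, false));
    /* Constructed sibling path: the trailing slash keeps it out of the exception. */
    printf("sibling dir, read-only: %d\n", ok_after_fix("/usr/share/qemu-efi-x/f.fd", true));
    return 0;
}
```

Keeping the trailing slash on each exception prefix and granting read access only are the two properties worth preserving when further firmware directories are added.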