On 9/28/22 14:45, christian.ehrha...@canonical.com wrote:
> From: Christian Ehrhardt <christian.ehrha...@canonical.com>
>
> Riscv64 usually uses u-boot as external -kernel and a loader from
> the open implementation of RISC-V SBI. The paths for those binaries
> as packaged in Debian and Ubuntu are in paths which are usually
> forbidden to be added by the user under /usr/lib...
>
> People used to start riscv64 guests only manually via qemu cmdline,
> but trying to encapsulate that via libvirt now causes failures when
> starting the guest due to the apparmor isolation not allowing that:
>   virt-aa-helper: error: skipped restricted file
>   virt-aa-helper: error: invalid VM definition
>
> Explicitly allow the sub-paths used by u-boot-qemu and opensbi
> under /usr/lib/ as readonly rules.
>
> Signed-off-by: Christian Ehrhardt <christian.ehrha...@canonical.com>
> ---
>  src/security/virt-aa-helper.c | 12 +++++++-----
>  1 file changed, 7 insertions(+), 5 deletions(-)

Reviewed-by: Michal Privoznik <mpriv...@redhat.com>

Michal