A workaround is to (ab)use the template file /etc/apparmor.d/libvirt/TEMPLATE.qemu:
---
profile LIBVIRT_TEMPLATE {
  #include <abstractions/libvirt-qemu>
  /var/lib/libvirt/qemu/nvram/*_VARS.fd rw,
}
---

I'm not too familiar with AppArmor, nor kvm/libvirt's security model, but I assume the whole point of virt-aa-helper is to create custom per-VM AppArmor profiles with domain-specific file names, so *_VARS.fd is technically insecure, given that all guest processes could in theory write to the EFI/OVMF NVRAM image files, and proper guest vs guest isolation requires the fix in virt-aa-helper.

--
https://bugs.launchpad.net/bugs/1483071
Title: Error creating new VM with OVMF
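
The contrast between the wildcard rule and a domain-specific rule, as an added example that is not part of the bug comment and is not virt-aa-helper's code: it reads the NVRAM path from a libvirt domain XML, emits a rule for that one file, and checks which rule reaches another guest's store. The guest names and sample XML are constructed, and the glob matcher is a simplification of AppArmor's that handles only `*` and `**`.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample data: guest names and paths are made up for this example.
DOMAIN_A = """<domain type='kvm'>
  <name>guest-a</name>
  <os>
    <loader readonly='yes' type='pflash'>/usr/share/OVMF/OVMF_CODE.fd</loader>
    <nvram>/var/lib/libvirt/qemu/nvram/guest-a_VARS.fd</nvram>
  </os>
</domain>"""
NVRAM_B = "/var/lib/libvirt/qemu/nvram/guest-b_VARS.fd"  # another guest's store
WILDCARD_RULE = "/var/lib/libvirt/qemu/nvram/*_VARS.fd"  # pattern from the comment


def nvram_path(domain_xml):
    """Return the domain's <os><nvram> path, or None if it has none."""
    node = ET.fromstring(domain_xml).find("./os/nvram")
    path = (node.text or "").strip() if node is not None else ""
    if not path:
        return None
    # Refuse characters that would change the meaning of the rule line.
    if not path.startswith("/") or re.search(r'["\n*?{}\[\]]', path):
        raise ValueError("unsafe NVRAM path: %r" % path)
    return path


def nvram_rule(domain_xml):
    """Per-domain AppArmor file rule: rw on this guest's NVRAM store only."""
    path = nvram_path(domain_xml)
    return '  "%s" rw,' % path if path else None


def glob_matches(pattern, path):
    """Simplified AppArmor glob: '**' crosses '/', a single '*' does not."""
    parts = re.split(r"(\*\*|\*)", pattern)
    rx = "".join({"**": ".*", "*": "[^/]*"}.get(p, re.escape(p)) for p in parts)
    return re.fullmatch(rx, path) is not None


if __name__ == "__main__":
    print(nvram_rule(DOMAIN_A))
    print("wildcard reaches guest-b:", glob_matches(WILDCARD_RULE, NVRAM_B))
    print("specific reaches guest-b:", glob_matches(nvram_path(DOMAIN_A), NVRAM_B))
```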