Add a patch to make virt-aa-helper allow reading the new location of OVMF firmware

Closes: #812069

Add a patch to make virt-aa-helper allow reading the new location of OVMF firmware
a0b3e592 · Simon McVittie · Guido Günther · 2cbc1275 · a0b3e592 · a0b3e592
Commit a0b3e592 authored 9 years ago by Simon McVittie Committed by Guido Günther 9 years ago
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -13,3 +13,4 @@ debian/Use-upstreams-polkit-rule.patch
 Allow-access-to-libnl-3-config-files.patch
 debian/apparmor_profiles_local_include.patch
 debian/libsystemd.patch
+virt-aa-helper-apparmor-allow-usr-share-OVMF-too.patch
--- a/debian/patches/virt-aa-helper-apparmor-allow-usr-share-OVMF-too.patch
+++ b/debian/patches/virt-aa-helper-apparmor-allow-usr-share-OVMF-too.patch
+From: Simon McVittie <smcv@debian.org>
+Date: Tue, 19 Jan 2016 21:27:57 +0000
+Subject: virt-aa-helper, apparmor: allow /usr/share/OVMF/ too
+
+The split firmware and variables files introduced by
+https://bugs.debian.org/764918 are in a different directory for
+some reason. Let the virtual machine read both.
+---
+ examples/apparmor/libvirt-qemu | 1 +
+ src/security/virt-aa-helper.c  | 1 +
+ tests/virt-aa-helper-test      | 7 ++++++-
+ 3 files changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu
+index efb4873..9f996ab 100644
+--- a/examples/apparmor/libvirt-qemu
+++ b/examples/apparmor/libvirt-qemu
+@@ -67,6 +67,7 @@
+   /usr/share/vgabios/** r,
+   /usr/share/seabios/** r,
+   /usr/share/ovmf/** r,
+  /usr/share/OVMF/** r,
+ 
+   # access PKI infrastructure
+   /etc/pki/libvirt-vnc/** r,
+diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
+index 5de56e5..1a8f53e 100644
+--- a/src/security/virt-aa-helper.c
+++ b/src/security/virt-aa-helper.c
+@@ -570,6 +570,7 @@ valid_path(const char *path, const bool readonly)
+         "/vmlinuz",
+         "/initrd",
+         "/initrd.img",
+        "/usr/share/OVMF/",              /* for OVMF images */
+         "/usr/share/ovmf/"               /* for OVMF images */
+     };
+     /* override the above with these */
+diff --git a/tests/virt-aa-helper-test b/tests/virt-aa-helper-test
+index 1d03f5f..7e7a032 100755
+--- a/tests/virt-aa-helper-test
+++ b/tests/virt-aa-helper-test
+@@ -296,8 +296,13 @@ if [ -f /usr/share/ovmf/OVMF.fd ]; then
+         -e "s,###DISK###,$disk1,g" \
+         -e "s,</os>,<loader readonly='yes' type='pflash'>/usr/share/ovmf/OVMF.fd</loader></os>,g" "$template_xml" > "$test_xml"
+     testme "0" "ovmf" "-r -u $valid_uuid" "$test_xml"
+elif [ -f /usr/share/OVMF/OVMF.fd ]; then
+    sed -e "s,###UUID###,$uuid,g"  \
+        -e "s,###DISK###,$disk1,g" \
+        -e "s,</os>,<loader readonly='yes' type='pflash'>/usr/share/OVMF/OVMF.fd</loader></os>,g" "$template_xml" > "$test_xml"
+    testme "0" "ovmf" "-r -u $valid_uuid" "$test_xml"
+ else
+-    echo "Skipping OVMF test. Could not find /usr/share/ovmf/OVMF.fd"
+    echo "Skipping OVMF test. Could not find /usr/share/ovmf/OVMF.fd or /usr/share/OVMF/OVMF.fd"
+ fi
+ 
+ sed -e "s,###UUID###,$uuid,g" -e "s,###DISK###,$disk1,g" -e "s,</os>,<initrd>$tmpdir/initrd</initrd></os>,g" "$template_xml" > "$test_xml"