Comment 7 for bug 1990499

Christian Ehrhardt  (paelzer) wrote :

The file placement of these
  u-boot-qemu: /usr/lib/u-boot/qemu-riscv64_smode/uboot.elf
  opensbi: /usr/lib/riscv64-linux-gnu/opensbi/generic/fw_jump.elf
is not ideal.

ROMs and helpers are usually meant to be in
  /usr/share/qemu/

There you'd find firmware, ROMs and such binaries.

But /usr/lib is explicitly prohibited, quote:

"""
  /*
   * Don't allow access to special files or restricted paths such as /bin, /sbin,
   * /usr/bin, /usr/sbin and /etc. This is in an effort to prevent read/write
   * access to system files which could be used to elevate privileges. This is a
   * safety measure in case libvirtd is under a restrictive profile and is
   * subverted and trying to escape confinement.
   *
   * Note that we cannot exclude block devices because they are valid devices.
   * The TEMPLATE file can be adjusted to explicitly disallow these if needed.
   *
   * RETURN: -1 on error, 0 if ok, 1 if blocked
   */
  static int
  valid_path(const char *path, const bool readonly)
  {
      const char * const restricted[] = {
          "/bin/",
          "/etc/",
          "/lib",
          "/lost+found/",
          "/proc/",
          "/sbin/",
          "/selinux/",
          "/sys/",
          "/usr/bin/",
          "/usr/lib",
          "/usr/sbin/",
          "/usr/share/",
          "/usr/local/bin/",
          "/usr/local/etc/",
          "/usr/local/lib",
          "/usr/local/sbin/"
      };
      /* these paths are ok for readonly, but not read/write */
      const char * const restricted_rw[] = {
          "/boot/",
          "/vmlinuz",
          "/initrd",
          "/initrd.img",
          "/usr/share/edk2/",
          "/usr/share/OVMF/", /* for OVMF images */
          "/usr/share/ovmf/", /* for OVMF images */
          "/usr/share/AAVMF/", /* for AAVMF images */
          "/usr/share/qemu-efi/", /* for AAVMF images */
          "/usr/share/qemu-efi-aarch64/" /* for AAVMF images */
      };
      /* override the above with these */
      const char * const override[] = {
          "/sys/devices/pci", /* for hostdev pci devices */
          "/sys/kernel/config/target/vhost", /* for hostdev vhost_scsi devices */
          "/etc/libvirt-sandbox/services/" /* for virt-sandbox service config */
      };
"""

Due to that, virt-aa-helper, which is usually responsible for adding the paths mentioned in the guest config, cannot add them.

We cannot change the on-disk location, since they are already out in the field.
Therefore, I think for this particular case we want to add those path prefixes (matching the packaged locations) to explicitly allow them, despite their being under /usr/lib:
- /usr/lib/u-boot/
- /usr/lib/riscv64-linux-gnu/opensbi

I can create a patch for that and build PPAs with it.
If it works fine for us, I can submit that to upstream and, once accepted, we'd drive those fixes into Jammy and Kinetic.
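The following is an added, stand-alone model of the prefix allow/deny logic discussed above, written for this page; it is not libvirt's code and not part of the comment. It uses the three path lists exactly as quoted, adds the two proposed /usr/lib prefixes as a separate `proposed_override` list (an assumption about how the patch would be shaped), and the order in which the lists are consulted (override first, then the read-only list, then the restricted list) is an assumption chosen so that read-only OVMF access works as it does in practice, not a claim about libvirt's exact control flow. It lets you check which firmware paths would be blocked before and after the change, and it also shows a caveat of prefix matching: `/usr/lib/riscv64-linux-gnu/opensbi` without a trailing slash also admits sibling names such as `/usr/lib/riscv64-linux-gnu/opensbi-something/`.

```c
/* Added illustration, not libvirt code: a model of virt-aa-helper's
 * prefix-based path validation with the proposed /usr/lib exceptions.
 * Build: cc -std=c11 -Wall -o valid_path_model valid_path_model.c */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define N_ELEMENTS(a) (sizeof(a) / sizeof((a)[0]))

/* Lists as quoted in the comment above. */
static const char * const restricted[] = {
    "/bin/", "/etc/", "/lib", "/lost+found/", "/proc/", "/sbin/",
    "/selinux/", "/sys/", "/usr/bin/", "/usr/lib", "/usr/sbin/",
    "/usr/share/", "/usr/local/bin/", "/usr/local/etc/",
    "/usr/local/lib", "/usr/local/sbin/"
};
/* Allowed read-only, denied read/write. */
static const char * const restricted_rw[] = {
    "/boot/", "/vmlinuz", "/initrd", "/initrd.img",
    "/usr/share/edk2/", "/usr/share/OVMF/", "/usr/share/ovmf/",
    "/usr/share/AAVMF/", "/usr/share/qemu-efi/",
    "/usr/share/qemu-efi-aarch64/"
};
/* Overrides that win over the lists above. */
static const char * const override[] = {
    "/sys/devices/pci",
    "/sys/kernel/config/target/vhost",
    "/etc/libvirt-sandbox/services/"
};
/* The two prefixes proposed in the comment (assumption: they would be
 * handled like the existing overrides). Note the missing trailing slash
 * on the opensbi entry, which widens what the prefix matches. */
static const char * const proposed_override[] = {
    "/usr/lib/u-boot/",
    "/usr/lib/riscv64-linux-gnu/opensbi"
};

static bool has_prefix_in(const char *path, const char * const *list, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (strncmp(path, list[i], strlen(list[i])) == 0)
            return true;
    return false;
}

/* Returns 0 if the path may be added to the profile, 1 if it is blocked.
 * with_proposal selects whether the proposed prefixes are consulted.
 * Check order is this model's assumption, not libvirt's documented order. */
int model_valid_path(const char *path, bool readonly, bool with_proposal)
{
    if (has_prefix_in(path, override, N_ELEMENTS(override)))
        return 0;
    if (with_proposal &&
        has_prefix_in(path, proposed_override, N_ELEMENTS(proposed_override)))
        return 0;
    /* firmware image directories: fine read-only even though /usr/share/
     * as a whole is restricted; never read/write */
    if (has_prefix_in(path, restricted_rw, N_ELEMENTS(restricted_rw)))
        return readonly ? 0 : 1;
    if (has_prefix_in(path, restricted, N_ELEMENTS(restricted)))
        return 1;
    return 0;
}

int main(void)
{
    /* Constructed sample paths: the two from the comment, a sibling that the
     * slash-less prefix also matches, and a few controls. */
    const char *samples[] = {
        "/usr/lib/u-boot/qemu-riscv64_smode/uboot.elf",
        "/usr/lib/riscv64-linux-gnu/opensbi/generic/fw_jump.elf",
        "/usr/lib/riscv64-linux-gnu/opensbi-other/fw_jump.elf",
        "/usr/lib/x86_64-linux-gnu/libc.so.6",
        "/usr/share/OVMF/OVMF_CODE.fd",
        "/var/lib/libvirt/images/guest.qcow2"
    };
    printf("%-58s %-7s %-7s\n", "path (read-only)", "before", "after");
    for (size_t i = 0; i < N_ELEMENTS(samples); i++)
        printf("%-58s %-7s %-7s\n", samples[i],
               model_valid_path(samples[i], true, false) ? "blocked" : "ok",
               model_valid_path(samples[i], true, true) ? "blocked" : "ok");
    return 0;
}
```

When reviewing such a patch, the thing to check is the third sample row: a prefix without a trailing slash lets any path whose name merely starts with `opensbi` through, so `/usr/lib/riscv64-linux-gnu/opensbi/` is the tighter spelling unless the unslashed form is intended.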