lxd/apparmor/instance: Update instanceProfile to use start time firmw…

…are path

Rather than allowing access to all potential firmware directories.

Signed-off-by: Thomas Parrott <[email protected]>

lxd/apparmor/instance.go

@@ -26,6 +26,12 @@ type instance interface {
 	DevicesPath() string
 }
 
+type instanceVM interface {
+	instance
+
+	FirmwarePath() string
+}
+
 // InstanceProfileName returns the instance's AppArmor profile name.
 func InstanceProfileName(inst instance) string {
 	path := shared.VarPath("")
@@ -194,9 +200,18 @@ func instanceProfile(sysOS *sys.OS, inst instance) (string, error) {
 			return "", err
 		}
 
-		qemuFwPathsArr, err := util.GetQemuFwPaths()
-		if err != nil {
-			return "", err
+		vmInst, ok := inst.(instanceVM)
+		if !ok {
+			return "", fmt.Errorf("Instance is not VM type")
+		}
+
+		// Get start time firmware path to allow access to it.
+		firmwarePath := vmInst.FirmwarePath()
+		if firmwarePath != "" {
+			firmwarePath, err = filepath.EvalSymlinks(firmwarePath)
+			if err != nil {
+				return "", fmt.Errorf("Failed finding firmware: %w", err)
+			}
 		}
 
 		execPath := util.GetExecPath()
@@ -216,7 +231,7 @@ func instanceProfile(sysOS *sys.OS, inst instance) (string, error) {
 			"rootPath":          rootPath,
 			"snap":              shared.InSnap(),
 			"userns":            sysOS.RunningInUserNS,
-			"qemuFwPaths":       qemuFwPathsArr,
+			"firmwarePath":      firmwarePath,
 			"snapExtQemuPrefix": os.Getenv("SNAP_QEMU_PREFIX"),
 		})
 		if err != nil {

lxd/apparmor/instance_qemu.go

@@ -102,13 +102,9 @@ profile "{{ .name }}" flags=(attach_disconnected,mediate_deleted) {
 {{- end }}
 {{- end }}
 
-{{if .qemuFwPaths -}}
-  # Entries from LXD_OVMF_PATH or LXD_QEMU_FW_PATH
-{{range $index, $element := .qemuFwPaths}}
-  {{$element}}/OVMF_CODE.fd   kr,
-  {{$element}}/OVMF_CODE.*.fd kr,
-  {{$element}}/*bios*.bin     kr,
-{{- end }}
+{{if .firmwarePath -}}
+  # Firmware path
+  {{ .firmwarePath }}                         kr,
 {{- end }}
 
 {{- if .raw }}