From d88443f1ff243e634ddb8576a363f7a91f8bcba1 Mon Sep 17 00:00:00 2001
Message-ID:
From: Andrea Bolognani
Date: Fri, 6 Feb 2026 17:00:10 +0100
Subject: [PATCH] security: Mark ROMs as read only when using AppArmor
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Before this, attempting to use a ROM that was not explictly marked at read only resulted in an error at startup time.

Signed-off-by: Andrea Bolognani
Reviewed-by: Michal Privoznik
Acked-by: Gerd Hoffmann
Reviewed-by: Daniel P. Berrangé
(cherry picked from commit a32b4a60372eb7907ad05aae924e40dff095efdd)

https://issues.redhat.com/browse/RHEL-82645

Signed-off-by: Andrea Bolognani
---
 src/security/virt-aa-helper.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
index 29e844c7ff..3099e56ec3 100644
--- a/src/security/virt-aa-helper.c
+++ b/src/security/virt-aa-helper.c
@@ -1021,7 +1021,15 @@ get_files(vahControl * ctl)
 if (ctl->def->os.loader && ctl->def->os.loader->path) {
 bool readonly = false;
+
+ /* Look at the readonly attribute, but also keep in mind that ROMs * are always loaded read-only regardless of whether the attribute * is present. Validation ensures that nonsensical configurations * (type=rom readonly=no) are rejected long before we get here */
 virTristateBoolToBool(ctl->def->os.loader->readonly, &readonly);
+ if (ctl->def->os.loader->type == VIR_DOMAIN_LOADER_TYPE_ROM) readonly = true;
+
 if (vah_add_file(&buf, ctl->def->os.loader->path, readonly ? "rk" : "rwk") != 0) {
-- 
2.53.0
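Review bot: The override matches `VIR_DOMAIN_LOADER_TYPE_ROM` exactly, so a loader whose `type` is still at its unset/zero value and that carries no `readonly` attribute keeps the `"rwk"` permission chosen on the `vah_add_file()` line, which is the wider grant the patch is otherwise removing for ROMs. Whether such a definition can reach virt-aa-helper depends on post-parse defaults for a missing `type` attribute that are not visible in this hunk, so this is worth confirming rather than a certain defect; if it can, `if (ctl->def->os.loader->type != VIR_DOMAIN_LOADER_TYPE_PFLASH) readonly = true;` would keep every non-pflash loader at read-only, with the comment above adjusted to say so. Placing the override after `virTristateBoolToBool()` is what makes it authoritative: an explicit `readonly=no` can no longer widen the profile for a ROM even for XML that the helper itself did not validate, and a short comment such as `/* applied after the attribute lookup so the ROM type always wins */` would make that ordering intent explicit. get_files() starts before this hunk and continues past it.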