To: devel@lists.libvirt.org
Subject: [RFC PATCH v3 2/4] qemu: Add cgroup, namespace, and seclabel setup for EGM memory device model
Date: Tue, 25 Nov 2025 11:17:02 -0800
Message-ID: <20251125191704.644477-3-nathanc@nvidia.com>
In-Reply-To: <20251125191704.644477-1-nathanc@nvidia.com>
References: <20251125191704.644477-1-nathanc@nvidia.com>
X-Mailer: git-send-email 2.43.0
From: Nathan Chen via Devel
Reply-To: Nathan Chen
X-MailFrom: nathanc@nvidia.com
CC: skolothumtho@nvidia.com, nicolinc@nvidia.com, nathanc@nvidia.com, mochs@nvidia.com
List-Id: Development discussions about the libvirt library & tools

Implement proper isolation and access control for EGM memory devices:
- Add device to cgroup for access control
- Set up namespace mappings for device access
- Ensure proper permissions in containerized environments
- Allow EGM device path access to bypass SELinux, AppArmor, and DAC permissions

Signed-off-by: Nathan Chen
---
 src/qemu/qemu_cgroup.c                     | 10 ++++++++++
 src/qemu/qemu_namespace.c                  |  3 +++
 src/security/apparmor/usr.sbin.libvirtd.in |  3 +++
 src/security/security_apparmor.c           |  2 ++
 src/security/security_dac.c                |  8 ++++++++
 src/security/security_selinux.c            |  6 ++++++
 src/security/virt-aa-helper.c              |  4 ++++
 7 files changed, 36 insertions(+)
diff --git a/src/qemu/qemu_cgroup.c b/src/qemu/qemu_cgroup.c index 7dadef0739..8b70740121 100644 --- a/src/qemu/qemu_cgroup.c +++ b/src/qemu/qemu_cgroup.c @@ -577,6 +577,11 @@ qemuSetupMemoryDevicesCgroup(virDomainObj *vm, VIR_CGROUP_DEVICE_RW, false) < 0) return -1; break; + case VIR_DOMAIN_MEMORY_MODEL_EGM: + if (qemuCgroupAllowDevicePath(vm, mem->source.egm.path, + VIR_CGROUP_DEVICE_RW, false) < 0) + return -1; + break; case VIR_DOMAIN_MEMORY_MODEL_NONE: case VIR_DOMAIN_MEMORY_MODEL_DIMM: case VIR_DOMAIN_MEMORY_MODEL_VIRTIO_MEM: @@ -615,6 +620,11 @@ qemuTeardownMemoryDevicesCgroup(virDomainObj *vm, VIR_CGROUP_DEVICE_RW, false) < 0) return -1; break; + case VIR_DOMAIN_MEMORY_MODEL_EGM: + if (qemuCgroupDenyDevicePath(vm, mem->source.egm.path, + VIR_CGROUP_DEVICE_RWM, false) < 0) + return -1; + break; case VIR_DOMAIN_MEMORY_MODEL_NONE: case VIR_DOMAIN_MEMORY_MODEL_DIMM: case VIR_DOMAIN_MEMORY_MODEL_VIRTIO_MEM: diff --git a/src/qemu/qemu_namespace.c b/src/qemu/qemu_namespace.c index c689cc3e40..f6404cb280 100644 --- a/src/qemu/qemu_namespace.c +++ b/src/qemu/qemu_namespace.c @@ -394,6 +394,9 @@ qemuDomainSetupMemory(virDomainMemoryDef *mem, *paths =3D g_slist_prepend(*paths, g_strdup(QEMU_DEV_SGX_VEPVC)); *paths =3D g_slist_prepend(*paths, g_strdup(QEMU_DEV_SGX_PROVISION= )); break; + case VIR_DOMAIN_MEMORY_MODEL_EGM: + *paths =3D g_slist_prepend(*paths, g_strdup(mem->source.egm.path)); + break; =20 case VIR_DOMAIN_MEMORY_MODEL_NONE: case VIR_DOMAIN_MEMORY_MODEL_DIMM: diff --git a/src/security/apparmor/usr.sbin.libvirtd.in b/src/security/appa= rmor/usr.sbin.libvirtd.in index 6267e4f737..2a6a4b979c 100644 --- a/src/security/apparmor/usr.sbin.libvirtd.in +++ b/src/security/apparmor/usr.sbin.libvirtd.in 
@@ -47,6 +47,9 @@ profile libvirtd @sbindir@/libvirtd flags=3D(attach_disco= nnected) { mount options=3D(rw, move) /{,var/}run/libvirt/qemu/*{,/} -> /dev/**, umount /{,var/}run/libvirt/qemu/*{,/}, =20 + # Allow bind mounting EGM devices into qemu namespaces + mount options=3D(rw, bind) /dev/egm* -> /{,var/}run/libvirt/qemu/**, + network inet stream, network inet dgram, network inet6 stream, diff --git a/src/security/security_apparmor.c b/src/security/security_appar= mor.c index 68ac39611f..ea04e756d6 100644 --- a/src/security/security_apparmor.c +++ b/src/security/security_apparmor.c @@ -631,6 +631,8 @@ AppArmorSetMemoryLabel(virSecurityManager *mgr, case VIR_DOMAIN_MEMORY_MODEL_DIMM: case VIR_DOMAIN_MEMORY_MODEL_VIRTIO_MEM: case VIR_DOMAIN_MEMORY_MODEL_SGX_EPC: + case VIR_DOMAIN_MEMORY_MODEL_EGM: + path =3D mem->source.egm.path; case VIR_DOMAIN_MEMORY_MODEL_LAST: break; } diff --git a/src/security/security_dac.c b/src/security/security_dac.c index 2f788b872a..2d79009ee9 100644 --- a/src/security/security_dac.c +++ b/src/security/security_dac.c @@ -1890,6 +1890,9 @@ virSecurityDACRestoreMemoryLabel(virSecurityManager *= mgr, * don't need to restore anything. */ break; =20 + case VIR_DOMAIN_MEMORY_MODEL_EGM: + return virSecurityDACRestoreFileLabel(mgr, mem->source.egm.path); + case VIR_DOMAIN_MEMORY_MODEL_DIMM: case VIR_DOMAIN_MEMORY_MODEL_VIRTIO_MEM: case VIR_DOMAIN_MEMORY_MODEL_LAST: @@ -2121,6 +2124,11 @@ virSecurityDACSetMemoryLabel(virSecurityManager *mgr, return -1; break; =20 + case VIR_DOMAIN_MEMORY_MODEL_EGM: + return virSecurityDACSetOwnership(mgr, NULL, + mem->source.egm.path, + user, group, true); + case VIR_DOMAIN_MEMORY_MODEL_DIMM: case VIR_DOMAIN_MEMORY_MODEL_VIRTIO_MEM: case VIR_DOMAIN_MEMORY_MODEL_LAST: diff --git a/src/security/security_selinux.c b/src/security/security_selinu= x.c index 2f3cc274a5..b288778634 100644 --- a/src/security/security_selinux.c +++ b/src/security/security_selinux.c 
@@ -1666,6 +1666,9 @@ virSecuritySELinuxSetMemoryLabel(virSecurityManager *= mgr, seclabel->imagelabel, true) < 0) return -1; break; + case VIR_DOMAIN_MEMORY_MODEL_EGM: + path =3D mem->source.egm.path; + break; =20 case VIR_DOMAIN_MEMORY_MODEL_NONE: case VIR_DOMAIN_MEMORY_MODEL_DIMM: @@ -1709,6 +1712,9 @@ virSecuritySELinuxRestoreMemoryLabel(virSecurityManag= er *mgr, if (virSecuritySELinuxRestoreFileLabel(mgr, DEV_SGX_PROVISION, tru= e, false) < 0) ret =3D -1; return ret; + case VIR_DOMAIN_MEMORY_MODEL_EGM: + path =3D mem->source.egm.path; + break; =20 case VIR_DOMAIN_MEMORY_MODEL_DIMM: case VIR_DOMAIN_MEMORY_MODEL_VIRTIO_MEM: diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c index de0a826063..0e387dd4be 100644 --- a/src/security/virt-aa-helper.c +++ b/src/security/virt-aa-helper.c @@ -1194,6 +1194,10 @@ get_files(vahControl * ctl) return -1; } break; + case VIR_DOMAIN_MEMORY_MODEL_EGM: + if (vah_add_file(&buf, mem->source.egm.path, "rw") !=3D 0) + return -1; + break; =20 case VIR_DOMAIN_MEMORY_MODEL_DIMM: case VIR_DOMAIN_MEMORY_MODEL_VIRTIO_MEM: --=20 2.43.0
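Review bot: in the qemuTeardownMemoryDevicesCgroup hunk of src/qemu/qemu_cgroup.c the EGM arm denies VIR_CGROUP_DEVICE_RWM, while the setup hunk above only ever allowed VIR_CGROUP_DEVICE_RW and the arm immediately before it in the visible context denies RW. Denying a superset is harmless, but the asymmetry reads like a copy-and-paste slip and makes the teardown look unrelated to the setup; use `VIR_CGROUP_DEVICE_RW` in both places (or RWM in both) so that allow and deny match.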
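Review bot: the new libvirtd profile rule `mount options=(rw, bind) /dev/egm* -> /{,var/}run/libvirt/qemu/**,` hard-codes a /dev/egm* naming pattern, but the path that the qemu_namespace.c hunk bind-mounts into the domain's private /dev is whatever `mem->source.egm.path` the domain XML supplies. Under AppArmor a device node outside that glob will be accepted by the XML parser and the cgroup code and then fail at the bind mount, with a confusing error at domain start. Either document that EGM device paths must match /dev/egm*, validate the path against that pattern where the XML is parsed, or widen the rule to the device glob the driver actually accepts. If the tree also ships a separate profile for the modular virtqemud daemon, the same rule is needed there.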
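Review bot: in the AppArmorSetMemoryLabel hunk of src/security/security_apparmor.c the `case VIR_DOMAIN_MEMORY_MODEL_EGM:` label is placed after the stacked DIMM, VIRTIO_MEM and SGX_EPC labels, so in C all four labels now lead to `path = mem->source.egm.path;` and those three non-EGM models read a union member that is not valid for them before falling through to `case VIR_DOMAIN_MEMORY_MODEL_LAST: break;`. That both changes the behaviour of the existing models (a non-NULL `path` will be acted on after the switch) and leaves the EGM arm without its own `break;`. Give EGM a separate arm above that group, `case VIR_DOMAIN_MEMORY_MODEL_EGM: path = mem->source.egm.path; break;`, and leave DIMM/VIRTIO_MEM/SGX_EPC/LAST as a pure `break`.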
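Review bot: both src/security/security_dac.c hunks return straight out of the switch (`return virSecurityDACRestoreFileLabel(mgr, mem->source.egm.path);` and `return virSecurityDACSetOwnership(mgr, NULL, mem->source.egm.path, user, group, true);`), whereas the neighbouring arms, as the visible `return -1; break;` context shows, test for failure and then `break` to the common exit. An early return skips whatever runs after the switch and makes these arms read differently from the rest of each function; write them in the same form, `if (virSecurityDACSetOwnership(mgr, NULL, mem->source.egm.path, user, group, true) < 0) return -1; break;`, and the equivalent for the restore path.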
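Review bot: the src/security/virt-aa-helper.c hunk grants the per-domain qemu profile `rw` on mem->source.egm.path, which together with the libvirtd bind-mount rule is what makes the device usable under AppArmor; nothing in the patch bypasses a security driver. The commit message's last bullet ("Allow EGM device path access to bypass SELinux, AppArmor, and DAC permissions") should instead say that the device node is labelled for the domain under each security driver, since "bypass" will alarm anyone auditing this change later and misdescribes what the DAC, SELinux and AppArmor hunks do.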