From nobody Mon Mar 23 23:25:46 2026
Delivered-To: importer@patchew.org
Received-SPF: pass (zohomail.com: domain of lists.libvirt.org designates
 8.43.85.245 as permitted sender) client-ip=8.43.85.245;
 envelope-from=devel-bounces@lists.libvirt.org; helo=lists.libvirt.org;
Authentication-Results: mx.zohomail.com;
	dkim=fail;
	spf=pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as
 permitted sender)  smtp.mailfrom=devel-bounces@lists.libvirt.org;
	dmarc=pass(p=reject dis=none)  header.from=lists.libvirt.org
ARC-Seal: i=1; a=rsa-sha256; t=1773756503; cv=none;
	d=zohomail.com; s=zohoarc;
	b=mId35jqmoqnRtUpOurhvG02ijJpW0FpI5aYtC0yJOj2eULFnuZGsuGVEPRmfZII0+xYjFc1xkDKGQec/C8sOrl46YzprArNjnRWmn6kuVe54dGeIT6zc9azkpc8Ky1ahQNil35w0EVg1k0fjvQNduSlO4R4HVizTJ8kqUl8QSN8=
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com;
 s=zohoarc;
	t=1773756503;
 h=Content-Type:Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:List-Subscribe:List-Post:List-Owner:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:Reply-To:Subject:Subject:To:To:Message-Id;
	bh=wreAXbhj8IJ8zVgBb90UFii8S5PL9PUNU3MWUmgWCYM=;
	b=lOJzt+CLqZ3U0iUoeZdPXM636lbexpnQoFoGIOvZUT2YEjIMCk220rm1SkBvwVNn2BZozZSVZc9mkNrL/RYVCBTICfXBGC9S19RxyVbGD3VS1V4PQwkc5paEN70NHzMHfMyV0FyalJSpoADosvvAXnmzjlqI8SrXVZIv5f1huJQ=
ARC-Authentication-Results: i=1; mx.zohomail.com;
	dkim=fail;
	spf=pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as
 permitted sender)  smtp.mailfrom=devel-bounces@lists.libvirt.org;
	dmarc=pass header.from=<devel@lists.libvirt.org> (p=reject dis=none)
Return-Path: <devel-bounces@lists.libvirt.org>
Received: from lists.libvirt.org (lists.libvirt.org [8.43.85.245]) by
 mx.zohomail.com
	with SMTPS id 1773756503205325.6361938258656;
 Tue, 17 Mar 2026 07:08:23 -0700 (PDT)
Received: by lists.libvirt.org (Postfix, from userid 993)
	id 3DB893F83C; Tue, 17 Mar 2026 10:08:22 -0400 (EDT)
Received: from [172.19.199.12] (lists.libvirt.org [8.43.85.245])
	by lists.libvirt.org (Postfix) with ESMTP id B911141960;
	Tue, 17 Mar 2026 10:07:27 -0400 (EDT)
Received: by lists.libvirt.org (Postfix, from userid 993)
	id 5EF8D3F359; Tue, 17 Mar 2026 10:07:23 -0400 (EDT)
Received: from smtp-relay-internal-0.canonical.com
 (smtp-relay-internal-0.canonical.com [185.125.188.122])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (3072 bits) server-digest
 SHA256)
	(No client certificate requested)
	by lists.libvirt.org (Postfix) with ESMTPS id 1CD5C3F8B0
	for <devel@lists.libvirt.org>; Tue, 17 Mar 2026 10:07:22 -0400 (EDT)
Received: from mail-yx1-f71.google.com (mail-yx1-f71.google.com
 [74.125.224.71])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest
 SHA256)
	(No client certificate requested)
	by smtp-relay-internal-0.canonical.com (Postfix) with ESMTPS id D52623FB9C
	for <devel@lists.libvirt.org>; Tue, 17 Mar 2026 14:07:19 +0000 (UTC)
Received: by mail-yx1-f71.google.com with SMTP id
 956f58d0204a3-64e89d070a7so2605258d50.1
        for <devel@lists.libvirt.org>; Tue, 17 Mar 2026 07:07:19 -0700 (PDT)
Received: from noble.lxd ([147.219.77.79])
        by smtp.gmail.com with ESMTPSA id
 956f58d0204a3-64e65b636d3sm7466738d50.17.2026.03.17.07.07.15
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Tue, 17 Mar 2026 07:07:15 -0700 (PDT)
X-Spam-Checker-Version: SpamAssassin 4.0.1 (2024-03-26) on lists.libvirt.org
X-Spam-Level: 
X-Spam-Status: No, score=-1.3 required=5.0 tests=BAYES_00,DKIM_INVALID,
	DKIM_SIGNED,HELO_MISC_IP,MAILING_LIST_MULTI,RCVD_IN_BL_SPAMCOP_NET,
	RCVD_IN_DNSWL_MED,RCVD_IN_VALIDITY_CERTIFIED_BLOCKED,
	RCVD_IN_VALIDITY_RPBL_BLOCKED,RCVD_IN_VALIDITY_SAFE_BLOCKED,SPF_PASS
	autolearn=no autolearn_force=no version=4.0.1
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=canonical.com;
	s=20251003; t=1773756439;
	bh=wreAXbhj8IJ8zVgBb90UFii8S5PL9PUNU3MWUmgWCYM=;
	h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:To:Cc;
	b=YnYS+zDgU1A04UEHfy13rEXHx3EPGctdKykZts8wMQZ/QJ1Wr3DFBT9tznt9vR4SJ
	 cgDPO148d3yc3Kn39trIEz4QlNiMclvoMRVO7vk1hTrl5vaaiahMo4nTJA+rTum7Ck
	 c/QXUWRSELjk3puJxvQqnLMfgpiXOkJuoqPBHLV/XZ1pt8Mo1Kxja2zIgONxW03yka
	 wB0v/UZkjQMO2vvZ01R29JZSScPAGvJ/iiX+GuJp0mFjDMX/YJ2ZjnDjHgktBXNNJ+
	 cOh5t511MF4yPaiAg+4SZtG0GAWc3rTNrkhZTOyYRAwEOs15Yx8iz4hraZdPJgA8Ss
	 YX3Z5cxlFbWo8L4gCyQkWFo/PwzggLSq6XmBcu+TAm/YlrkWhD9QANZ8kVdqq4d3Od
	 1pGIAC+SN7E6/4K6PI1OFLxVNxWtmxAntzOXFWlIeDlCvjjbeY3xIZBRx710o2zZV3
	 wh1VGjaZor3QxRhUMrEFGC96A9yP++3DdRRe1f9xoBPVNOytZg9XDIoGdm4p5AnI5o
	 FZLGSTA7QLvqsaqxgXZgHYmq2pmQKjvrEaGAVyDoRFhuHEqRj+eFgFetatUOzjdCzc
	 3afBuQZWhGlo+TMy8WaQ1J/ImdRe4K/8XprQ49olzE/M0w+UH92PQ88k+ieomom6GF
	 letUeC/5BKgqzg/qE1yZ7og8=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20251104; t=1773756439; x=1774361239;
        h=cc:to:message-id:content-transfer-encoding:mime-version:subject
         :date:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date
         :message-id:reply-to;
        bh=wreAXbhj8IJ8zVgBb90UFii8S5PL9PUNU3MWUmgWCYM=;
        b=i7RtimYO9Nex6yR2OaruFo42heszXViXBh7IIYqLMB7PJtl3ocK005oMWVAQ+RDVSi
         kPQmDWKxJg2mP9LKC5V1/21cmQsB591CHvWz/gp3tidEJIGVgL6DF8MMcNotXukayz7K
         iMqp576Z711yaPhHdamjiX5srIzPFgQ54MRQT2SfaNijP9Oabvq41hUTFqMoNvf6z6S7
         NWQ7/psrRUROnR8sWIe1a8iK7DRSpAo2we5/yl82AB9+ysNzTk0YEPIEmTuc4unTmfol
         R4P+GSsGiGYaPWS8qdRNnHRnzU0sJPnDObgrEt4yojiD85W6jWjVa6dzA+ERVVsjWPGe
         DI0A==
X-Gm-Message-State: AOJu0Yyt6fVii3gjjqzz17Ab3UrLR4SnKi83R8gyw+DhgYWBHOM2+E1/
	P0RTSqTJIxtqu82ueU+R551q077TQ9V8xQ61rkxVQ8Y8+/I/pR2fMC1d6uBZS5Qr44OQr90vfxO
	M3NFzip8OZa5dpSEMEOTg+7xo9QxjEEg6xIyL7Vhibl0tyE21kr89Phn0WUsfmOGQk1MD49C+YD
	0=
X-Gm-Gg: ATEYQzzP2SikUnBEMcH0Ofylf2yhXUrPejBdBC3HMY8184reuGVrgf2WiTAOdr92sV0
	ws4S6XKQtcl1FMW7xDvCkeV64VNqY4AGeyWMvX0jVSGIjMV3ZXVOoGHe0KkfY+wVlUnzJWXrlSr
	uHUAdqZDdtVndXQclFMmQux3eNYr4o1tLT9LwOFdJ5fgdGzjOKBlBJLtzllcC9QUDaTV6UBn31t
	guPTWU1aowcp3OjuOKeGezwaGVOe3xm7U5vyZUtcn2I8d/blVRAUwm+xGcKOBqW6IGr3F0YVOQJ
	69XXRDAnhLoGz2d8naChDd/UdUiQPA9AzDxIRI8wdv2GO2pkueXDWRrnP8Yz78MQ472J23+wvHE
	nZPXVl5mhRbpKJEgvEtEqffb2P2b2Tu7LRQ==
X-Received: by 2002:a05:690e:205c:b0:64a:d85b:c214 with SMTP id
 956f58d0204a3-64e6308db19mr12844387d50.44.1773756438510;
        Tue, 17 Mar 2026 07:07:18 -0700 (PDT)
X-Received: by 2002:a05:690e:205c:b0:64a:d85b:c214 with SMTP id
 956f58d0204a3-64e6308db19mr12844213d50.44.1773756436406;
        Tue, 17 Mar 2026 07:07:16 -0700 (PDT)
Date: Tue, 17 Mar 2026 09:06:55 -0500
Subject: [PATCH v3] qemu: Store tapfd path in domstatus XML
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Message-Id: <20260317-apparmor-races-v3-1-5c7423fa48d4@canonical.com>
X-B4-Tracking: v=1; b=H4sIAP9fuWkC/3XMTQrCMBCG4auUrB1JJv40rryHuEiTqQ3YpCQSl
 JK7m3YjKG4G3oHvmVmi6CixUzOzSNklF3wNuWmYGbS/EThbmyHHAxd8D3qadBxDhKgNJbBcomy
 JdlZJVkdTpN49V/ByrT249AjxtfpZLN+/VBbAQUk0PSeleHc8G+2Dd0bftyaMbOEyfoh6fggEA
 dZSZ3pqJVr8Jkopb5XEHg/zAAAA
To: devel@lists.libvirt.org
X-Mailer: b4 0.13.0
X-Developer-Signature: v=1; a=openpgp-sha256; l=12522;
 i=wesley.hershberger@canonical.com; h=from:subject:message-id;
 bh=SvQXIUY3CeD+1RkB5ATMuofbGTRkGENynHjyQq0JRu4=;
 b=owEB7QES/pANAwAKAfkogKziOh25AcsmYgBpuWATy9RKn4C11tLcIzJA81jaFwGLuzmmhfWl6
 pKpFzVR2dOJAbMEAAEKAB0WIQQsIHxFLwpehxEbQ8r5KICs4joduQUCablgEwAKCRD5KICs4jod
 uXuAC/9G1azUsmWN4DCmmi/R2zr6+AGi65QPcM49lZ7rg01h/+eHI+QCm/OrEe+fBCr5kXpQzKO
 aUfA/BmKUaGn8kTqj1jLgn919JJNdGBMVqCafSAQEi0SVySm5AwoM4e3ro8m+L0Q9naT7VH3b78
 YPD+d4shUD/R5DPumbPA+oJJJZnmx6kHWgU2Elq3rxZptls8VSF21x5lJO6zOFIgAHwZgzWcGw2
 cRtBbNW7A5lLKYGsAoL2pY9jbMalmylcqZ+6mMatgP6G96Xt1EqR0PXIwrMBEgo9cLIAuA/3wO8
 9UQWua3gZGswSibaH3TVonc1cLr6zVmmYXy+b/iiIMe5BVRgNjkoliYfD3xfWyjoNDOJ1UxQi3e
 DsPZz6+FQvb2aoUgJQGuQWMZEz6Pmk0iezflZTe6QACCbdZROxWdTlk752KJA/P25A1LzltbzFI
 qcxkZlSvucLKazJoNa2JzAxfg/n7L6PL4lPHIR/PCyZuvBswenMDENPGGHeIIJgzahL50=
X-Developer-Key: i=wesley.hershberger@canonical.com; a=openpgp;
 fpr=2C207C452F0A5E87111B43CAF92880ACE23A1DB9
Message-ID-Hash: 6YBDS6AFDDAJ2UNTZG7JYWBC2B4EK6GT
X-Message-ID-Hash: 6YBDS6AFDDAJ2UNTZG7JYWBC2B4EK6GT
X-MailFrom: wesley.hershberger@canonical.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop;
 banned-address; header-match-devel.lists.libvirt.org-0; emergency;
 member-moderation; nonmember-moderation; administrivia; implicit-dest;
 max-recipients; max-size; news-moderation; no-subject; digests;
 suspicious-header
CC: wesley.hershberger@canonical.com, georgia.garcia@canonical.com,
 hector.cao@canonical.com
X-Mailman-Version: 3.3.10
Precedence: list
List-Id: Development discussions about the libvirt library & tools
 <devel.lists.libvirt.org>
Archived-At: 
 <https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/message/6YBDS6AFDDAJ2UNTZG7JYWBC2B4EK6GT/>
List-Archive: 
 <https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/>
List-Help: <mailto:devel-request@lists.libvirt.org?subject=help>
List-Owner: <mailto:devel-owner@lists.libvirt.org>
List-Post: <mailto:devel@lists.libvirt.org>
List-Subscribe: <mailto:devel-join@lists.libvirt.org>
List-Unsubscribe: <mailto:devel-leave@lists.libvirt.org>
From: Wesley Hershberger via Devel <devel@lists.libvirt.org>
Reply-To: Wesley Hershberger <wesley.hershberger@canonical.com>
X-ZohoMail-DKIM: fail (Header signature does not verify)
X-ZM-MESSAGEID: 1773756506442154100

Introduce a read-only `tapfd` element for direct interfaces (macvtap),
which contains the path to the backing tapfd for that interface
(e.g. `/dev/tapXX`).

The element is only included when the domain is being formatted for
internal consumption (VIR_DOMAIN_DEF_FORMAT_STATUS) and is not accepted
in user-provided XML (!VIR_DOMAIN_DEF_PARSE_INACTIVE).

This is used by the AppArmor security driver when re-generating profiles.

Partial-Resolves: https://gitlab.com/libvirt/libvirt/-/issues/692
Bug-Ubuntu: https://bugs.launchpad.net/bugs/2126574
Signed-off-by: Wesley Hershberger <wesley.hershberger@canonical.com>
---
Resending this patch as I've not recieved a response on my previous
submission. Fixed the bug URL in the commit message as I missed that
feedback item on my last mail.

This submission is a partial revision of a previous series with a fix
for the macvtap component of gitlab#692 [1][2]. I haven't had bandwidth
to resolve the blockcommit component since the complexity there is
somewhat higher (and is also lower priority for us).

I kept the separate `tapfd` element rather than reusing the existing
`backend` element (virDomainNetBackend.tap) to avoid making a
user-visible change [3]. I'd be happy to use the existing field instead
if you think that would make more sense.

I opted not to introduce/modify a security driver API for FD+path as the
patch here is sufficient to resolve the bug, but would be willing to do
so if that would make this change more palatable.

I've opened a MR to libvirt-tck with test cases that demonstrate the
bugs that this fixes [4]. apparmor/110-macvtap.t passes with this patch
applied.

Thanks for the reviews and continued consideration.
~Wesley

[1] https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/thread/=
UNNBQCMTOCLILQFBDG75734OCQZIXWQF/
[2] https://gitlab.com/libvirt/libvirt/-/issues/692
[3] https://libvirt.org/formatdomain.html#setting-network-backend-specific-=
options
[4] https://gitlab.com/libvirt/libvirt-tck/-/merge_requests/73
---
Changes in v3:
- Fix buglink in commit message
- Link to v2: https://lists.libvirt.org/archives/list/devel@lists.libvirt.o=
rg/thread/IPEBLU63JTLWMHZZDEP3KQ6AMVC53VKR/

Changes in v2:
- Drop `virt-aa-helper: Ask for no deny rule...` as it was applied
- Drop `qemu: Store blockcommit permissions...` due to unresolved concerns
- Pass tapfd path through netdef instead of resolving from fd
- Link to v1: https://lists.libvirt.org/archives/list/devel@lists.libvirt.o=
rg/thread/UNNBQCMTOCLILQFBDG75734OCQZIXWQF/
---
 src/conf/domain_conf.c            |  8 ++++++++
 src/conf/domain_conf.h            |  1 +
 src/hypervisor/domain_interface.c |  2 +-
 src/lxc/lxc_process.c             |  1 +
 src/qemu/qemu_interface.c         |  1 +
 src/security/security_apparmor.c  |  1 +
 src/security/virt-aa-helper.c     |  5 +++++
 src/util/virnetdevmacvlan.c       | 18 +++++++++++-------
 src/util/virnetdevmacvlan.h       |  4 +++-
 9 files changed, 32 insertions(+), 9 deletions(-)

diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c
index 03a05366e1..9714a1e141 100644
--- a/src/conf/domain_conf.c
+++ b/src/conf/domain_conf.c
@@ -2971,6 +2971,7 @@ virDomainNetDefFree(virDomainNetDef *def)
     g_free(def->virtio);
     g_free(def->coalesce);
     g_free(def->sourceDev);
+    g_free(def->tapfdpath);
=20
     virNetDevIPInfoClear(&def->guestIP);
     virNetDevIPInfoClear(&def->hostIP);
@@ -10634,6 +10635,10 @@ virDomainNetDefParseXML(virDomainXMLOption *xmlopt,
             return NULL;
     }
=20
+    if (!(flags & VIR_DOMAIN_DEF_PARSE_INACTIVE)) {
+        def->tapfdpath =3D virXPathString("string(./tapfd/@path)", ctxt);
+    }
+
     if (virNetworkPortOptionsParseXML(ctxt, &def->isolatedPort) < 0)
         return NULL;
=20
@@ -26004,6 +26009,9 @@ virDomainNetDefFormat(virBuffer *buf,
     if (def->mtu)
         virBufferAsprintf(buf, "<mtu size=3D'%u'/>\n", def->mtu);
=20
+    if (def->tapfdpath && (flags & VIR_DOMAIN_DEF_FORMAT_STATUS))
+        virBufferAsprintf(buf, "<tapfd path=3D'%s'/>\n", def->tapfdpath);
+
     virDomainNetDefCoalesceFormatXML(buf, def->coalesce);
=20
     virDomainDeviceInfoFormat(buf, &def->info, flags | VIR_DOMAIN_DEF_FORM=
AT_ALLOW_BOOT
diff --git a/src/conf/domain_conf.h b/src/conf/domain_conf.h
index e63230beec..3bb4de6274 100644
--- a/src/conf/domain_conf.h
+++ b/src/conf/domain_conf.h
@@ -1212,6 +1212,7 @@ struct _virDomainNetDef {
     char *downscript;
     char *domain_name; /* backend domain name */
     char *ifname; /* interface name on the host (<target dev=3D'x'/>) */
+    char *tapfdpath; /* Path in /dev for macvtap (<tapfd path=3D"/dev/tapX=
X">) */
     virTristateBool managed_tap;
     virNetDevIPInfo hostIP;
     char *ifname_guest_actual;
diff --git a/src/hypervisor/domain_interface.c b/src/hypervisor/domain_inte=
rface.c
index 5bc698d272..37e3d453a0 100644
--- a/src/hypervisor/domain_interface.c
+++ b/src/hypervisor/domain_interface.c
@@ -111,7 +111,7 @@ virDomainInterfaceEthernetConnect(virDomainDef *def,
=20
         if (virNetDevMacVLanIsMacvtap(net->ifname)) {
             auditdev =3D net->ifname;
-            if (virNetDevMacVLanTapOpen(net->ifname, tapfd, tapfdSize) < 0)
+            if (virNetDevMacVLanTapOpen(net->ifname, tapfd, tapfdSize, &ne=
t->tapfdpath) < 0)
                 goto cleanup;
             if (virNetDevMacVLanTapSetup(tapfd, tapfdSize,
                                          virDomainInterfaceIsVnetCompatMod=
el(net)) < 0) {
diff --git a/src/lxc/lxc_process.c b/src/lxc/lxc_process.c
index 1bca9e8dae..c731b28871 100644
--- a/src/lxc/lxc_process.c
+++ b/src/lxc/lxc_process.c
@@ -379,6 +379,7 @@ virLXCProcessSetupInterfaceDirect(virLXCDriver *driver,
             VIR_NETDEV_VPORT_PROFILE_OP_CREATE,
             cfg->stateDir,
             NULL, 0,
+            &net->tapfdpath,
             macvlan_create_flags) < 0)
         return NULL;
=20
diff --git a/src/qemu/qemu_interface.c b/src/qemu/qemu_interface.c
index 23a23d201a..edc53d53b3 100644
--- a/src/qemu/qemu_interface.c
+++ b/src/qemu/qemu_interface.c
@@ -81,6 +81,7 @@ qemuInterfaceDirectConnect(virDomainDef *def,
                                                &res_ifname,
                                                vmop, cfg->stateDir,
                                                tapfd, tapfdSize,
+                                               &net->tapfdpath,
                                                macvlan_create_flags) < 0)
         goto cleanup;
=20
diff --git a/src/security/security_apparmor.c b/src/security/security_appar=
mor.c
index 40f13ec1a5..3ff80e1dc9 100644
--- a/src/security/security_apparmor.c
+++ b/src/security/security_apparmor.c
@@ -156,6 +156,7 @@ load_profile(virSecurityManager *mgr G_GNUC_UNUSED,
=20
     if (virDomainDefFormatInternal(def, NULL, &buf,
                                    VIR_DOMAIN_DEF_FORMAT_SECURE |
+                                   VIR_DOMAIN_DEF_FORMAT_STATUS |
                                    VIR_DOMAIN_DEF_FORMAT_VOLUME_TRANSLATED=
) < 0)
         return -1;
=20
diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
index e932e79dab..60e03c2ce8 100644
--- a/src/security/virt-aa-helper.c
+++ b/src/security/virt-aa-helper.c
@@ -1192,6 +1192,11 @@ get_files(vahControl * ctl)
                                      vhu->type) !=3D 0)
                 return -1;
         }
+
+        if (net->tapfdpath) {
+            if (vah_add_file(&buf, net->tapfdpath, "rwk") !=3D 0)
+                return -1;
+        }
     }
=20
     for (i =3D 0; i < ctl->def->nmems; i++) {
diff --git a/src/util/virnetdevmacvlan.c b/src/util/virnetdevmacvlan.c
index cde9d70eef..fcf63e08ff 100644
--- a/src/util/virnetdevmacvlan.c
+++ b/src/util/virnetdevmacvlan.c
@@ -152,24 +152,24 @@ int virNetDevMacVLanDelete(const char *ifname)
 int
 virNetDevMacVLanTapOpen(const char *ifname,
                         int *tapfd,
-                        size_t tapfdSize)
+                        size_t tapfdSize,
+                        char **tapname)
 {
     int retries =3D 10;
     int ret =3D -1;
     int ifindex;
     size_t i =3D 0;
-    g_autofree char *tapname =3D NULL;
=20
     if (virNetDevGetIndex(ifname, &ifindex) < 0)
         return -1;
=20
-    tapname =3D g_strdup_printf("/dev/tap%d", ifindex);
+    *tapname =3D g_strdup_printf("/dev/tap%d", ifindex);
=20
     for (i =3D 0; i < tapfdSize; i++) {
         int fd =3D -1;
=20
         while (fd < 0) {
-            if ((fd =3D open(tapname, O_RDWR)) >=3D 0) {
+            if ((fd =3D open(*tapname, O_RDWR)) >=3D 0) {
                 tapfd[i] =3D fd;
             } else if (retries-- > 0) {
                 /* may need to wait for udev to be done */
@@ -178,7 +178,7 @@ virNetDevMacVLanTapOpen(const char *ifname,
                 /* However, if haven't succeeded, quit. */
                 virReportSystemError(errno,
                                      _("cannot open macvtap tap device %1$=
s"),
-                                     tapname);
+                                     *tapname);
                 goto cleanup;
             }
         }
@@ -188,6 +188,7 @@ virNetDevMacVLanTapOpen(const char *ifname,
=20
  cleanup:
     if (ret < 0) {
+        g_free(*tapname);
         while (i--)
             VIR_FORCE_CLOSE(tapfd[i]);
     }
@@ -659,6 +660,7 @@ virNetDevMacVLanCreateWithVPortProfile(const char *ifna=
meRequested,
                                        char *stateDir,
                                        int *tapfd,
                                        size_t tapfdSize,
+                                       char **tapfdpath,
                                        unsigned int flags)
 {
     g_autofree char *ifname =3D NULL;
@@ -729,7 +731,7 @@ virNetDevMacVLanCreateWithVPortProfile(const char *ifna=
meRequested,
     }
=20
     if (flags & VIR_NETDEV_MACVLAN_CREATE_WITH_TAP) {
-        if (virNetDevMacVLanTapOpen(ifname, tapfd, tapfdSize) < 0)
+        if (virNetDevMacVLanTapOpen(ifname, tapfd, tapfdSize, tapfdpath) <=
 0)
             goto disassociate_exit;
=20
         if (virNetDevMacVLanTapSetup(tapfd, tapfdSize, vnet_hdr) < 0)
@@ -888,7 +890,8 @@ int virNetDevMacVLanDelete(const char *ifname G_GNUC_UN=
USED)
 int
 virNetDevMacVLanTapOpen(const char *ifname G_GNUC_UNUSED,
                         int *tapfd G_GNUC_UNUSED,
-                        size_t tapfdSize G_GNUC_UNUSED)
+                        size_t tapfdSize G_GNUC_UNUSED,
+                        char **tapname G_GNUC_UNUSED)
 {
     virReportSystemError(ENOSYS, "%s",
                          _("Cannot create macvlan devices on this platform=
"));
@@ -917,6 +920,7 @@ int virNetDevMacVLanCreateWithVPortProfile(const char *=
ifname G_GNUC_UNUSED,
                                            char *stateDir G_GNUC_UNUSED,
                                            int *tapfd G_GNUC_UNUSED,
                                            size_t tapfdSize G_GNUC_UNUSED,
+                                           char **tapfdpath G_GNUC_UNUSED,
                                            unsigned int unused_flags G_GNU=
C_UNUSED)
 {
     virReportSystemError(ENOSYS, "%s",
diff --git a/src/util/virnetdevmacvlan.h b/src/util/virnetdevmacvlan.h
index 31e4804cdc..7424b87965 100644
--- a/src/util/virnetdevmacvlan.h
+++ b/src/util/virnetdevmacvlan.h
@@ -72,13 +72,15 @@ int virNetDevMacVLanCreateWithVPortProfile(const char *=
ifname,
                                            char *stateDir,
                                            int *tapfd,
                                            size_t tapfdSize,
+                                           char **tapfdpath,
                                            unsigned int flags)
     ATTRIBUTE_NONNULL(2) ATTRIBUTE_NONNULL(3) ATTRIBUTE_NONNULL(6)
     ATTRIBUTE_NONNULL(8) ATTRIBUTE_NONNULL(10) G_GNUC_WARN_UNUSED_RESULT;
=20
 int virNetDevMacVLanTapOpen(const char *ifname,
                             int *tapfd,
-                            size_t tapfdSize)
+                            size_t tapfdSize,
+                            char **tapname)
    ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(2)
    G_GNUC_WARN_UNUSED_RESULT;
=20

---
base-commit: 54f5032e576a886cfb8232abbfa08a2f6e9f9962
change-id: 20260105-apparmor-races-d03238ee4d93

Best regards,
--=20
Wesley Hershberger <wesley.hershberger@canonical.com>