From: Hector Cao via Devel
Reply-To: Hector Cao
To: devel@lists.libvirt.org
Subject: [PATCH] virt-aa-helper : grant access to unix socket for qgsd
Date: Tue, 17 Mar 2026 17:11:26 +0100
Message-ID: <20260317161126.64428-1-hector.cao@canonical.com>

For quote generation and remote attestation, an Intel TDX VM communicates with the QGSD (Quote Generation Service) on the host via a unix socket. The unix socket can be specified via:

...

In case the path field is omitted, a default path is used.

This commit generates the needed rule in the dynamic AA profile for the VM.

Signed-off-by: Hector Cao
---
 src/security/virt-aa-helper.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
index e932e79dab..53059ad5fa 100644
--- a/src/security/virt-aa-helper.c
+++ b/src/security/virt-aa-helper.c @@ -1397,6 +1397,19 @@ get_files(vahControl * ctl) break; case VIR_DOMAIN_LAUNCH_SECURITY_PV: case VIR_DOMAIN_LAUNCH_SECURITY_TDX: + /* To communicate with the QGSD daemon running on the host, if= we use the unix socket, + * allow the VM to access to the unix socket. + */ + if (ctl->def->sec->data.tdx.haveQGS) { + const char *qgsd_sock_file =3D QGS_UNIX_SOCKET_FILE; + if (ctl->def->sec->data.tdx.qgs_unix_path) { + qgsd_sock_file =3D ctl->def->sec->data.tdx.qgs_unix_pa= th; + } + if (vah_add_file(&buf, qgsd_sock_file, "rw") !=3D 0) { + return -1; + } + } + break; case VIR_DOMAIN_LAUNCH_SECURITY_NONE: case VIR_DOMAIN_LAUNCH_SECURITY_LAST: break; --=20 2.43.0
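Review bot: the added block is also reached for VIR_DOMAIN_LAUNCH_SECURITY_PV, because that case label still falls through into the VIR_DOMAIN_LAUNCH_SECURITY_TDX label, and the new body reads the TDX-specific fields `ctl->def->sec->data.tdx.haveQGS` and `ctl->def->sec->data.tdx.qgs_unix_path` without checking which launch-security type the guest actually uses; give the PV label its own `break;` before the TDX label, or guard the block on the launch-security type, so a PV guest never evaluates those fields or receives a TDX socket rule. Two smaller points: `qgs_unix_path` comes straight from the domain definition and is passed to `vah_add_file` unchanged to produce an `rw` rule on a host path, so the commit message should say that the usual path validation in `vah_add_file` covers it; and the comment's "allow the VM to access to the unix socket" has a stray "to" and runs past the width of the surrounding code, so "allow the VM to access the unix socket" on a shorter line reads better.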