For quote generation and remote attestation, Intel TDX VM
communicates with the QGSD (Quote Generation Service)
on the host via unix socket.
The unix socket can be specified via:
<launchSecurity type='tdx'>
...
<quoteGenerationService path='/var/run/tdx-qgs/qgs.socket'/>
</launchSecurity>
If the path field is omitted, a default path is used.
This commit generates the needed rule in the dynamic AA profile
for the VM.
Signed-off-by: Hector Cao <hector.cao@canonical.com>
---
src/security/virt-aa-helper.c | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
index e932e79dab..32f369db11 100644
--- a/src/security/virt-aa-helper.c
+++ b/src/security/virt-aa-helper.c
@@ -1397,6 +1397,19 @@ get_files(vahControl * ctl)
break;
case VIR_DOMAIN_LAUNCH_SECURITY_PV:
case VIR_DOMAIN_LAUNCH_SECURITY_TDX:
+ /* To communicate with the QGSD daemon running on the host, if we use the unix socket,
+ * allow the VM to access to the unix socket.
+ */
+ if (ctl->def->sec->data.tdx.haveQGS) {
+ const char *qgsd_sock_file = QGS_UNIX_SOCKET_FILE;
+ if (ctl->def->sec->data.tdx.qgs_unix_path) {
+ qgsd_sock_file = ctl->def->sec->data.tdx.qgs_unix_path;
+ }
+ if (vah_add_file(&buf, qgsd_sock_file, "rw") != 0) {
+ return -1;
+ }
+ }
+ break;
case VIR_DOMAIN_LAUNCH_SECURITY_NONE:
case VIR_DOMAIN_LAUNCH_SECURITY_LAST:
break;
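Review bot: The added block at lines 24–36 is also reached for VIR_DOMAIN_LAUNCH_SECURITY_PV, because the PV case label directly above it still falls into the TDX case; it then reads ctl->def->sec->data.tdx.haveQGS for a domain whose sec data is not TDX (presumably another member of the same union), and a non-zero read would add an AppArmor rw rule for an unrelated path. Give PV its own arm before the TDX case: `case VIR_DOMAIN_LAUNCH_SECURITY_PV:` / `break;` and then `case VIR_DOMAIN_LAUNCH_SECURITY_TDX:` with the new block. Since qgs_unix_path comes from the domain XML, the scope of the granted rule rests on whatever path validation vah_add_file() performs; if that is the intended guard, a one-line comment saying so, e.g. `/* qgs_unix_path is XML-supplied; vah_add_file() is relied on to validate it */`, would make the assumption explicit. The comment on lines 24–26 also reads awkwardly and could be shortened to `/* Allow the VM to reach the host QGSD over its unix socket. */`. get_files() starts and ends outside this hunk.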
--
2.43.0