From: Hector Cao via Devel
Reply-To: Hector Cao
X-MailFrom: hector.cao@canonical.com
To: devel@lists.libvirt.org
Subject: [PATCH v2] virt-aa-helper : grant access to unix socket for qgsd
Date: Tue, 17 Mar 2026 17:46:50 +0100
Message-ID: <20260317164650.81722-1-hector.cao@canonical.com>
In-Reply-To: <20260317161126.64428-1-hector.cao@canonical.com>
References: <20260317161126.64428-1-hector.cao@canonical.com>
X-Mailer: git-send-email 2.43.0
List-Id: Development discussions about the libvirt library & tools

For quote generation and remote attestation, an Intel TDX VM communicates
with the QGSD (Quote Generation Service) on the host via a unix socket.

The unix socket can be specified via:

...

In case the path field is omitted, a default path is used.

This commit generates the needed rule in the dynamic AA profile for the VM.

Signed-off-by: Hector Cao
---
 src/security/virt-aa-helper.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c index e932e79dab..32f369db11 100644 --- a/src/security/virt-aa-helper.c +++ b/src/security/virt-aa-helper.c @@ -1397,6 +1397,19 @@ get_files(vahControl * ctl) break; case VIR_DOMAIN_LAUNCH_SECURITY_PV: case VIR_DOMAIN_LAUNCH_SECURITY_TDX: + /* To communicate with the QGSD daemon running on the host, if= we use the unix socket, + * allow the VM to access to the unix socket. + */ + if (ctl->def->sec->data.tdx.haveQGS) { + const char *qgsd_sock_file =3D QGS_UNIX_SOCKET_FILE; + if (ctl->def->sec->data.tdx.qgs_unix_path) { + qgsd_sock_file =3D ctl->def->sec->data.tdx.qgs_unix_pa= th; + } + if (vah_add_file(&buf, qgsd_sock_file, "rw") !=3D 0) { + return -1; + } + } + break; case VIR_DOMAIN_LAUNCH_SECURITY_NONE: case VIR_DOMAIN_LAUNCH_SECURITY_LAST: break; --=20 2.43.0
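Review bot: `case VIR_DOMAIN_LAUNCH_SECURITY_PV:` still falls through into the new block, so for a PV domain this code evaluates `ctl->def->sec->data.tdx.haveQGS` (and possibly `qgs_unix_path`) on a security definition that was never parsed as TDX; if `data` is the usual per-type union that is a read of the wrong member and can add an unintended `rw` rule for the QGS socket path to the profile. Give PV its own `break;` before the TDX label, or guard the new block on the launch-security type being TDX. Minor: the comment should read "allow the VM to access the unix socket" (drop the second "to"), and it is the confined QEMU process, not the guest itself, that is granted the rule.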