To: devel@lists.libvirt.org
Subject: [PATCH v3 1/1] virt-aa-helper : grant access to unix socket for qgsd
Date: Wed, 18 Mar 2026 10:36:09 +0100
Message-ID: <20260318093609.168452-2-hector.cao@canonical.com>
In-Reply-To: <20260318093609.168452-1-hector.cao@canonical.com>
References: <20260317164607.81420-1-hector.cao@canonical.com> <20260318093609.168452-1-hector.cao@canonical.com>
From: Hector Cao via Devel
Reply-To: Hector Cao
List-Id: Development discussions about the libvirt library & tools

For quote generation and remote attestation, an Intel TDX VM communicates with the QGSD (Quote Generation Service) on the host via a unix socket. The unix socket can be specified via:

...

If the path field is omitted, a default path is used. This commit generates the needed rule in the dynamic AA profile for the VM.
Signed-off-by: Hector Cao --- src/security/virt-aa-helper.c | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c index e932e79dab..c3c333e761 100644 --- a/src/security/virt-aa-helper.c +++ b/src/security/virt-aa-helper.c @@ -1395,8 +1395,21 @@ get_files(vahControl * ctl) case VIR_DOMAIN_LAUNCH_SECURITY_SEV_SNP: virBufferAddLit(&buf, " \"/dev/sev\" rw,\n"); break; - case VIR_DOMAIN_LAUNCH_SECURITY_PV: case VIR_DOMAIN_LAUNCH_SECURITY_TDX: + /* To communicate with the QGSD daemon running on the host, if= we use the unix socket, + * allow the VM to access to the unix socket. + */ + if (ctl->def->sec->data.tdx.haveQGS) { + const char *qgsd_sock_file =3D QGS_UNIX_SOCKET_FILE; + if (ctl->def->sec->data.tdx.qgs_unix_path) { + qgsd_sock_file =3D ctl->def->sec->data.tdx.qgs_unix_pa= th; + } + if (vah_add_file(&buf, qgsd_sock_file, "rw") !=3D 0) { + return -1; + } + } + break; + case VIR_DOMAIN_LAUNCH_SECURITY_PV: case VIR_DOMAIN_LAUNCH_SECURITY_NONE: case VIR_DOMAIN_LAUNCH_SECURITY_LAST: break; --=20 2.43.0
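Review bot: in the new VIR_DOMAIN_LAUNCH_SECURITY_TDX case the guard is ctl->def->sec->data.tdx.haveQGS alone, while the comment above it says the rule is needed "if we use the unix socket"; if the TDX QGS configuration can describe a transport other than a unix socket, this emits an rw rule for QGS_UNIX_SOCKET_FILE that the guest never opens, so either test the transport too or reword the comment to say that any QGS configuration implies the unix socket. On the same lines, the fallback in "qgsd_sock_file = QGS_UNIX_SOCKET_FILE" only helps if it is the very same definition the QEMU driver uses when it builds the command line without a path: if virt-aa-helper.c gets the value from a private copy rather than a shared header, the profile and the real connect can silently disagree and QEMU gets an AppArmor denial, so it is worth confirming where the macro comes from. Two style points: libvirt drops the braces around single-line bodies, so "if (ctl->def->sec->data.tdx.qgs_unix_path) { ... }" and the vah_add_file check should lose theirs, and the comment should read "allow the VM to access the unix socket" rather than "access to the unix socket".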
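A host-side check of the generated profile, as an added example for this thread (it is not part of the patch or of libvirt). It mirrors the path selection the patch performs (explicit path, else compiled-in default, no rule without QGS) and then verifies that the profile text actually grants rw on that path, distinguishing an exact rule from one that is only covered by a wider AppArmor glob. Assumptions, all hypothetical: the value of DEFAULT_QGS_SOCKET stands in for libvirt's QGS_UNIX_SOCKET_FILE macro and is not taken from this patch; the profile is the quoted-path file-rule form virt-aa-helper writes (for example into /etc/apparmor.d/libvirt/libvirt-<uuid>.files); the sample profile is constructed.

```python
"""Verify that a libvirt-generated AppArmor profile lets the QEMU process
reach the TDX QGS unix socket.

Added example for this thread, not libvirt code.  Assumptions (hypothetical):
  - DEFAULT_QGS_SOCKET stands in for libvirt's QGS_UNIX_SOCKET_FILE macro;
    its value here is assumed, check your build's header.
  - Profiles use the file-rule form virt-aa-helper writes:  "/path" rw,
  - The sample profile below is constructed, not taken from a real host.
"""
import re
from typing import Optional

DEFAULT_QGS_SOCKET = "/var/run/tdx-qgs/qgs.socket"  # assumed default value

# One quoted-path file rule per line, e.g.   "/dev/sev" rw,
FILE_RULE = re.compile(r'^\s*"([^"]+)"\s+([A-Za-z]+),\s*$')

# Constructed sample of the per-domain .files profile for a TDX guest.
SAMPLE_PROFILE = '''\
  "/var/lib/libvirt/images/tdx-guest.qcow2" rwk,
  "/dev/net/tun" rw,
  "/var/run/tdx-qgs/qgs.socket" rw,
'''


def expected_qgs_socket(have_qgs: bool, qgs_unix_path: Optional[str]) -> Optional[str]:
    """Same selection as the patch: no QGS -> no socket; an explicit path
    wins, otherwise the compiled-in default."""
    if not have_qgs:
        return None
    return qgs_unix_path or DEFAULT_QGS_SOCKET


def parse_file_rules(profile: str) -> dict:
    """Map each quoted path (or AppArmor glob) to its permission string."""
    rules = {}
    for line in profile.splitlines():
        m = FILE_RULE.match(line)
        if m:
            rules[m.group(1)] = m.group(2)
    return rules


def aa_glob_to_regex(pattern: str) -> "re.Pattern[str]":
    """AppArmor globbing: '**' crosses '/', a single '*' does not."""
    parts = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            parts.append(".*")
            i += 2
        elif pattern[i] == "*":
            parts.append("[^/]*")
            i += 1
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(parts) + "$")


def check_qgs_rule(profile: str, have_qgs: bool, qgs_unix_path: Optional[str]) -> tuple:
    """Return (status, detail); status is one of
    ok, no-qgs, unexpected, missing, perms, glob-only."""
    rules = parse_file_rules(profile)
    path = expected_qgs_socket(have_qgs, qgs_unix_path)

    if path is None:
        # Without QGS the profile should not open the default socket at all.
        if DEFAULT_QGS_SOCKET in rules:
            return "unexpected", f"rule for {DEFAULT_QGS_SOCKET} without QGS"
        return "no-qgs", "no QGS configured, no rule expected"

    perms = rules.get(path)
    if perms is not None:
        if {"r", "w"} <= set(perms):
            return "ok", f"{path} {perms}"
        return "perms", f"{path} has {perms}, need rw"

    # No exact rule: a glob may still cover the socket, which works but is
    # wider than the single-file rule the patch emits (least privilege).
    for pat, pp in rules.items():
        if "*" in pat and aa_glob_to_regex(pat).match(path) and {"r", "w"} <= set(pp):
            return "glob-only", f"{path} covered only by {pat} {pp}"
    return "missing", f"no rw rule for {path}"


if __name__ == "__main__":
    for have, custom in ((True, None), (True, "/run/qgs/custom.sock"), (False, None)):
        print(have, custom, check_qgs_rule(SAMPLE_PROFILE, have, custom))
```

The "glob-only" status is reported separately on purpose: a rule such as "/var/run/tdx-qgs/**" rw, lets the connect succeed, but it grants the confined QEMU far more than the one socket the patch intends, which is exactly what a reviewer of a generated profile should notice.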