From: Wesley Hershberger via Devel
To: devel@lists.libvirt.org
CC: wesley.hershberger@canonical.com, georgia.garcia@canonical.com, hector.cao@canonical.com, Peter Krempa
Date: Mon, 13 Apr 2026 10:23:45 -0500
Subject: [PATCH v4 1/3] qemu: Store tapfd path in domstatus XML
Message-Id: <20260413-apparmor-races-v4-1-3e476b52bb68@canonical.com>

Introduce a read-only `tapfd` element for direct interfaces (macvtap),
which contains the path to the backing tapfd for that interface (e.g.
`/dev/tapXX`).

The element is only included when the domain is being formatted for
internal consumption (VIR_DOMAIN_DEF_FORMAT_STATUS) and is not accepted
in user-provided XML (!VIR_DOMAIN_DEF_PARSE_INACTIVE).

This will be used by the AppArmor security driver when re-generating
profiles.

Reviewed-by: Peter Krempa
Signed-off-by: Wesley Hershberger
---
 src/conf/domain_conf.c | 8 ++++++++
 src/conf/domain_conf.h | 1 +
 src/hypervisor/domain_interface.c | 2 +-
 src/lxc/lxc_process.c | 1 +
 src/qemu/qemu_interface.c | 1 +
 src/util/virnetdevmacvlan.c | 18 +++++++++++-------
 src/util/virnetdevmacvlan.h | 4 +++-
 tests/qemustatusxml2xmldata/modern-in.xml | 7 +++++++
 8 files changed, 33 insertions(+), 9 deletions(-)

diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c index b1ee519ff6..3497e84bf5 100644 --- a/src/conf/domain_conf.c +++ b/src/conf/domain_conf.c
@@ -2971,6 +2971,7 @@ virDomainNetDefFree(virDomainNetDef *def) g_free(def->virtio); g_free(def->coalesce); g_free(def->sourceDev); + g_free(def->tapfdpath); =20 virNetDevIPInfoClear(&def->guestIP); virNetDevIPInfoClear(&def->hostIP); @@ -10635,6 +10636,10 @@ virDomainNetDefParseXML(virDomainXMLOption *xmlopt, return NULL; } =20 + if (!(flags & VIR_DOMAIN_DEF_PARSE_INACTIVE)) { + def->tapfdpath =3D virXPathString("string(./tapfd/@path)", ctxt); + } + if (virNetworkPortOptionsParseXML(ctxt, &def->isolatedPort) < 0) return NULL; =20 @@ -26032,6 +26037,9 @@ virDomainNetDefFormat(virBuffer *buf, if (def->mtu) virBufferAsprintf(buf, "\n", def->mtu); =20 + if (def->tapfdpath && (flags & VIR_DOMAIN_DEF_FORMAT_STATUS)) + virBufferEscapeString(buf, "\n", def->tapfdpat= h); + virDomainNetDefCoalesceFormatXML(buf, def->coalesce); =20 virDomainDeviceInfoFormat(buf, &def->info, flags | VIR_DOMAIN_DEF_FORM= AT_ALLOW_BOOT diff --git a/src/conf/domain_conf.h b/src/conf/domain_conf.h index 75acfc46bf..a8f90803da 100644 --- a/src/conf/domain_conf.h +++ b/src/conf/domain_conf.h @@ -1212,6 +1212,7 @@ struct _virDomainNetDef { char *downscript; char *domain_name; /* backend domain name */ char *ifname; /* interface name on the host () */ + char *tapfdpath; /* Path in /dev for macvtap () */ virTristateBool managed_tap; virNetDevIPInfo hostIP; char *ifname_guest_actual; diff --git a/src/hypervisor/domain_interface.c b/src/hypervisor/domain_inte= rface.c index 5bc698d272..37e3d453a0 100644 --- a/src/hypervisor/domain_interface.c +++ b/src/hypervisor/domain_interface.c @@ -111,7 +111,7 @@ virDomainInterfaceEthernetConnect(virDomainDef *def, =20 if (virNetDevMacVLanIsMacvtap(net->ifname)) { auditdev =3D net->ifname; - if (virNetDevMacVLanTapOpen(net->ifname, tapfd, tapfdSize) < 0) + if (virNetDevMacVLanTapOpen(net->ifname, tapfd, tapfdSize, &ne= t->tapfdpath) < 0) goto cleanup; if (virNetDevMacVLanTapSetup(tapfd, tapfdSize, virDomainInterfaceIsVnetCompatMod= el(net)) < 0) { 
diff --git a/src/lxc/lxc_process.c b/src/lxc/lxc_process.c index 1bca9e8dae..c731b28871 100644 --- a/src/lxc/lxc_process.c +++ b/src/lxc/lxc_process.c @@ -379,6 +379,7 @@ virLXCProcessSetupInterfaceDirect(virLXCDriver *driver, VIR_NETDEV_VPORT_PROFILE_OP_CREATE, cfg->stateDir, NULL, 0, + &net->tapfdpath, macvlan_create_flags) < 0) return NULL; =20 diff --git a/src/qemu/qemu_interface.c b/src/qemu/qemu_interface.c index 23a23d201a..edc53d53b3 100644 --- a/src/qemu/qemu_interface.c +++ b/src/qemu/qemu_interface.c @@ -81,6 +81,7 @@ qemuInterfaceDirectConnect(virDomainDef *def, &res_ifname, vmop, cfg->stateDir, tapfd, tapfdSize, + &net->tapfdpath, macvlan_create_flags) < 0) goto cleanup; =20 diff --git a/src/util/virnetdevmacvlan.c b/src/util/virnetdevmacvlan.c index cde9d70eef..07ccef52d9 100644 --- a/src/util/virnetdevmacvlan.c +++ b/src/util/virnetdevmacvlan.c @@ -152,24 +152,24 @@ int virNetDevMacVLanDelete(const char *ifname) int virNetDevMacVLanTapOpen(const char *ifname, int *tapfd, - size_t tapfdSize) + size_t tapfdSize, + char **tapname) { int retries =3D 10; int ret =3D -1; int ifindex; size_t i =3D 0; - g_autofree char *tapname =3D NULL; =20 if (virNetDevGetIndex(ifname, &ifindex) < 0) return -1; =20 - tapname =3D g_strdup_printf("/dev/tap%d", ifindex); + *tapname =3D g_strdup_printf("/dev/tap%d", ifindex); =20 for (i =3D 0; i < tapfdSize; i++) { int fd =3D -1; =20 while (fd < 0) { - if ((fd =3D open(tapname, O_RDWR)) >=3D 0) { + if ((fd =3D open(*tapname, O_RDWR)) >=3D 0) { tapfd[i] =3D fd; } else if (retries-- > 0) { /* may need to wait for udev to be done */ @@ -178,7 +178,7 @@ virNetDevMacVLanTapOpen(const char *ifname, /* However, if haven't succeeded, quit. */ virReportSystemError(errno, _("cannot open macvtap tap device %1$= s"), - tapname); + *tapname); goto cleanup; } } @@ -188,6 +188,7 @@ virNetDevMacVLanTapOpen(const char *ifname, =20 cleanup: if (ret < 0) { + g_clear_pointer(tapname, g_free); while (i--) VIR_FORCE_CLOSE(tapfd[i]); } 
@@ -659,6 +660,7 @@ virNetDevMacVLanCreateWithVPortProfile(const char *ifna= meRequested, char *stateDir, int *tapfd, size_t tapfdSize, + char **tapfdpath, unsigned int flags) { g_autofree char *ifname =3D NULL; @@ -729,7 +731,7 @@ virNetDevMacVLanCreateWithVPortProfile(const char *ifna= meRequested, } =20 if (flags & VIR_NETDEV_MACVLAN_CREATE_WITH_TAP) { - if (virNetDevMacVLanTapOpen(ifname, tapfd, tapfdSize) < 0) + if (virNetDevMacVLanTapOpen(ifname, tapfd, tapfdSize, tapfdpath) <= 0) goto disassociate_exit; =20 if (virNetDevMacVLanTapSetup(tapfd, tapfdSize, vnet_hdr) < 0) @@ -888,7 +890,8 @@ int virNetDevMacVLanDelete(const char *ifname G_GNUC_UN= USED) int virNetDevMacVLanTapOpen(const char *ifname G_GNUC_UNUSED, int *tapfd G_GNUC_UNUSED, - size_t tapfdSize G_GNUC_UNUSED) + size_t tapfdSize G_GNUC_UNUSED, + char **tapname G_GNUC_UNUSED) { virReportSystemError(ENOSYS, "%s", _("Cannot create macvlan devices on this platform= ")); @@ -917,6 +920,7 @@ int virNetDevMacVLanCreateWithVPortProfile(const char *= ifname G_GNUC_UNUSED, char *stateDir G_GNUC_UNUSED, int *tapfd G_GNUC_UNUSED, size_t tapfdSize G_GNUC_UNUSED, + char **tapfdpath G_GNUC_UNUSED, unsigned int unused_flags G_GNU= C_UNUSED) { virReportSystemError(ENOSYS, "%s", diff --git a/src/util/virnetdevmacvlan.h b/src/util/virnetdevmacvlan.h index 31e4804cdc..7424b87965 100644 --- a/src/util/virnetdevmacvlan.h +++ b/src/util/virnetdevmacvlan.h @@ -72,13 +72,15 @@ int virNetDevMacVLanCreateWithVPortProfile(const char *= ifname, char *stateDir, int *tapfd, size_t tapfdSize, + char **tapfdpath, unsigned int flags) ATTRIBUTE_NONNULL(2) ATTRIBUTE_NONNULL(3) ATTRIBUTE_NONNULL(6) ATTRIBUTE_NONNULL(8) ATTRIBUTE_NONNULL(10) G_GNUC_WARN_UNUSED_RESULT; =20 int virNetDevMacVLanTapOpen(const char *ifname, int *tapfd, - size_t tapfdSize) + size_t tapfdSize, + char **tapname) ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(2) G_GNUC_WARN_UNUSED_RESULT; =20 
diff --git a/tests/qemustatusxml2xmldata/modern-in.xml b/tests/qemustatusxm= l2xmldata/modern-in.xml index 3b3e831759..050669f554 100644 --- a/tests/qemustatusxml2xmldata/modern-in.xml +++ b/tests/qemustatusxml2xmldata/modern-in.xml @@ -437,6 +437,13 @@
+ + + + + +
+ --=20 2.53.0

From: Wesley Hershberger via Devel
To: devel@lists.libvirt.org
CC: wesley.hershberger@canonical.com, georgia.garcia@canonical.com, hector.cao@canonical.com, Peter Krempa
Date: Mon, 13 Apr 2026 10:23:46 -0500
Subject: [PATCH v4 2/3] apparmor: Pass status XML to virt-aa-helper
Message-Id: <20260413-apparmor-races-v4-2-3e476b52bb68@canonical.com>

VIR_DOMAIN_DEF_FORMAT_STATUS is used to include disk & network
privateData elements in the domain XML, which contain misc information
that should be available to the virt-aa-helper when generating rules.

For now, this will be used in a subsequent patch to pass tap paths to
the virt-aa-helper.

Reviewed-by: Peter Krempa
Signed-off-by: Wesley Hershberger
---
 src/security/security_apparmor.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/security/security_apparmor.c b/src/security/security_appar= mor.c index e53486ee0c..a66382fbac 100644 --- a/src/security/security_apparmor.c +++ b/src/security/security_apparmor.c
@@ -156,6 +156,7 @@ load_profile(virSecurityManager *mgr G_GNUC_UNUSED, =20 if (virDomainDefFormatInternal(def, NULL, &buf, VIR_DOMAIN_DEF_FORMAT_SECURE | + VIR_DOMAIN_DEF_FORMAT_STATUS | VIR_DOMAIN_DEF_FORMAT_VOLUME_TRANSLATED= ) < 0) return -1; =20 --=20 2.53.0

From: Wesley Hershberger via Devel
To: devel@lists.libvirt.org
CC: wesley.hershberger@canonical.com, georgia.garcia@canonical.com, hector.cao@canonical.com, Peter Krempa
Date: Mon, 13 Apr 2026 10:23:47 -0500
Subject: [PATCH v4 3/3] virt-aa-helper: Include macvtap tapfd path
Message-Id: <20260413-apparmor-races-v4-3-3e476b52bb68@canonical.com>

Without this change, the tapfd path would only be appended to a domain's
profile when the device is hotplugged (either during domain start or
normal operation). Operations which regenerate the profile (blockcommit,
etc) will cause this path to be dropped from the profile.

Since the domain status XML now includes the path to the tap device,
include it in the profile.

Resolves: https://gitlab.com/libvirt/libvirt/-/issues/692
Bug-Ubuntu: https://bugs.launchpad.net/bugs/2126574
Reviewed-by: Peter Krempa
Signed-off-by: Wesley Hershberger
---
 src/security/virt-aa-helper.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c index 14b202bf7b..2eae4d7f3f 100644 --- a/src/security/virt-aa-helper.c +++ b/src/security/virt-aa-helper.c @@ -1192,6 +1192,11 @@ get_files(vahControl * ctl) vhu->type) !=3D 0) return -1; } + + if (net->tapfdpath) { + if (vah_add_file(&buf, net->tapfdpath, "rwk") !=3D 0) + return -1; + } } =20 for (i =3D 0; i < ctl->def->nmems; i++) { --=20 2.53.0
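
Review bot: in patch 1/3, the virDomainNetDefParseXML hunk of src/conf/domain_conf.c accepts the tapfd element whenever VIR_DOMAIN_DEF_PARSE_INACTIVE is unset, while the virDomainNetDefFormat hunk in the same file only emits it under VIR_DOMAIN_DEF_FORMAT_STATUS, so the parse side is wider than the "internal consumption" scope the commit message describes. Since patch 3/3 turns this string into an AppArmor file rule, either gate the parse on VIR_DOMAIN_DEF_PARSE_STATUS or add a comment stating why "not inactive" is the intended condition and which callers rely on it. Style: the braces around the single-statement body are inconsistent with the brace-less if added to virDomainNetDefFormat.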
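
Review bot: in patch 1/3, the virDomainInterfaceEthernetConnect hunk of src/hypervisor/domain_interface.c stores the path for an ethernet-type interface whose ifname is a macvtap device, but the commit message and the new struct comment in domain_conf.h describe tapfdpath as applying to direct interfaces only; one of the two should be corrected. The hunk also shows virNetDevMacVLanTapSetup being called right after the open, so please confirm that net->tapfdpath is cleared (or the def discarded) when that setup call fails, otherwise a path for a device that was never handed to the guest can end up in the status XML. The changed call line is also well over the usual line length and would read better wrapped.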
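
Review bot: in patch 1/3, the first virNetDevMacVLanTapOpen hunk of src/util/virnetdevmacvlan.c assigns *tapname = g_strdup_printf(...) without looking at the previous value, so if the caller's pointer is already set (callers pass &net->tapfdpath, which the parser in this patch can populate from status XML) the old string leaks. Keeping the g_autofree local that this hunk removes and handing it over with g_steal_pointer only on the success path would avoid the leak, leave the caller's value untouched on failure, and make the g_clear_pointer added in the cleanup hunk unnecessary.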
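
Review bot: in patch 1/3, the src/util/virnetdevmacvlan.h hunk adds char **tapname to virNetDevMacVLanTapOpen but leaves the annotation at ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(2), although the implementation dereferences the new argument unconditionally; add ATTRIBUTE_NONNULL(4) or make the function tolerate NULL. The same out-parameter is called tapname here and tapfdpath in virNetDevMacVLanCreateWithVPortProfile, and neither prototype documents that the caller owns and must free the returned string; a single name and a short comment would help.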
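
Review bot: in patch 2/3, the load_profile hunk of src/security/security_apparmor.c adds VIR_DOMAIN_DEF_FORMAT_STATUS with no comment at the call site, and the reason (the helper needs status-only elements such as the tap path) is only in the commit message. A one-line comment next to the flag would keep a later cleanup from dropping it. The commit message says the status output also carries disk and network privateData, so it should state that virt-aa-helper's parser accepts those extra elements, since this hunk changes what every profile load sends to the helper and not only the macvtap case.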
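
Review bot: in patch 3/3, the get_files hunk of src/security/virt-aa-helper.c passes net->tapfdpath to vah_add_file with "rwk" without checking what the string contains, so the rule is only as trustworthy as the XML handed to the helper. Checking that the value has the /dev/tap form that virNetDevMacVLanTapOpen generates before adding it would keep an unexpected value from becoming a read/write rule. The diffstat shows no test change, and the series does not touch the helper's parse call although patch 1/3 only fills tapfdpath when VIR_DOMAIN_DEF_PARSE_INACTIVE is unset; a virt-aa-helper test case with a tapfd element would cover both. The nested if can also be folded into a single condition.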