From: Michal Privoznik <mprivozn@redhat.com>
So far, this is a NOP as no secdriver implements the callback.
But the idea is to separate seclabel generation on profile
loading for AppArmor. See next commit.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
---
src/qemu/qemu_process.c | 7 +++++++
src/qemu/qemu_security.h | 1 +
2 files changed, 8 insertions(+)
diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c
index a53bb40783..5d5b1b291b 100644
--- a/src/qemu/qemu_process.c
+++ b/src/qemu/qemu_process.c
@@ -7154,6 +7154,13 @@ qemuProcessPrepareDomain(virQEMUDriver *driver,
}
}
+ /* Keep this as the last step so that security drivers can
+ * see all the path generated in steps above. */
+ if (!(flags & VIR_QEMU_PROCESS_START_PRETEND)) {
+ if (qemuSecurityManagerLoadProfile(driver->securityManager, vm->def) < 0)
+ return -1;
+ }
+
return 0;
}
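Review bot: The comment on the new block has a grammar slip ("all the path generated") and could say more precisely what "last step" protects; suggest `/* Keep this as the last step so that security drivers can see all the paths generated in the steps above. */`. Since the profile loaded here only covers paths that exist at this point, anything a later change appends to qemuProcessPrepareDomain below this block would silently be missing from the profile, so the comment is the only guard against that ordering regression; a short note to that effect would help future editors. The body of qemuProcessPrepareDomain starts outside the hunk, so I cannot confirm that every path-generating step is indeed above this call.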
diff --git a/src/qemu/qemu_security.h b/src/qemu/qemu_security.h
index 36663cffde..d540c01f77 100644
--- a/src/qemu/qemu_security.h
+++ b/src/qemu/qemu_security.h
@@ -137,6 +137,7 @@ int qemuSecurityCommandRun(virQEMUDriver *driver,
#define qemuSecurityGetMountOptions virSecurityManagerGetMountOptions
#define qemuSecurityGetNested virSecurityManagerGetNested
#define qemuSecurityGetProcessLabel virSecurityManagerGetProcessLabel
+#define qemuSecurityManagerLoadProfile virSecurityManagerLoadProfile
#define qemuSecurityNew virSecurityManagerNew
#define qemuSecurityNewDAC virSecurityManagerNewDAC
#define qemuSecurityNewStack virSecurityManagerNewStack
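Review bot: The new alias `qemuSecurityManagerLoadProfile` breaks the naming convention of the surrounding macros, which drop "Manager" from the virSecurityManager* name (e.g. `qemuSecurityGetNested` for virSecurityManagerGetNested, `qemuSecurityGetProcessLabel` for virSecurityManagerGetProcessLabel). Suggest `#define qemuSecurityLoadProfile virSecurityManagerLoadProfile`, which also keeps the alphabetical placement between GetProcessLabel and New; the call site added in the qemu_process.c hunk of this patch would need the same rename.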
--
2.52.0