From nobody Mon Feb 2 05:54:45 2026
To: devel@lists.libvirt.org
Subject: [PATCH 1/3] security: Introduce virSecurityDomainLoadProfile()
Date: Wed, 14 Jan 2026 16:35:29 +0100
From: Michal Privoznik via Devel

From: Michal Privoznik

Specifically tailored for AppArmor, so that generating a seclabel and producing a profile can be separated.

Signed-off-by: Michal Privoznik
---
 src/libvirt_private.syms | 1 +
 src/security/security_driver.h | 4 ++++
 src/security/security_manager.c | 13 +++++++++++++
 src/security/security_manager.h | 2 ++
 src/security/security_stack.c | 15 +++++++++++++++
 5 files changed, 35 insertions(+)
diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms index 4e57e4a8f6..64152c3bbb 100644 --- a/src/libvirt_private.syms +++ b/src/libvirt_private.syms @@ -1822,6 +1822,7 @@ virSecurityManagerGetModel; virSecurityManagerGetMountOptions; virSecurityManagerGetNested; virSecurityManagerGetProcessLabel; +virSecurityManagerLoadProfile; virSecurityManagerMoveImageMetadata; virSecurityManagerNew; virSecurityManagerNewDAC; diff --git a/src/security/security_driver.h b/src/security/security_driver.h index b8c5b416e3..d81662dab4 100644 --- a/src/security/security_driver.h +++ b/src/security/security_driver.h @@ -81,6 +81,8 @@ typedef int (*virSecurityDomainReserveLabel) (virSecurity= Manager *mgr, pid_t pid); typedef int (*virSecurityDomainReleaseLabel) (virSecurityManager *mgr, virDomainDef *sec); +typedef int (*virSecurityDomainLoadProfile) (virSecurityManager *mgr, + virDomainDef *def); typedef int (*virSecurityDomainSetAllLabel) (virSecurityManager *mgr, char *const *sharedFilesystem= s, virDomainDef *sec, 
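Review bot: the new virSecurityDomainLoadProfile typedef in the security_driver.h hunk carries no comment describing its contract: that it is invoked after domainGenSecurityLabel once the domain's run time paths exist, and that it is optional and may be left NULL by drivers that have no profile concept. A short comment above the typedef would make the expected call order explicit for future driver authors.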
@@ -211,6 +213,8 @@ struct _virSecurityDriver { virSecurityDomainReserveLabel domainReserveSecurityLabel; virSecurityDomainReleaseLabel domainReleaseSecurityLabel; =20 + virSecurityDomainLoadProfile domainLoadProfile; + virSecurityDomainGetProcessLabel domainGetSecurityProcessLabel; virSecurityDomainSetProcessLabel domainSetSecurityProcessLabel; virSecurityDomainSetChildProcessLabel domainSetSecurityChildProcessLab= el; diff --git a/src/security/security_manager.c b/src/security/security_manage= r.c index 5fc4eb4872..87c8b9f3c1 100644 --- a/src/security/security_manager.c +++ b/src/security/security_manager.c @@ -726,6 +726,19 @@ virSecurityManagerReleaseLabel(virSecurityManager *mgr, } =20 =20 +int +virSecurityManagerLoadProfile(virSecurityManager *mgr, + virDomainDef *def) +{ + VIR_LOCK_GUARD lock =3D virObjectLockGuard(mgr); + + if (!mgr->drv->domainLoadProfile) + return 0; + + return mgr->drv->domainLoadProfile(mgr, def); +} + + static int virSecurityManagerCheckModel(virSecurityManager *mgr, char *secmodel) { diff --git a/src/security/security_manager.h b/src/security/security_manage= r.h index 068ca4e290..381b614ec1 100644 --- a/src/security/security_manager.h +++ b/src/security/security_manager.h @@ -128,6 +128,8 @@ int virSecurityManagerReserveLabel(virSecurityManager *= mgr, pid_t pid); int virSecurityManagerReleaseLabel(virSecurityManager *mgr, virDomainDef *sec); +int virSecurityManagerLoadProfile(virSecurityManager *mgr, + virDomainDef *def); int virSecurityManagerCheckAllLabel(virSecurityManager *mgr, virDomainDef *sec); int virSecurityManagerSetAllLabel(virSecurityManager *mgr, diff --git a/src/security/security_stack.c b/src/security/security_stack.c index 99a68a6053..96b59d159b 100644 --- a/src/security/security_stack.c +++ b/src/security/security_stack.c 
@@ -280,6 +280,19 @@ virSecurityStackReserveLabel(virSecurityManager *mgr, } =20 =20 +static int +virSecurityStackLoadProfile(virSecurityManager *mgr, + virDomainDef *vm) +{ + int rc =3D 0; + + if (virSecurityManagerLoadProfile(virSecurityStackGetPrimary(mgr), vm)= < 0) + rc =3D -1; + + return rc; +} + + static int virSecurityStackSetHostdevLabel(virSecurityManager *mgr, virDomainDef *vm, 
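Review bot: virSecurityManagerLoadProfile() in the security_manager.c hunk returns 0 when mgr->drv->domainLoadProfile is NULL, so a caller cannot distinguish "driver has no profiles" from "profile loaded". That is reasonable for an optional hook, but it should be spelled out in a comment above the function so nobody later treats a 0 return as proof that a profile is in force.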
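Review bot: the rc variable in virSecurityStackLoadProfile() in the security_stack.c hunk is redundant; `return virSecurityManagerLoadProfile(virSecurityStackGetPrimary(mgr), vm);` is equivalent. A one-line comment that only the primary driver is consulted on purpose (the profile is tied to the seclabel the primary driver generated) would also help, as would naming the parameter def to match the typedef and virSecurityManagerLoadProfile().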
@@ -1070,6 +1083,8 @@ virSecurityDriver virSecurityDriverStack =3D { .domainReserveSecurityLabel =3D virSecurityStackReserveLabel, .domainReleaseSecurityLabel =3D virSecurityStackReleaseLabel, =20 + .domainLoadProfile =3D virSecurityStackLoadProfile, + .domainGetSecurityProcessLabel =3D virSecurityStackGetProcessLabe= l, .domainSetSecurityProcessLabel =3D virSecurityStackSetProcessLabe= l, .domainSetSecurityChildProcessLabel =3D virSecurityStackSetChildProces= sLabel, --=20 2.52.0
From nobody Mon Feb 2 05:54:45 2026
To: devel@lists.libvirt.org
Subject: [PATCH 2/3] qemu: Call virSecurityManagerLoadProfile() at the end of qemuProcessPrepareDomain()
Date: Wed, 14 Jan 2026 16:35:30 +0100
Message-ID: <0cf6af8ca34e8db070d68666ebfd8277e709052c.1768404892.git.mprivozn@redhat.com>
From: Michal Privoznik via Devel

From: Michal Privoznik

So far, this is a NOP as no secdriver implements the callback. But the idea is to separate seclabel generation from profile loading for AppArmor. See next commit.

Signed-off-by: Michal Privoznik
---
 src/qemu/qemu_process.c | 7 +++++++
 src/qemu/qemu_security.h | 1 +
 2 files changed, 8 insertions(+)
diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c index a53bb40783..5d5b1b291b 100644 --- a/src/qemu/qemu_process.c +++ b/src/qemu/qemu_process.c @@ -7154,6 +7154,13 @@ qemuProcessPrepareDomain(virQEMUDriver *driver, } } =20 + /* Keep this as the last step so that security drivers can + * see all the path generated in steps above. */ + if (!(flags & VIR_QEMU_PROCESS_START_PRETEND)) { + if (qemuSecurityManagerLoadProfile(driver->securityManager, vm->de= f) < 0) + return -1; + } + return 0; } =20 diff --git a/src/qemu/qemu_security.h b/src/qemu/qemu_security.h index 36663cffde..d540c01f77 100644 --- a/src/qemu/qemu_security.h +++ b/src/qemu/qemu_security.h 
@@ -137,6 +137,7 @@ int qemuSecurityCommandRun(virQEMUDriver *driver, #define qemuSecurityGetMountOptions virSecurityManagerGetMountOptions #define qemuSecurityGetNested virSecurityManagerGetNested #define qemuSecurityGetProcessLabel virSecurityManagerGetProcessLabel +#define qemuSecurityManagerLoadProfile virSecurityManagerLoadProfile #define qemuSecurityNew virSecurityManagerNew #define qemuSecurityNewDAC virSecurityManagerNewDAC #define qemuSecurityNewStack virSecurityManagerNewStack --=20 2.52.0
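Review bot: typo in the new comment in the qemu_process.c hunk: "all the path generated" should read "all the paths generated". Skipping the call under VIR_QEMU_PROCESS_START_PRETEND is right, since loading a profile into the kernel is a host side effect that a dry run must not have, but that reason belongs in the comment as well so the condition is not removed by a later cleanup.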
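Review bot: the macro name qemuSecurityManagerLoadProfile in the qemu_security.h hunk breaks the naming pattern of its neighbours, where qemuSecurityXxx maps to virSecurityManagerXxx (qemuSecurityGetProcessLabel, qemuSecurityNew, qemuSecurityNewDAC); qemuSecurityLoadProfile would be consistent, with the call site in qemuProcessPrepareDomain() renamed to match.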
From nobody Mon Feb 2 05:54:45 2026
To: devel@lists.libvirt.org
Subject: [PATCH 3/3] security_apparmor: Move profile loading into .domainLoadProfile callback
Date: Wed, 14 Jan 2026 16:35:31 +0100
From: Michal Privoznik via Devel

From: Michal Privoznik

Here's the problem. When starting a QEMU domain, the process is split into several phases. A simplified process looks like this:

1) qemuProcessPrepareDomain()
   1a) qemuSecurityGenLabel()
   1b) generate run time paths
   1c) qemuSecurityManagerLoadProfile()
2) qemuProcessPrepareHost()
   2a) qemuSecurityDomainSetPathLabel() /* transitively */
3) qemuProcessLaunch()
   3a) qemuSecuritySetAllLabel()

NB, step 2a) also contains helper processes used to set up the host, that we want to run in the security context of the domain (e.g. swtpm_setup).

This works well for SELinux and DAC because their APIs basically match 1:1 to ours. But it's not that simple with AppArmor. It doesn't contain any profile upfront, so one is generated in step 1a) (along with the seclabel). But at that point, the domain definition has no run time info. This can then lead to some paths being left out (for instance, disks whose source wasn't translated from a storage pool/vol spec into a path).

After previous commits, there's this new step 1c) which can actually load the profile. Therefore, move profile loading into the .domainLoadProfile callback.

Resolves: https://gitlab.com/libvirt/libvirt/-/issues/135

Signed-off-by: Michal Privoznik
---
 src/security/security_apparmor.c | 31 +++++++++++++++++++++++--------
 1 file changed, 23 insertions(+), 8 deletions(-)
diff --git a/src/security/security_apparmor.c b/src/security/security_appar= mor.c index 68ac39611f..98fad9034d 100644 --- a/src/security/security_apparmor.c +++ b/src/security/security_apparmor.c @@ -387,23 +387,36 @@ AppArmorGenSecurityLabel(virSecurityManager *mgr G_GN= UC_UNUSED, if (!secdef->model) secdef->model =3D g_strdup(SECURITY_APPARMOR_NAME); =20 - /* Now that we have a label, load the profile into the kernel. */ + return 0; +} + + +static int +AppArmorLoadProfile(virSecurityManager *mgr G_GNUC_UNUSED, + virDomainDef *def) +{ + virSecurityLabelDef *secdef =3D virDomainDefGetSecurityLabelDef(def, + SECURITY_APPARMOR_NAME); + + if (!secdef) + return 0; + + if ((secdef->type =3D=3D VIR_DOMAIN_SECLABEL_STATIC) || + (secdef->type =3D=3D VIR_DOMAIN_SECLABEL_NONE)) { + return 0; + } + if (load_profile(mgr, secdef->label, def, NULL, false) < 0) { virReportError(VIR_ERR_INTERNAL_ERROR, _("cannot load AppArmor profile \'%1$s\'"), secdef->label); - goto err; + return -1; } =20 return 0; - - err: - VIR_FREE(secdef->label); - VIR_FREE(secdef->imagelabel); - VIR_FREE(secdef->model); - return -1; } =20 + static int AppArmorSetSecurityAllLabel(virSecurityManager *mgr, char *const *sharedFilesystems G_GNUC_UNUSED, @@ -1157,6 +1170,8 @@ virSecurityDriver virAppArmorSecurityDriver =3D { .domainReserveSecurityLabel =3D AppArmorReserveSecurityLabel, .domainReleaseSecurityLabel =3D AppArmorReleaseSecurityLabel, =20 + .domainLoadProfile =3D AppArmorLoadProfile, + .domainGetSecurityProcessLabel =3D AppArmorGetSecurityProcessLabe= l, .domainSetSecurityProcessLabel =3D AppArmorSetSecurityProcessLabe= l, .domainSetSecurityChildProcessLabel =3D AppArmorSetSecurityChildProces= sLabel, --=20 2.52.0
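Review bot: in the security_apparmor.c hunk, AppArmorLoadProfile() marks mgr as G_GNUC_UNUSED but passes it straight to load_profile(), so the attribute is misleading and should be dropped (conversely, after this move it is worth checking that mgr in AppArmorGenSecurityLabel() really is unused, as its attribute claims). Second, the removed err: path freed secdef->label, secdef->imagelabel and secdef->model when loading failed, whereas AppArmorLoadProfile() now returns -1 and leaves the generated label in the definition; if the domain start failure path is expected to release it via domainReleaseSecurityLabel, the commit message should say so, otherwise the cleanup needs to move along with the load so that a failed load does not leave a label that no kernel profile backs.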