[PATCH] qemu: Label vhostuser net device

Jim Fehlig jfehlig at suse.com
Fri Aug 13 21:36:51 UTC 2021


Attaching a newly created vhostuser port to a VM fails due to an
apparmor denial

internal error: unable to execute QEMU command 'chardev-add': Failed
to bind socket to /run/openvswitch/vhu838c4d29-c9: Permission denied

In the case of a net device type VIR_DOMAIN_NET_TYPE_VHOSTUSER, the
underlying chardev is not labeled in qemuDomainAttachNetDevice prior
to calling qemuMonitorAttachCharDev. Label the chardev before calling
qemuMonitorAttachCharDev, and restore the label when removing the
net device.

Signed-off-by: Jim Fehlig <jfehlig at suse.com>
---
 src/qemu/qemu_hotplug.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/src/qemu/qemu_hotplug.c b/src/qemu/qemu_hotplug.c
index c00e8a7852..42e7997112 100644
--- a/src/qemu/qemu_hotplug.c
+++ b/src/qemu/qemu_hotplug.c
@@ -1467,6 +1467,11 @@ qemuDomainAttachNetDevice(virQEMUDriver *driver,
     }
 
     if (actualType == VIR_DOMAIN_NET_TYPE_VHOSTUSER) {
+        virDomainChrDef chr = { .source = net->data.vhostuser };
+
+        if (qemuSecuritySetChardevLabel(driver, vm, &chr) < 0)
+            goto cleanup;
+
         if (qemuMonitorAttachCharDev(priv->mon, charDevAlias, net->data.vhostuser) < 0) {
             ignore_value(qemuDomainObjExitMonitor(driver, vm));
             virDomainAuditNet(vm, NULL, net, "attach", false);
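Review bot: the new `goto cleanup` on qemuSecuritySetChardevLabel() failure skips the `ignore_value(qemuDomainObjExitMonitor(driver, vm));` that the existing failure path right below it performs, and since qemuMonitorAttachCharDev() is called on priv->mon the monitor has already been entered at this point, so a label failure would leave the domain with the monitor still marked as entered. Either move the labeling above the point where the monitor is entered (it touches only the host socket, not QEMU, so it does not need the monitor), or mirror the existing error path (exit the monitor and call virDomainAuditNet(vm, NULL, net, "attach", false) before the goto). Also worth confirming that the cleanup path restores the label when qemuMonitorAttachCharDev() fails after the label has been applied, so a failed hotplug does not leave the vhostuser socket relabeled.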
@@ -4692,6 +4697,8 @@ qemuDomainRemoveNetDevice(virQEMUDriver *driver,
     }
 
     if (actualType == VIR_DOMAIN_NET_TYPE_VHOSTUSER) {
+        virDomainChrDef chr = { .source = net->data.vhostuser };
+
         /* vhostuser has a chardev too */
         if (qemuMonitorDetachCharDev(priv->mon, charDevAlias) < 0) {
             /* well, this is a messy situation. Guest visible PCI device has
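Review bot: the `chr` local is declared at the top of the VHOSTUSER block but its only use is the restore call after the detach block, so it reads more naturally declared next to that call; the initializer also duplicates the one in qemuDomainAttachNetDevice(), so a small helper that builds the virDomainChrDef from net->data.vhostuser would keep the two call sites in sync.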
@@ -4699,6 +4706,8 @@ qemuDomainRemoveNetDevice(virQEMUDriver *driver,
              * to just ignore the error and carry on.
              */
         }
+        if (qemuSecurityRestoreChardevLabel(driver, vm, &chr) < 0)
+            VIR_WARN("Unable to restore security label on vhostuser char device");
     } else if (actualType == VIR_DOMAIN_NET_TYPE_VDPA) {
         int vdpafdset = -1;
         g_autoptr(qemuMonitorFdsets) fdsets = NULL;
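Review bot: the VIR_WARN on restore failure gives no indication of which device was affected; including charDevAlias (already in scope, used by qemuMonitorDetachCharDev() above) in the message would make the warning actionable. Note also that the restore runs unconditionally after qemuMonitorDetachCharDev(), including the case where the detach failed and the error was deliberately ignored, so the socket label is reverted while QEMU may still hold the chardev; that is consistent with the "carry on" comment, but it is worth stating in the commit message that this is intended.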
-- 
2.32.0