Re: [PATCH 0/9] qemu: support passt as the backend for vhost-user network interfaces

On Thu, Feb 13, 2025 at 01:19:44PM -0500, Laine Stump wrote: [...] Unfortunately unprivileged VMs don't actually benefit from AppArmor isolation. See [1] for a recent discussion about this. I truly appreciate the amount of information you've included in the cover letter, especially the details about required passt version and missing SELinux bits. That made it much easier for me to jump in with some confidence. Speaking of SELinux, with the current policy on Fedora 41 I get a couple of AVC denials related to accessing the shared memory file. I understand that's expected, based on the above, but it's still quite surprising to me that the VM would start at all in this case. Just like the scenario that I've mentioned in my reply to 9/9, the network interface quietly being broken doesn't make for a great user experience. I believe this specific failure scenario, unlike the other one, is pre-existing and not easy to deal with purely through XML validation, but I really think that we should spend some effort (as a follow-up) on making sure that, if passt can't set up the network interface successfully, we report a useful error to the user instead of just leaving things broken with no clear indication that they are. [1] https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/thread/R5... -- Andrea Bolognani / Red Hat / Virtualization