I will open a separate issue for tracking the blockcommit r/w permissions side of this (as I should have done all along).

I've opened a MR to libvirt-tck with a test case that demonstrates the bug [1]. apparmor/110-macvtap.t passes with these patches applied.

Thanks for the reviews and continued consideration.

[1] https://gitlab.com/libvirt/libvirt-tck/-/merge_requests/73

Resolves: https://gitlab.com/libvirt/libvirt/-/issues/692
Signed-off-by: Wesley Hershberger <wesley.hershberger@canonical.com>
---
Changes in v4:
- Split apparmor changes to separate patches
- virBufferEscapeString for formatting in XML
- Fix dangling pointer in virNetDevMacVLanTapOpen
- Added tapfd path to qemustatusxml2xmldata

Changes in v3:
- Fix buglink in commit message
- Link to v2: https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/thread/IPEBL...

Changes in v2:
- Drop `virt-aa-helper: Ask for no deny rule...` as it was applied
- Drop `qemu: Store blockcommit permissions...` due to unresolved concerns
- Pass tapfd path through netdef instead of resolving from fd
- Link to v1: https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/thread/UNNBQ...

---
Wesley Hershberger (3):
      qemu: Store tapfd path in domstatus XML
      apparmor: Pass status XML to virt-aa-helper
      virt-aa-helper: Include macvtap tapfd path

 src/conf/domain_conf.c                    |  8 ++++++++
 src/conf/domain_conf.h                    |  1 +
 src/hypervisor/domain_interface.c         |  2 +-
 src/lxc/lxc_process.c                     |  1 +
 src/qemu/qemu_interface.c                 |  1 +
 src/security/security_apparmor.c          |  1 +
 src/security/virt-aa-helper.c             |  5 +++++
 src/util/virnetdevmacvlan.c               | 18 +++++++++++-------
 src/util/virnetdevmacvlan.h               |  4 +++-
 tests/qemustatusxml2xmldata/modern-in.xml |  7 +++++++
 10 files changed, 39 insertions(+), 9 deletions(-)
---
base-commit: 792cb6bf60e774ee8ecf9e7d3cd2b6f21011ab43
change-id: 20260105-apparmor-races-d03238ee4d93

Best regards,
--
Wesley Hershberger <wesley.hershberger@canonical.com>