File foo.patch of Package libvirt

--- libvirt-12.1.0/src/qemu/qemu_command.c.old	2026-03-26 10:54:33.236512090 +0100
+++ libvirt-12.1.0/src/qemu/qemu_command.c	2026-03-26 10:59:15.656332275 +0100
@@ -8915,13 +8915,29 @@
                                             priv->driver->config->macFilter,
                                             cfg->bridgeHelperName) < 0)
             return -1;
-        break;
 
+        /* Immediately label the TAP fds before any further operations
+         * to avoid race condition where the device is accessed with
+         * the default device_t context instead of tun_tap_device_t */
+        for (int i = 0; i < tapfdSize; i++) {
+            if (qemuSecuritySetTapFDLabel(priv->driver->securityManager,
+                                          vm->def, tapfd[i]) < 0)
+                return -1;
+        }
+        break;
     case VIR_DOMAIN_NET_TYPE_DIRECT:
         vhostfd = true;
         if (qemuInterfaceDirectConnect(vm->def, priv->driver, net,
                                        tapfd, tapfdSize, vmop) < 0)
             return -1;
+        /* Immediately label the TAP fds before any further operations
+         * to avoid race condition where the device is accessed with
+         * the default device_t context instead of tun_tap_device_t */
+        for (int i = 0; i < tapfdSize; i++) {
+            if (qemuSecuritySetTapFDLabel(priv->driver->securityManager,
+                                          vm->def, tapfd[i]) < 0)
+                return -1;
+        }
         break;
 
     case VIR_DOMAIN_NET_TYPE_ETHERNET:
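Review bot: The new `return -1` inside both label loops of this hunk exits while the descriptors are still held only in the raw `tapfd` array. The loop this patch retires (last hunk) ran after `netpriv->tapfds = g_slist_reverse(netpriv->tapfds);`, so presumably the fds had already been handed to that list by then. Unless cleanup outside the hunk closes the array entries, a failed `qemuSecuritySetTapFDLabel()` now leaves open TAP fds behind in the daemon; the copy in the `VIR_DOMAIN_NET_TYPE_ETHERNET` hunk has the same problem. Closing every entry on the failure path before returning, e.g. `VIR_FORCE_CLOSE(tapfd[j]);` in a short loop, would keep the error path clean. The enclosing function and the first `case` label lie outside the hunk, so who owns `tapfd` should be confirmed there.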
@@ -8931,6 +8947,14 @@
                                               priv->driver->privileged,
                                               tapfd, tapfdSize) < 0)
             return -1;
+        /* Immediately label the TAP fds before any further operations
+         * to avoid race condition where the device is accessed with
+         * the default device_t context instead of tun_tap_device_t */
+        for (int i = 0; i < tapfdSize; i++) {
+            if (qemuSecuritySetTapFDLabel(priv->driver->securityManager,
+                                          vm->def, tapfd[i]) < 0)
+                return -1;
+        }
         vhostfd = true;
         break;
 
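Review bot: `for (int i = 0; i < tapfdSize; i++)` declares a fresh `int i`, although the loop removed in the last hunk used a function-scope `i` without declaring it. The new counter therefore shadows that variable and, if `tapfdSize` is an unsigned size type (its declaration is outside the hunk), compares signed with unsigned. The same line appears in both loops of the previous hunk. Writing `for (i = 0; i < tapfdSize; i++) {` in all three places avoids both problems. Since the three blocks are identical, they could also be folded into one small static helper called from each case, so the labelling and its comment live in one place.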
@@ -8971,11 +8995,11 @@
 
         netpriv->tapfds = g_slist_reverse(netpriv->tapfds);
 
-        for (i = 0; i < tapfdSize; i++) {
-            if (qemuSecuritySetTapFDLabel(priv->driver->securityManager,
-                                          vm->def, tapfd[i]) < 0)
-                return -1;
-        }
+        /* for (i = 0; i < tapfdSize; i++) { */
+        /*     if (qemuSecuritySetTapFDLabel(priv->driver->securityManager, */
+        /*                                   vm->def, tapfd[i]) < 0) */
+        /*         return -1; */
+        /* } */
 
         if (qemuInterfaceOpenVhostNet(vm, net) < 0)
             return -1;
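Review bot: Disabling the single shared labelling loop here means any interface type that reaches this block without its own copy now proceeds with TAP fds that still carry the default label, and nothing reports it. Only three switch arms received a copy in this patch, and whether other arms can populate `tapfd` is not visible from these hunks, so that should be checked. The old loop should be deleted rather than left commented out, with a short pointer in its place such as `/* TAP fds are labelled in the switch above, right after each *Connect() call */`. If relabelling an already-labelled fd is harmless, keeping the loop as a backstop would be the more defensive choice.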