Comment 24 for bug 1815910

I think they vhost_scsi might be covered by AppArmorSetSecurityHostLabel adding the rule as needed.
I'm not so sure on vhost_vsock.
Certainly worth to come up with a few tests and ensure that is true for all early/late access cases when implementing this.