I checked vsock devices, those are fully mediated by libvirt and only an already open FD is passed when using those.
Without apparmor allowing a new open to qemu I have:
sudo lsof -p 9445 +fg | grep vhost
qemu-syst 9445 libvirt-qemu 19u CHR RW,LG 10,241 0t0 503 /dev/vhost-vsock
For:
<vsock model='virtio'>
  <cid auto='yes'/>
</vsock>
So vsock is good as-is
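The check above can be scripted for any qemu process: read the /proc/PID/fd symlinks for vhost devices, then see whether the AppArmor profile text would let the process open that device on its own. A vhost FD that is held while no rule permits opening it is the inherited, libvirt-mediated case described above. This is an added example, not code from the bug comment or from libvirt; it assumes the Ubuntu abstraction path /etc/apparmor.d/abstractions/libvirt-qemu for the live run, and its rule matching is a coarse first-token glob match, not a full AppArmor parser (owner/audit prefixes and deny precedence are not modelled).

```shell
#!/bin/sh
# Added example: classify vhost device FDs held by a qemu process.
# vhost_fds PID [PROCROOT]  - list "FDNUM /dev/vhost-..." entries; PROCROOT defaults
#                             to /proc and can be pointed at a constructed tree for tests.
vhost_fds() {
    pid=$1
    procroot=${2:-/proc}
    for fd in "$procroot/$pid/fd"/*; do
        [ -L "$fd" ] || continue              # /proc fd entries are symlinks; skip non-matches
        target=$(readlink "$fd") || continue
        case "$target" in
            /dev/vhost-*) printf '%s %s\n' "${fd##*/}" "$target" ;;
        esac
    done
}

# profile_allows PROFILE_FILE DEVPATH - return 0 if some non-deny rule's path token
# glob-matches DEVPATH (e.g. "/dev/vhost-* rw," or "/dev/vhost-vsock rw,").
profile_allows() {
    profile=$1
    dev=$2
    while IFS= read -r line; do
        line=${line#"${line%%[![:space:]]*}"}   # strip leading whitespace
        case "$line" in
            ""|\#*|deny*) continue ;;           # blank, comment, or explicit deny rule
        esac
        path=${line%% *}                        # first token is the path of a file rule
        path=${path#\"}; path=${path%\"}        # drop optional quotes
        case "$dev" in
            $path) return 0 ;;                  # unquoted: shell glob match against the rule
        esac
    done < "$profile"
    return 1
}

# classify PID DEVPATH PROFILE_FILE [PROCROOT]
#   inherited : FD is held but the profile has no rule to open it (passed in by libvirt)
#   openable  : FD is held and the process could also open the device itself
#   absent    : no FD for that device
classify() {
    pid=$1; dev=$2; profile=$3; procroot=${4:-/proc}
    if vhost_fds "$pid" "$procroot" | grep -q " $dev\$"; then
        if profile_allows "$profile" "$dev"; then
            echo openable
        else
            echo inherited
        fi
    else
        echo absent
    fi
}

# Live use (needs root to read another user's /proc/PID/fd), e.g.:
#   sudo sh vhost_fd_check.sh 9445
# The abstraction path below is assumed to be the Ubuntu default.
if [ -n "${1:-}" ]; then
    vhost_fds "$1"
    classify "$1" /dev/vhost-vsock /etc/apparmor.d/abstractions/libvirt-qemu
fi
```

For the process in the comment (PID 9445, FD 19 on /dev/vhost-vsock, no vhost-vsock rule in the profile) the result is "inherited", which is the mediated case the comment confirms with lsof.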