On Wed, Jan 15, 2025 at 11:49:43AM -0300, Georgia Garcia wrote:
> On Tue, 2025-01-14 at 12:13 -0600, Andrea Bolognani wrote:
> > Going by the example presented in [1], IIUC your change would make it
> > so the lines needed for macvtap use, specifically
> >
> >   "/dev/net/tun" rwk,
> >   "/dev/tap82" rwk,
> >
> > would be written to .runtime_files instead of .files. That's good
> > enough to safeguard them from disappearing when disks are unplugged,
> > but what if the macvtap interface itself is? Wouldn't those lines
> > linger around despite being no longer needed?
>
> Yes, they would, and that is the current behavior - if you remove only
> the macvtap, it will not be removed from .files
>
> That's the current limitation because there are no security hooks
> called when macvtap devices are unplugged. I thought it would be better
> to be over-permissive (fd permissions linger throughout the runtime of
> the VM) than over-restrictive to fix the issue given what's available
> in the security side of libvirt.