commit c7abe7448c746cf0e3a6b7fab80e083afba5d5ae
Author: Serge Hallyn <serge.hallyn@ubuntu.com>
Date:   Wed Jun 18 03:20:59 2014 +0000

    virt-aa-helper: allow access to /dev/vhost-net if needed
    
    Only allow the access if it is a KVM domain which has a NIC which wants
    non-userspace networking.
    
    This addresses https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1322568
    
    Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>

Index: libvirt-1.2.2/src/security/virt-aa-helper.c
===================================================================
--- libvirt-1.2.2.orig/src/security/virt-aa-helper.c
+++ libvirt-1.2.2/src/security/virt-aa-helper.c
@@ -900,7 +900,7 @@ get_files(vahControl * ctl)
     size_t i;
     char *uuid;
     char uuidstr[VIR_UUID_STRING_BUFLEN];
-    bool needsVfio = false;
+    bool needsVfio = false, needsvhost = false;
 
     /* verify uuid is same as what we were given on the command line */
     virUUIDFormat(ctl->def->uuid, uuidstr);
@@ -1076,6 +1076,21 @@ get_files(vahControl * ctl)
         }
     }
 
+    if (ctl->def->virtType == VIR_DOMAIN_VIRT_KVM) {
+        for (i = 0; i < ctl->def->nnets; i++) {
+            virDomainNetDefPtr net = ctl->def->nets[i];
+            if (net && net->model) {
+                if (net->driver.virtio.name == VIR_DOMAIN_NET_BACKEND_TYPE_QEMU)
+                    continue;
+                if (STRNEQ(net->model, "virtio"))
+                    continue;
+            }
+            needsvhost = true;
+        }
+    }
+    if (needsvhost)
+        virBufferAddLit(&buf, "  /dev/vhost-net rw,\n");
+
     if (needsVfio) {
         virBufferAddLit(&buf, "  /dev/vfio/vfio rw,\n");
         virBufferAddLit(&buf, "  /dev/vfio/[0-9]* rw,\n");
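Review bot: The loop sets `needsvhost = true` for any NIC entry that is NULL or has no `model`, because both `continue` checks sit inside `if (net && net->model)`. The `/dev/vhost-net rw,` rule is then emitted for guests the commit message says should not get it, which widens the AppArmor profile beyond least privilege. vhost-net is presumably only used by virtio NICs, so the guard would be tighter as `if (!net || !net->model || STRNEQ(net->model, "virtio")) continue;` followed by the existing backend check `if (net->driver.virtio.name == VIR_DOMAIN_NET_BACKEND_TYPE_QEMU) continue;`. The interface type is not examined either, so a user-mode NIC with a virtio model would apparently also get the rule; this is worth confirming against how the QEMU driver decides to open vhost. `get_files` begins and ends outside this hunk.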
