From 0314617ded701a25537882e60a33d67f99db4691 Mon Sep 17 00:00:00 2001
From: Lewis Roy <lewis@redhat.com>
Date: Mon, 25 Aug 2025 13:50:50 +1000
Subject: [PATCH] feat: Add support for running qemu-guest-agent in machine

Signed-off-by: Lewis Roy <lewis@redhat.com>
---
 build.sh                              |  2 +-
 podman-image/Containerfile.COREOS     | 13 +++++++++++++
 podman-image/build_common.sh          |  4 ++++
 podman-image/qemu-guest-agent.service | 11 +++++++++++
 podman-image/qemuga-vsock.te          |  9 +++++++++
 5 files changed, 38 insertions(+), 1 deletion(-)
 create mode 100644 podman-image/qemu-guest-agent.service
 create mode 100644 podman-image/qemuga-vsock.te

diff --git a/build.sh b/build.sh
index ed36789c..d245396b 100755
--- a/build.sh
+++ b/build.sh
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/usr/bin/env bash
 
 set -exo pipefail
 
diff --git a/podman-image/Containerfile.COREOS b/podman-image/Containerfile.COREOS
index ead40cac..2d2f08f8 100644
--- a/podman-image/Containerfile.COREOS
+++ b/podman-image/Containerfile.COREOS
@@ -40,3 +40,16 @@ RUN --network=none rm -vf /etc/resolv.conf && rpm -e systemd-resolved
 # https://github.com/containers/podman/pull/21670#discussion_r1585790802
 COPY rosetta-activation.service /etc/systemd/system/rosetta-activation.service
 COPY rosetta-activation.sh /usr/local/bin/rosetta-activation.sh
+
+# Configure qemu-guest-agent
+# Copy in our service file override that communicates over vsock
+COPY qemu-guest-agent.service /etc/systemd/system/qemu-guest-agent.service
+# Bind mount non-base selinux policy module compile it and install it to allow
+# qemu-guest-agent access to the vsock-socket
+RUN --mount=type=bind,source=/qemuga-vsock.te,target=/run/qemuga-vsock.te,z <<EOF
+/usr/bin/checkmodule -M -m -o /run/qemuga-vsock.mod /run/qemuga-vsock.te
+/usr/bin/semodule_package -o /run/qemuga-vsock.pp -m /run/qemuga-vsock.mod
+sudo semodule -i /run/qemuga-vsock.pp
+rm /run/qemuga-vsock.pp /run/qemuga-vsock.mod
+systemctl enable qemu-guest-agent.service
+EOF
diff --git a/podman-image/build_common.sh b/podman-image/build_common.sh
index f694523c..0b79de69 100755
--- a/podman-image/build_common.sh
+++ b/podman-image/build_common.sh
@@ -105,6 +105,10 @@ PACKAGES=(
 
     # cpp for buildah.in support
     cpp
+
+    # qemu-guest-agent to enable communication from the host
+    qemu-guest-agent
+    checkpolicy
 )
 
 dnf install -y "${PACKAGES[@]}"
diff --git a/podman-image/qemu-guest-agent.service b/podman-image/qemu-guest-agent.service
new file mode 100644
index 00000000..6a695c9a
--- /dev/null
+++ b/podman-image/qemu-guest-agent.service
@@ -0,0 +1,11 @@
+Description=QEMU Guest Agent
+IgnoreOnIsolate=True
+
+[Service]
+UMask=0077
+ExecStart=/usr/bin/qemu-ga --method=vsock-listen --path=3:1025 # Todo: The 3 may need to be dynamic
+Restart=always
+RestartSec=0
+
+[Install]
+WantedBy=default.target
diff --git a/podman-image/qemuga-vsock.te b/podman-image/qemuga-vsock.te
new file mode 100644
index 00000000..30533f8c
--- /dev/null
+++ b/podman-image/qemuga-vsock.te
@@ -0,0 +1,9 @@
+module qemuga-vsock 1.0;
+
+require {
+        type virt_qemu_ga_t;
+        class vsock_socket { bind create getattr listen accept read write };
+}
+
+#============= virt_qemu_ga_t ==============
+allow virt_qemu_ga_t self:vsock_socket { bind create getattr listen accept read write };