Support vmnet networking without elevated permissions

Goal

QEMU 7.1 introduced support for networking using vmnet on macOS. The goal would be to allow running QEMU without sudo when using vmnet for networking.

Technical details

There is a com.apple.vm.networking entitlement [1] that allows managing virtual network interfaces without elevated permissions. QEMU already has the com.apple.security.hypervisor entitlement when it's being built with support for the hvf accelerator. I guess this could be extended somehow to include the aforementioned entitlement when built with support for vmnet networking.

I've found a project [2] that uses this entitlement and QEMU under the hood and thus doesn't need elevated permissions. It might give some more insight into how this could work.

Additional information

Here is a command that doesn't work when running as a normal user:

$ qemu-system-aarch64 \
    -device virtio-net-pci,netdev=net0 \
    -netdev vmnet-bridged,id=net0,ifname=en0 \
    -machine virt

It fails with:

qemu-system-aarch64: -netdev vmnet-bridged,id=net0,ifname=en0: cannot create vmnet interface: general failure (possibly not enough privileges)

When running the same command using elevated permissions (i.e. via sudo), it works without any issue.

Links
