Support vmnet networking without elevated permissions
Goal
QEMU 7.1 introduced support for networking using vmnet on macOS.
The goal would be to allow running QEMU without sudo when using vmnet for networking.
Technical details
There is a com.apple.vm.networking entitlement [1] that allows managing virtual network interfaces without elevated permissions.
QEMU already has the com.apple.security.hypervisor entitlement when it's being built with support for the hvf accelerator.
I guess this could be extended somehow to include the aforementioned entitlement when built with support for vmnet networking.
I've found a project [2] that uses this entitlement and QEMU under the hood and thus doesn't need elevated permissions. It might give some more insight into how this could work.
Additional information
Here is a command that doesn't work when running as a normal user:
$ qemu-system-aarch64 \
-device virtio-net-pci,netdev=net0 \
-netdev vmnet-bridged,id=net0,ifname=en0 \
-machine virt
It fails with:
qemu-system-aarch64: -netdev vmnet-bridged,id=net0,ifname=en0: cannot create vmnet interface: general failure (possibly not enough privileges)
When running the same command using elevated permissions (i.e. via sudo), it works without any issue.
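A check for the entitlement situation described in this issue, as an added example that is not part of the original report or of QEMU: it reads the entitlements plist of a signed binary (for example the output of `codesign -d --entitlements :- <binary>`) and reports whether a command line using a vmnet `-netdev` backend is expected to need sudo. The function names and the sample plist are constructed for illustration.

```python
import plistlib

# Entitlement keys named in the issue above.
HVF = "com.apple.security.hypervisor"
VMNET = "com.apple.vm.networking"

# Constructed sample: entitlements of a binary signed for hvf only.
HVF_ONLY = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>com.apple.security.hypervisor</key><true/>
</dict></plist>"""


def granted(plist_bytes):
    """Return the entitlement keys whose value is boolean true."""
    if not plist_bytes.strip():          # unsigned, or no entitlements at all
        return set()
    data = plistlib.loads(plist_bytes)
    if not isinstance(data, dict):
        raise ValueError("entitlements plist must be a dictionary")
    return {key for key, value in data.items() if value is True}


def netdev_backends(argv):
    """Return the backend type of every -netdev option in a QEMU argv."""
    backends = []
    for i, arg in enumerate(argv[:-1]):
        if arg == "-netdev":
            # The backend type is the first comma-separated field.
            backends.append(argv[i + 1].split(",", 1)[0])
    return backends


def needs_sudo(plist_bytes, argv):
    """True if argv uses a vmnet backend and the binary lacks VMNET."""
    uses_vmnet = any(b.startswith("vmnet-") for b in netdev_backends(argv))
    return uses_vmnet and VMNET not in granted(plist_bytes)


if __name__ == "__main__":
    # The failing command from the report, as an argv list.
    cmd = ["qemu-system-aarch64", "-device", "virtio-net-pci,netdev=net0",
           "-netdev", "vmnet-bridged,id=net0,ifname=en0", "-machine", "virt"]
    print("entitlements:", sorted(granted(HVF_ONLY)))
    print("needs sudo:", needs_sudo(HVF_ONLY, cmd))
```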