Comment 41 for bug 1393842

I understand why you are doing this, but this means that a malicious guest is now able to create, for example, a block device with only DAC protecting the host. Since qemu on Ubuntu runs as non-root, this isn't completely horrible, but since apparmor doesn't have fine-grained mediation of mknod, it would be better if the guest agent were modified to use a socket (perhaps abstract?) so the mknod was not required.