Discussed here: https://bugzilla.redhat.com/show_bug.cgi?id=1921826
Note that SELinux prevents passing the file descriptor. If you are testing this, you need to set permissive SELinux mode.
To be clear, this patch adds large complexity only to open the ovsdb socket. But the goal here is to add a general mechanism, how we in the future can move more privileged operations out of NetworkManager and sandbox NetworkManager better.