From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124])
	by passt.top (Postfix) with ESMTP id 31DAE5A02A4
	for <passt-dev@passt.top>; Mon, 13 May 2024 19:48:35 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
	s=mimecast20190719; t=1715622514;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=4NAdRobTu5+pAlTLZbVOZLCy3DHL9dnFRQGDet5Feo8=;
	b=VuFrPiMDQ37xtrqmxZhrOLPpguaW6vc57/wri7ffUv+kO2KrJo8uR3Ed4qpPYbWi64u3H2
	0qevNUYK5l5kvZsqA4n259htIG5j9WWTInoQuWXk0QcQftBmt3/vt1pGSJRqjh5q5MgVlw
	FHdQ03mjxyWJvmTL+5VIZFgB5w14gDc=
Received: from mimecast-mx02.redhat.com (mimecast-mx02.redhat.com
 [66.187.233.88]) by relay.mimecast.com with ESMTP with STARTTLS
 (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id
 us-mta-509-6Dt87mZeNs-XjL3-rjfBMw-1; Mon, 13 May 2024 13:42:29 -0400
X-MC-Unique: 6Dt87mZeNs-XjL3-rjfBMw-1
Received: from smtp.corp.redhat.com (int-mx08.intmail.prod.int.rdu2.redhat.com [10.11.54.8])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256)
	(No client certificate requested)
	by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 291988009FF
	for <passt-dev@passt.top>; Mon, 13 May 2024 17:42:29 +0000 (UTC)
Received: from pholzing-fedora.redhat.com (unknown [10.39.192.18])
	by smtp.corp.redhat.com (Postfix) with ESMTP id 841B7C15BB9;
	Mon, 13 May 2024 17:42:28 +0000 (UTC)
From: Paul Holzinger <pholzing@redhat.com>
To: passt-dev@passt.top
Subject: [PATCH] apparmor: allow netns paths on /tmp
Date: Mon, 13 May 2024 19:41:55 +0200
Message-ID: <20240513174154.85616-2-pholzing@redhat.com>
MIME-Version: 1.0
X-Scanned-By: MIMEDefang 3.4.1 on 10.11.54.8
X-Mimecast-Spam-Score: 0
X-Mimecast-Originator: redhat.com
Content-Transfer-Encoding: 8bit
Content-Type: text/plain; charset="US-ASCII"; x-default=true
Message-ID-Hash: V52XI6BQX72AVY7GRKATDVV4CH7UMG2I
X-Message-ID-Hash: V52XI6BQX72AVY7GRKATDVV4CH7UMG2I
X-MailFrom: pholzing@redhat.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Paul Holzinger <pholzing@redhat.com>
X-Mailman-Version: 3.3.8
Precedence: list
List-Id: Development discussion and patches for passt <passt-dev.passt.top>
Archived-At: <https://archives.passt.top/passt-dev/20240513174154.85616-2-pholzing@redhat.com/>
Archived-At: <https://passt.top/hyperkitty/list/passt-dev@passt.top/message/V52XI6BQX72AVY7GRKATDVV4CH7UMG2I/>
List-Archive: <https://archives.passt.top/passt-dev/>
List-Archive: <https://passt.top/hyperkitty/list/passt-dev@passt.top/>
List-Help: <mailto:passt-dev-request@passt.top?subject=help>
List-Owner: <mailto:passt-dev-owner@passt.top>
List-Post: <mailto:passt-dev@passt.top>
List-Subscribe: <mailto:passt-dev-join@passt.top>
List-Unsubscribe: <mailto:passt-dev-leave@passt.top>

For some unknown reason "owner" makes it impossible to open bind-mounted
netns references, as AppArmor denies it. In the kernel's denied log entry
we see ouid=0, but it is not clear why that is, as the actual file is
owned by the real (rootless) user id.

In abstractions/pasta there is already `@{run}/user/@{uid}/**` without
owner set, for the same reason, as this path contains the netns path by
default when running under Podman.

Fixes: 72884484b00d ("apparmor: allow read access on /tmp for pasta")

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
---
 contrib/apparmor/usr.bin.pasta | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/contrib/apparmor/usr.bin.pasta b/contrib/apparmor/usr.bin.pasta
index 2a4d28c..bdfeb71 100644
--- a/contrib/apparmor/usr.bin.pasta
+++ b/contrib/apparmor/usr.bin.pasta
@@ -19,7 +19,7 @@ profile pasta /usr/bin/pasta{,.avx2} flags=(attach_disconnected) {
   include <abstractions/pasta>
 
   # Alternatively: include <abstractions/user-tmp>
-  owner /tmp/**				rw,	# tap_sock_unix_init(), pcap(),
+  /tmp/**				rw,	# tap_sock_unix_init(), pcap(),
 						# write_pidfile(),
 						# logfile_init(),
 						# pasta_open_ns()
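Review bot: replacing `owner /tmp/** rw,` with `/tmp/** rw,` grants pasta read/write access to every file under /tmp regardless of owner, which is far wider than the stated need (opening a bind-mounted netns reference), and the commit message itself says the cause of the ouid=0 denial is not understood, so the widening is applied before the root cause is known. Of the callers listed in the comment, only pasta_open_ns() opens the netns path; the others (tap_sock_unix_init(), pcap(), write_pidfile(), logfile_init()) were evidently satisfied by the owner-qualified rule, since the message reports only the netns reference as denied. Consider keeping `owner /tmp/** rw,` and adding a separate non-owner rule limited to what pasta_open_ns() needs, e.g. `/tmp/** r,` if the netns reference is only ever opened for reading, rather than dropping the owner qualifier from the rw rule. The `# Alternatively: include <abstractions/user-tmp>` comment above the rule should also be re-checked: if that abstraction's /tmp rules are owner-restricted, as upstream AppArmor's user-tmp is, it is no longer an equivalent alternative after this change.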
-- 
2.45.0