From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124])
	by passt.top (Postfix) with ESMTP id B05215A02D2
	for <passt-dev@passt.top>; Mon, 13 May 2024 23:37:52 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
	s=mimecast20190719; t=1715636271;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references;
	bh=gDqFkMZxy2QX5TNmGUI7PAqzAQGAzAS4dBc7/zKo748=;
	b=JkYORaO5sGwbSLR8LJOtaCVaP68QWke4OrSYdwqeyu3fufoXdNW3ELeGdHHd8Z26QM4RXe
	emQxHdnMn92qs3uc71TEXMnbngo726581VbD0ppYbNXxjc5285MjZDSMh6OxZ4LVnWZ8MK
	4L87mgkDn7Zbcb7s25bzS5z3fcXgkX8=
Received: from mail-lf1-f70.google.com (mail-lf1-f70.google.com
 [209.85.167.70]) by relay.mimecast.com with ESMTP with STARTTLS
 (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id
 us-mta-452-U-LiJk6BP2yQ0Ltgxx2Olg-1; Mon, 13 May 2024 17:37:50 -0400
X-MC-Unique: U-LiJk6BP2yQ0Ltgxx2Olg-1
Received: by mail-lf1-f70.google.com with SMTP id 2adb3069b0e04-51fd3568b04so4229905e87.1
        for <passt-dev@passt.top>; Mon, 13 May 2024 14:37:49 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1715636267; x=1716241067;
        h=content-transfer-encoding:mime-version:organization:references
         :in-reply-to:message-id:subject:cc:to:from:date:x-gm-message-state
         :from:to:cc:subject:date:message-id:reply-to;
        bh=gDqFkMZxy2QX5TNmGUI7PAqzAQGAzAS4dBc7/zKo748=;
        b=YM5avz5LbMso2ee3ER1FZnHD2XItdJtTM02Wbh5A4DoWaJeeFoJ/Qx6tY1wlV9827w
         twVmd2t/QvzeMxWJw8dlAke566k6QW5tqJOsjVSbekQNd4Gueq12G6m0UiuIk11Rz4Fp
         Rr93x4WqCWJc0C31aX3ZrUmyws17ZeILp2oHuAMcoUoJYcGtwIsivdy0ULl+oMMNtrmN
         WMA/bf5ajKXOIWA+WpNfvx7/uEdvJ2/Tr8lXXmK4yxWG3dgU4Z0mPbDndkL6RxenmMLg
         WHbdr8axll9RUsi9g/qB0pvUotDWoeNCPWfyrytRrnwFTfYguy69E+M2Y0A53Wj6HiRw
         8qfQ==
X-Gm-Message-State: AOJu0Yy1jEXpJDfRYX0fjaF9Ke7hLbKOgTn28z3dhyIHkLPz/y0DPdkJ
	KfvAIhk3ZE3n54D0mNGu3BrYK4k+/5QK1zJ8Zt0vWGyOGaVbcI6hZGlUjgCO5ISZ3Gs6bzK/07v
	rA/w6XT3JLtWtRiyPaXiWQ+vD3aDbPWxNBUlKTCDoSdB7ZazRx+KHrEP2J6PEwR6f97vndF6icD
	4uYYC83FLpr2sh5y7A0BBrmfDy87kZEDqfEt4=
X-Received: by 2002:a05:6512:3ca4:b0:51d:67a0:2433 with SMTP id 2adb3069b0e04-52210074979mr8628039e87.46.1715636266676;
        Mon, 13 May 2024 14:37:46 -0700 (PDT)
X-Google-Smtp-Source: AGHT+IFh6oixvRmMlrGlscxplCt0V8GtYb3Q0RMbRolnguMiUDqcoEfrEsTszm+42OC4AEjNL4QNhg==
X-Received: by 2002:a05:6512:3ca4:b0:51d:67a0:2433 with SMTP id 2adb3069b0e04-52210074979mr8628023e87.46.1715636266080;
        Mon, 13 May 2024 14:37:46 -0700 (PDT)
Received: from maya.cloud.tilaa.com (maya.cloud.tilaa.com. [164.138.29.33])
        by smtp.gmail.com with ESMTPSA id a640c23a62f3a-a5a1781cf70sm640899766b.30.2024.05.13.14.37.45
        (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128);
        Mon, 13 May 2024 14:37:45 -0700 (PDT)
Date: Mon, 13 May 2024 23:37:12 +0200
From: Stefano Brivio <sbrivio@redhat.com>
To: Paul Holzinger <pholzing@redhat.com>
Subject: Re: [PATCH] apparmor: allow netns paths on /tmp
Message-ID: <20240513233712.266f0747@elisabeth>
In-Reply-To: <20240513174154.85616-2-pholzing@redhat.com>
References: <20240513174154.85616-2-pholzing@redhat.com>
Organization: Red Hat
X-Mailer: Claws Mail 4.2.0 (GTK 3.24.36; x86_64-pc-linux-gnu)
MIME-Version: 1.0
X-Mimecast-Spam-Score: 0
X-Mimecast-Originator: redhat.com
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Message-ID-Hash: HFBJYHE7YQAFBPH6FMSWRUXMNQ6UFUMV
X-Message-ID-Hash: HFBJYHE7YQAFBPH6FMSWRUXMNQ6UFUMV
X-MailFrom: sbrivio@redhat.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: passt-dev@passt.top
X-Mailman-Version: 3.3.8
Precedence: list
List-Id: Development discussion and patches for passt <passt-dev.passt.top>
Archived-At: <https://archives.passt.top/passt-dev/20240513233712.266f0747@elisabeth/>
Archived-At: <https://passt.top/hyperkitty/list/passt-dev@passt.top/message/HFBJYHE7YQAFBPH6FMSWRUXMNQ6UFUMV/>
List-Archive: <https://archives.passt.top/passt-dev/>
List-Archive: <https://passt.top/hyperkitty/list/passt-dev@passt.top/>
List-Help: <mailto:passt-dev-request@passt.top?subject=help>
List-Owner: <mailto:passt-dev-owner@passt.top>
List-Post: <mailto:passt-dev@passt.top>
List-Subscribe: <mailto:passt-dev-join@passt.top>
List-Unsubscribe: <mailto:passt-dev-leave@passt.top>

On Mon, 13 May 2024 19:41:55 +0200
Paul Holzinger <pholzing@redhat.com> wrote:

> For some unknown reason "owner" makes it impossible to open bind mounted
> netns references as apparmor denies it. In the kernel denied log entry
> we see ouid=0 but it is not clear why that is as the actual file is
> owned by the real (rootless) user id.
> 
> In abstractions/pasta there is already `@{run}/user/@{uid}/**` without
> owner set for the same reason as this path contains the netns path by
> default when running under Podman.
> 
> Fixes: 72884484b00d ("apparmor: allow read access on /tmp for pasta")
> 
> Signed-off-by: Paul Holzinger <pholzing@redhat.com>

Applied.

-- 
Stefano