Date: Mon, 13 May 2024 23:37:12 +0200
From: Stefano Brivio
To: Paul Holzinger
CC: passt-dev@passt.top
Subject: Re: [PATCH] apparmor: allow netns paths on /tmp
Message-ID: <20240513233712.266f0747@elisabeth>
In-Reply-To: <20240513174154.85616-2-pholzing@redhat.com>
References: <20240513174154.85616-2-pholzing@redhat.com>
Organization: Red Hat
List-Id: Development discussion and patches for passt

On Mon, 13 May 2024 19:41:55 +0200
Paul Holzinger wrote:

> For some unknown reason "owner" makes it impossible to open bind-mounted
> netns references as apparmor denies it. In the kernel denied log entry
> we see ouid=0 but it is not clear why that is as the actual file is
> owned by the real (rootless) user id.
>
> In abstractions/pasta there is already `@{run}/user/@{uid}/**` without
> owner set for the same reason as this path contains the netns path by
> default when running under Podman.
>
> Fixes: 72884484b00d ("apparmor: allow read access on /tmp for pasta")
>
> Signed-off-by: Paul Holzinger

Applied.

-- 
Stefano
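The commit message above uses `ouid=0` in the kernel's denial record as the clue. AppArmor's `owner` qualifier only lets a rule match when the uid that owns the file (`ouid` in the audit line) equals the fsuid of the task that opened it (`fsuid`), so comparing those two fields is the quickest way to tell whether a denial comes from an `owner`-qualified rule that cannot match (the case this patch fixes by dropping `owner` from the `/tmp` rule) or from a profile that simply has no rule for the path. The triage helper below is an added example, not code from this thread or from the passt project; the audit lines it parses are constructed, and the netns path in them is hypothetical.

```python
import re

# Fields of an AppArmor "DENIED" audit line that matter for diagnosing an
# `owner`-qualified rule: operation, profile, path, denied permissions, the
# uid of the accessing task (fsuid) and the uid that owns the file (ouid).
DENIAL_RE = re.compile(
    r'apparmor="DENIED".*?operation="(?P<op>[^"]+)".*?profile="(?P<profile>[^"]+)"'
    r'.*?name="(?P<name>[^"]+)".*?denied_mask="(?P<mask>[^"]+)"'
    r'.*?fsuid=(?P<fsuid>\d+).*?ouid=(?P<ouid>\d+)'
)


def parse_denial(line):
    """Return the interesting fields of one audit line, or None if it is not a denial."""
    m = DENIAL_RE.search(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["fsuid"] = int(fields["fsuid"])
    fields["ouid"] = int(fields["ouid"])
    return fields


def classify(denial):
    """
    Distinguish the two usual causes of a file denial:
    - "owner-mismatch": the task's fsuid differs from the file's ouid, so an
      `owner`-qualified rule for this path can never match; check whether the
      profile's rule for the path carries `owner` before adding new paths
    - "no-rule": the uids agree, so `owner` is not the problem and the
      profile most likely lacks a rule covering the path at all
    """
    if denial["fsuid"] != denial["ouid"]:
        return "owner-mismatch"
    return "no-rule"


# Constructed sample lines (not taken from the thread). The first mirrors the
# situation in the commit message: a rootless user (fsuid=1000) opening a
# bind-mounted netns reference under /tmp that the kernel reports as owned by
# root (ouid=0). The path is hypothetical.
SAMPLE_LOG = """\
audit: type=1400 audit(1715636000.123:456): apparmor="DENIED" operation="open" profile="pasta" name="/tmp/containers-user-1000/netns/netns-abc" pid=4242 comm="pasta" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
audit: type=1400 audit(1715636001.456:457): apparmor="DENIED" operation="open" profile="pasta" name="/etc/secret.conf" pid=4243 comm="pasta" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
audit: type=1400 audit(1715636002.789:458): apparmor="ALLOWED" operation="open" profile="pasta" name="/tmp/ok" pid=4244 comm="pasta" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
"""


def triage(log_text):
    """Parse every line and return a (path, classification) pair per denial."""
    results = []
    for line in log_text.splitlines():
        denial = parse_denial(line)
        if denial is None:
            continue  # ALLOWED / audit-only lines and unrelated messages
        results.append((denial["name"], classify(denial)))
    return results


if __name__ == "__main__":
    for path, kind in triage(SAMPLE_LOG):
        print(f"{kind:15} {path}")
```

Run it against `dmesg` or `journalctl -k` output instead of `SAMPLE_LOG` to triage real denials; an `owner-mismatch` result for a path that the profile already lists is the signature of the problem this patch addresses, while `no-rule` points at a genuinely missing path rule.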