From: Stefano Brivio
To: passt-dev@passt.top
CC: "Richard W. M. Jones"
Subject: [PATCH] apparmor: Fix comments after PID file and AF_UNIX socket creation refactoring
Date: Thu, 23 May 2024 13:19:17 +0200
Message-ID: <20240523111917.1745151-1-sbrivio@redhat.com>
List-Id: Development discussion and patches for passt

Now:

- we don't open the PID file in main() anymore
- PID file and AF_UNIX socket are opened by pidfile_open() and tap_sock_unix_open()
- write_pidfile() becomes pidfile_write()

Reported-by: Richard W.M. Jones
Signed-off-by: Stefano Brivio
---
 contrib/apparmor/abstractions/pasta | 2 +-
 contrib/apparmor/usr.bin.passt      | 9 ++++++---
 contrib/apparmor/usr.bin.pasta      | 9 ++++++---
 3 files changed, 13 insertions(+), 7 deletions(-)
diff --git a/contrib/apparmor/abstractions/pasta b/contrib/apparmor/abstrac= tions/pasta index 581ad1b..9f73bee 100644 --- a/contrib/apparmor/abstractions/pasta +++ b/contrib/apparmor/abstractions/pasta @@ -27,7 +27,7 @@ @{PROC}/@{pid}/net/udp=09=09r, @{PROC}/@{pid}/net/udp6=09=09r, =20 - @{run}/user/@{uid}/**=09=09=09rw,=09# pasta_open_ns(), main() + @{run}/user/@{uid}/**=09=09=09rw,=09# pasta_open_ns() =20 @{PROC}/[0-9]*/ns/=09=09=09r,=09# pasta_netns_quit_init(), @{PROC}/[0-9]*/ns/net=09=09=09r,=09# pasta_wait_for_ns(), diff --git a/contrib/apparmor/usr.bin.passt b/contrib/apparmor/usr.bin.pass= t index 564f82f..9568189 100644 --- a/contrib/apparmor/usr.bin.passt +++ b/contrib/apparmor/usr.bin.passt @@ -19,9 +19,12 @@ profile passt /usr/bin/passt{,.avx2} { include =20 # Alternatively: include - owner /tmp/**=09=09=09=09w,=09# tap_sock_unix_init(), pcap(), -=09=09=09=09=09=09# write_pidfile(), + owner /tmp/**=09=09=09=09w,=09# tap_sock_unix_open(), +=09=09=09=09=09=09# tap_sock_unix_init(), pcap(), +=09=09=09=09=09=09# pidfile_open(), +=09=09=09=09=09=09# pidfile_write(), =09=09=09=09=09=09# logfile_init() =20 - owner @{HOME}/**=09=09=09w,=09# pcap(), write_pidfile() + owner @{HOME}/**=09=09=09w,=09# pcap(), pidfile_open(), +=09=09=09=09=09=09# pidfile_write() } diff --git a/contrib/apparmor/usr.bin.pasta b/contrib/apparmor/usr.bin.past= a index bdfeb71..2483968 100644 --- a/contrib/apparmor/usr.bin.pasta +++ b/contrib/apparmor/usr.bin.pasta 
@@ -19,10 +19,13 @@ profile pasta /usr/bin/pasta{,.avx2} flags=3D(attach_di= sconnected) { include =20 # Alternatively: include - /tmp/**=09=09=09=09rw,=09# tap_sock_unix_init(), pcap(), -=09=09=09=09=09=09# write_pidfile(), + /tmp/**=09=09=09=09rw,=09# tap_sock_unix_open(), +=09=09=09=09=09=09# tap_sock_unix_init(), pcap(), +=09=09=09=09=09=09# pidfile_open(), +=09=09=09=09=09=09# pidfile_write(), =09=09=09=09=09=09# logfile_init(), =09=09=09=09=09=09# pasta_open_ns() =20 - owner @{HOME}/**=09=09=09w,=09# pcap(), write_pidfile() + owner @{HOME}/**=09=09=09w,=09# pcap(), pidfile_open(), +=09=09=09=09=09=09# pidfile_write() } --=20 2.43.0
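Review bot: in the contrib/apparmor/abstractions/pasta hunk, dropping "main()" leaves the `@{run}/user/@{uid}/** rw,` rule attributed to pasta_open_ns() alone, yet the commit message says the PID file handling that used to live in main() moved to pidfile_open(). If main() was listed there because a PID file can be placed under @{run}/user/@{uid}/, the comment should name pidfile_open() (and pidfile_write()) rather than just lose the reference, otherwise a later cleanup could narrow the rule on the assumption that only the namespace handling needs it.

Review bot: in the usr.bin.passt and usr.bin.pasta hunks only the comments change; the rules themselves, `owner /tmp/** w,`, `/tmp/** rw,` and `owner @{HOME}/** w,`, stay as written for write_pidfile(). Since pidfile_open() is now the function that creates the file, it is worth stating in the commit message that it still only needs write access on these paths: a refactored open path that also reads back or locks the PID file would need `r` or `k` here, and the profile would deny it silently at runtime while the comments claim to cover it.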