Date: Thu, 23 May 2024 14:08:23 +0100
From: "Richard W.M. Jones" To: Stefano Brivio Cc: passt-dev@passt.top Subject: Re: [PATCH] apparmor: Fix comments after PID file and AF_UNIX socket creation refactoring Message-ID: <20240523130823.GZ4345@redhat.com> References: <20240523111917.1745151-1-sbrivio@redhat.com> MIME-Version: 1.0 In-Reply-To: <20240523111917.1745151-1-sbrivio@redhat.com> User-Agent: Mutt/1.5.21 (2010-09-15) X-Scanned-By: MIMEDefang 3.4.1 on 10.11.54.5 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Type: text/plain; charset=us-ascii Content-Disposition: inline List-Id: On Thu, May 23, 2024 at 01:19:17PM +0200, Stefano Brivio wrote: > Now: > - we don't open the PID file in main() anymore > - PID file and AF_UNIX socket are opened by pidfile_open() and > tap_sock_unix_open() > - write_pidfile() becomes pidfile_write() > > Reported-by: Richard W.M. Jones > Signed-off-by: Stefano Brivio > --- > contrib/apparmor/abstractions/pasta | 2 +- > contrib/apparmor/usr.bin.passt | 9 ++++++--- > contrib/apparmor/usr.bin.pasta | 9 ++++++--- > 3 files changed, 13 insertions(+), 7 deletions(-) > > diff --git a/contrib/apparmor/abstractions/pasta b/contrib/apparmor/abstractions/pasta > index 581ad1b..9f73bee 100644 > --- a/contrib/apparmor/abstractions/pasta > +++ b/contrib/apparmor/abstractions/pasta > @@ -27,7 +27,7 @@ > @{PROC}/@{pid}/net/udp r, > @{PROC}/@{pid}/net/udp6 r, > > - @{run}/user/@{uid}/** rw, # pasta_open_ns(), main() > + @{run}/user/@{uid}/** rw, # pasta_open_ns() > > @{PROC}/[0-9]*/ns/ r, # pasta_netns_quit_init(), > @{PROC}/[0-9]*/ns/net r, # pasta_wait_for_ns(), > diff --git a/contrib/apparmor/usr.bin.passt b/contrib/apparmor/usr.bin.passt > index 564f82f..9568189 100644 > --- a/contrib/apparmor/usr.bin.passt > +++ b/contrib/apparmor/usr.bin.passt 
> @@ -19,9 +19,12 @@ profile passt /usr/bin/passt{,.avx2} { > include > > # Alternatively: include > - owner /tmp/** w, # tap_sock_unix_init(), pcap(), > - # write_pidfile(), > + owner /tmp/** w, # tap_sock_unix_open(), > + # tap_sock_unix_init(), pcap(), > + # pidfile_open(), > + # pidfile_write(), > # logfile_init() > > - owner @{HOME}/** w, # pcap(), write_pidfile() > + owner @{HOME}/** w, # pcap(), pidfile_open(), > + # pidfile_write() > } > diff --git a/contrib/apparmor/usr.bin.pasta b/contrib/apparmor/usr.bin.pasta > index bdfeb71..2483968 100644 > --- a/contrib/apparmor/usr.bin.pasta > +++ b/contrib/apparmor/usr.bin.pasta > @@ -19,10 +19,13 @@ profile pasta /usr/bin/pasta{,.avx2} flags=(attach_disconnected) { > include > > # Alternatively: include > - /tmp/** rw, # tap_sock_unix_init(), pcap(), > - # write_pidfile(), > + /tmp/** rw, # tap_sock_unix_open(), > + # tap_sock_unix_init(), pcap(), > + # pidfile_open(), > + # pidfile_write(), > # logfile_init(), > # pasta_open_ns() > > - owner @{HOME}/** w, # pcap(), write_pidfile() > + owner @{HOME}/** w, # pcap(), pidfile_open(), > + # pidfile_write() > } Seems like a very straightforward and mechanical change, so: Acked-by: Richard W.M. Jones Rich. -- Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones Read my programming and virtualization blog: http://rwmj.wordpress.com virt-builder quickly builds VMs from scratch http://libguestfs.org/virt-builder.1.html
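Review bot: In the contrib/apparmor/abstractions/pasta hunk, dropping main() from the comment on `@{run}/user/@{uid}/** rw,` leaves no reference to whichever function took over what main() used to do there. The commit message says the PID file moved out of main() into pidfile_open()/pidfile_write(), and the usr.bin.passt and usr.bin.pasta hunks replace write_pidfile() with exactly those two names; if main() was listed here because the PID file can live under @{run}/user/@{uid}, the comment should read `# pasta_open_ns(), pidfile_open(), pidfile_write()` rather than just `# pasta_open_ns()`. If main() was listed for some other reason that no longer applies, a sentence in the commit message saying so would help future readers keep rules and callers matched.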
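Review bot: In the contrib/apparmor/usr.bin.passt hunk, tap_sock_unix_init() is kept next to the newly added tap_sock_unix_open() in the comment on `owner /tmp/** w,`, yet the commit message says the AF_UNIX socket is now opened by tap_sock_unix_open(). Please check whether tap_sock_unix_init() still performs any write under /tmp after the refactoring (for example unlinking a stale socket path); if it does not, drop it from the list so the comment names only the functions that actually need the rule, since these annotations are what somebody relies on when later tightening the profile.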
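Review bot: The contrib/apparmor/usr.bin.pasta hunk updates the comment on `/tmp/** rw,`, but that rule is broader than the corresponding `owner /tmp/** w,` in usr.bin.passt: it is not limited to files the process owns and it grants read as well as write. This patch does not change the rule itself, but now that the comment lists the same pidfile_open()/pidfile_write() callers as the passt profile, it would be worth stating (here or in a follow-up) which of the listed callers, presumably pasta_open_ns(), actually needs the read and non-owner access, so the extra permission is documented rather than inherited silently.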