From: Stefano Brivio
To: Prafulla Giri
CC: "passt-dev@passt.top", Andrea Bolognani
Subject: Re: Apparmor (and other) Issues
Date: Tue, 4 Feb 2025 09:50:00 +0100
Message-ID: <20250204095000.4ca5c43a@elisabeth>
In-Reply-To: <0gHPSAbajW7n2zyIE-8k2vez7nkpAHQOnP4p6yfc6i5v948AExss0zBAYKF-92Yqf90DhAg3Xx9u19aw4TtSQLnpNgvCEa--wkPTL0PDdnM=@protonmail.com>
Organization: Red Hat
List-Id: Development discussion and patches for passt

On Tue, 04 Feb 2025 08:21:53 +0000
Prafulla Giri wrote:

> type=SERVICE_START msg=audit(1738501309.082:134): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=unconfined msg='unit=polkit comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
> type=AVC msg=audit(1738501309.118:135): apparmor="DENIED" operation="file_mmap" class="file" profile="passt" name="/usr/bin/passt" pid=2030 comm="passt" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0FSUID="larryboy" OUID="root"
> type=SYSCALL msg=audit(1738501309.118:135): arch=c000003e syscall=59 success=no exit=-13 a0=7faf24035fc0 a1=7faf24035210 a2=7ffc063280d0 a3=0 items=0 ppid=1964 pid=2030 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=1 comm="passt" exe="/usr/bin/passt" subj=passt key=(null)ARCH=x86_64 SYSCALL=execve AUID="larryboy" UID="larryboy" GID="larryboy" EUID="larryboy" SUID="larryboy" FSUID="larryboy" EGID="larryboy" SGID="larryboy" FSGID="larryboy"
> type=PROCTITLE msg=audit(1738501309.118:135): proctitle="(null)"
> type=ANOM_ABEND msg=audit(1738501309.118:136): auid=1000 uid=1000 gid=1000 ses=1 subj=passt pid=2030 comm="passt" exe="/usr/bin/passt" sig=11 res=1AUID="larryboy" UID="larryboy" GID="larryboy"

So, it looks like passt is running as its own profile. This shouldn't happen because the libvirt profile has its own subprofile and we should see that in "profile" on the type=AVC line but... I just reproduced this! Clean Debian sid install, fresh install of libvirtd:

  error: internal error: Child process (passt --one-off --socket /run/user/1000/libvirt/qemu/run/passt/1-alpine-net0.socket --pid /run/user/1000/libvirt/qemu/run/passt/1-alpine-net0-passt.pid --tcp-ports 40922:22) unexpected fatal signal 11

I'll keep you posted.
> > https://archives.passt.top/passt-dev/20250203082210.2114348-1-sbrivio@redhat.com/
> >
> > then:
> >
> > make
> >
> > and ./pasta --config-net --trace --pcap /tmp/dns.pcap -- nslookup
> > fsf.org
>
> $ ./pasta --config-net --trace --pcap /tmp/dns.pcap -- nslookup fsf.org # On Debian Trixie, dns.pcap attached
> 0.0002: No interfaces with usable IPv6 routes
> 0.0002: Failed to detect external interface for IPv6
> 0.0035: Template interface: enp1s0 (IPv4)
> 0.0035: Namespace interface: enp1s0
> 0.0035: MAC:
> 0.0035:     host: 9a:55:9a:55:9a:55
> 0.0035: NAT to host 127.0.0.1: 192.168.100.1
> 0.0036: DHCP:
> 0.0036:     assign: 192.168.100.157
> 0.0036:     mask: 255.255.255.0
> 0.0036:     router: 192.168.100.1
> 0.0036: DNS:
> 0.0036:     192.168.100.1
> 0.0036: DNS search list:
> 0.0036:     .
> 0.0204: SO_PEEK_OFF supported
> 0.0204: TCP_INFO tcpi_snd_wnd field supported
> 0.0205: TCP_INFO tcpi_bytes_acked field supported
> 0.0205: TCP_INFO tcpi_min_rtt field supported
> 0.0205: Saving packet capture to /tmp/dns.pcap
> 0.0281: pasta: epoll event on /dev/net/tun device 16 (events: 0x00000001)
> 0.0413: pasta: epoll event on /dev/net/tun device 16 (events: 0x00000001)
> 0.0414: pasta: epoll event on /dev/net/tun device 16 (events: 0x00000001)
> 0.0414: tap: protocol 17, 192.168.100.157:56205 -> 192.168.100.1:53 (1 packet)
> 0.0415: Flow 0 (NEW): FREE -> NEW
> 0.0415: Flow 0 (INI): NEW -> INI
> 0.0415: Flow 0 (INI): TAP [192.168.100.157]:56205 -> [192.168.100.1]:53 => ?
> 0.0416: Flow 0 (TGT): INI -> TGT
> 0.0416: Flow 0 (TGT): TAP [192.168.100.157]:56205 -> [192.168.100.1]:53 => HOST [0.0.0.0]:56205 -> [192.168.100.1]:53
> 0.0416: Flow 0 (UDP flow): TGT -> TYPED
> 0.0416: Flow 0 (UDP flow): TAP [192.168.100.157]:56205 -> [192.168.100.1]:53 => HOST [0.0.0.0]:56205 -> [192.168.100.1]:53
> 0.0417: Flow 0 (UDP flow): Side 0 hash table insert: bucket: 121236
> 0.0417: Flow 0 (UDP flow): TYPED -> ACTIVE
> 0.0417: Flow 0 (UDP flow): TAP [192.168.100.157]:56205 -> [192.168.100.1]:53 => HOST [0.0.0.0]:56205 -> [192.168.100.1]:53
> 0.3059: pasta: epoll event on UDP reply socket 96 (events: 0x00000001)
> 0.3059: Flow 0 (UDP flow): Received 1 datagrams on reply socket
> Server: 192.168.100.1
> Address: 192.168.100.1#53
>
> Non-authoritative answer:
> Name: fsf.org
> Address: 209.51.188.174

Okay, at least the DNS issue is fixed. I'll apply the fix in a moment; it will be available in an updated package in a while.

-- 
Stefano
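Detection logic for the audit records quoted in the message above, added here as an example and not part of this thread or of passt/libvirt: it parses AVC and ANOM_ABEND records, flags a denial whose profile= carries no `//` (a top-level profile of its own rather than a child profile of another, which is what the reply says should not happen here), and joins it with the SIGSEGV recorded for the same pid. The sample lines are constructed from the quoted records, with the audit enrichment fields left out.

```python
"""Tie AppArmor denials in Linux audit records to the crash that followed.
Sample records are constructed from the audit output quoted in the thread
(enrichment fields such as UID="larryboy" dropped for brevity)."""
import re
from collections import defaultdict

AUDIT_LINES = [
    'type=AVC msg=audit(1738501309.118:135): apparmor="DENIED" '
    'operation="file_mmap" class="file" profile="passt" name="/usr/bin/passt" '
    'pid=2030 comm="passt" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0',
    'type=SYSCALL msg=audit(1738501309.118:135): arch=c000003e syscall=59 '
    'success=no exit=-13 ppid=1964 pid=2030 comm="passt" exe="/usr/bin/passt" subj=passt',
    'type=ANOM_ABEND msg=audit(1738501309.118:136): auid=1000 uid=1000 gid=1000 '
    'ses=1 subj=passt pid=2030 comm="passt" exe="/usr/bin/passt" sig=11 res=1',
]

# key=value pairs; a value is either double-quoted or a run of non-blanks
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Turn one audit record into a dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def is_child_profile(profile):
    """AppArmor names a child (sub)profile as parent//child; a bare name
    means the process is confined by a top-level profile of its own."""
    return '//' in profile

def analyse(lines):
    """Return one finding per AppArmor denial, joined with any abnormal
    termination (ANOM_ABEND) recorded for the same pid."""
    denials, abends = defaultdict(list), {}
    for rec in map(parse_record, lines):
        if rec.get('type') == 'AVC' and rec.get('apparmor') == 'DENIED':
            denials[rec.get('pid')].append(rec)
        elif rec.get('type') == 'ANOM_ABEND':
            abends[rec.get('pid')] = rec
    findings = []
    for pid, recs in denials.items():
        for d in recs:
            findings.append({
                'pid': pid, 'comm': d.get('comm'), 'profile': d.get('profile'),
                'operation': d.get('operation'), 'path': d.get('name'),
                'denied_mask': d.get('denied_mask'),
                'standalone_profile': not is_child_profile(d.get('profile', '')),
                'crash_signal': abends.get(pid, {}).get('sig'),
            })
    return findings
```

Running `analyse(AUDIT_LINES)` yields a single finding for pid 2030: a read denial on /usr/bin/passt under the standalone "passt" profile, followed by signal 11.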