From: Stefano Brivio <sbrivio@redhat.com>
To: Andrea Bolognani
Cc: Prafulla Giri, passt-dev@passt.top
Subject: Re: Apparmor (and other) Issues
Date: Tue, 4 Feb 2025 11:17:24 +0100
Message-ID: <20250204111724.48b73b37@elisabeth>
References: <20250129104112.0756df5c@elisabeth> <20250129194854.6b67fbfe@elisabeth> <3mWvqHbG0sGUhoq9ersir5eXDcFpZkAm8BGfuhs3YOBV36rlbJ82aj27diLMkSjg8YQnrQajsHKkcVh3kXG9gc-o2HZF2rQXo9DnqkqbwNQ=@protonmail.com> <20250131212024.34733b6d@elisabeth> <20250203093531.6a71cc81@elisabeth> <0gHPSAbajW7n2zyIE-8k2vez7nkpAHQOnP4p6yfc6i5v948AExss0zBAYKF-92Yqf90DhAg3Xx9u19aw4TtSQLnpNgvCEa--wkPTL0PDdnM=@protonmail.com> <20250204095000.4ca5c43a@elisabeth>
Organization: Red Hat
List-Id: Development discussion and patches for passt

On Tue, 4 Feb 2025 09:50:40 +0000
Andrea Bolognani wrote:

> On Tue, Feb 04, 2025 at 09:50:00AM +0100, Stefano Brivio wrote:
> > On Tue, 04 Feb 2025 08:21:53 +0000 Prafulla Giri wrote:
> > >
> > > type=SERVICE_START msg=audit(1738501309.082:134): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=unconfined msg='unit=polkit comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
> > > type=AVC msg=audit(1738501309.118:135): apparmor="DENIED" operation="file_mmap" class="file" profile="passt" name="/usr/bin/passt" pid=2030 comm="passt" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0FSUID="larryboy" OUID="root"
> > > type=SYSCALL msg=audit(1738501309.118:135): arch=c000003e syscall=59 success=no exit=-13 a0=7faf24035fc0 a1=7faf24035210 a2=7ffc063280d0 a3=0 items=0 ppid=1964 pid=2030 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=1 comm="passt" exe="/usr/bin/passt" subj=passt key=(null)ARCH=x86_64 SYSCALL=execve AUID="larryboy" UID="larryboy" GID="larryboy" EUID="larryboy" SUID="larryboy" FSUID="larryboy" EGID="larryboy" SGID="larryboy" FSGID="larryboy"
> > > type=PROCTITLE msg=audit(1738501309.118:135): proctitle="(null)"
> > > type=ANOM_ABEND msg=audit(1738501309.118:136): auid=1000 uid=1000 gid=1000 ses=1 subj=passt pid=2030 comm="passt" exe="/usr/bin/passt" sig=11 res=1AUID="larryboy" UID="larryboy" GID="larryboy"
> >
> > So, it looks like passt is running as its own profile. This shouldn't
> > happen because the libvirt profile has its own subprofile and we should
> > see that in "profile" on the type=AVC line but... I just reproduced
> > this! Clean Debian sid install, fresh install of libvirtd:
> >
> > error: internal error: Child process (passt --one-off --socket /run/user/1000/libvirt/qemu/run/passt/1-alpine-net0.socket --pid /run/user/1000/libvirt/qemu/run/passt/1-alpine-net0-passt.pid --tcp-ports 40922:22) unexpected fatal signal 11
> >
> > I'll keep you posted.
>
> I've skimmed the conversation trying to understand whether there's
> anything that I need do from the libvirt side, but AFAICT no explicit
> action has been called for so far.

Not yet, because I was hoping to figure out what's going on, but I'm
actually (almost?) stuck now.

I don't think this is the same as
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1094583 by the way,
because:

$ find /etc/apparmor.d/ -ls | grep -i virt
148926    4 drwxr-xr-x   2 root     root         4096 Feb  4 08:44 /etc/apparmor.d/libvirt
148927    4 -rw-r--r--   1 root     root          192 Jan 15 08:06 /etc/apparmor.d/libvirt/TEMPLATE.qemu
149882    4 -rw-r--r--   1 root     root          342 Jan 15 08:06 /etc/apparmor.d/libvirt/TEMPLATE.lxc
  6098    8 -rw-r--r--   1 root     root         4780 Jan 30 22:47 /etc/apparmor.d/usr.sbin.libvirtd
 20741    0 -rw-r--r--   1 root     root            0 Feb  4 08:44 /etc/apparmor.d/local/usr.sbin.libvirtd
 20572    0 -rw-r--r--   1 root     root            0 Feb  4 08:44 /etc/apparmor.d/local/usr.lib.libvirt.virt-aa-helper
  6826   12 -rw-r--r--   1 root     root         9258 Jan 30 22:47 /etc/apparmor.d/abstractions/libvirt-qemu
 20662    8 -rw-r--r--   1 root     root         4610 Jan 30 22:47 /etc/apparmor.d/abstractions/libvirt-lxc
  6099    4 -rw-r--r--   1 root     root         1898 Jan 30 22:47 /etc/apparmor.d/usr.lib.libvirt.virt-aa-helper
$ find /etc/libvirt/ -ls | grep -i conf
find: '/etc/libvirt/secrets': Permission denied
268888   20 -rw-r--r--   1 root     root        17826 Jan 30 22:47 /etc/libvirt/libvirtd.conf
269240    4 -rw-r--r--   1 root     root         2169 Jan 30 22:47 /etc/libvirt/libxl-lockd.conf
324760    4 -rw-r--r--   1 root     root          547 Nov  1 09:13 /etc/libvirt/libvirt.conf
269243    4 -rw-r--r--   1 root     root         3058 Jan 15 08:06 /etc/libvirt/virtlockd.conf
263460    4 -rw-r--r--   1 root     root         2465 Jan 30 22:47 /etc/libvirt/qemu-sanlock.conf
263459    4 -rw-r--r--   1 root     root         2169 Jan 30 22:47 /etc/libvirt/qemu-lockd.conf
269238    4 -rw-r--r--   1 root     root         1175 Jan 15 08:06 /etc/libvirt/lxc.conf
324759    4 -rw-r--r--   1 root     root          450 Nov  1 09:13 /etc/libvirt/libvirt-admin.conf
269241    4 -rw-r--r--   1 root     root         2465 Jan 30 22:47 /etc/libvirt/libxl-sanlock.conf
269242    4 -rw-r--r--   1 root     root         2268 Jan 15 08:06 /etc/libvirt/libxl.conf
263461   40 -rw-------   1 root     root        39106 Jan 30 22:47 /etc/libvirt/qemu.conf
262245    4 -rw-r--r--   1 root     root         4095 Jan 15 08:06 /etc/libvirt/virtlogd.conf
268889    4 -rw-r--r--   1 root     root         1041 Jan 30 22:47 /etc/libvirt/network.conf

> It looks like you're making good progress in figuring out what's
> going on. Being able to reproduce the issue yourself is certainly
> going to help. I'm happy to leave all the debugging to you, since as
> you know I'm not very good at the AppArmor stuff and I'm really,
> really bad at the networking stuff ;)

...no, wait, I'm still failing to understand the bigger picture of what
happens AppArmor-wise when I do 'virsh start something'. :)

This is really pretty simple: fresh Debian sid image, all packages
updated to today. Then:

  virt-install -d --name alpine --memory 1024 --noreboot --osinfo alpinelinux3.20 --network backend.type=passt,portForward0.proto=tcp,portForward0.range0.start=40922,portForward0.range0.to=22 --import --disk nocloud_alpine-3.21.2-x86_64-bios-tiny-r0.qcow2

this works. But:

  $ virsh start alpine
  error: Failed to start domain 'alpine'
  error: internal error: Child process (passt --one-off --socket /run/user/1000/libvirt/qemu/run/passt/1-alpine-net0.socket --pid /run/user/1000/libvirt/qemu/run/passt/1-alpine-net0-passt.pid --tcp-ports 40922:2) unexpected fatal signal 11

execve() of passt is denied by AppArmor. Starting passt on its own
(passt -f) works, instead.

At this point, which libvirtd (?) process should associate with which
libvirtd profile? Once that's clear to me, I can probably debug further.
I can also give you access to the machine if needed.

> Once a clearer picture emerges, if it turns out that changes are
> needed in either libvirt or its Debian packaging, I can definitely
> look into making that happen.

I'm fairly sure it's libvirt, because I didn't change anything
substantial in passt, and it's anyway the AppArmor profile for libvirtd
that seems to be... missing? And yet it's there.

-- 
Stefano
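The check the thread turns on is reading the `profile=` field of the `type=AVC` record and correlating it with the `SYSCALL` and `ANOM_ABEND` records for the same process. The script below is an added example, not code from the thread or from the passt or libvirt projects: it parses audit lines in the format quoted above (including the enriched `UID="..."` fields that are glued onto the previous value with no space), lists AppArmor denials, and for each one reports which profile confined the process, what the denied syscall returned, and whether the process then crashed. The sample records are the ones quoted in the message; all function names, and the assumption that a process confined as a child of a libvirt domain shows a profile name beginning with `libvirt-`, are mine.

```python
"""Pull AppArmor denials out of Linux audit records and say which profile
confined the denied process.

Added example: not code from the thread or from the passt/libvirt
projects. SAMPLE_AUDIT_LOG is copied from the message above; every
function name and the "profile starts with libvirt-" check (libvirt's
per-domain profiles) are assumptions made for this example.
"""
import re

# key=value tokens: single-quoted, double-quoted or bare. A bare value
# stops at whitespace, or where an enriched UPPERCASE field was glued on
# with no space, as in ouid=0FSUID="larryboy" and res=1AUID="larryboy".
_TOKEN = re.compile(r"""(\w+)=('[^']*'|"[^"]*"|[^\s"']+?(?=\s|$|[A-Z][A-Z_]*=))""")
_SERIAL = re.compile(r"audit\((\d+\.\d+):(\d+)\)")

# Constructed sample: the five records quoted in the thread.
SAMPLE_AUDIT_LOG = """\
type=SERVICE_START msg=audit(1738501309.082:134): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=unconfined msg='unit=polkit comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
type=AVC msg=audit(1738501309.118:135): apparmor="DENIED" operation="file_mmap" class="file" profile="passt" name="/usr/bin/passt" pid=2030 comm="passt" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0FSUID="larryboy" OUID="root"
type=SYSCALL msg=audit(1738501309.118:135): arch=c000003e syscall=59 success=no exit=-13 a0=7faf24035fc0 a1=7faf24035210 a2=7ffc063280d0 a3=0 items=0 ppid=1964 pid=2030 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=1 comm="passt" exe="/usr/bin/passt" subj=passt key=(null)ARCH=x86_64 SYSCALL=execve AUID="larryboy" UID="larryboy" GID="larryboy" EUID="larryboy" SUID="larryboy" FSUID="larryboy" EGID="larryboy" SGID="larryboy" FSGID="larryboy"
type=PROCTITLE msg=audit(1738501309.118:135): proctitle="(null)"
type=ANOM_ABEND msg=audit(1738501309.118:136): auid=1000 uid=1000 gid=1000 ses=1 subj=passt pid=2030 comm="passt" exe="/usr/bin/passt" sig=11 res=1AUID="larryboy" UID="larryboy" GID="larryboy"
"""


def parse_record(line):
    """Turn one audit line into a dict; a nested msg='k=v ...' is flattened."""
    rec = {}
    for key, raw in _TOKEN.findall(line.strip()):
        val = raw.strip("'\"")
        if key == "msg" and raw.startswith("'") and "=" in val:
            rec.update(parse_record(val))
            continue
        rec.setdefault(key, val)  # first occurrence wins, i.e. msg=audit(...)
    m = _SERIAL.search(rec.get("msg", ""))
    if m:
        rec["_time"], rec["_serial"] = m.group(1), int(m.group(2))
    return rec


def parse_log(text):
    return [parse_record(l) for l in text.splitlines() if l.strip()]


def apparmor_denials(records):
    """AVC records in which AppArmor denied an operation."""
    return [r for r in records
            if r.get("type") == "AVC" and r.get("apparmor") == "DENIED"]


def explain_denial(records, denial):
    """Join a denial with the SYSCALL record sharing its audit serial and
    with any ANOM_ABEND for the same pid, so the whole story is in one place."""
    serial, pid = denial.get("_serial"), denial.get("pid")
    syscall = next((r for r in records if r.get("type") == "SYSCALL"
                    and r.get("_serial") == serial), None)
    abend = next((r for r in records if r.get("type") == "ANOM_ABEND"
                  and r.get("pid") == pid), None)
    profile = denial.get("profile", "")
    return {
        "profile": profile,
        # assumption: a child of a libvirt domain is confined by a profile
        # named libvirt-<uuid>, possibly with a //child suffix
        "under_libvirt": profile.startswith("libvirt-"),
        "operation": denial.get("operation"),
        "path": denial.get("name"),
        "denied_mask": denial.get("denied_mask"),
        "syscall": syscall.get("SYSCALL") if syscall else None,
        "exit": int(syscall["exit"]) if syscall and "exit" in syscall else None,
        "crashed_with_signal": int(abend["sig"]) if abend else None,
    }


def analyze(text):
    records = parse_log(text)
    return [explain_denial(records, d) for d in apparmor_denials(records)]


def current_label(pid):
    """Live check of the AppArmor label of a running process, e.g.
    'libvirtd (enforce)' or 'unconfined'; None if it cannot be read."""
    try:
        with open(f"/proc/{pid}/attr/current") as f:
            return f.read().strip()
    except OSError:
        return None


if __name__ == "__main__":
    for report in analyze(SAMPLE_AUDIT_LOG):
        print(report)
```

On the quoted records this yields a single denial: profile `passt` (not a `libvirt-` profile), `file_mmap` of `/usr/bin/passt` refused, the `execve` returning -13 (EACCES), followed by the SIGSEGV that libvirt reports as "unexpected fatal signal 11". `current_label()` answers the other question in the message, which running process is under which profile, by reading `/proc/<pid>/attr/current` for the libvirtd and passt pids on a live system.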