Date: Wed, 5 Feb 2025 11:16:51 +0100
From: Stefano Brivio <sbrivio@redhat.com>
To: Prafulla Giri
Cc: Andrea Bolognani, passt-dev@passt.top
Subject: Re: Apparmor (and other) Issues
Message-ID: <20250205111651.59551470@elisabeth>
In-Reply-To:
References: <20250204111724.48b73b37@elisabeth> <20250204172242.76889328@elisabeth> <20250204201448.0bf3f7a3@elisabeth> <20250204233441.6cda8c64@elisabeth>
Organization: Red Hat
List-Id: Development discussion and patches for passt

On Wed, 05 Feb 2025 07:40:34 +0000
Prafulla Giri wrote:

> If I may ask, however: could this simply not be dealt with by
> allowing the passt binary access to $XDG_RUNTIME_DIR of the user in
> the apparmor profile? Forgive me, I am just a novice.

Yes, that's a workaround. But the rationale for the current mechanism
based on a passt 'abstraction' is that if libvirtd starts passt, then
those /var/run/... paths are needed for the socket, and otherwise not.
Only the libvirt profile "knows" about that. That's why it's in the
libvirt profile. But the libvirt profile is not associated with the
process, oops.

> But from my lack of understanding this issue looks like an issue of
> the passt process not being able to create a socket inside a
> libvirt-maintained directory inside /run/user/$UID, and that is why
> disabling the apparmor profile for passt seems to work around this
> (?) Are there security concerns with this? Only asking out of
> curiosity.

Your understanding is correct. We're just trying to make things as
strict as possible, and depending on specific paths. We'll probably
need to make them a bit looser for the time being and perhaps just
allow passt, no matter who starts it, to write to /var/run/**.

-- 
Stefano
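The exchange above boils down to which file rules actually apply to the passt process and whether they cover the socket path under /run/user/$UID. The following is an added example, not code from passt or libvirt: a small evaluator for AppArmor file rules that shows a strict passt rule set denying the socket, the libvirt-side rules permitting it (but never applying to a passt process confined by its own profile), and the looser "anything under @{run}" rule permitting it. The profile fragments, the socket path and the simplified @{uid} pattern are constructed for this example; the real AppArmor behaviour relied on is that `*` and `?` stop at `/`, `**` crosses it, `@{run}` is the stock tunable expanding to both /run/ and /var/run/, and matching happens on the resolved path (so an access through the /var/run symlink is seen as /run/...).

```python
"""Mini evaluator for AppArmor file rules (added illustration, not
passt or libvirt code). Profile fragments, socket path and the
simplified @{uid} pattern below are constructed for this example."""
import re

# @{run} as in the stock tunables; @{uid} simplified here (assumption:
# the real definition is a longer digit pattern).
TUNABLES = {
    "@{run}": ["/run/", "/var/run/"],
    "@{uid}": ["[0-9]*"],
}

# Hypothetical socket path for a libvirt-started passt (constructed).
SOCKET = "/run/user/1000/libvirt/qemu/run/passt/1-guest-net0.socket"

# Constructed profile fragments, not the shipped passt/libvirt profiles.
PASST_STRICT = """
  # passt's own rule set: nothing under the user runtime directory
  owner @{run}/passt.pid w,
"""
LIBVIRT_ONLY = """
  # known to libvirt only; a passt process confined by its own
  # profile never gets these rules
  owner @{run}/user/@{uid}/libvirt/** rw,
  owner @{run}/libvirt/** rw,
"""
PASST_LOOSE = """
  # the looser rule the reply considers: write anywhere under @{run}
  owner @{run}/** w,
"""


def expand_vars(pattern):
    """Expand @{var} references into every combination of alternatives."""
    todo, done = [pattern], []
    while todo:
        p = todo.pop()
        for var, alts in TUNABLES.items():
            if var in p:
                todo.extend(p.replace(var, a, 1) for a in alts)
                break
        else:
            done.append(re.sub("/+", "/", p))  # parser collapses '//'
    return done


def glob_to_regex(glob):
    """AppArmor path glob -> anchored regex: '**' crosses '/', '*' and
    '?' do not; [..] classes pass through; brace alternation unsupported."""
    out, i = [], 0
    while i < len(glob):
        if glob.startswith("**", i):
            out.append(".*")
            i += 2
            continue
        c = glob[i]
        if c == "*":
            out.append("[^/]*")
        elif c == "?":
            out.append("[^/]")
        elif c == "[":
            j = glob.index("]", i)
            out.append(glob[i:j + 1])
            i = j
        else:
            out.append(re.escape(c))
        i += 1
    return "^" + "".join(out) + "$"


def parse_rules(profile_text):
    """[(compiled_regex, perms)] for each 'path perms,' file rule.
    'owner' is stripped (ownership assumed to hold); deny/link/other
    rule types are out of scope for this illustration."""
    rules = []
    for line in profile_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or not line.endswith(","):
            continue
        parts = line[:-1].split()
        if parts[0] == "owner":
            parts = parts[1:]
        glob, perms = parts[0], parts[1]
        for expanded in expand_vars(glob):
            rules.append((re.compile(glob_to_regex(expanded)), perms))
    return rules


def allows(profile_text, path, perm):
    """True if some file rule matches `path` and grants `perm`."""
    return any(rx.match(path) and perm in perms
               for rx, perms in parse_rules(profile_text))


if __name__ == "__main__":
    for name, prof in [("passt (strict)", PASST_STRICT),
                       ("libvirt rules", LIBVIRT_ONLY),
                       ("passt (@{run}/**)", PASST_LOOSE)]:
        verdict = "ALLOWED" if allows(prof, SOCKET, "w") else "DENIED"
        print(f"{name:20s} create {SOCKET}: {verdict}")
    # A rule spelled only as /var/run/** never matches the resolved path:
    print("/var/run/** only:", allows("/var/run/** w,", SOCKET, "w"))
```

Two practical points the evaluator makes visible. First, a rule written as `/var/run/** w,` alone does not help on a system where /var/run is a symlink to /run, because the kernel hands AppArmor the resolved path; writing the rule with `@{run}` covers both spellings. Second, `@{run}/**` is deliberately broad: it also matches every other user's runtime directory entries (only the `owner` qualifier limits it to files owned by the process's user), which is the trade-off the reply accepts "for the time being". On a live host, `cat /proc/"$(pidof passt)"/attr/current` prints the profile that actually confines the running passt process, and denied socket creation shows up as `apparmor="DENIED"` lines in the kernel log naming that profile and the path; seeing passt's own profile there rather than libvirt's is the "not associated with the process" situation described above.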