Date: Mon, 17 Feb 2025 08:37:41 +0100
From: Stefano Brivio <sbrivio@redhat.com>
To: Prafulla Giri <prafulla.giri@protonmail.com>
CC: Andrea Bolognani, passt-dev@passt.top
Subject: Re: Apparmor (and other) Issues
Message-ID: <20250217083741.41343ded@elisabeth>

On Mon, 17 Feb 2025 06:37:18 +0000
Prafulla Giri <prafulla.giri@protonmail.com> wrote:

> Hello there,
>
> Please forgive me for being MIA.
>
> On Sunday, February 9th, 2025 at 2:53 PM, Stefano Brivio <sbrivio@redhat.com> wrote:
>
> > On Sat, 08 Feb 2025 17:19:59 +0000
> > Prafulla Giri <prafulla.giri@protonmail.com> wrote:
> >
> > > On Friday, February 7th, 2025 at 3:01 PM, Stefano Brivio <sbrivio@redhat.com> wrote:
> > >
> > > > On Fri, 07 Feb 2025 06:49:45 +0000
> > > > Prafulla Giri <prafulla.giri@protonmail.com> wrote:
> > > >
> > > > > On Wednesday, February 5th, 2025 at 4:01 PM, Stefano Brivio
> > > > > <sbrivio@redhat.com> wrote:
> > > > >
> > > > > > But the libvirt profile is not associated to the
> > > > > > process, oops.
> > > > >
> > > > > Oh, so this is what is being worked upon: that Apparmor is not making
> > > > > the association
> > > >
> > > > That, I'm not sure, but at least Andrea asked openSUSE and Ubuntu
> > > > people for comments. I just prepared (and merged) a workaround for the
> > > > moment. You are Cc'ed on the patch. If you want to test it, you should
> > > > add this:
> > > >
> > > > # Workaround: libvirt's profile comes with a passt subprofile which includes,
> > > > # in turn, <abstractions/passt>, and adds libvirt-specific rules on top, to
> > > > # allow passt (when started by libvirtd) to write socket and PID files in the
> > > > # location requested by libvirtd itself, and to execute passt itself.
> > > > #
> > > > # However, when libvirt runs as unprivileged user, the mechanism based on
> > > > # virt-aa-helper, designed to build per-VM profiles as guests are started,
> > > > # doesn't work. The helper needs to create and load profiles on the fly, which
> > > > # can't be done by unprivileged users, of course.
> > > > #
> > > > # As a result, libvirtd runs unconfined if guests are started by unprivileged
> > > > # users, starting passt unconfined as well, which means that passt runs under
> > > > # its own stand-alone profile (this one), which implies in turn that execve()
> > > > # of /usr/bin/passt is not allowed, and socket and PID files can't be written.
> > > > #
> > > > # Duplicate libvirt-specific rules here as long as this is not solved in
> > > > # libvirt's profile itself.
> > > > /usr/bin/passt r,
> > > > owner @{run}/user/[0-9]*/libvirt/qemu/run/passt/* rw,
> > > > owner @{run}/libvirt/qemu/passt/* rw,
> > > >
> > > > to your /etc/apparmor.d/usr.bin.passt. Note that changes to AppArmor
> > > > policy files are retained as configuration, so, if you edit it, package
> > > > upgrades won't override things automatically. You will need to:
> > >
> > > I seem to have botched things up really good, or we're getting into more and more trouble here:
> >
> > Worry not, I can explain:
>
> You are a very good teacher, I must say.
>
> > > 1. I have manually `make install`-ed passt (and friends).
> > > $ passt version # I don't know what's causing the non-AVX2 thing issue
> >
> > If you install it to /usr/local/bin, other than adding a profile for
> > /usr/local/bin/passt{,.avx2} as you correctly did, you also need to add
> > the /usr/local/bin path to the "abstraction" that's included by the
> > profile. In /etc/apparmor.d/abstractions/passt we have:
> >
> > /usr/bin/passt.avx2 ix, # arch_avx2_exec(), arch.c
> >
> > and if you want to do experiments with a local version that needs to be:
> >
> > /usr/bin/passt.avx2 ix, # arch_avx2_exec(), arch.c
> > /usr/bin/local/passt.avx2 ix,
>
> I did just that and
> $ pasta --config-net --trace --pcap /tmp/dns.pcap -- nslookup fsf.org # `which pasta` -> /usr/local/bin/pasta
> works as expected, thank you.
>
> However, for some reason libvirt still can't run pasta.
You mean 'passt', and:

> $ virsh start --domain vm1
> error: Failed to start domain 'vm1'
> error: internal error: Child process (passt --one-off --socket /run/user/1000/libvirt/qemu/run/passt/2-vm1-net0.socket --pid /run/user/1000/libvirt/qemu/run/passt/2-vm1-net0-passt.pid) unexpected exit status 126: libvirt: error : cannot execute binary passt: Permission denied
>
> It seems adding merely '/usr/bin/local/passt.avx2 ix,' in the abstractions file isn't quite enough. Perhaps there's something missing? Strangely enough, the libvirt-qemu abstraction file does import this abstraction file.

https://salsa.debian.org/sbrivio/passt/-/commit/5bb812e79143670a57440cd8aa7f2979583c5a0a
might explain it. You need to create hard links ('make install' doesn't
do that) to associate different AppArmor profiles.

In any case, I'm releasing (and packaging) a new version with the
AppArmor workaround today.

-- 
Stefano
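As an added example (not code from the thread or from the passt project), a small Python check for the two points the thread turns on: a literal path in a profile rule only grants anything if that file actually exists on disk, and a binary installed under a second path shares the original's profile only if it is a hard link of the original. The rule lines are the ones quoted above; the directory tree is constructed in a temporary directory and the rule parsing is a deliberately minimal regex, not AppArmor's own parser.

```python
"""Check literal paths in an AppArmor profile fragment against a filesystem tree.
Constructed example: rules are quoted from the thread, the tree is a temp dir."""
import os
import re
import tempfile

# Rule lines quoted in the thread (workaround rules plus abstraction lines).
PROFILE_FRAGMENT = """
/usr/bin/passt r,
/usr/bin/passt.avx2 ix,   # arch_avx2_exec(), arch.c
/usr/bin/local/passt.avx2 ix,
owner @{run}/libvirt/qemu/passt/* rw,
"""

# "<path> <perms>," with an optional "owner" qualifier; comments are stripped first.
RULE_RE = re.compile(r"^(?:owner\s+)?([/@]\S+)\s+([a-zA-Z]+),")

def literal_paths(fragment):
    """Paths of file rules that contain no globs or @{variables}."""
    paths = []
    for line in fragment.splitlines():
        m = RULE_RE.match(line.split("#", 1)[0].strip())
        if m and not any(c in m.group(1) for c in "@*[?{"):
            paths.append(m.group(1))  # globbed rules need AppArmor's own matcher
    return paths

def missing_paths(fragment, root):
    """Rule paths with no file under root: such a rule silently grants nothing."""
    return [p for p in literal_paths(fragment)
            if not os.path.exists(os.path.join(root, p.lstrip("/")))]

def same_profile_link(root, a, b):
    """True if a and b are hard links (same device and inode), which is what
    the thread says a second install path needs in order to share a profile."""
    sa = os.stat(os.path.join(root, a.lstrip("/")))
    sb = os.stat(os.path.join(root, b.lstrip("/")))
    return (sa.st_dev, sa.st_ino) == (sb.st_dev, sb.st_ino)

def build_demo_root():
    """Constructed tree: passt.avx2 is hard-linked into /usr/local/bin, while
    /usr/local/bin/passt is a separate copy, as a plain 'make install' leaves it."""
    root = tempfile.mkdtemp()
    for d in ("usr/bin", "usr/local/bin"):
        os.makedirs(os.path.join(root, d))
    for name in ("usr/bin/passt", "usr/bin/passt.avx2", "usr/local/bin/passt"):
        with open(os.path.join(root, name), "wb") as f:
            f.write(b"\x7fELF")  # placeholder content, not a real binary
    os.link(os.path.join(root, "usr/bin/passt.avx2"),
            os.path.join(root, "usr/local/bin/passt.avx2"))
    return root
```

Run against a real system by passing `root="/"` and the contents of /etc/apparmor.d/abstractions/passt; any path reported by `missing_paths` is a rule that cannot be matching the binary you meant.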