public inbox for passt-dev@passt.top
From: Stefano Brivio <sbrivio@redhat.com>
To: passt-dev@passt.top
Cc: "Niklas Edmundsson" <nikke@accum.se>,
	"Andrea Bolognani" <abologna@redhat.com>,
	"Jim Fehlig" <jfehlig@suse.com>,
	"Maxime Bélair" <maxime.belair@canonical.com>,
	"Dario Faggioli" <dfaggioli@suse.com>
Subject: [PATCH] apparmor: Upgrade ABI version to 4.0, explicitly enable user namespace creation
Date: Sat, 10 Jan 2026 16:14:30 +0100
Message-ID: <20260110151430.3668869-1-sbrivio@redhat.com>

In the 3.0 AppArmor ABI version we currently use, user namespace rules
are not supported, and, as long as we load confined profiles, those
implicitly allow creation of user namespaces.

However, ABI version 4.0 introduces rules for user namespaces, and if
we don't specify any, we can't create user namespaces, see:

  https://gitlab.com/apparmor/apparmor/-/wikis/unprivileged_userns_restriction

This wouldn't affect us in general, given that we're using the 3.0
ABI, but libvirt's policy uses 4.0 instead, and if our abstractions
are used from there, no matter what ABI policy version we declare,
rules for user namespace creation now match ABI policy version 4.0.

As a result, when libvirtd runs as root, and its profile includes
passt's abstraction, cf. commit 66769c2de825 ("apparmor: Workaround
for unconfined libvirtd when triggered by unprivileged user"), passt
can't detach user namespaces and will fail to start, as reported by
Niklas:

  ERROR    internal error: Child process (passt --one-off --socket /run/libvirt/qemu/passt/1-haos-net0.socket --pid /run/libvirt/qemu/passt/1-haos-net0-passt.pid --tcp-ports 8123) unexpected exit status 1: Multiple interfaces with IPv6 routes, picked first
  UNIX domain socket bound at /run/libvirt/qemu/passt/1-haos-net0.socket
  Couldn't create user namespace: Permission denied

This isn't a problem with libvirtd running as regular user, because
in that case, as a workaround, passt currently runs under its own
profile, not as a libvirtd subprofile (see commit referenced above).

Given that ABI 4.0 has been around for a while, being introduced in
July 2023, finally take the step to upgrade to it and explicitly
enable user namespace creation.

No further changes are needed in the existing policies to match new
features introduced in AppArmor 4.0.

Reported-by: Niklas Edmundsson <nikke@accum.se>
Link: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1124801
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
---
 contrib/apparmor/abstractions/passt   | 3 ++-
 contrib/apparmor/abstractions/pasta   | 2 +-
 contrib/apparmor/usr.bin.passt        | 2 +-
 contrib/apparmor/usr.bin.passt-repair | 2 +-
 contrib/apparmor/usr.bin.pasta        | 2 +-
 5 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/contrib/apparmor/abstractions/passt b/contrib/apparmor/abstractions/passt
index 25b2ea8..0ffadaf 100644
--- a/contrib/apparmor/abstractions/passt
+++ b/contrib/apparmor/abstractions/passt
@@ -11,7 +11,7 @@
 # Copyright (c) 2022 Red Hat GmbH
 # Author: Stefano Brivio <sbrivio@redhat.com>
 
-  abi <abi/3.0>,
+  abi <abi/4.0>,
 
   include <abstractions/base>
 
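Review bot: the `abi <abi/4.0>,` line in this abstraction sets a minimum apparmor_parser requirement (the commit message dates ABI 4.0 to July 2023) that neither the file header nor the commit message states; a one-line comment next to the abi rule, or a sentence in the commit message naming the minimum AppArmor release and the distributions known to ship it, would save packagers a failed policy load. Since this abstraction is included by third-party profiles (libvirt, per the commit message), the commit message should also spell out what happens when an including profile still declares `abi <abi/3.0>,`: it argues that the includer's ABI governs userns rules, so that mixed case deserves an explicit sentence rather than being left implicit.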
@@ -24,6 +24,7 @@
   capability setpcap,
   capability net_admin,
   capability sys_ptrace,
+  userns,
 
   /					r,	# isolate_prefork(), isolation.c
   mount options=(rw, runbindable) -> /,
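Review bot: `userns,` with no access qualifier grants every userns permission the ABI defines, while the commit message's stated intent is only creation; `userns create,` expresses exactly that and keeps the rule narrow if later ABIs add further userns accesses. The neighbouring `/ r,` line cites the code that needs it (`isolate_prefork(), isolation.c`); the new rule should carry the same kind of pointer to the user namespace creation path in isolation.c so the next reader knows which code depends on it and can drop the rule if that code changes.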
diff --git a/contrib/apparmor/abstractions/pasta b/contrib/apparmor/abstractions/pasta
index 9f73bee..251d4a2 100644
--- a/contrib/apparmor/abstractions/pasta
+++ b/contrib/apparmor/abstractions/pasta
@@ -11,7 +11,7 @@
 # Copyright (c) 2022 Red Hat GmbH
 # Author: Stefano Brivio <sbrivio@redhat.com>
 
-  abi <abi/3.0>,
+  abi <abi/4.0>,
 
   include <abstractions/passt>
 
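Review bot: this hunk only bumps the ABI, so pasta's user namespace permission arrives through the `include <abstractions/passt>` line visible here rather than from a rule in this file; the commit message describes the userns change as made to "passt's abstraction" only and should say that the pasta abstraction and the pasta profile inherit it, so that a reader grepping the pasta files for `userns` does not conclude the rule was forgotten.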
diff --git a/contrib/apparmor/usr.bin.passt b/contrib/apparmor/usr.bin.passt
index 62a4514..c123a86 100644
--- a/contrib/apparmor/usr.bin.passt
+++ b/contrib/apparmor/usr.bin.passt
@@ -11,7 +11,7 @@
 # Copyright (c) 2022 Red Hat GmbH
 # Author: Stefano Brivio <sbrivio@redhat.com>
 
-abi <abi/3.0>,
+abi <abi/4.0>,
 
 include <tunables/global>
 
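Review bot: the commit message asserts that no other rule classes introduced with AppArmor 4.0 need adding, but this hunk shows only the abi bump and none of the rest of the profile, so the reviewer cannot check that claim; state in the commit message how it was verified (for example a passt run under the upgraded profile with no new DENIED audit entries), since an ABI bump changes which rule classes are mediated by default and not only userns.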
diff --git a/contrib/apparmor/usr.bin.passt-repair b/contrib/apparmor/usr.bin.passt-repair
index 901189d..23ff1ce 100644
--- a/contrib/apparmor/usr.bin.passt-repair
+++ b/contrib/apparmor/usr.bin.passt-repair
@@ -11,7 +11,7 @@
 # Copyright (c) 2025 Red Hat GmbH
 # Author: Stefano Brivio <sbrivio@redhat.com>
 
-abi <abi/3.0>,
+abi <abi/4.0>,
 
 #include <tunables/global>
 
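Review bot: this profile gets the ABI bump but, as far as the hunk shows, no userns rule and no include of the passt abstraction; under ABI 4.0 that means passt-repair would be denied user namespace creation, so the commit message should say explicitly that passt-repair never creates one (its "no further changes are needed" sentence covers this only implicitly). While the file is being touched, the `#include <tunables/global>` line uses the legacy `#include` form whereas usr.bin.passt and usr.bin.pasta in this same patch use `include`; aligning it avoids a reader mistaking the line for a comment.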
diff --git a/contrib/apparmor/usr.bin.pasta b/contrib/apparmor/usr.bin.pasta
index 2483968..56b5024 100644
--- a/contrib/apparmor/usr.bin.pasta
+++ b/contrib/apparmor/usr.bin.pasta
@@ -11,7 +11,7 @@
 # Copyright (c) 2022 Red Hat GmbH
 # Author: Stefano Brivio <sbrivio@redhat.com>
 
-abi <abi/3.0>,
+abi <abi/4.0>,
 
 include <tunables/global>
 
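Review bot: the evidence in the commit message (Niklas's report) covers passt started by libvirtd running as root; nothing shown covers pasta under this profile, where the userns rule, if it is reached at all, comes through two levels of include (this profile's abstraction include, not visible in the hunk, and the `include <abstractions/passt>` inside the pasta abstraction). Add a pasta-specific check to the commit message, such as starting pasta with the upgraded profile loaded and confirming that user namespace creation succeeds, so the pasta path is not assumed from the passt result.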
-- 
2.43.0
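The failure mode the commit message describes (a policy that resolves to ABI 4.0 without any `userns` rule, or a 3.0 profile pulling in an abstraction that will later move to 4.0) can be caught before loading policy with a textual check over the profile tree. The following is an added example, not code from the passt project or from AppArmor: it follows `include` lines relative to a policy root, treats any reachable `abi <abi/4.0>` declaration as putting the userns rule class under mediation (an approximation of the behaviour the commit message describes, not the parser's exact semantics), and flags the combinations seen in the bug report. The file names, profile contents and the `demo()` tree are constructed for illustration.

```python
"""Lint AppArmor policy files for the ABI 4.0 userns pitfall.

Hypothetical helper, not part of passt or AppArmor. Purely textual:
it never loads policy and only approximates apparmor_parser semantics.
"""
import re
import tempfile
from pathlib import Path

ABI_RE = re.compile(r"^\s*abi\s+<abi/([0-9.]+)>\s*,")
INCLUDE_RE = re.compile(r"^\s*#?include\s+(?:if\s+exists\s+)?<([^>]+)>")
USERNS_RE = re.compile(r"^\s*userns\b")


def _lines(path):
    """Yield policy lines with comments dropped ('#include' is legacy include syntax)."""
    for raw in Path(path).read_text().splitlines():
        line = raw.strip()
        if line.startswith("#") and not line.startswith("#include"):
            continue
        yield line


def collect(path, root, seen=None):
    """Return {'abis': set, 'userns': bool, 'files': list} for path and everything it includes."""
    root, path = Path(root), Path(path)
    seen = seen if seen is not None else set()
    result = {"abis": set(), "userns": False, "files": []}
    if path in seen or not path.exists():
        return result
    seen.add(path)
    result["files"].append(str(path))
    for line in _lines(path):
        m = ABI_RE.match(line)
        if m:
            result["abis"].add(m.group(1))
            continue
        if USERNS_RE.match(line):
            result["userns"] = True
            continue
        m = INCLUDE_RE.match(line)
        if m:
            sub = collect(root / m.group(1), root, seen)
            result["abis"] |= sub["abis"]
            result["userns"] |= sub["userns"]
            result["files"] += sub["files"]
    return result


def findings(path, root):
    """Human-readable problems for one top-level profile; empty list means clean."""
    info = collect(path, root)
    out = []
    if len(info["abis"]) > 1:
        out.append("mixed ABI declarations: " + ", ".join(sorted(info["abis"])))
    if "4.0" in info["abis"] and not info["userns"]:
        out.append("ABI 4.0 reachable but no userns rule: user namespace creation will be denied")
    if info["abis"] == {"3.0"} and not info["userns"]:
        out.append("ABI 3.0 only: user namespace creation implicitly allowed; add 'userns create,' before moving to 4.0")
    return out


def demo():
    """Constructed policy tree: the reported situation (before) and the patched one (after)."""
    root = Path(tempfile.mkdtemp())
    (root / "abstractions").mkdir()
    (root / "tunables").mkdir()
    (root / "tunables/global").write_text("# constructed stand-in for tunables/global\n")
    before = "  abi <abi/3.0>,\n  capability net_admin,\n  / r,\n"
    after = "  abi <abi/4.0>,\n  capability net_admin,\n  userns create,\n  / r,\n"
    libvirt = ("abi <abi/4.0>,\n#include <tunables/global>\n"
               "profile libvirtd {\n  include <abstractions/passt>\n}\n")
    own = ("abi <abi/3.0>,\ninclude <tunables/global>\n"
           "/usr/bin/passt {\n  include <abstractions/passt>\n}\n")
    results = {}
    (root / "usr.sbin.libvirtd").write_text(libvirt)
    (root / "usr.bin.passt").write_text(own)
    (root / "abstractions/passt").write_text(before)
    results["before_libvirtd"] = findings(root / "usr.sbin.libvirtd", root)
    results["before_own"] = findings(root / "usr.bin.passt", root)
    (root / "abstractions/passt").write_text(after)
    (root / "usr.bin.passt").write_text(own.replace("3.0", "4.0"))
    results["after_libvirtd"] = findings(root / "usr.sbin.libvirtd", root)
    results["after_own"] = findings(root / "usr.bin.passt", root)
    return results


if __name__ == "__main__":
    for name, problems in demo().items():
        print(name, "->", problems or "clean")
```

The "before" libvirtd case reproduces the report: the 4.0 profile reaches a 3.0 abstraction with no userns rule and gets flagged, while passt's own 3.0 profile only gets the advisory that creation is implicitly allowed. After the patched abstraction and profile are in place both come back clean. Pointing `findings()` at a real `/etc/apparmor.d` root works the same way, with the caveat that the check is an approximation and a complain-mode run with audit logging remains the authoritative test.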


Thread overview: 4+ messages
2026-01-10 15:14 Stefano Brivio [this message]
2026-01-12 15:11 ` Andrea Bolognani
2026-01-12 17:46   ` Stefano Brivio
2026-01-13 13:06     ` Andrea Bolognani

Code repositories for project(s) associated with this public inbox

	https://passt.top/passt