From: Stefano Brivio
To: Andrea Bolognani
CC: passt-dev@passt.top, Niklas Edmundsson, Jim Fehlig, Maxime Bélair, Dario Faggioli, devel@lists.libvirt.org
Subject: Re: [PATCH] apparmor: Upgrade ABI version to 4.0, explicitly enable user namespace creation
Date: Mon, 12 Jan 2026 18:46:07 +0100
Message-ID: <20260112184607.5d0978a0@elisabeth>
References: <20260110151430.3668869-1-sbrivio@redhat.com>
Organization: Red Hat
List-Id: Development discussion and patches for passt

On Mon, 12 Jan 2026 08:11:44 -0700
Andrea Bolognani wrote:

> [adding libvirt devel list]
>
> On Sat, Jan 10, 2026 at 04:14:30PM +0100, Stefano Brivio wrote:
> > In the 3.0 AppArmor ABI version we currently use, user namespace rules
> > are not supported, and, as long as we load confined profiles, those
> > implicitly allow creation of user namespaces.
> >
> > However, ABI version 4.0 introduces rules for user namespaces, and if
> > we don't specify any, we can't create user namespaces, see:
> >
> > https://gitlab.com/apparmor/apparmor/-/wikis/unprivileged_userns_restriction
> >
> > This wouldn't affect us in general, given that we're using the 3.0
> > ABI, but libvirt's policy uses 4.0 instead, and if our abstractions
> > are used from there, no matter what ABI policy version we declare,
> > rules for user namespace creation now match ABI policy version 4.0.
>
> AFAICT libvirt's policy doesn't explicitly declare any ABI version,
> so how does that work? Is the most recent one being used in that
> case?

Oh, right, I forgot to mention that this is implicit from including
abstraction/base in libvirt's policy, which uses 4.0 on all the current
versions of AppArmor-enabled distributions I checked (Debian, including
stable/trixie, Ubuntu, openSUSE).

> Assuming that's the case, how far back will that result in ABI 4.0
> being the effective one? It looks like Debian only got AppArmor 4+ in
> March of last year.

Given that it's bound to the version from abstraction/base, the only
risk I see is that passt might now ship a policy with an ABI version
that's too new for the distribution at hand. But ABI 4.0 has been
around for more than two years now, so I don't really see a problem.

> Do we want to make the ABI version explicit in libvirt's policy? If
> so, should we stick with 3.0 for maximum compatibility?

I wouldn't make it explicit. Yes, sticking to 3.0 would have avoided
this issue and resulted in better compatibility overall, but it would
cause even more problems if you ever need to switch "back" to 4.0 at
some point in time. I think that using the version from
abstraction/base as libvirt does is actually a more convenient and
compatible approach in general.
We didn't do that in passt's policy because the rules included there
are too broad, but given that libvirtd's policy already includes it,
I'd suggest keeping it that way.

> > As a result, when libvirtd runs as root, and its profile includes
> > passt's abstraction, cf. commit 66769c2de825 ("apparmor: Workaround
> > for unconfined libvirtd when triggered by unprivileged user"), passt
> > can't detach user namespaces and will fail to start, as reported by
> > Niklas:
> >
> > ERROR internal error: Child process (passt --one-off --socket /run/libvirt/qemu/passt/1-haos-net0.socket --pid /run/libvirt/qemu/passt/1-haos-net0-passt.pid --tcp-ports 8123) unexpected exit status 1: Multiple interfaces with IPv6 routes, picked first
> > UNIX domain socket bound at /run/libvirt/qemu/passt/1-haos-net0.socket
> > Couldn't create user namespace: Permission denied
> >
> > This isn't a problem with libvirtd running as regular user, because
> > in that case, as a workaround, passt currently runs under its own
> > profile, not as a libvirtd subprofile (see commit referenced above).
> >
> > Given that ABI 4.0 has been around for a while, being introduced in
> > July 2023, finally take the step to upgrade to it and explicitly
> > enable user namespace creation.
> >
> > No further changes are needed in the existing policies to match new
> > features introduced in AppArmor 4.0.
> >
> > Reported-by: Niklas Edmundsson
> > Link: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1124801
> > Signed-off-by: Stefano Brivio
> > ---
> >  contrib/apparmor/abstractions/passt   | 3 ++-
> >  contrib/apparmor/abstractions/pasta   | 2 +-
> >  contrib/apparmor/usr.bin.passt        | 2 +-
> >  contrib/apparmor/usr.bin.passt-repair | 2 +-
> >  contrib/apparmor/usr.bin.pasta        | 2 +-
> >  5 files changed, 6 insertions(+), 5 deletions(-)
> >
> > diff --git a/contrib/apparmor/abstractions/passt b/contrib/apparmor/abstractions/passt
> > index 25b2ea8..0ffadaf 100644
> > --- a/contrib/apparmor/abstractions/passt
> > +++ b/contrib/apparmor/abstractions/passt
> > @@ -11,7 +11,7 @@
> >  # Copyright (c) 2022 Red Hat GmbH
> >  # Author: Stefano Brivio
> >
> > - abi ,
> > + abi ,
> >
> >  include
> >
> > @@ -24,6 +24,7 @@
> >  capability setpcap,
> >  capability net_admin,
> >  capability sys_ptrace,
> > + userns,
> >
> >  / r, # isolate_prefork(), isolation.c
> >  mount options=(rw, runbindable) -> /,
> > diff --git a/contrib/apparmor/abstractions/pasta b/contrib/apparmor/abstractions/pasta
> > index 9f73bee..251d4a2 100644
> > --- a/contrib/apparmor/abstractions/pasta
> > +++ b/contrib/apparmor/abstractions/pasta
> > @@ -11,7 +11,7 @@
> >  # Copyright (c) 2022 Red Hat GmbH
> >  # Author: Stefano Brivio
> >
> > - abi ,
> > + abi ,
> >
> >  include
> >
> > diff --git a/contrib/apparmor/usr.bin.passt b/contrib/apparmor/usr.bin.passt
> > index 62a4514..c123a86 100644
> > --- a/contrib/apparmor/usr.bin.passt
> > +++ b/contrib/apparmor/usr.bin.passt
> > @@ -11,7 +11,7 @@
> >  # Copyright (c) 2022 Red Hat GmbH
> >  # Author: Stefano Brivio
> >
> > -abi ,
> > +abi ,
> >
> >  include
> >
> > diff --git a/contrib/apparmor/usr.bin.passt-repair b/contrib/apparmor/usr.bin.passt-repair
> > index 901189d..23ff1ce 100644
> > --- a/contrib/apparmor/usr.bin.passt-repair
> > +++ b/contrib/apparmor/usr.bin.passt-repair
> > @@ -11,7 +11,7 @@
> >  # Copyright (c) 2025 Red Hat GmbH
> >  # Author: Stefano Brivio
> >
> > -abi ,
> > +abi ,
> >
> >  #include
> >
> > diff --git a/contrib/apparmor/usr.bin.pasta b/contrib/apparmor/usr.bin.pasta
> > index 2483968..56b5024 100644
> > --- a/contrib/apparmor/usr.bin.pasta
> > +++ b/contrib/apparmor/usr.bin.pasta
> > @@ -11,7 +11,7 @@
> >  # Copyright (c) 2022 Red Hat GmbH
> >  # Author: Stefano Brivio
> >
> > -abi ,
> > +abi ,
> >
> >  include
> >
> > --
> > 2.43.0

--
Stefano
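Review bot: in the second hunk of contrib/apparmor/abstractions/passt, the new `userns,` rule is the one line that fixes the "Couldn't create user namespace: Permission denied" failure quoted in the commit message, yet it carries no pointer to the code that needs it, while the neighbouring `/ r, # isolate_prefork(), isolation.c` line does. A trailing comment in the same style, naming the isolation.c code path that creates the user namespace, would tell the next reader why the rule must not be dropped when the ABI is bumped again.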
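Review bot: the contrib/apparmor/abstractions/pasta hunk moves that abstraction to the 4.0 ABI without adding a `userns,` rule, unlike the passt abstraction above it. By the commit message's own reasoning, once the effective ABI is 4.0 a policy with no userns rule cannot create user namespaces, so if pasta creates one it must get the rule either here or through the `include` this hunk shows (its target is not visible in the diff). The commit message's "No further changes are needed in the existing policies" would read better with a sentence stating which of the two applies to pasta.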
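Review bot: the contrib/apparmor/usr.bin.passt hunk, like the other four `abi` bumps, makes the shipped profile fail to load on an apparmor_parser that has no 4.0 ABI file, which is exactly the "too new for the distribution at hand" risk discussed in the thread. The commit message dates ABI 4.0 to July 2023 but does not name the minimum AppArmor version the policies now require; packagers will want that stated explicitly in the message.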
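Review bot: contrib/apparmor/usr.bin.passt-repair is the only one of the five files whose context line reads `#include` rather than `include`; both spellings are accepted by the parser, but since this hunk already touches the line two above it, aligning it with the other four profiles (`include`) costs nothing and keeps the policies consistent.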
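The interaction the reply describes (the effective ABI being inherited from an included abstractions/base, and a 4.0 policy without a userns rule denying user namespace creation) can be checked before a policy is deployed. The script below is an added example written for this page; it is not code from the patch nor from the passt or libvirt projects. It builds a constructed policy tree under a temporary directory, using AppArmor's `abi <abi/X.Y>,` and `include <path>` syntax (the angle brackets are assumed from the policy language, since the copy of the patch on this page has them stripped), resolves includes transitively, takes the highest ABI seen as the effective one (the rule the reply states), and flags a profile that ends up on 4.0 with no `userns` rule anywhere in its include tree. The file names and rules in the sample tree are made up.

```shell
#!/bin/sh
# Added example: audit profiles for the "effective ABI 4.0, no userns rule"
# failure mode described in the thread. The policy tree built here is
# constructed for the example and is not the real passt/libvirt policy.

POLICY_ROOT="${TMPDIR:-/tmp}/apparmor-userns-check.$$"
trap 'rm -rf "$POLICY_ROOT"' EXIT

make_sample_tree() {
  mkdir -p "$POLICY_ROOT/abstractions"
  # abstractions/base on current distributions pins the 4.0 ABI
  printf 'abi <abi/4.0>,\n/etc/ld.so.cache r,\n' > "$POLICY_ROOT/abstractions/base"
  # an abstraction in the style of the pre-patch one: ABI 3.0, no userns rule
  printf 'abi <abi/3.0>,\ncapability net_admin,\n' > "$POLICY_ROOT/abstractions/net_old"
  # the same abstraction carrying the rule the patch adds
  printf 'abi <abi/3.0>,\ncapability net_admin,\nuserns,\n' > "$POLICY_ROOT/abstractions/net_new"
  # a daemon profile with no abi line of its own: it inherits 4.0 from base
  printf 'profile daemon {\n  include <abstractions/base>\n  include <abstractions/net_old>\n}\n' \
    > "$POLICY_ROOT/daemon_broken"
  # same profile, using the fixed abstraction (and the legacy #include spelling)
  printf 'profile daemon {\n  include <abstractions/base>\n  #include <abstractions/net_new>\n}\n' \
    > "$POLICY_ROOT/daemon_fixed"
  # a stand-alone 3.0 profile: no userns rules exist at that ABI
  printf 'abi <abi/3.0>,\nprofile tool {\n  include <abstractions/net_old>\n}\n' \
    > "$POLICY_ROOT/tool_3_0"
}

# Print $1 and every file it includes, transitively (depth in $2).
# Targets are resolved relative to POLICY_ROOT, as the parser does
# relative to its include directories.
resolve_includes() {
  [ -r "$1" ] || return 0
  if [ "${2:-0}" -gt 8 ]; then return 0; fi
  echo "$1"
  sed -n 's/^[[:space:]]*#\{0,1\}include[[:space:]]*\(if exists[[:space:]]*\)\{0,1\}<\([^>]*\)>.*/\2/p' "$1" |
  while read -r inc; do
    resolve_includes "$POLICY_ROOT/$inc" $(( ${2:-0} + 1 ))
  done
}

# Highest ABI declared anywhere in the include tree, "0.0" if none.
effective_abi() {
  resolve_includes "$1" 0 | sort -u | while read -r f; do
    sed -n 's/^[[:space:]]*abi[[:space:]]*<abi\/\([0-9][0-9.]*\)>.*/\1/p' "$f"
  done | awk 'BEGIN { m = 0 } { v = $1 + 0; if (v > m) m = v } END { printf "%.1f\n", m }'
}

# Succeeds if any file in the include tree carries a userns rule.
has_userns_rule() {
  resolve_includes "$1" 0 | sort -u | while read -r f; do
    grep -Eq '^[[:space:]]*userns([[:space:]]|,)' "$f" && echo yes
  done | grep -q yes
}

# Verdict for one profile: no-abi, implicit-allow (below 4.0, no userns
# rules exist and creation is allowed), ok, or userns-denied.
check_profile() {
  abi=$(effective_abi "$1")
  if [ "$abi" = "0.0" ]; then echo "no-abi"; return 0; fi
  if awk "BEGIN { exit !($abi < 4.0) }"; then echo "implicit-allow"; return 0; fi
  if has_userns_rule "$1"; then echo "ok"; else echo "userns-denied"; fi
}

make_sample_tree
for p in daemon_broken daemon_fixed tool_3_0; do
  printf '%-14s effective ABI %s -> %s\n' "$p" \
    "$(effective_abi "$POLICY_ROOT/$p")" "$(check_profile "$POLICY_ROOT/$p")"
done
```

`daemon_broken` reproduces the reported situation: the profile declares nothing itself, inherits 4.0 from abstractions/base, and includes an abstraction written against 3.0 with no userns rule, so it is reported as `userns-denied` even though every file it includes is individually valid. Pointing POLICY_ROOT at a real /etc/apparmor.d tree and passing a real profile path gives the same verdict for an installed policy.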