From: Andrea Bolognani <abologna@redhat.com>
To: Stefano Brivio <sbrivio@redhat.com>
Cc: Prafulla Giri <prafulla.giri@protonmail.com>,
"passt-dev@passt.top" <passt-dev@passt.top>
Subject: Re: Apparmor (and other) Issues
Date: Tue, 4 Feb 2025 09:50:40 +0000
Message-ID: <CABJz62M=tn40ovN0TbmSNfG0Gqc-JxgSEP6La=rLDfhRYUs2sg@mail.gmail.com>
In-Reply-To: <20250204095000.4ca5c43a@elisabeth>
On Tue, Feb 04, 2025 at 09:50:00AM +0100, Stefano Brivio wrote:
> On Tue, 04 Feb 2025 08:21:53 +0000 Prafulla Giri <prafulla.giri@protonmail.com> wrote:
> > type=SERVICE_START msg=audit(1738501309.082:134): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=unconfined msg='unit=polkit comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
> > type=AVC msg=audit(1738501309.118:135): apparmor="DENIED" operation="file_mmap" class="file" profile="passt" name="/usr/bin/passt" pid=2030 comm="passt" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0FSUID="larryboy" OUID="root"
> > type=SYSCALL msg=audit(1738501309.118:135): arch=c000003e syscall=59 success=no exit=-13 a0=7faf24035fc0 a1=7faf24035210 a2=7ffc063280d0 a3=0 items=0 ppid=1964 pid=2030 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=1 comm="passt" exe="/usr/bin/passt" subj=passt key=(null)ARCH=x86_64 SYSCALL=execve AUID="larryboy" UID="larryboy" GID="larryboy" EUID="larryboy" SUID="larryboy" FSUID="larryboy" EGID="larryboy" SGID="larryboy" FSGID="larryboy"
> > type=PROCTITLE msg=audit(1738501309.118:135): proctitle="(null)"
> > type=ANOM_ABEND msg=audit(1738501309.118:136): auid=1000 uid=1000 gid=1000 ses=1 subj=passt pid=2030 comm="passt" exe="/usr/bin/passt" sig=11 res=1AUID="larryboy" UID="larryboy" GID="larryboy"
>
> So, it looks like passt is running as its own profile. This shouldn't
> happen because the libvirt profile has its own subprofile and we should
> see that in "profile" on the type=AVC line but... I just reproduced
> this! Clean Debian sid install, fresh install of libvirtd:
>
> error: internal error: Child process (passt --one-off --socket /run/user/1000/libvirt/qemu/run/passt/1-alpine-net0.socket --pid /run/user/1000/libvirt/qemu/run/passt/1-alpine-net0-passt.pid --tcp-ports 40922:22) unexpected fatal signal 11
>
> I'll keep you posted.
I've skimmed the conversation trying to understand whether there's
anything that I need to do from the libvirt side, but AFAICT no explicit
action has been called for so far.
It looks like you're making good progress in figuring out what's
going on. Being able to reproduce the issue yourself is certainly
going to help. I'm happy to leave all the debugging to you, since as
you know I'm not very good at the AppArmor stuff and I'm really,
really bad at the networking stuff ;)
Once a clearer picture emerges, if it turns out that changes are
needed in either libvirt or its Debian packaging, I can definitely
look into making that happen.
--
Andrea Bolognani / Red Hat / Virtualization
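The audit records quoted in this message can be triaged mechanically. The following Python is an added example, not code from this thread or from the passt or libvirt projects: it groups records by audit serial, reports each AppArmor denial together with the syscall and errno it blocked, flags whether the confining profile is a child profile (AppArmor logs those as `parent//child`, which is what Stefano expected to see), and links a later ANOM_ABEND for the same pid. The sample input is the thread's own records with the human-readable enrichment fields trimmed off; the syscall table is assumed to cover only the one x86_64 number the sample uses.

```python
import errno
import re
import signal
from collections import defaultdict
# Audit records quoted in the thread, trimmed of the AUID=/UID=... enrichment suffixes.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1738501309.118:135): apparmor="DENIED" operation="file_mmap" class="file" profile="passt" name="/usr/bin/passt" pid=2030 comm="passt" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=SYSCALL msg=audit(1738501309.118:135): arch=c000003e syscall=59 success=no exit=-13 ppid=1964 pid=2030 auid=1000 uid=1000 comm="passt" exe="/usr/bin/passt" subj=passt key=(null)
type=ANOM_ABEND msg=audit(1738501309.118:136): auid=1000 uid=1000 gid=1000 ses=1 subj=passt pid=2030 comm="passt" exe="/usr/bin/passt" sig=11 res=1
"""
RECORD_RE = re.compile(r'^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value, value quoted or bare
X86_64_SYSCALLS = {59: "execve"}  # assumption: arch=c000003e records; only the entry the sample needs

def parse_records(text):
    """Group audit records by serial number; one serial is one kernel event."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue  # not an audit record (or too garbled to parse)
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("body"))}
        events[int(m.group("serial"))][m.group("type")] = fields
    return events

def apparmor_denials(text):
    """One finding per AppArmor DENIED event, enriched from SYSCALL and any later ANOM_ABEND."""
    events = parse_records(text)
    findings = []
    for serial, recs in sorted(events.items()):
        avc = recs.get("AVC")
        if not avc or avc.get("apparmor") != "DENIED":
            continue
        sc = recs.get("SYSCALL", {})
        exit_code = int(sc.get("exit", "0"))  # negative exit is -errno on Linux
        f = {"serial": serial, "profile": avc.get("profile"),
             "is_subprofile": "//" in avc.get("profile", ""),  # parent//child naming
             "operation": avc.get("operation"), "target": avc.get("name"), "pid": avc.get("pid"),
             "syscall": X86_64_SYSCALLS.get(int(sc["syscall"]), sc["syscall"]) if "syscall" in sc else None,
             "errno": errno.errorcode.get(-exit_code) if exit_code < 0 else None,
             "crash_signal": None}
        for later, other in events.items():  # did the same pid abort after the denial?
            abend = other.get("ANOM_ABEND")
            if later > serial and abend and abend.get("pid") == f["pid"]:
                f["crash_signal"] = signal.Signals(int(abend["sig"])).name
        findings.append(f)
    return findings

if __name__ == "__main__":
    print(apparmor_denials(SAMPLE_AUDIT))
```

On the sample, the single finding shows profile `passt` with no `//` (so not a libvirt child profile), `execve` failing with `EACCES`, and the same pid ending with `SIGSEGV`.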