From: Andrea Bolognani
To: Stefano Brivio
CC: Prafulla Giri, "passt-dev@passt.top"
Subject: Re: Apparmor (and other) Issues
Date: Tue, 4 Feb 2025 09:50:40 +0000
List-Id: Development discussion and patches for passt

On Tue, Feb 04, 2025 at 09:50:00AM +0100, Stefano Brivio wrote:
> On Tue, 04 Feb 2025 08:21:53 +0000 Prafulla Giri wrote:
> > type=SERVICE_START msg=audit(1738501309.082:134): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=unconfined msg='unit=polkit comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
> > type=AVC msg=audit(1738501309.118:135): apparmor="DENIED" operation="file_mmap" class="file" profile="passt" name="/usr/bin/passt" pid=2030 comm="passt" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0FSUID="larryboy" OUID="root"
> > type=SYSCALL msg=audit(1738501309.118:135): arch=c000003e syscall=59 success=no exit=-13 a0=7faf24035fc0 a1=7faf24035210 a2=7ffc063280d0 a3=0 items=0 ppid=1964 pid=2030 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=1 comm="passt" exe="/usr/bin/passt" subj=passt key=(null)ARCH=x86_64 SYSCALL=execve AUID="larryboy" UID="larryboy" GID="larryboy" EUID="larryboy" SUID="larryboy" FSUID="larryboy" EGID="larryboy" SGID="larryboy" FSGID="larryboy"
> > type=PROCTITLE msg=audit(1738501309.118:135): proctitle="(null)"
> > type=ANOM_ABEND msg=audit(1738501309.118:136): auid=1000 uid=1000 gid=1000 ses=1 subj=passt pid=2030 comm="passt" exe="/usr/bin/passt" sig=11 res=1AUID="larryboy" UID="larryboy" GID="larryboy"
>
> So, it looks like passt is running as its own profile. This shouldn't
> happen because the libvirt profile has an own subprofile and we should
> see that in "profile" on the type=AVC line but... I just reproduced
> this! Clean Debian sid install, fresh install of libvirtd:
>
> error: internal error: Child process (passt --one-off --socket /run/user/1000/libvirt/qemu/run/passt/1-alpine-net0.socket --pid /run/user/1000/libvirt/qemu/run/passt/1-alpine-net0-passt.pid --tcp-ports 40922:22) unexpected fatal signal 11
>
> I'll keep you posted.

I've skimmed the conversation trying to understand whether there's
anything that I need do from the libvirt side, but AFAICT no explicit
action has been called for so far.

It looks like you're making good progress in figuring out what's
going on. Being able to reproduce the issue yourself is certainly
going to help. I'm happy to leave all the debugging to you, since as
you know I'm not very good at the AppArmor stuff and I'm really,
really bad at the networking stuff ;)

Once a clearer picture emerges, if it turns out that changes are
needed in either libvirt or its Debian packaging, I can definitely
look into making that happen.

-- 
Andrea Bolognani / Red Hat / Virtualization
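
The correlation done by eye on the quoted audit records (which profile the AVC denial names, how the execve failed, and whether the same pid then crashed), as an added example that is not part of the original message nor passt or libvirt code. The sample lines are the thread's records trimmed to the fields used; reading a `//` in the profile name as "this is a subprofile" assumes AppArmor's parent//child naming, and `parse`/`triage` are names made up here.

```python
import errno
import re
import signal

# Constructed sample: the audit records quoted in this thread, trimmed to the fields used here.
SAMPLE = """\
type=AVC msg=audit(1738501309.118:135): apparmor="DENIED" operation="file_mmap" class="file" profile="passt" name="/usr/bin/passt" pid=2030 comm="passt" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=SYSCALL msg=audit(1738501309.118:135): arch=c000003e syscall=59 success=no exit=-13 ppid=1964 pid=2030 comm="passt" exe="/usr/bin/passt" subj=passt
type=ANOM_ABEND msg=audit(1738501309.118:136): auid=1000 uid=1000 ses=1 subj=passt pid=2030 comm="passt" exe="/usr/bin/passt" sig=11 res=1
"""

HEAD = re.compile(r'^type=(\S+) msg=audit\(\d+\.\d+:(\d+)\): (.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse(text):
    """Yield (record type, event serial, key/value fields) per audit line."""
    for line in text.splitlines():
        m = HEAD.match(line.strip())
        if m:
            fields = {k: v.strip('"') for k, v in FIELD.findall(m.group(3))}
            yield m.group(1), int(m.group(2)), fields

def triage(text):
    """Tie each AppArmor denial to its syscall result and any crash of the same pid."""
    records = list(parse(text))
    findings = []
    for rtype, serial, f in records:
        if rtype != "AVC" or f.get("apparmor") != "DENIED":
            continue
        # Records of one audit event share the serial after the timestamp.
        sysc = next((g for t, s, g in records if t == "SYSCALL" and s == serial), {})
        # The crash is a separate event; match it on pid instead.
        crash = next((g for t, _, g in records
                      if t == "ANOM_ABEND" and g.get("pid") == f.get("pid")), None)
        exit_code = int(sysc.get("exit", "0"))
        findings.append({
            "profile": f.get("profile"),
            # Assumption: a subprofile would be named parent//child.
            "is_subprofile": "//" in f.get("profile", ""),
            "operation": f.get("operation"),
            "path": f.get("name"),
            "denied_mask": f.get("denied_mask"),
            "errno": errno.errorcode.get(-exit_code) if exit_code < 0 else None,
            "signal": signal.Signals(int(crash["sig"])).name if crash else None,
        })
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```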