From: Andrea Bolognani
Subject: Re: [PATCH] apparmor: Upgrade ABI version to 4.0, explicitly enable user namespace creation
Date: Mon, 12 Jan 2026 08:11:44 -0700
To: Stefano Brivio
CC: passt-dev@passt.top, Niklas Edmundsson, Jim Fehlig, Maxime Bélair, Dario Faggioli, devel@lists.libvirt.org
In-Reply-To: <20260110151430.3668869-1-sbrivio@redhat.com>
List-Id: Development discussion and patches for passt

[adding libvirt devel list]

On Sat, Jan 10, 2026 at 04:14:30PM +0100, Stefano Brivio wrote:
> In the 3.0 AppArmor ABI version we currently use, user namespace rules
> are not supported, and, as long as we load confined profiles, those
> implicitly allow creation of user namespaces.
>
> However, ABI version 4.0 introduces rules for user namespaces, and if
> we don't specify any, we can't create user namespaces, see:
>
> https://gitlab.com/apparmor/apparmor/-/wikis/unprivileged_userns_restriction
>
> This wouldn't affect us in general, given that we're using the 3.0
> ABI, but libvirt's policy uses 4.0 instead, and if our abstractions
> are used from there, no matter what ABI policy version we declare,
> rules for user namespace creation now match ABI policy version 4.0.

AFAICT libvirt's policy doesn't explicitly declare any ABI version, so
how does that work? Is the most recent one being used in that case?

Assuming that's the case, how far back will that result in ABI 4.0
being the effective one? It looks like Debian only got AppArmor 4+ in
March of last year.

Do we want to make the ABI version explicit in libvirt's policy? If so,
should we stick with 3.0 for maximum compatibility?

> As a result, when libvirtd runs as root, and its profile includes
> passt's abstraction, cf. commit 66769c2de825 ("apparmor: Workaround
> for unconfined libvirtd when triggered by unprivileged user"), passt
> can't detach user namespaces and will fail to start, as reported by
> Niklas:
>
>   ERROR internal error: Child process (passt --one-off --socket /run/libvirt/qemu/passt/1-haos-net0.socket --pid /run/libvirt/qemu/passt/1-haos-net0-passt.pid --tcp-ports 8123) unexpected exit status 1: Multiple interfaces with IPv6 routes, picked first
>   UNIX domain socket bound at /run/libvirt/qemu/passt/1-haos-net0.socket
>   Couldn't create user namespace: Permission denied
>
> This isn't a problem with libvirtd running as regular user, because
> in that case, as a workaround, passt currently runs under its own
> profile, not as a libvirtd subprofile (see commit referenced above).
>
> Given that ABI 4.0 has been around for a while, being introduced in
> July 2023, finally take the step to upgrade to it and explicitly
> enable user namespace creation.
> > No further changes are needed in the existing policies to match new > features introduced in AppArmor 4.0. > > Reported-by: Niklas Edmundsson > Link: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=3D1124801 > Signed-off-by: Stefano Brivio > --- > contrib/apparmor/abstractions/passt | 3 ++- > contrib/apparmor/abstractions/pasta | 2 +- > contrib/apparmor/usr.bin.passt | 2 +- > contrib/apparmor/usr.bin.passt-repair | 2 +- > contrib/apparmor/usr.bin.pasta | 2 +- > 5 files changed, 6 insertions(+), 5 deletions(-) > > diff --git a/contrib/apparmor/abstractions/passt b/contrib/apparmor/abstr= actions/passt > index 25b2ea8..0ffadaf 100644 > --- a/contrib/apparmor/abstractions/passt > +++ b/contrib/apparmor/abstractions/passt > @@ -11,7 +11,7 @@ > # Copyright (c) 2022 Red Hat GmbH > # Author: Stefano Brivio > > - abi , > + abi , > > include > > @@ -24,6 +24,7 @@ > capability setpcap, > capability net_admin, > capability sys_ptrace, > + userns, > > /=09=09=09=09=09r,=09# isolate_prefork(), isolation.c > mount options=3D(rw, runbindable) -> /, > diff --git a/contrib/apparmor/abstractions/pasta b/contrib/apparmor/abstr= actions/pasta > index 9f73bee..251d4a2 100644 > --- a/contrib/apparmor/abstractions/pasta > +++ b/contrib/apparmor/abstractions/pasta > @@ -11,7 +11,7 @@ > # Copyright (c) 2022 Red Hat GmbH > # Author: Stefano Brivio > > - abi , > + abi , > > include > > diff --git a/contrib/apparmor/usr.bin.passt b/contrib/apparmor/usr.bin.pa= sst > index 62a4514..c123a86 100644 > --- a/contrib/apparmor/usr.bin.passt > +++ b/contrib/apparmor/usr.bin.passt > @@ -11,7 +11,7 @@ > # Copyright (c) 2022 Red Hat GmbH > # Author: Stefano Brivio > > -abi , > +abi , > > include > > diff --git a/contrib/apparmor/usr.bin.passt-repair b/contrib/apparmor/usr= .bin.passt-repair > index 901189d..23ff1ce 100644 > --- a/contrib/apparmor/usr.bin.passt-repair > +++ b/contrib/apparmor/usr.bin.passt-repair 
> @@ -11,7 +11,7 @@ > # Copyright (c) 2025 Red Hat GmbH > # Author: Stefano Brivio > > -abi , > +abi , > > #include > > diff --git a/contrib/apparmor/usr.bin.pasta b/contrib/apparmor/usr.bin.pa= sta > index 2483968..56b5024 100644 > --- a/contrib/apparmor/usr.bin.pasta > +++ b/contrib/apparmor/usr.bin.pasta > @@ -11,7 +11,7 @@ > # Copyright (c) 2022 Red Hat GmbH > # Author: Stefano Brivio > > -abi , > +abi , > > include > > -- > 2.43.0 >
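Review bot: the abstractions/pasta hunk only bumps the abi line to 4.0 and, unlike the abstractions/passt hunk, adds no `userns,` rule (the diffstat confirms it: 2 +- against 3 ++- for passt). If pasta only obtains the permission because its abstraction includes abstractions/passt, please say so in the commit message; if it does not include it, pasta confined by a 4.0 policy will fail with the same "Couldn't create user namespace: Permission denied" the commit message reports for passt, and this hunk needs its own `userns,` line.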
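Review bot: the context line in the usr.bin.passt-repair hunk still reads `#include` while the other four files use the bare `include` form; since every file's abi line is being touched anyway, this is a good moment to make the include form consistent across the five files, or to note in the commit message why passt-repair is kept different.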
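The situation the commit message describes, a 3.0 abstraction pulled into a 4.0 policy, can be checked mechanically. The lint below is an added example, not code from passt, libvirt or AppArmor; it works on a constructed in-memory policy tree and assumes, as the commit message states, that the including profile's abi rule governs every rule it pulls in, whatever ABI the abstraction itself declares.

```python
import re

# Constructed sample policy tree, not the passt project's real files: a libvirt-style
# profile on ABI 4.0 that pulls in passt's abstraction, which declares ABI 3.0 and,
# before the patch, carries no userns rule.
POLICY_FILES = {
    "usr.sbin.libvirtd": "abi <abi/4.0>,\n/usr/sbin/libvirtd {\n  include <abstractions/passt>\n}\n",
    "abstractions/passt": "abi <abi/3.0>,\ncapability net_admin,\ncapability sys_ptrace,\n",
}

ABI_RE = re.compile(r'^\s*abi\s*<abi/(\d+)\.(\d+)>\s*,')
INCLUDE_RE = re.compile(r'^\s*#?include\s*<([^>]+)>')
USERNS_RE = re.compile(r'^\s*userns\b')

def declared_abi(text):
    """(major, minor) from the file's own abi rule, or None if it has none."""
    for line in text.splitlines():
        m = ABI_RE.match(line)
        if m:
            return (int(m.group(1)), int(m.group(2)))
    return None

def collect_rules(files, path, seen=None):
    """Flatten a policy file and everything it includes into one list of rule lines."""
    seen = set() if seen is None else seen
    if path in seen or path not in files:
        return []
    seen.add(path)
    rules = []
    for line in files[path].splitlines():
        m = INCLUDE_RE.match(line)
        rules += collect_rules(files, m.group(1), seen) if m else [line]
    return rules

def userns_verdict(files, profile):
    """Say whether `profile` may create user namespaces under its effective ABI.
    Assumption, taken from the commit message: the including profile's abi rule
    governs every rule it pulls in, whatever ABI the abstraction itself declares."""
    abi = declared_abi(files[profile])
    if abi is None:
        return "undetermined: no abi rule, effective ABI depends on the parser default"
    if abi < (4, 0):
        return "allowed: ABI %d.%d does not mediate user namespaces" % abi
    if any(USERNS_RE.match(r) for r in collect_rules(files, profile)):
        return "allowed: userns rule present"
    return "denied: ABI %d.%d mediates user namespaces and no userns rule was found" % abi

def with_userns_rule(files):
    """The tree after the patch: the abstraction gains an explicit userns rule."""
    patched = dict(files)
    patched["abstractions/passt"] += "userns,\n"
    return patched

if __name__ == "__main__":
    print("before:", userns_verdict(POLICY_FILES, "usr.sbin.libvirtd"))
    print("after: ", userns_verdict(with_userns_rule(POLICY_FILES), "usr.sbin.libvirtd"))
```

Pointing the same walk at real profile and abstraction files under /etc/apparmor.d would flag every policy that reaches 4.0 without an explicit userns rule.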