From: Andrea Bolognani
Date: Tue, 4 Feb 2025 14:19:34 -0800
Subject: Re: Apparmor (and other) Issues
To: Stefano Brivio
CC: Prafulla Giri, passt-dev@passt.top
List-Id: Development discussion and patches for passt
In-Reply-To: <20250204201448.0bf3f7a3@elisabeth>
References: <20250203093531.6a71cc81@elisabeth> <0gHPSAbajW7n2zyIE-8k2vez7nkpAHQOnP4p6yfc6i5v948AExss0zBAYKF-92Yqf90DhAg3Xx9u19aw4TtSQLnpNgvCEa--wkPTL0PDdnM=@protonmail.com> <20250204095000.4ca5c43a@elisabeth> <20250204111724.48b73b37@elisabeth> <20250204172242.76889328@elisabeth> <20250204201448.0bf3f7a3@elisabeth>

On Tue, Feb 04, 2025 at 08:14:48PM +0100, Stefano Brivio wrote:
> On Tue, 4 Feb 2025 18:46:37 +0000 Andrea Bolognani wrote:
> > > 2. (most reasonable I think) don't use per-VM profiles for the rootless
> > > case. Define a single "libvirt-user" (or "libvirt-session") profile
> > > and use that. We could copy it from the existing ones I suppose.
> >
> > Sounds to me like this would require granting the QEMU process access
> > to roughly the entire filesystem? The disk image could live anywhere
> > after all, and if we can't dynamically add a rule for the exact path
> > the only way out is a free-for-all approach.
>
> Right. That's what we did for libguestfs as well, the image can be
> *almost* anywhere. But it's not free-for-all: you're just granting
> *limited* filesystem access (not to sysfs, not to /etc, and so on).
>
> And I had to build a *very* loose profile for libguestfs because that
> applies to root as well, but for rootless libvirtd, it might even make
> sense to restrict access to just @{HOME}/** and /tmp/** (that's what I
> did for stand-alone passt, for example).

That could work, I suppose. Needs to be discussed upstream, making sure
to involve those who are more experienced with AppArmor than I am,
especially since it's not just a matter of updating the policy but
fundamentally changing how the driver works when operating in
unprivileged mode.

> I'll try to submit a pull request at least for Debian in a couple of
> days.

Be aware that I will emphatically refuse to introduce changes to the
Debian package unless they have been merged upstream first. AppArmor
support lives in the upstream repository, and all fixes and improvements
have to go through it.

-- 
Andrea Bolognani / Red Hat / Virtualization
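An added illustration of the two readings of a single "libvirt-user" profile discussed in the exchange above. This is example policy written for this page; it is not a profile shipped by libvirt, libguestfs or passt and is not part of the thread. The profile names, the attachment path (a glob over qemu-system-* binaries) and the abstractions pulled in are assumptions, and the device, network and capability rules a real QEMU profile needs are left out so that only the filesystem question is shown. The first variant is the "image can be almost anywhere" approach with a few host trees carved out; the second is the rootless variant restricted to @{HOME}/** and /tmp/**.

```apparmor
# Added example, not a real libvirt/passt profile. Profile names and the
# attachment path are assumptions; only filesystem rules are shown.
#include <tunables/global>

# Variant 1: one profile for all rootless VMs, image may live (almost)
# anywhere on the filesystem.
profile libvirt-user-loose /usr/bin/qemu-system-* {
  #include <abstractions/base>

  # The image can be anywhere, so allow read/write/lock on any file the
  # invoking user owns ("owner" checks the file uid against the process).
  owner /** rwk,

  # ...but keep host configuration and kernel interfaces out of reach.
  # Deny rules take precedence over allow rules, so these hold even
  # though /** matches them. abstractions/base needs to read a few
  # files under /etc, hence only writes are denied there.
  deny /etc/** w,
  deny /sys/** rw,
  deny /proc/sys/** rw,
}

# Variant 2: rootless case, image expected under the user's home or /tmp.
profile libvirt-user /usr/bin/qemu-system-* {
  #include <abstractions/base>

  # Nothing outside these two trees is listed, so sysfs, /etc and the
  # rest of the filesystem are implicitly denied (and logged as DENIED),
  # which is how a disk image placed elsewhere shows up.
  owner @{HOME}/** rwk,
  owner /tmp/** rwk,
}
```

Before loading either variant, run it through `apparmor_parser --skip-kernel-load` to catch syntax errors without touching the kernel. Note what the tight variant still grants: every file the user owns under their home, including dotfiles and key material, is reachable by the VM process, so "just @{HOME}/**" is a large reduction from the free-for-all profile but not a per-VM, per-image confinement.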