public inbox for passt-user@passt.top
From: Stefano Brivio <sbrivio@redhat.com>
To: hamish-passt@moffatt.email
Cc: passt-user@passt.top
Subject: Re: apparmor blocks passt running podman
Date: Fri, 7 Jun 2024 20:16:17 +0200
Message-ID: <20240607201617.757cdd1b@elisabeth>
In-Reply-To: <8cf17fe5-ae9f-4228-8970-ada3a88128be@moffatt.email>

Hi Hamish,

On Fri, 7 Jun 2024 20:45:39 +1000
hamish-passt@moffatt.email wrote:

> Hi,
> 
> I have podman 5.1.0 and passt 0.0+20240523.765eb0bf running on Debian 
> bookworm (via unofficial packages).
> 
> When I try to run podman using passt for networking, it is blocked by 
> apparmor (3.0.8).
> 
> audit: type=1400 audit(1717756950.285:65): apparmor="DENIED" 
> operation="open" profile="passt" 
> name="/run/user/1000/netns/netns-cad489f7-d3c4-7730-9d15-17ae8e172da4" 
> pid=246135 comm="passt.avx2" requested_mask="r" denied_mask="r" 
> fsuid=1000 ouid=0
> 
> I'm not familiar with apparmor so I don't know how to debug this. The 
> installed apparmor profile files match the ones in the pasta git. Can 
> you help?

Thanks for your report.

I think the issue is caused by the fact that, with the package you're
using, pasta is associated with the "passt" profile, which is the
profile for passt(1) mode, instead of the usr.bin.pasta profile: look
at the "profile" string in the AppArmor message you shared.

I fixed this in the official Debian packages here, a while ago:
  https://salsa.debian.org/sbrivio/passt/-/commit/5bb812e79143670a57440cd8aa7f2979583c5a0a

Which unofficial packages are you using?

On Debian Bookworm, I think you could simply use the official version
from testing, 0.0~git20240523.765eb0b-1, see also:
  https://tracker.debian.org/pkg/passt

-- 
Stefano
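
Added example, not part of the message above or of the passt project's code: a small parser for AppArmor denial records that reports which profile enforced each denial, so a profile mismatch like the one described in the reply shows up directly. The expected profile name `pasta` used in the usage call is an assumption, the first sample record is the one quoted in the thread joined onto one line, and the other two records are constructed.

```python
import re

# Record 1: the denial quoted in the thread, joined onto one line.
# Records 2 and 3 are constructed. Record 2 has a hex-encoded name: the audit
# subsystem emits values containing spaces or control characters as unquoted hex.
SAMPLE = [
    'audit: type=1400 audit(1717756950.285:65): apparmor="DENIED" '
    'operation="open" profile="passt" '
    'name="/run/user/1000/netns/netns-cad489f7-d3c4-7730-9d15-17ae8e172da4" '
    'pid=246135 comm="passt.avx2" requested_mask="r" denied_mask="r" '
    'fsuid=1000 ouid=0',
    'audit: type=1400 audit(1717756951.000:66): apparmor="DENIED" '
    'operation="open" profile="passt" name=2F746D702F6120622E70636170 '
    'pid=246135 comm="passt.avx2" requested_mask="w" denied_mask="w" '
    'fsuid=1000 ouid=1000',
    'audit: type=1400 audit(1717756952.000:67): apparmor="STATUS" '
    'operation="profile_load" profile="unconfined" name="pasta" pid=1',
]

FIELD = re.compile(r'(\w+)=("([^"]*)"|\S+)')   # key="quoted value" or key=bare
HEX_FIELDS = {"name", "comm", "profile"}       # fields that may be hex-encoded
HEX = re.compile(r'(?:[0-9A-Fa-f]{2})+')

def parse_denial(line):
    """Return the key/value fields of an AppArmor DENIED record, else None."""
    fields = {}
    for key, raw, quoted in FIELD.findall(line):
        if raw.startswith('"'):
            fields[key] = quoted
        elif key in HEX_FIELDS and HEX.fullmatch(raw):
            fields[key] = bytes.fromhex(raw).decode("utf-8", "replace")
        else:
            fields[key] = raw
    return fields if fields.get("apparmor") == "DENIED" else None

def profile_mismatches(lines, expected_profile):
    """List denials enforced under a profile other than expected_profile."""
    out = []
    for line in lines:
        d = parse_denial(line)
        if d and d.get("profile") != expected_profile:
            out.append((d.get("profile"), d.get("operation"),
                        d.get("name"), d.get("denied_mask")))
    return out

if __name__ == "__main__":
    # "pasta" as the expected profile name is an assumption for illustration.
    for hit in profile_mismatches(SAMPLE, "pasta"):
        print("denied under profile %r: %s %s (%s)" % hit)
```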

