Date: Fri, 7 Jun 2024 20:16:17 +0200
From: Stefano Brivio
To: hamish-passt@moffatt.email
CC: passt-user@passt.top
Subject: Re: apparmor blocks passt running podman
Message-ID: <20240607201617.757cdd1b@elisabeth>
In-Reply-To: <8cf17fe5-ae9f-4228-8970-ada3a88128be@moffatt.email>
Organization: Red Hat
List-Id: "For passt users: support, questions and answers"

Hi Hamish,

On Fri, 7 Jun 2024 20:45:39 +1000
hamish-passt@moffatt.email wrote:

> Hi,
>
> I have podman 5.1.0 and passt 0.0+20240523.765eb0bf running on Debian
> bookworm (via unofficial packages).
>
> When I try to run podman using passt for networking, it is blocked by
> apparmor (3.0.8).
>
> audit: type=1400 audit(1717756950.285:65): apparmor="DENIED"
> operation="open" profile="passt"
> name="/run/user/1000/netns/netns-cad489f7-d3c4-7730-9d15-17ae8e172da4"
> pid=246135 comm="passt.avx2" requested_mask="r" denied_mask="r"
> fsuid=1000 ouid=0
>
> I'm not familiar with apparmor so I don't know how to debug this. The
> installed apparmor profile files match the ones in the pasta git. Can
> you help?

Thanks for your report. I think the issue is caused by the fact that,
with the package you're using, pasta is associated with the "passt"
profile, which is the profile for passt(1) mode, instead of the
usr.bin.pasta profile: look at the "profile" string in the AppArmor
message you shared.

I fixed this in the official Debian packages here, a while ago:

  https://salsa.debian.org/sbrivio/passt/-/commit/5bb812e79143670a57440cd8aa7f2979583c5a0a

Which unofficial packages are you using? On Debian Bookworm, I think
you could simply use the official version from testing,
0.0~git20240523.765eb0b-1, see also:

  https://tracker.debian.org/pkg/passt

-- 
Stefano
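
Reading the "profile" field out of a denial, as the reply suggests, can be scripted over a whole log. This is an added example, not part of the original message or of passt; the expected profile name "pasta", the function names, and the second and third sample lines are assumptions constructed for illustration.

```python
import re

# Constructed input: the denial quoted in the message (joined onto one line),
# one constructed ALLOWED record and one unrelated line.
SAMPLE_LOG = [
    'audit: type=1400 audit(1717756950.285:65): apparmor="DENIED" '
    'operation="open" profile="passt" '
    'name="/run/user/1000/netns/netns-cad489f7-d3c4-7730-9d15-17ae8e172da4" '
    'pid=246135 comm="passt.avx2" requested_mask="r" denied_mask="r" '
    'fsuid=1000 ouid=0',
    'audit: type=1400 audit(1717756951.000:66): apparmor="ALLOWED" '
    'operation="open" profile="example" name="/tmp/x" pid=1 comm="example" '
    'requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
    'kernel: unrelated message',
]

# Matches key="quoted value" or key=bare_value
_FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_denial(line):
    """Return the fields of an AppArmor DENIED record, or None for other lines."""
    fields = {}
    for m in _FIELD.finditer(line):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    if fields.get("apparmor") != "DENIED":
        return None
    for key in ("pid", "fsuid", "ouid"):
        if key in fields:
            fields[key] = int(fields[key])
    return fields


def triage(lines, expected_profile):
    """Summarise each denial; expected_profile is chosen by the caller (assumption)."""
    report = []
    for rec in filter(None, map(parse_denial, lines)):
        report.append({
            "profile": rec.get("profile"),
            "comm": rec.get("comm"),
            "path": rec.get("name"),
            "denied": rec.get("denied_mask"),
            # True when the denial was enforced under a different profile.
            "wrong_profile": rec.get("profile") != expected_profile,
            # AppArmor "owner" rules only match when fsuid equals ouid.
            "owner_rule_applies": "fsuid" in rec and rec["fsuid"] == rec.get("ouid"),
        })
    return report


if __name__ == "__main__":
    for row in triage(SAMPLE_LOG, expected_profile="pasta"):
        print(row)
```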