public inbox for passt-user@passt.top
* apparmor blocks passt running podman
@ 2024-06-07 10:45 hamish-passt
  2024-06-07 18:16 ` Stefano Brivio
  0 siblings, 1 reply; 2+ messages in thread
From: hamish-passt @ 2024-06-07 10:45 UTC (permalink / raw)
  To: passt-user

Hi,

I have podman 5.1.0 and passt 0.0+20240523.765eb0bf running on Debian 
bookworm (via unofficial packages).

When I try to run podman using passt for networking, it is blocked by 
apparmor (3.0.8).

audit: type=1400 audit(1717756950.285:65): apparmor="DENIED" 
operation="open" profile="passt" 
name="/run/user/1000/netns/netns-cad489f7-d3c4-7730-9d15-17ae8e172da4" 
pid=246135 comm="passt.avx2" requested_mask="r" denied_mask="r" 
fsuid=1000 ouid=0

I'm not familiar with apparmor so I don't know how to debug this. The 
installed apparmor profile files match the ones in the pasta git. Can 
you help?

thanks,

Hamish



* Re: apparmor blocks passt running podman
  2024-06-07 10:45 apparmor blocks passt running podman hamish-passt
@ 2024-06-07 18:16 ` Stefano Brivio
  0 siblings, 0 replies; 2+ messages in thread
From: Stefano Brivio @ 2024-06-07 18:16 UTC (permalink / raw)
  To: hamish-passt; +Cc: passt-user

Hi Hamish,

On Fri, 7 Jun 2024 20:45:39 +1000
hamish-passt@moffatt.email wrote:

> Hi,
> 
> I have podman 5.1.0 and passt 0.0+20240523.765eb0bf running on Debian 
> bookworm (via unofficial packages).
> 
> When I try to run podman using passt for networking, it is blocked by 
> apparmor (3.0.8).
> 
> audit: type=1400 audit(1717756950.285:65): apparmor="DENIED" 
> operation="open" profile="passt" 
> name="/run/user/1000/netns/netns-cad489f7-d3c4-7730-9d15-17ae8e172da4" 
> pid=246135 comm="passt.avx2" requested_mask="r" denied_mask="r" 
> fsuid=1000 ouid=0
> 
> I'm not familiar with apparmor so I don't know how to debug this. The 
> installed apparmor profile files match the ones in the pasta git. Can 
> you help?

Thanks for your report.

I think the issue is caused by the fact that, with the package you're
using, pasta is associated with the "passt" profile, which is the
profile for passt(1) mode, instead of the usr.bin.pasta profile: look
at the "profile" string in the AppArmor message you shared.

I fixed this in the official Debian packages here, a while ago:
  https://salsa.debian.org/sbrivio/passt/-/commit/5bb812e79143670a57440cd8aa7f2979583c5a0a

Which unofficial packages are you using?

On Debian Bookworm, I think you could simply use the official version
from testing, 0.0~git20240523.765eb0b-1, see also:
  https://tracker.debian.org/pkg/passt

-- 
Stefano
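
Added example (not part of the thread and not passt project code): a small Python parser for the AppArmor audit record quoted above, which extracts the "profile" field the reply points to, so the confining profile can be read off directly. The function names and the summary format are assumptions made for this illustration; the sample record is the one from the report, wrapped as in the email.

```python
import re

# The record from the report above, line-wrapped as it appears in the email.
SAMPLE = '''audit: type=1400 audit(1717756950.285:65): apparmor="DENIED"
operation="open" profile="passt"
name="/run/user/1000/netns/netns-cad489f7-d3c4-7730-9d15-17ae8e172da4"
pid=246135 comm="passt.avx2" requested_mask="r" denied_mask="r"
fsuid=1000 ouid=0'''

FIELD = re.compile(r'(\w+)=("([^"]*)"|\S+)')
# Fields logged as untrusted strings: quoted when printable, bare hex
# otherwise (for example a path that contains a space).
UNTRUSTED = {"name", "comm", "profile"}

def parse_record(text):
    """Return the key=value fields of one AppArmor audit record as a dict."""
    flat = " ".join(text.split())  # undo mail or journal line wrapping
    fields = {}
    for key, raw, quoted in FIELD.findall(flat):
        if raw.startswith('"'):
            fields[key] = quoted
        elif key in UNTRUSTED and re.fullmatch(r'(?:[0-9A-Fa-f]{2})+', raw):
            fields[key] = bytes.fromhex(raw).decode("utf-8", "replace")
        else:
            fields[key] = raw
    return fields

def describe_denial(text):
    """One-line summary naming the confining profile, or None if not a denial."""
    f = parse_record(text)
    if f.get("apparmor") != "DENIED":
        return None
    get = lambda k: f.get(k, "?")  # tolerate records that lack a field
    return 'profile "%s" denied %s (%s) on %s for %s [pid %s]' % (
        get("profile"), get("operation"), get("denied_mask"),
        get("name"), get("comm"), get("pid"))

if __name__ == "__main__":
    print(describe_denial(SAMPLE))
```
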

