Bug#1086844: passt: apparmor profile breaks passt in libguestfs

Wed, 06 Nov 2024 07:03:40 -0800 

Package: passt
Version: 0.0~git20241030.ee7d0b6-1
Severity: normal
X-Debbugs-Cc: t...@nomi.cz

Dear Maintainer,

I just tried to run virt-sysprep on a system with passt installed (as a 
recommended dep of podman) and I'm getting this error:

    $ virt-sysprep -v -d deb-tmp --enable customize \
      --network \
      --install openssh-server \
      --ssh-inject root:file:"$HOME"/.ssh/id_rsa_vagrant.pub \
      --run-command 'dpkg-reconfigure openssh-server' \
      --mkdir /usr/lib/repart.d \
      --append-line '/usr/lib/repart.d/50-root.conf:[Partition]' \
      --append-line '/usr/lib/repart.d/50-root.conf:Type=root' \
      --hostname deb-tmp
    […]
    libguestfs: command: run: passt
    libguestfs: command: run: \ --one-off
    libguestfs: command: run: \ --socket 
/run/user/1000/libguestfsBF3BBT/passt.sock
    libguestfs: command: run: \ --pid /run/user/1000/libguestfsBF3BBT/passt1.pid
    libguestfs: command: run: \ --address 169.254.2.15
    libguestfs: command: run: \ --netmask 16
    libguestfs: command: run: \ --mac-addr 52:56:00:00:00:02
    libguestfs: command: run: \ --gateway 169.254.2.2
    Failed to bind UNIX domain socket: Permission denied
    virt-sysprep: error: libguestfs error: passt exited with status 1

The system journal says:

    kernel: audit: type=1400 audit(1730904512.692:218): apparmor="DENIED" 
operation="mknod" class="file" profile="passt" 
name="/run/user/1000/libguestfsBF3BBT/passt.sock" pid=2722319 comm="passt.avx2" 
requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000

I had to disable the AppArmor profile for passt to make this work.


-- System Information:
Debian Release: trixie/sid
  APT prefers stable-security
  APT policy: (990, 'stable-security'), (990, 'testing'), (500, 
'unstable-debug'), (500, 'testing-debug'), (500, 'stable-debug'), (500, 
'unstable'), (500, 'stable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 6.10.3-amd64 (SMP w/12 CPU threads; PREEMPT)
Kernel taint flags: TAINT_USER, TAINT_WARN
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_GB:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages passt depends on:
ii  libc6  2.40-3

passt recommends no packages.

Versions of packages passt suggests:
ii  apparmor  3.1.7-1+b2

-- no debconf information

Reply via email to