Hi,

On Wed, 06 Nov 2024 15:00:13 +0000
Tomas Janousek <t...@nomi.cz> wrote:

> Package: passt
> Version: 0.0~git20241030.ee7d0b6-1
> Severity: normal
> X-Debbugs-Cc: t...@nomi.cz
> 
> Dear Maintainer,
> 
> I just tried to run virt-sysprep on a system with passt installed (as a 
> recommended dep of podman) and I'm getting this error:
> 
>     $ virt-sysprep -v -d deb-tmp --enable customize \
>       --network \
>       --install openssh-server \
>       --ssh-inject root:file:"$HOME"/.ssh/id_rsa_vagrant.pub \
>       --run-command 'dpkg-reconfigure openssh-server' \
>       --mkdir /usr/lib/repart.d \
>       --append-line '/usr/lib/repart.d/50-root.conf:[Partition]' \
>       --append-line '/usr/lib/repart.d/50-root.conf:Type=root' \
>       --hostname deb-tmp
>     […]
>     libguestfs: command: run: passt
>     libguestfs: command: run: \ --one-off
>     libguestfs: command: run: \ --socket /run/user/1000/libguestfsBF3BBT/passt.sock
>     libguestfs: command: run: \ --pid /run/user/1000/libguestfsBF3BBT/passt1.pid
>     libguestfs: command: run: \ --address 169.254.2.15
>     libguestfs: command: run: \ --netmask 16
>     libguestfs: command: run: \ --mac-addr 52:56:00:00:00:02
>     libguestfs: command: run: \ --gateway 169.254.2.2
>     Failed to bind UNIX domain socket: Permission denied
>     virt-sysprep: error: libguestfs error: passt exited with status 1
> 
> The system journal says:
> 
>     kernel: audit: type=1400 audit(1730904512.692:218): apparmor="DENIED" operation="mknod" class="file" profile="passt" name="/run/user/1000/libguestfsBF3BBT/passt.sock" pid=2722319 comm="passt.avx2" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
> 
> I had to disable the AppArmor profile for passt to make this work.

I think we need an AppArmor policy for guestfs-tools similar to what is
currently shipped for libvirtd, say:

  profile passt {
    /usr/bin/passt r,

    signal (receive) set=("term") peer=/usr/bin/virt-sysprep,
    signal (receive) set=("term") peer=virt-sysprep,
    # for launch_passt(), lib/launch-direct.c
    # and similar rules for /usr/bin/virt-*

    owner @{run}/user/[0-9]*/libguestfs*/* rw,
    owner @{run}/libguestfs*/* rw,

    include if exists <abstractions/passt>
  }

because passt(1) just ships an abstraction, but its AppArmor policy
isn't aware of where socket (--socket) or PID (--pid) files will be
created.

Let me know if you need more details, if I should submit a patch, and if
this should be reassigned to guestfs-tools or libguestfs. Thanks.

-- 
Stefano
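
The following is an added example, not part of the message above and not code from passt, libguestfs or AppArmor: it parses the denial quoted in the report and checks which of the path rules sketched in the reply would have covered it. The function names are hypothetical, only the glob subset used by those rules is handled, and `@{run}` is assumed to expand to `/run` and `/var/run` as in the stock tunables.

```python
import re

# Constructed from the denial quoted in the report, re-joined onto one line.
SAMPLE = ('kernel: audit: type=1400 audit(1730904512.692:218): apparmor="DENIED" '
          'operation="mknod" class="file" profile="passt" '
          'name="/run/user/1000/libguestfsBF3BBT/passt.sock" pid=2722319 '
          'comm="passt.avx2" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000')
# Path rules from the profile sketched in the reply.
PROPOSED = ["owner @{run}/user/[0-9]*/libguestfs*/* rw,",
            "owner @{run}/libguestfs*/* rw,"]
# Assumption: @{run} expands as in the stock AppArmor tunables.
RUN_DIRS = ["/run", "/var/run"]

def parse_denial(line):
    """Return the key=value fields of an AppArmor audit record as a dict."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}

def glob_to_regex(glob):
    """Translate the AppArmor glob subset used here: **, * and [..] classes."""
    out, i = "", 0
    while i < len(glob):
        if glob.startswith("**", i):      # ** may cross directory separators
            out, i = out + ".*", i + 2
        elif glob[i] == "*":              # * stays within one path component
            out, i = out + "[^/]*", i + 1
        elif glob[i] == "[":
            end = glob.index("]", i)
            out, i = out + glob[i:end + 1], end + 1
        else:
            out, i = out + re.escape(glob[i]), i + 1
    return re.compile(out + r"\Z")

def rule_allows(rule, denial):
    """True if a file rule would have permitted the denied access."""
    words = rule.rstrip(",").split()
    glob, perms = words[-2], words[-1]
    # "owner" rules apply only when the task's fsuid owns the object.
    if words[0] == "owner" and denial.get("fsuid") != denial.get("ouid"):
        return False
    # The w permission covers create (c) and delete (d) in audit masks.
    needed = {"c": "w", "d": "w"}
    if any(needed.get(m, m) not in perms for m in denial["denied_mask"]):
        return False
    return any(glob_to_regex(glob.replace("@{run}", d)).match(denial["name"])
               for d in RUN_DIRS)

def covering_rules(line, rules=PROPOSED):
    """List the rules that would have allowed the access in this audit line."""
    return [r for r in rules if rule_allows(r, parse_denial(line))]
```

For the quoted denial only the first rule matches; the second covers the case where libguestfs creates its directory directly under `/run`.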
