On Thu, 13 Mar 2025 10:51:07 +0100 intrigeri <intrig...@debian.org> wrote:
> Control: reassign -1 passt
>
> Hi,
>
> Stefano Brivio (2025-03-12):
> > On Wed, 12 Mar 2025 14:41:14 +0100
> > intrigeri <intrig...@debian.org> wrote:
> > Thanks for fixing the address, yes, I didn't get the original report.
>
> Thanks for the quick reply!
>
> >> - It'll be necessary on Ubuntu, where removing the podman profile is
> >> not an option. It's not needed *yet* solely because the profile is
> >> not included in the Ubuntu package, which I'm guessing is a mistake
> >> that will be fixed at some point
> >> (https://bugs.launchpad.net/ubuntu/+source/passt/+bug/2077158).
> >> So we can as well fix this proactively. And the fix should probably
> >> be upstreamed.
> >
> > I'm not sure what fix you mean here, but Launchpad #2077158 is already
> > fixed on Debian, and there's no further fix needed upstream.
>
> OK, so Ubuntu is already affected by the Debian bug we're
> discussing here.
>
> (I haven't checked the current status in Ubuntu and I was blindly
> trusting the status encoded in the Launchpad bug. I see current Ubuntu
> Plucky now has the same passt version as current Debian testing/sid so
> I suppose the Launchpad bug could be marked as fixed in that version.
> I've left a comment on LP about this.)
>
> >> If we don't do that, then I'm fine with removing the podman profile,
> >> which has limited value anyway in the context of Debian.
> >
> > Well, eventually, it would make sense to have an actual profile, I
> > guess.
> >
> > Anyway, let me know. If somebody is willing to add to change Podman's
> > profile in the way I mentioned (I can also submit a merge request
> > eventually, but that will be in a while), I'd prefer that, but I can
> > also just add a rule in pasta's profile for the moment.
>
> Developing a real, enforcing AppArmor profile for podman would
> be great!
>
> That said, we're getting close to the freeze for Debian 13 (Trixie) so
> to me it feels it's too late to aim for this solution as far as Trixie
> is concerned, so please "just add a rule in pasta's profile for the
> moment".

Actually, if you need something quick, you don't really need a
complete/real profile for Podman. You can just add to the current stub
(untested, but I'm fairly confident):

--
  /usr/bin/pasta Cx -> pasta,

  profile pasta {
    /usr/bin/pasta r,
    signal (receive) set=("term") peer=podman,

    include if exists <abstractions/pasta>
  }
--

it might be quicker than me changing and testing this in pasta's
profile, because pasta's profile is maintained upstream and that needs a
new release, plus I guess I won't find the time to properly test this
before next week.

It also has the advantage of going in the right direction and not
requiring me to apply a workaround upstream and downstream which I would
need to drop later...

> I'm reassigning this bug accordingly.

Keeping assigned to passt for the moment, but let me know if the option
above is... an option.

-- 
Stefano
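Added example, not part of the bug report or of either package: a small shell helper that pulls AppArmor signal denials between the podman and pasta profiles out of kernel/audit log lines, which is the evidence a maintainer would look for before and after adding the `signal (receive) set=("term") peer=podman` rule discussed above. The log lines, pids and timestamps are constructed for the example; the helper names are mine.

```shell
#!/bin/sh
# Filter AppArmor "signal" denials involving the pasta profile out of
# audit-style log lines (journalctl -k / dmesg / auditd output).
# Example code, not from the passt or podman packaging.

# Constructed sample in the usual AppArmor audit format. The second line
# is an unrelated file event, included so the filter has something to skip.
SAMPLE_LOG='audit: type=1400 audit(1741860000.101:42): apparmor="DENIED" operation="signal" class="signal" profile="pasta" pid=4242 comm="podman" requested_mask="receive" denied_mask="receive" signal=term peer="podman"
audit: type=1400 audit(1741860000.102:43): apparmor="ALLOWED" operation="open" class="file" profile="pasta" name="/etc/hosts" pid=4243 comm="pasta" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
audit: type=1400 audit(1741860000.103:44): apparmor="DENIED" operation="signal" class="signal" profile="pasta" pid=4244 comm="podman" requested_mask="receive" denied_mask="receive" signal=kill peer="podman"'

# Read log lines on stdin; print "profile peer signal" for every denied
# signal where pasta is either the confined profile or the peer.
pasta_signal_denials() {
    grep 'apparmor="DENIED"' | grep 'operation="signal"' |
    grep -E 'profile="pasta"|peer="pasta"' |
    sed -E 's/.*profile="([^"]*)".*signal=([a-z0-9]+) peer="([^"]*)".*/\1 \3 \2/'
}

# Number of such denials in the sample (a function so it can be checked).
count_pasta_signal_denials() {
    printf '%s\n' "$SAMPLE_LOG" | pasta_signal_denials | wc -l | tr -d ' '
}

# Space-separated list of the denied signal names, in log order.
pasta_denied_signals() {
    printf '%s\n' "$SAMPLE_LOG" | pasta_signal_denials |
    awk '{ print $3 }' | tr '\n' ' ' | sed 's/ $//'
}

# On a real host, after loading the changed profile:
#   journalctl -k | pasta_signal_denials
# An empty result means podman's SIGTERM to pasta is no longer being denied.
```

Once the rule is in place and the profile reloaded, the same filter should return nothing for the `term` signal; a remaining line would point at a rule that does not match the actual profile label or signal.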