On Tue, Nov 12, 2024 at 01:39:16PM +0100, Stefano Brivio wrote:
> FYI. I'm not sure you're on the pkg-libvirt-maintainers list and I
> didn't receive any answer from there yet.
>
>
> Begin forwarded message:
>
> Date: Wed, 6 Nov 2024 18:25:48 +0100
> From: Stefano Brivio <sbri...@redhat.com>
> To: Hilko Bengen <ben...@debian.org>,
> pkg-libvirt-maintain...@lists.alioth.debian.org
> Cc: Tomas Janousek <t...@nomi.cz>, 1086...@bugs.debian.org, Debian Bug
> Tracking System <sub...@bugs.debian.org>
> Subject: Re: Bug#1086844: passt: apparmor profile breaks passt in
> libguestfs
>
>
> Hi,
>
> On Wed, 06 Nov 2024 15:00:13 +0000
> Tomas Janousek <t...@nomi.cz> wrote:
>
> > Package: passt
> > Version: 0.0~git20241030.ee7d0b6-1
> > Severity: normal
> > X-Debbugs-Cc: t...@nomi.cz
> >
> > Dear Maintainer,
> >
> > I just tried to run virt-sysprep on a system with passt installed (as a
> > recommended dep of podman) and I'm getting this error:
> >
> > $ virt-sysprep -v -d deb-tmp --enable customize \
> >     --network \
> >     --install openssh-server \
> >     --ssh-inject root:file:"$HOME"/.ssh/id_rsa_vagrant.pub \
> >     --run-command 'dpkg-reconfigure openssh-server' \
> >     --mkdir /usr/lib/repart.d \
> >     --append-line '/usr/lib/repart.d/50-root.conf:[Partition]' \
> >     --append-line '/usr/lib/repart.d/50-root.conf:Type=root' \
> >     --hostname deb-tmp
> > […]
> > libguestfs: command: run: passt
> > libguestfs: command: run: \ --one-off
> > libguestfs: command: run: \ --socket
> > /run/user/1000/libguestfsBF3BBT/passt.sock
> > libguestfs: command: run: \ --pid
> > /run/user/1000/libguestfsBF3BBT/passt1.pid
> > libguestfs: command: run: \ --address 169.254.2.15
> > libguestfs: command: run: \ --netmask 16
> > libguestfs: command: run: \ --mac-addr 52:56:00:00:00:02
> > libguestfs: command: run: \ --gateway 169.254.2.2
> > Failed to bind UNIX domain socket: Permission denied
> > virt-sysprep: error: libguestfs error: passt exited with status 1
> >
> > The system journal says:
> >
> > kernel: audit: type=1400 audit(1730904512.692:218): apparmor="DENIED"
> > operation="mknod" class="file" profile="passt"
> > name="/run/user/1000/libguestfsBF3BBT/passt.sock" pid=2722319
> > comm="passt.avx2" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
> >
> > I had to disable the AppArmor profile for passt to make this work.
>
> I think we need an AppArmor policy for guestfs-tools similar to what is
> currently shipped for libvirtd, say:
>
> profile passt {
>   /usr/bin/passt r,
>
>   signal (receive) set=("term") peer=/usr/bin/virt-sysprep,
>   signal (receive) set=("term") peer=virt-sysprep,
>   # for launch_passt(), lib/launch-direct.c
>   # and similar rules for /usr/bin/virt-*
>
>   owner @{run}/user/[0-9]*/libguestfs*/* rw,
>   owner @{run}/libguestfs*/* rw,
>
>   include if exists <abstractions/passt>
> }
>
> because passt(1) just ships an abstraction, but its AppArmor policy
> isn't aware of where socket (--socket) or PID (--pid) files will be
> created.
>
> Let me know if you need more details, if I should submit a patch, and if
> this should be reassigned to guestfs-tools or libguestfs. Thanks.
Thanks for forwarding this.

The use of passt is a change of behaviour that affects all guestfs
tools, guestfish, and virt-v2v. It was caused by this change:

https://github.com/libguestfs/libguestfs/commit/02bbc9daa742a3f9ed128e8a74546980f2b3670a

(and similar commits around that one), starting in libguestfs 1.52:

https://libguestfs.org/guestfs-release-notes-1.52.1.html#build-changes

Do you know where the apparmor profile is shipped right now? Could it
be in libvirt (src/security/apparmor)?

We don't ship any SELinux or apparmor profiles upstream in libguestfs
or the tools, so assigning the bug upstream to us won't result in any
useful outcome.

Rich.

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
libguestfs lets you edit virtual machines. Supports shell scripting,
bindings from many languages. http://libguestfs.org
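A small helper, added here and not part of this thread nor of libguestfs or passt, that parses the AppArmor DENIED audit line from the bug report and turns it into the kind of owner-scoped @{run} rule sketched in the forwarded mail. It assumes the libguestfs runtime directories follow the /run/user/UID/libguestfsXXXXXX and /run/libguestfsXXXXXX layouts seen in the log; the second sample denial (for the --pid file) is constructed.

```python
import re

# Constructed sample log: the denial from the bug report plus a made-up second one for the --pid file.
SAMPLE_AUDIT = """\
kernel: audit: type=1400 audit(1730904512.692:218): apparmor="DENIED" operation="mknod" class="file" profile="passt" name="/run/user/1000/libguestfsBF3BBT/passt.sock" pid=2722319 comm="passt.avx2" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
kernel: audit: type=1400 audit(1730904512.700:219): apparmor="DENIED" operation="open" class="file" profile="passt" name="/run/user/1000/libguestfsBF3BBT/passt1.pid" pid=2722319 comm="passt.avx2" requested_mask="wc" denied_mask="wc" fsuid=1000 ouid=1000
"""

FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')  # key=value, value quoted or bare
# Assumed layouts of the libguestfs runtime dirs, matching the @{run} patterns in the thread
USER_RUN_RE = re.compile(r'^/run/user/\d+/libguestfs[^/]*/')
ROOT_RUN_RE = re.compile(r'^/run/libguestfs[^/]*/')

def parse_denial(line):
    """Return the fields of an AppArmor DENIED audit line as a dict, else None."""
    if 'apparmor="DENIED"' not in line:
        return None
    fields = {}
    for m in FIELD_RE.finditer(line):
        key, raw, quoted = m.groups()
        fields[key] = quoted if quoted is not None else raw
    return fields

def suggest_rule(fields):
    """Map one denial to a candidate file rule; 'owner' when the task's fsuid owns the file."""
    path = fields["name"]
    if USER_RUN_RE.match(path):
        pattern = "@{run}/user/[0-9]*/libguestfs*/*"
    elif ROOT_RUN_RE.match(path):
        pattern = "@{run}/libguestfs*/*"
    else:
        pattern = path
    # create (c), write (w), append (a) and delete (d) all need 'w' in profile syntax
    perms = "rw" if set(fields["denied_mask"]) & set("wcad") else "r"
    owner = "owner " if fields.get("fsuid") == fields.get("ouid") else ""
    return f"{owner}{pattern} {perms},"

def rules_for_log(text, profile="passt"):
    """Deduplicated candidate rules for one profile, in first-seen order."""
    rules = []
    for line in text.splitlines():
        f = parse_denial(line)
        if f and f.get("profile") == profile:
            rule = suggest_rule(f)
            if rule not in rules:
                rules.append(rule)
    return rules

print("\n".join(rules_for_log(SAMPLE_AUDIT)))
```

Both sample denials collapse to the single rule `owner @{run}/user/[0-9]*/libguestfs*/* rw,`; the output is a starting point for review, not a rule to paste in unread.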