[Bug 1221840] podman with pasta (passt) fails with apparmor
https://bugzilla.suse.com/show_bug.cgi?id=1221840
https://bugzilla.suse.com/show_bug.cgi?id=1221840#c17

--- Comment #17 from Stefano Brivio <sbrivio@redhat.com> ---

(In reply to Danish Prakash from comment #16)
> Created attachment 873985 [details]
> apparmor profile fix for pasta
Thanks for the patch! A couple of comments:
> The following patch should do the job. For starters, the permission denied
> error was coming from `ptrace` invocation being denied by apparmor.
I'm still confused as to why AppArmor doesn't seem to deny this on Debian, but I might simply have tested a slightly older combination of kernel and AppArmor components than what you're using on openSUSE Tumbleweed. Anyway, we need the CAP_SYS_PTRACE capability (within our detached user namespace) to open /proc/<pid>/ns/net (see also passt commit 594dce66d3bb), so I guess this is reasonable. The comment should refer to pasta_open_ns() for this -- that's the function which needs it.
> Secondly, there are denials in accessing `/proc/<pid>/ns/` which, if added to
> abstractions/pasta, result in pasta (buildah bud by extension) running as
> expected with no issues.
Same for this one, I'm not sure why I can't reproduce this with Debian. But anyway, this seems to fit with the usage we need in pasta_netns_quit_init() (the comment should also be updated accordingly).
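The two kinds of denial discussed in this thread, written out as an illustrative AppArmor abstraction fragment. This is an added example, not the attachment 873985 from comment #16 and not the passt project's own profile; the exact rule forms, the `ptrace (read)` rule, and the use of the `@{PROC}`/`@{pid}` tunables from tunables/global are assumptions about how the fix is expressed.

```apparmor
# Illustrative fragment for abstractions/pasta (assumed rules, not the attached patch).
# Assumes the including profile pulls in tunables/global for @{PROC} and @{pid}.

# CAP_SYS_PTRACE inside pasta's detached user namespace: pasta_open_ns()
# needs it to open /proc/<pid>/ns/net (see passt commit 594dce66d3bb).
capability sys_ptrace,

# AppArmor also mediates ptrace-class access to another task's /proc
# entries; read access is what opening its namespace files requires.
ptrace (read),

# pasta_netns_quit_init() watches the target's namespace directory, and
# pasta_open_ns() opens the network namespace file inside it.
@{PROC}/@{pid}/ns/ r,
@{PROC}/@{pid}/ns/net r,
```

After reloading the profile with `apparmor_parser -r`, the check is that the `DENIED` audit lines for `capability`, `ptrace` and the `/proc/<pid>/ns/` path no longer appear in the kernel log while pasta starts up; any remaining denial names the next rule that is still missing.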