[Bug 1221840] New: podman with pasta (passt) fails with apparmor
https://bugzilla.suse.com/show_bug.cgi?id=1221840

            Bug ID: 1221840
           Summary: podman with pasta (passt) fails with apparmor
    Classification: openSUSE
           Product: openSUSE Tumbleweed
           Version: Current
          Hardware: Other
                OS: Other
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: Containers
          Assignee: containers-bugowner@suse.de
          Reporter: joerg@bec.de
        QA Contact: qa-bugs@suse.de
  Target Milestone: ---
          Found By: ---
           Blocker: ---

Since the updates of a few days ago, unprivileged podman with default network settings fails to create the network namespace if apparmor is enabled on the system.

--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1221840

Marcus Rückert <mrueckert@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
          Assignee|containers-bugowner@suse.de |suse-beta@cboltz.de
                CC|                            |suse-beta@cboltz.de
         Component|Containers                  |AppArmor
https://bugzilla.suse.com/show_bug.cgi?id=1221840

Marcus Rückert <mrueckert@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Component|AppArmor                    |Containers
          Assignee|suse-beta@cboltz.de         |containers-bugowner@suse.de
https://bugzilla.suse.com/show_bug.cgi?id=1221840#c1

--- Comment #1 from Jörg Sonnenberger <joerg@bec.de> ---
Smallest reproducer I have:

$ buildah run $(buildah from registry.opensuse.org/opensuse/leap:15.5) /bin/bash
https://bugzilla.suse.com/show_bug.cgi?id=1221840#c2

--- Comment #2 from Jörg Sonnenberger <joerg@bec.de> ---
Created attachment 873715
  --> https://bugzilla.suse.com/attachment.cgi?id=873715&action=edit
Working rules

Thanks to darix, the included rules work. I don't understand why the /dev/net/tun rule is necessary.
https://bugzilla.suse.com/show_bug.cgi?id=1221840#c3

Marcus Rückert <mrueckert@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                CC|                            |mrueckert@suse.com

--- Comment #3 from Marcus Rückert <mrueckert@suse.com> ---
Important note: abstraction/pasta already has a rule for the tun device, but abstractions/passt does not. But the two abstractions look very similar.
https://bugzilla.suse.com/show_bug.cgi?id=1221840#c4

Ricardo Branco <rbranco@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                CC|                            |rbranco@suse.com

--- Comment #4 from Ricardo Branco <rbranco@suse.com> ---
It could be the cause for the failures in the podman upstream tests:

https://openqa.opensuse.org/tests/latest?arch=x86_64&distri=opensuse&flavor=DVD&machine=64bit&test=containers_host_podman_testsuite&version=Tumbleweed

More details in:

podman_integration-bats-user-local.tap
podman_integration-bats-user-remote.tap
https://bugzilla.suse.com/show_bug.cgi?id=1221840#c18

--- Comment #18 from Christian Boltz <suse-beta@cboltz.de> ---
From the patch:
+++ b/contrib/apparmor/usr.bin.pasta + ptrace,
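Review bot: the bare `+ ptrace,` rule added to usr.bin.pasta carries neither an access mode nor a `peer=` qualifier, so it allows pasta to trace, and be traced by, any process on the system. AppArmor ptrace rules accept an access list (read, readby, trace, tracedby) and a `peer=` restriction; the rule should be narrowed to what the audit.log denials actually require rather than granting the full set, and the corresponding AVC events should accompany the change so the minimal rule can be verified.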
Just wondering - does pasta really need to trace everything, and be traced by everything - or could you make the rule more specific?

If you are unsure, please show the audit.log events for ptrace.
https://bugzilla.suse.com/show_bug.cgi?id=1221840#c23

--- Comment #23 from Christian Boltz <suse-beta@cboltz.de> ---
(In reply to Stefano Brivio from comment #22)
> By the way, pasta(1) doesn't ptrace() anything and isn't ptrace()d by
> anybody, it just needs to open namespace entries in procfs.

Namespaces can be interesting[tm], and IIRC you don't need to do explicit ptrace() calls to trigger ptrace events. (I'll need to ask someone who does the kernel-side work if you are interested in the details.)

That said - the only ptrace event in your audit.log is:

type=AVC msg=audit(04/02/2024 12:49:39.412:101237) : apparmor=DENIED operation=ptrace profile=passt pid=8042 comm=passt.avx2 requested_mask=read denied_mask=read peer="unconfined"

which translates to

ptrace read peer=unconfined,

If passt also needs to open namespace entries of confined processes, remove the "peer=unconfined" part.
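As an added illustration of the audit-to-rule translation described in comment #23 (this is not code from the bug, from pasta, or from AppArmor's own tooling): a small Python parser that reads AVC lines, keeps only DENIED ptrace events, and emits the narrowest matching ptrace rule per profile and peer. The sample audit excerpt is constructed here; only its first line is the event quoted above, and the `podman` peer is made up to show that a second peer yields a second rule.

```python
import re
from collections import defaultdict

# Constructed sample audit.log excerpt: line 1 is the event quoted in comment #23,
# the other three lines are invented here to exercise the filtering.
SAMPLE_AUDIT = """\
type=AVC msg=audit(04/02/2024 12:49:39.412:101237) : apparmor=DENIED operation=ptrace profile=passt pid=8042 comm=passt.avx2 requested_mask=read denied_mask=read peer="unconfined"
type=AVC msg=audit(04/02/2024 12:49:40.100:101238) : apparmor=DENIED operation=open profile=passt pid=8042 comm=passt.avx2 name="/dev/net/tun" requested_mask="rw" denied_mask="rw"
type=AVC msg=audit(04/02/2024 12:49:41.200:101239) : apparmor=ALLOWED operation=ptrace profile=passt pid=8042 comm=passt.avx2 requested_mask=trace denied_mask=trace peer="unconfined"
type=AVC msg=audit(04/02/2024 12:49:42.300:101240) : apparmor=DENIED operation=ptrace profile=passt pid=8042 comm=passt.avx2 requested_mask=read denied_mask=read peer="podman"
"""

# key=value or key="quoted value" pairs; the msg=audit(...) timestamp is harmlessly skipped
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Split one AppArmor AVC audit line into a dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def ptrace_rules(audit_text):
    """Map profile name -> sorted list of the narrowest AppArmor ptrace rules that
    would satisfy the DENIED ptrace events in audit_text (one rule per peer)."""
    modes = defaultdict(set)  # (profile, peer) -> set of denied access modes
    for line in audit_text.splitlines():
        ev = parse_avc(line)
        if ev.get("apparmor") != "DENIED" or ev.get("operation") != "ptrace":
            continue  # ALLOWED (complain-mode) and non-ptrace events need no ptrace rule
        modes[(ev["profile"], ev.get("peer", ""))].update(ev["denied_mask"].split())
    rules = defaultdict(list)
    for (profile, peer), access in sorted(modes.items()):
        # a single mode is written bare; several modes go in an access list
        acc = next(iter(access)) if len(access) == 1 else "(" + " ".join(sorted(access)) + ")"
        peer_part = f" peer={peer}" if peer else ""
        rules[profile].append(f"ptrace {acc}{peer_part},")
    return dict(rules)


if __name__ == "__main__":
    for profile, rule_list in ptrace_rules(SAMPLE_AUDIT).items():
        print(f"profile {profile}:")
        for rule in rule_list:
            print("  " + rule)
```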