Hi Tomas,

(Cc: Reepca, who is the expert.)

Tomas Volf <[email protected]> writes:

> I hit another problem with apparmor profile we use for unprivileged
> daemon:
>
> --8<---------------cut here---------------start------------->8---
> The following derivations will be built:
>   /gnu/store/wqi1n9v5gc01a0nqp9xfijjy3l9sda3d-vendor.drv
>   /gnu/store/5nkyshbp82vyb425cbmh79qwvqpxfddj-wire-1.1.0.drv
> error (ignored): getting status of
> `/gnu/store/wqi1n9v5gc01a0nqp9xfijjy3l9sda3d-vendor.drv.chroot': No such file
> or directory
> guix build: error: reading file `/proc/net/if_inet6': Permission denied
> --8<---------------cut here---------------end--------------->8---

Is it ‘guix build -Sf the-file.scm’ that fails?

>     (source (origin
>               (method git-fetch)
>               (uri (git-reference
>                      (url "https://github.com/goforj/wire")
>                      (commit (string-append "v" version))))

[...]

> --8<---------------cut here---------------start------------->8---
> May 06 02:59:56 HOST kernel: audit: type=1400 audit(1778029196.515:366):
> apparmor="DENIED" operation="open" profile="guix-daemon"
> name="/proc/2125022/net/if_inet6" pid=2125022 comm="guix-daemon"
> requested_mask="r" denied_mask="r" fsuid=997 ouid=0
> --8<---------------cut here---------------end--------------->8---

That must come from ‘haveGlobalIPv6Address’. What does AppArmor do in
this case? Does it terminate the process?

The daemon does all this:

--8<---------------cut here---------------start------------->8---
    if(fixedOutput) {
        if(findProgram(settings.slirp4netns) == "")
            printMsg(lvlError, std::format("`{}' can't be found in PATH, network access disabled", settings.slirp4netns));
        else {
            if(!pathExists("/dev/net/tun"))
                printMsg(lvlError, "`/dev/net/tun' is missing, network access disabled");
            else {
                useSlirp4netns = true;
                ctx.ipv6Enabled = haveGlobalIPv6Address();
            }
        }
    }
--8<---------------cut here---------------end--------------->8---

… even though in the end this is handled by “builtin:git-download”,
which doesn’t need any of this.

Thanks,
Ludo’.
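
For reference, a sketch of what a check of ‘/proc/net/if_inet6’ involves and how a caller can tolerate the ‘Permission denied’ seen above instead of failing the build. This is an added example, not the guix-daemon source and not part of the original message; the names ‘hasGlobalIPv6’ and ‘hasGlobalIPv6At’ are hypothetical, and it assumes the usual six-column layout of that file, in which scope 00 means a global address.

```cpp
// Added example; helper names are hypothetical, not the guix-daemon source.
#include <cerrno>
#include <cstring>
#include <fstream>
#include <iostream>
#include <sstream>
#include <string>

// Each /proc/net/if_inet6 line has six whitespace-separated fields:
//   address(32 hex digits) ifindex prefixlen scope flags devname
// Scope 00 is global; 10 is host (loopback), 20 link-local, 40 site-local.
bool hasGlobalIPv6(std::istream & in)
{
    std::string line;
    while (std::getline(in, line)) {
        std::istringstream fields(line);
        std::string addr, ifindex, prefix, scope, flags, dev;
        if (!(fields >> addr >> ifindex >> prefix >> scope >> flags >> dev))
            continue;                    // malformed line: skip it
        if (addr.size() == 32 && scope == "00") return true;
    }
    return false;
}

// Tolerant wrapper: when the file cannot be opened (EACCES under a confining
// profile, ENOENT when it does not exist), log and report "no global IPv6"
// rather than throwing.  errno after a failed open is set by glibc only.
bool hasGlobalIPv6At(const std::string & path)
{
    errno = 0;
    std::ifstream in(path);
    if (!in) {
        std::cerr << "cannot read `" << path << "': " << std::strerror(errno)
                  << "; assuming no global IPv6 address\n";
        return false;
    }
    return hasGlobalIPv6(in);
}

int main()
{
    // Constructed sample: a link-local and a global (2001:db8::/32) entry.
    std::istringstream sample("fe80000000000000021122fffe334455 02 40 20 80 eth0\n"
                              "20010db8000000000000000000000001 02 40 00 00 eth0\n");
    std::cout << hasGlobalIPv6(sample) << " "
              << hasGlobalIPv6At("/proc/net/if_inet6") << "\n";
}
```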
