Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: [email protected]
Control: affects -1 + src:passt
User: [email protected]
Usertags: pu

[ Reason ]
This version fixes bug #1124801, which prevents libvirt front-end tools such as virt-install and others from working as root, if AppArmor is enabled.

[ Impact ]
Users might not be able to install virtual machines as root, as long as AppArmor is enabled.

[ Tests ]
I manually tested the virt-install command mentioned in #1124801, and ran a quick functionality check of pasta(1) and passt(1) with the updated AppArmor policy.

[ Risks ]
Bumping the AppArmor ABI to 4.0 (from 3.0) is a trivial change because passt's own policy doesn't use any additional feature introduced by the 4.0 ABI, other than explicitly enabling creation of user namespaces, which is the essential point of this update.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
Change the AppArmor policy to explicitly enable user namespace creation, so that when libvirtd starts passt as root, selecting the passt subprofile in libvirt's policy, which uses in turn the 4.0 ABI version, passt will be able to create user namespaces when it starts, for its own sandboxing.

To explicitly enable user namespace creation, in turn, we need to change the ABI version of passt's policy to 4.0. These rules are not available in the 3.0 ABI, where user namespace creation is implicitly permitted, and which is used if passt is started as unprivileged user or stand-alone, because passt's own profile is used in those cases.

When libvirt starts passt as root, its 4.0 policy includes passt's 3.0 AppArmor abstraction. Given that the ABI claim from libvirt's policy mentions 4.0, that takes priority over the 3.0 ABI version used in passt's abstraction.
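The ABI interaction described under [ Changes ] is easy to get wrong when a policy is assembled from includes, so here is an added example (not code from the passt project, libvirt, or this bug report) of a small lint that resolves `include` directives across a set of policy files and reports the effective ABI and whether user namespace creation ends up permitted. It models exactly the rule the report relies on: the `abi` declared in the top-level profile wins over the `abi` of any included abstraction, creation is implicit under 3.0, and under 4.0 it needs a `userns,` rule. The policy fragments are constructed strings shaped like the files in the debdiff; the nested `profile libvirtd` / `profile passt` layout is an assumption made for the sample, and AppArmor syntax beyond `abi`, `include`, `#include` and `userns` rules is not interpreted.

```python
"""Effective-ABI lint for the userns failure described in the report.

Added example, not code from the passt project, libvirt or the Debian
bug. It models the rule the report relies on: the abi declared in the
top-level profile wins over the abi of any included abstraction; under
ABI 3.0 userns creation is implicit, under 4.0 it needs a `userns,` rule.
Policy files are constructed strings; real AppArmor syntax (variables,
conditionals, profile nesting) is only handled as far as these lines need.
"""
import re

INCLUDE_RE = re.compile(r'^\s*#?include\s+<([^>]+)>')
ABI_RE = re.compile(r'^\s*abi\s+<abi/([0-9.]+)>\s*,')
USERNS_RE = re.compile(r'^\s*(deny\s+)?userns\b')


def _logical(line):
    """Drop trailing comments, but keep the legacy '#include' spelling."""
    if line.lstrip().startswith('#include'):
        return line
    return line.split('#', 1)[0]


def walk(files, name, seen=None):
    """Yield (file_name, line) for `name` and everything it includes, once each.

    Includes that are not in `files` (tunables/global, abstractions/base in
    the sample below) are skipped: the lint only sees what it is given.
    """
    seen = set() if seen is None else seen
    if name in seen or name not in files:
        return
    seen.add(name)
    for raw in files[name].splitlines():
        line = _logical(raw)
        yield name, line
        m = INCLUDE_RE.match(line)
        if m:
            yield from walk(files, m.group(1), seen)


def analyse(files, entry):
    """Report the effective ABI of `entry` and whether userns creation is allowed."""
    top_abi, granted, denied = None, False, False
    for fname, line in walk(files, entry):
        m = ABI_RE.match(line)
        if m and fname == entry and top_abi is None:
            top_abi = m.group(1)          # abi of an included abstraction is ignored
        m = USERNS_RE.match(line)
        if m:
            if m.group(1):
                denied = True
            else:
                granted = True
    if top_abi is None:
        return {'abi': None, 'userns_rule': granted, 'allowed': None}
    implicit = float(top_abi) < 4.0       # 3.0: no userns rules exist, creation implied
    allowed = not denied and (implicit or granted)
    return {'abi': top_abi, 'userns_rule': granted, 'allowed': allowed}


# Constructed policy fragments, shaped like the files touched by the debdiff.
ABSTRACTION_30 = """\
  abi <abi/3.0>,
  include <abstractions/base>
  capability net_admin,
  capability sys_ptrace,
"""
ABSTRACTION_40 = ABSTRACTION_30.replace('3.0', '4.0') + "  userns,\n"

PASST_PROFILE = """\
abi <abi/ABI>,
include <tunables/global>
profile passt /usr/bin/passt {
  include <abstractions/passt>
}
"""
# Assumed shape of a libvirtd policy with a passt subprofile (not libvirt's real file).
LIBVIRT_PROFILE = """\
abi <abi/4.0>,
include <tunables/global>
profile libvirtd /usr/sbin/libvirtd {
  profile passt /usr/bin/passt {
    include <abstractions/passt>
  }
}
"""


def scenarios():
    """Before/after the ABI bump, stand-alone and as a libvirtd subprofile."""
    before = {'abstractions/passt': ABSTRACTION_30,
              'usr.bin.passt': PASST_PROFILE.replace('ABI', '3.0'),
              'libvirtd': LIBVIRT_PROFILE}
    after = {'abstractions/passt': ABSTRACTION_40,
             'usr.bin.passt': PASST_PROFILE.replace('ABI', '4.0'),
             'libvirtd': LIBVIRT_PROFILE}
    return {
        'standalone_before': analyse(before, 'usr.bin.passt'),
        'libvirt_before': analyse(before, 'libvirtd'),    # the reported failure
        'standalone_after': analyse(after, 'usr.bin.passt'),
        'libvirt_after': analyse(after, 'libvirtd'),
    }


if __name__ == '__main__':
    for name, result in scenarios().items():
        print(f"{name:18} abi={result['abi']} "
              f"userns_rule={result['userns_rule']} allowed={result['allowed']}")
```

Running it shows the four combinations: the stand-alone 3.0 profile is fine before the change, the libvirtd 4.0 policy including the 3.0 abstraction is the denied case from the bug, and both are permitted once the abstraction carries `userns,`. The same walk can be pointed at real files under /etc/apparmor.d to confirm that every profile declaring `abi <abi/4.0>` that needs user namespaces also reaches a `userns,` rule through its includes.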
Version in base suite: 0.0~git20250503.587980c-2 Base version: passt_0.0~git20250503.587980c-2 Target version: passt_0.0~git20250503.587980c-2+deb13u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/p/passt/passt_0.0~git20250503.587980c-2.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/p/passt/passt_0.0~git20250503.587980c-2+deb13u1.dsc changelog | 11 gbp.conf | 1 patches/backports/apparmor-Upgrade-ABI-version-to-4.0-explicitly-enabl.patch | 134 ++++++++++ patches/series | 1 4 files changed, 145 insertions(+), 2 deletions(-) dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpjtvf8wgm/passt_0.0~git20250503.587980c-2.dsc: no acceptable signature found dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpjtvf8wgm/passt_0.0~git20250503.587980c-2+deb13u1.dsc: no acceptable signature found diff -Nru passt-0.0~git20250503.587980c/debian/changelog passt-0.0~git20250503.587980c/debian/changelog --- passt-0.0~git20250503.587980c/debian/changelog 2025-05-14 15:00:48.000000000 +0000 +++ passt-0.0~git20250503.587980c/debian/changelog 2026-01-19 09:45:24.000000000 +0000 
@@ -1,8 +1,15 @@ -passt (0.0~git20250503.587980c-2) unstable; urgency=high +passt (0.0~git20250503.587980c-2+deb13u1) trixie; urgency=medium + + * patches: Bump AppArmor ABI version to 4.0 and explicitly enable user namespace creation + (Closes: #1124801) + + -- Stefano Brivio <[email protected]> Mon, 19 Jan 2026 10:45:24 +0100 + +passt (0.0~git20250503.587980c-2) unstable; urgency=medium * Fix potential failed assertion on outbound broadcast packets - -- Stefano Brivio <[email protected]> Wed, 14 May 2025 17:00:48 +0200 + -- Stefano Brivio <[email protected]> Sun, 18 Jan 2026 13:19:27 +0100 passt (0.0~git20250503.587980c-1) unstable; urgency=medium diff -Nru passt-0.0~git20250503.587980c/debian/gbp.conf passt-0.0~git20250503.587980c/debian/gbp.conf --- passt-0.0~git20250503.587980c/debian/gbp.conf 2025-05-04 09:43:11.000000000 +0000 +++ passt-0.0~git20250503.587980c/debian/gbp.conf 2026-01-18 11:58:51.000000000 +0000 @@ -1,2 +1,3 @@ [DEFAULT] pristine-tar = True +debian-branch = debian/trixie diff -Nru passt-0.0~git20250503.587980c/debian/patches/backports/apparmor-Upgrade-ABI-version-to-4.0-explicitly-enabl.patch passt-0.0~git20250503.587980c/debian/patches/backports/apparmor-Upgrade-ABI-version-to-4.0-explicitly-enabl.patch --- passt-0.0~git20250503.587980c/debian/patches/backports/apparmor-Upgrade-ABI-version-to-4.0-explicitly-enabl.patch 1970-01-01 00:00:00.000000000 +0000 +++ passt-0.0~git20250503.587980c/debian/patches/backports/apparmor-Upgrade-ABI-version-to-4.0-explicitly-enabl.patch 2026-01-18 12:18:33.000000000 +0000 
@@ -0,0 +1,134 @@ +From 81c6fb64cebf3d90610d365be4305be1fa0060fe Mon Sep 17 00:00:00 2001 +From: Stefano Brivio <[email protected]> +Date: Sat, 10 Jan 2026 14:15:44 +0100 +Subject: [PATCH] apparmor: Upgrade ABI version to 4.0, explicitly enable user + namespace creation + +In the 3.0 AppArmor ABI version we currently use, user namespace rules +are not supported, and, as long as we load confined profiles, those +implicitly allow creation of user namespaces. + +However, ABI version 4.0 introduces rules for user namespaces, and if +we don't specify any, we can't create user namespaces, see: + + https://gitlab.com/apparmor/apparmor/-/wikis/unprivileged_userns_restriction + +This wouldn't affect us in general, given that we're using the 3.0 +ABI, but libvirt's policy uses 4.0 instead, and if our abstractions +are used from there, no matter what ABI policy version we declare, +rules for user namespace creation now match ABI policy version 4.0. + +As a result, when libvirtd runs as root, and its profile includes +passt's abstraction, cf. commit 66769c2de825 ("apparmor: Workaround +for unconfined libvirtd when triggered by unprivileged user"), passt +can't detach user namespaces and will fail to start, as reported by +Niklas: + + ERROR internal error: Child process (passt --one-off --socket /run/libvirt/qemu/passt/1-haos-net0.socket --pid /run/libvirt/qemu/passt/1-haos-net0-passt.pid --tcp-ports 8123) unexpected exit status 1: Multiple interfaces with IPv6 routes, picked first + UNIX domain socket bound at /run/libvirt/qemu/passt/1-haos-net0.socket + Couldn't create user namespace: Permission denied + +This isn't a problem with libvirtd running as regular user, because +in that case, as a workaround, passt currently runs under its own +profile, not as a libvirtd subprofile (see commit referenced above). + +Given that ABI 4.0 has been around for a while, being introduced in +July 2023, finally take the step to upgrade to it and explicitly +enable user namespace creation. 
+ +No further changes are needed in the existing policies to match new +features introduced in AppArmor 4.0. + +Reported-by: Niklas Edmundsson <[email protected]> +Link: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1124801 +Signed-off-by: Stefano Brivio <[email protected]> + +Origin: upstream, commit:faab79cfd56a +Bug-Debian: https://bugs.debian.org/1124801 +Forwarded: not-needed +Applied-Ustream: 2026_01_17.81c97f6, commit:faab79cfd56a +Last-Update: 2026-01-18 +--- + contrib/apparmor/abstractions/passt | 3 ++- + contrib/apparmor/abstractions/pasta | 2 +- + contrib/apparmor/usr.bin.passt | 2 +- + contrib/apparmor/usr.bin.passt-repair | 2 +- + contrib/apparmor/usr.bin.pasta | 2 +- + 5 files changed, 6 insertions(+), 5 deletions(-) + +diff --git a/contrib/apparmor/abstractions/passt b/contrib/apparmor/abstractions/passt +index 43fd63f..033d093 100644 +--- a/contrib/apparmor/abstractions/passt ++++ b/contrib/apparmor/abstractions/passt +@@ -11,7 +11,7 @@ + # Copyright (c) 2022 Red Hat GmbH + # Author: Stefano Brivio <[email protected]> + +- abi <abi/3.0>, ++ abi <abi/4.0>, + + include <abstractions/base> + +@@ -24,6 +24,7 @@ + capability setpcap, + capability net_admin, + capability sys_ptrace, ++ userns, + + / r, # isolate_prefork(), isolation.c + mount options=(rw, runbindable) -> /, +diff --git a/contrib/apparmor/abstractions/pasta b/contrib/apparmor/abstractions/pasta +index 9f73bee..251d4a2 100644 +--- a/contrib/apparmor/abstractions/pasta ++++ b/contrib/apparmor/abstractions/pasta +@@ -11,7 +11,7 @@ + # Copyright (c) 2022 Red Hat GmbH + # Author: Stefano Brivio <[email protected]> + +- abi <abi/3.0>, ++ abi <abi/4.0>, + + include <abstractions/passt> + +diff --git a/contrib/apparmor/usr.bin.passt b/contrib/apparmor/usr.bin.passt +index 62a4514..c123a86 100644 +--- a/contrib/apparmor/usr.bin.passt ++++ b/contrib/apparmor/usr.bin.passt +@@ -11,7 +11,7 @@ + # Copyright (c) 2022 Red Hat GmbH + # Author: Stefano Brivio <[email protected]> + +-abi <abi/3.0>, 
++abi <abi/4.0>, + + include <tunables/global> + +diff --git a/contrib/apparmor/usr.bin.passt-repair b/contrib/apparmor/usr.bin.passt-repair +index 901189d..23ff1ce 100644 +--- a/contrib/apparmor/usr.bin.passt-repair ++++ b/contrib/apparmor/usr.bin.passt-repair +@@ -11,7 +11,7 @@ + # Copyright (c) 2025 Red Hat GmbH + # Author: Stefano Brivio <[email protected]> + +-abi <abi/3.0>, ++abi <abi/4.0>, + + #include <tunables/global> + +diff --git a/contrib/apparmor/usr.bin.pasta b/contrib/apparmor/usr.bin.pasta +index 2483968..56b5024 100644 +--- a/contrib/apparmor/usr.bin.pasta ++++ b/contrib/apparmor/usr.bin.pasta +@@ -11,7 +11,7 @@ + # Copyright (c) 2022 Red Hat GmbH + # Author: Stefano Brivio <[email protected]> + +-abi <abi/3.0>, ++abi <abi/4.0>, + + include <tunables/global> + +-- +2.43.0 + diff -Nru passt-0.0~git20250503.587980c/debian/patches/series passt-0.0~git20250503.587980c/debian/patches/series --- passt-0.0~git20250503.587980c/debian/patches/series 2025-05-14 14:50:38.000000000 +0000 +++ passt-0.0~git20250503.587980c/debian/patches/series 2026-01-18 12:07:36.000000000 +0000 @@ -1 +1,2 @@ fix-podman-issue-26073.patch +backports/apparmor-Upgrade-ABI-version-to-4.0-explicitly-enabl.patch
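Review bot: the debian/changelog hunk does more than prepend the +deb13u1 stanza: it also rewrites the trailer of the already-released 0.0~git20250503.587980c-2 entry, changing `unstable; urgency=high` to `urgency=medium` and replacing `-- Stefano Brivio <...> Wed, 14 May 2025 17:00:48 +0200` with a Sun, 18 Jan 2026 date. A stable update should leave the published entry byte-for-byte as it was; keep only the new `passt (0.0~git20250503.587980c-2+deb13u1) trixie; urgency=medium` stanza and drop the `-`/`+` lines that touch the older one.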
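Review bot: the DEP-3 header of the new backports/apparmor-Upgrade-ABI-version-to-4.0-explicitly-enabl.patch spells the field as `Applied-Ustream:`; the standard name is `Applied-Upstream`, and tools that parse patch metadata will not recognise the misspelt field, so correct it. While there, the patch's own `From 81c6fb64cebf3d90610d365be4305be1fa0060fe` line and the `Origin: upstream, commit:faab79cfd56a` reference give different hashes; if this is a rebased cherry-pick, say so in the header so the two ids don't read as a mismatch.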
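Review bot: the contrib/apparmor/usr.bin.passt-repair hunk bumps the profile to `abi <abi/4.0>` without adding a `userns,` rule, and unlike usr.bin.passt and usr.bin.pasta it still pulls in `#include <tunables/global>` with the legacy spelling. Under ABI 4.0 the absence of a userns rule means denial, so the description's statement that "No further changes are needed in the existing policies" should be confirmed for passt-repair specifically, i.e. that it never creates a user namespace and does not rely on the abstractions/passt include (which is where the new `userns,` rule lands) to get one. A short comment on the rule, or a `userns,` line if it is needed, would make the intent explicit.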

