Bug#1061678: passt: apparmor denies access to /run/user/$UID/libvirt/qemu/run/passt/

2024-01-31 Thread Stefano Brivio 
reassign 1061678 libvirt

On Mon, 29 Jan 2024 14:03:38 +0100
Stefano Brivio  wrote:

> [...]
>
> Then, in libvirtd's policy, specific rules cover the paths for socket
> and PID files as needed by libvirtd itself. To solve this, we need a
> change in libvirtd's policy. You can try adding:
> 
> owner @{run}/user/[0-9]*/libvirt/qemu/run/passt/* rw,
> 
> in the 'profile passt' block of /etc/apparmor.d/usr.sbin.libvirtd, and
> it should work.

...which is now libvirt upstream commit f95675fdbb42 ("apparmor: Add
user session path for PID and socket files used by passt").

-- 
Stefano

Bug#1061678: passt: apparmor denies access to /run/user/$UID/libvirt/qemu/run/passt/

2024-01-29 Thread Stefano Brivio 
Andi, thanks for reporting this.

Andrea,

On Sun, 28 Jan 2024 17:16:38 +0100
"Andreas B. Mundt"  wrote:

> Package: passt
> Version: 0.0~git20231230.f091893-1
> Severity: normal
> Tags: upstream
> X-Debbugs-Cc: a...@debian.org
> 
> Hi,
> 
> I tried to run a VM using libvirt with user mode networking and
> 'passt':
> …
> 
>   
>   
>   
> 
> …
> Starting the machine fails and the log shows:
>kernel: audit: type=1400 audit(1706457189.881:713): apparmor="DENIED" 
> operation="mknod" …
>libvirtd[752859]: internal error: Child process (passt --one-off
>--socket 
> /run/user/1000/libvirt/qemu/run/passt/47-debiantesting-6-net0.socket
>--pid 
> /run/user/1000/libvirt/qemu/run/passt/47-debiantesting-6-net0-passt.pid
>[…]
>PID file open: Permission denied

I was trying to find out why I don't hit this on my system, and there I
have, in /etc/apparmor.d/usr.sbin.libvirtd:

owner @{run}/user/[0-9]*/libvirt/qemu/run/passt/* rw,

but at the end of the discussion we had back then, you submitted this
as part of the libvirt patch (then merged as commit 7a39b04d683f
"apparmor: Enable passt support"):

owner /{,var/}run/libvirt/qemu/passt/* rw,

which, I guess, only works when root uses virsh to start the guests.

I suppose we need both rules to cover both root and non-root cases?

> I guess the path to socket and pid file is not allowed from
> '/etc/apparmor.d/usr.bin.passt'. After 'aa-teardown' it works as
> expected.   
> 
> To Reproduce the issu:
>  passt --debug --one-off \
>   --socket /run/user/1000/libvirt/qemu/run/passt/38-debiantesting-net0.socket 
> \
>   --pid /run/user/1000/libvirt/qemu/run/passt/38-debiantesting-net0-passt.pid

Andi, this is actually expected: what passt(1) itself needs as AppArmor
is provided by its abstraction, /etc/apparmor.d/abstractions/passt.

This is sourced by /etc/apparmor.d/usr.bin.passt as an example of stand-alone
usage, as well as from /etc/apparmor.d/usr.sbin.libvirtd.

Then, in libvirtd's policy, specific rules cover the paths for socket
and PID files as needed by libvirtd itself. To solve this, we need a
change in libvirtd's policy. You can try adding:

owner @{run}/user/[0-9]*/libvirt/qemu/run/passt/* rw,

in the 'profile passt' block of /etc/apparmor.d/usr.sbin.libvirtd, and
it should work.

> Thanks and best regards,
> 
>   Andi
> 
> -- System Information:
> Debian Release: trixie/sid
>   APT prefers stable-security
>   APT policy: (500, 'stable-security'), (500, 'testing')
> Architecture: amd64 (x86_64)
> 
> Kernel: Linux 6.5.0-5-amd64 (SMP w/4 CPU threads; PREEMPT)
> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
> LANGUAGE=en_US:en
> Shell: /bin/sh linked to /usr/bin/dash
> Init: systemd (via /run/systemd/system)
> LSM: AppArmor: enabled
> 
> Versions of packages passt depends on:
> ii  libc6  2.37-13
> 
> passt recommends no packages.
> 
> Versions of packages passt suggests:
> ii  apparmor  3.0.12-1+b2
> 
> -- no debconf information

-- 
Stefano

Bug#1032968: unblock: passt/0.0~git20230309.7c7625d-1

2023-03-16 Thread Stefano Brivio 
On Thu, 16 Mar 2023 16:22:33 +0100
Paul Gevers  wrote:

> Hi Stefano,
> 
> On 14-03-2023 22:44, Stefano Brivio wrote:
> > - full slirp4netns(1) compatibility not granted  
> 
> I've never heard of this before, what does that mean for the user?

pasta(1) is supposed to provide a drop-in replacement for
slirp4netns(1): you create a network namespace, as a regular user, and
it can give that namespace network connectivity without creating any
interface outside it.

The main distinction is that it's written with performance, IPv6, and
security in mind, but functionally it's supposed to be a superset of it.

It has other functionalities (such as full IPv6 support), so it's not
useless otherwise, but it's probably unexpected for users (and I see
it as a source of potential bugs) that they can't set an outbound
address as they could do it on slirp4netns.

> > [ Tests ]
> > I ran the upstream test suite against the packaged version on a
> > Debian testing (Bookworm) x86_64 system.  
> 
> If you can do this manually, you can probably also do it automatically. 
> If you turn this into an autopkgtest [1] your package could migrate 
> without our intervention (providing that it passes on all architectures 
> where the binary builds and that it tests a substantial part of the 
> as-installed binaries).

Salsa seems to be inaccessible at the moment (and I can't fetch that
link from archive.org), but yes, I started reading about it just after
I realised the migration was blocked, so I know a bit already.

The current problem with the upstream test suite is that it takes a
long time to complete, and has a lot of dependencies, including things
that are not packaged in Debian (e.g. https://github.com/google/neper/).

But most of those dependencies (and time) are only needed for
performance tests, and we're working to refactor the test framework to
make it reasonably modular. It's not exactly trivial as we spawn virtual
machines and there are context dependencies between test cases, so it
will probably take a while. Just to give an idea, screen capture of
latest run:

  https://passt.top/#continuous-integration

Once that is done, it should be trivial (from what I remember of the
document you linked) to create autopkgtests for it.

We also have optional tests (which I run from time to time) to check
build and basic functionality on several distributions, including a few
flavours of Debian:

  https://passt.top/passt/tree/test/distro/debian

but that makes little sense now that it's packaged (and that we'll be
able to have distribution tests... in distributions, eventually).

-- 
Stefano

Bug#1022886: ITP: passt -- Unprivileged user-mode network connectivity for virtual machines and containers

2022-10-27 Thread Stefano Brivio 
Package: wnpp
Severity: wishlist
Owner: Stefano Brivio 
X-Debbugs-Cc: debian-de...@lists.debian.org

* Package name: passt
  Version : 0.0~git20221026.f212044
  Upstream Author : Stefano Brivio 
* URL : https://passt.top/
* License : AGPL-3.0-or-later AND BSD-3-Clause
  Programming Lang: C
  Description : Unprivileged user-mode network connectivity for virtual 
machines and containers

passt implements a translation layer between a Layer-2 network
interface and native Layer-4 sockets (TCP, UDP, ICMP/ICMPv6 echo) on
a host. It doesn't require any capabilities or privileges, and it can
be used as a simple replacement for Slirp.

pasta (same binary as passt, different command) offers equivalent
functionality, for network namespaces: traffic is forwarded using a
tap interface inside the namespace, without the need to create
further interfaces on the host, hence not requiring any capabilities
or privileges.

This might become a dependency for other packages such as libvirt and
podman. Having it packaged in Debian would actually favour adoption
of this solution over libslirp/slirp4netns, which provide a similar
functionality but limited in many aspects, with generally poorer
performance and with a codebase that originates from a very different
purpose, that showed a number of security issues in its long history.

I filed a RFP in the past, at:
  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1010498

I now plan to maintain this package as sponsored maintainer, and I
already contacted a sponsor.

Bug#1010498: RFP: passt -- Unprivileged user-mode network connectivity for virtual machines and containers

2022-05-02 Thread Stefano Brivio 
Sorry, wrong link, it's actually:
  https://passt.top/passt/tree/contrib/debian

Bug#1010498: RFP: passt -- Unprivileged user-mode network connectivity for virtual machines and containers

2022-05-02 Thread Stefano Brivio 
Package: wnpp
Severity: wishlist

* Package name: passt
  Version : 0+git-32210fb64f7d
  Upstream Author : Stefano Brivio 
* URL : https://passt.top/
* License : AGPL-3.0-or-later AND BSD-3-Clause
  Programming Lang: C
  Description : user-mode networking daemons for virtual machines and 
containers

passt implements a translation layer between a Layer-2 network interface and
native Layer-4 sockets (TCP, UDP, ICMP/ICMPv6 echo) on a host. It doesn't
require any capabilities or privileges, and it can be used as a simple
replacement for Slirp.

pasta (same binary as passt, different command) offers equivalent functionality,
for network namespaces: traffic is forwarded using a tap interface inside the
namespace, without the need to create further interfaces on the host, hence not
requiring any capabilities or privileges.

This might become a dependency for other packages such as
libvirt and podman. Having it packaged in Debian would actually
favour adoption of this solution over libslirp/slirp4netns, which
provide a similar functionality but limited in many aspects, with
generally poorer performance and with a codebase that originates
from a very different purpose, that showed a number of security
issues in its long history.

I don't plan to maintain this package -- this is actually an RFP.

An example of Debian packaging files is available upstream at:
  https://passt.top/contrib/debian
including dh_apparmor rules for the example policy from:
  https://passt.top/passt/tree/contrib/apparmor