[pkg-apparmor] Bug#1100135: Bug#1100135: Conflict between Podman Profile and Pasta profile breaks rootless network shutdown
intrigeri
intrigeri at debian.org
Thu Mar 13 09:51:07 GMT 2025
Control: reassign -1 passt

Hi,

Stefano Brivio (2025-03-12):
> On Wed, 12 Mar 2025 14:41:14 +0100
> intrigeri <intrigeri at debian.org> wrote:
> Thanks for fixing the address, yes, I didn't get the original report.

Thanks for the quick reply!

>> - It'll be necessary on Ubuntu, where removing the podman profile is
>> not an option. It's not needed *yet* solely because the profile is
>> not included in the Ubuntu package, which I'm guessing is a mistake
>> that will be fixed at some point
>> (https://bugs.launchpad.net/ubuntu/+source/passt/+bug/2077158).
>> So we can as well fix this proactively. And the fix should probably
>> be upstreamed.
>
> I'm not sure what fix you mean here, but Launchpad #2077158 is already
> fixed on Debian, and there's no further fix needed upstream.

OK, so Ubuntu is already affected by the Debian bug we're
discussing here.

(I haven't checked the current status in Ubuntu and I was blindly
trusting the status encoded in the Launchpad bug. I see current Ubuntu
Plucky now has the same passt version as current Debian testing/sid so
I suppose the Launchpad bug could be marked as fixed in that version.
I've left a comment on LP about this.)

>> If we don't do that, then I'm fine with removing the podman profile,
>> which has limited value anyway in the context of Debian.
>
> Well, eventually, it would make sense to have an actual profile, I
> guess.
>
> Anyway, let me know. If somebody is willing to add to change Podman's
> profile in the way I mentioned (I can also submit a merge request
> eventually, but that will be in a while), I'd prefer that, but I can
> also just add a rule in pasta's profile for the moment.

Developing a real, enforcing AppArmor profile for podman would
be great!

That said, we're getting close to the freeze for Debian 13 (Trixie) so
to me it feels it's too late to aim for this solution as far as Trixie
is concerned, so please "just add a rule in pasta's profile for the
moment".

I'm reassigning this bug accordingly.

Cheers,
--
intrigeri