[pkg-go] [pkg-apparmor] Bug#1100135: Conflict between Podman Profile and Pasta profile breaks rootless network shutdown
Stefano Brivio
sbrivio at redhat.com
Thu Mar 13 16:11:57 GMT 2025
On Thu, 13 Mar 2025 10:51:07 +0100
intrigeri <intrigeri at debian.org> wrote:
> Control: reassign -1 passt
>
> Hi,
>
> Stefano Brivio (2025-03-12):
> > On Wed, 12 Mar 2025 14:41:14 +0100
> > intrigeri <intrigeri at debian.org> wrote:
> > Thanks for fixing the address, yes, I didn't get the original report.
>
> Thanks for the quick reply!
>
> >> - It'll be necessary on Ubuntu, where removing the podman profile is
> >> not an option. It's not needed *yet* solely because the profile is
> >> not included in the Ubuntu package, which I'm guessing is a mistake
> >> that will be fixed at some point
> >> (https://bugs.launchpad.net/ubuntu/+source/passt/+bug/2077158).
> >> So we can as well fix this proactively. And the fix should probably
> >> be upstreamed.
> >
> > I'm not sure what fix you mean here, but Launchpad #2077158 is already
> > fixed on Debian, and there's no further fix needed upstream.
>
> OK, so Ubuntu is already affected by the Debian bug we're
> discussing here.
>
> (I haven't checked the current status in Ubuntu and I was blindly
> trusting the status encoded in the Launchpad bug. I see current Ubuntu
> Plucky now has the same passt version as current Debian testing/sid so
> I suppose the Launchpad bug could be marked as fixed in that version.
> I've left a comment on LP about this.)
>
> >> If we don't do that, then I'm fine with removing the podman profile,
> >> which has limited value anyway in the context of Debian.
> >
> > Well, eventually, it would make sense to have an actual profile, I
> > guess.
> >
> > Anyway, let me know. If somebody is willing to change Podman's
> > profile in the way I mentioned (I can also submit a merge request
> > eventually, but that will be in a while), I'd prefer that, but I can
> > also just add a rule in pasta's profile for the moment.
>
> Developing a real, enforcing AppArmor profile for podman would
> be great!
>
> That said, we're getting close to the freeze for Debian 13 (Trixie) so
> to me it feels it's too late to aim for this solution as far as Trixie
> is concerned, so please "just add a rule in pasta's profile for the
> moment".
Actually, if you need something quick, you don't really need a
complete/real profile for Podman. You can just add to the current stub
(untested, but I'm fairly confident):
--
# Run pasta in a child profile named "pasta" (Cx: scrub the environment
# on transition)
/usr/bin/pasta Cx -> pasta,
profile pasta {
  /usr/bin/pasta r,
  # pasta must be allowed to receive SIGTERM from the podman profile,
  # otherwise the rootless network shutdown is denied
  signal (receive) set=("term") peer=podman,
  # pull in pasta's own rules if the passt package installed them
  include if exists <abstractions/pasta>
}
--
it might be quicker than me changing and testing this in pasta's
profile, because pasta's profile is maintained upstream and that needs
a new release, plus I guess I won't find the time to properly test this
before next week.
It also has the advantage of going in the right direction and not
requiring me to apply a workaround upstream and downstream which I
would need to drop later...
> I'm reassigning this bug accordingly.
Keeping assigned to passt for the moment, but let me know if the
option above is... an option.
--
Stefano
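The rule in the stub above is the one a denied SIGTERM would show up as in the audit log. As an added example, not code from this thread or from the passt or podman projects, here is a small parser that reads AppArmor "DENIED" records for the `signal` operation and derives the rule (and the profile it belongs in) that would permit the signal. The audit lines are constructed for this example to match the shape of kernel AppArmor denial records; the profile names `pasta` and `podman` and the timestamps are assumptions, not taken from a real log.

```python
import re

# Constructed sample audit lines (not from the bug report) shaped like the
# AppArmor "DENIED" records the kernel emits. The first two are the two
# sides of one blocked SIGTERM; the third is an unrelated file denial.
SAMPLE_AUDIT_LINES = [
    'type=AVC msg=audit(1741882317.512:301): apparmor="DENIED" operation="signal" '
    'profile="pasta" pid=41201 comm="pasta" requested_mask="receive" '
    'denied_mask="receive" signal=term peer="podman"',
    'type=AVC msg=audit(1741882317.513:302): apparmor="DENIED" operation="signal" '
    'profile="podman" pid=41188 comm="podman" requested_mask="send" '
    'denied_mask="send" signal=term peer="pasta"',
    'type=AVC msg=audit(1741882318.001:303): apparmor="DENIED" operation="open" '
    'profile="pasta" name="/etc/hosts" pid=41201 comm="pasta" '
    'requested_mask="r" denied_mask="r"',
]

# key=value pairs; values are either double-quoted or a bare token
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_audit_line(line):
    """Split one audit record into a dict of its key=value fields."""
    return {key: value.strip('"') for key, value in _KV.findall(line)}


def signal_rule_for_denial(fields):
    """Return (profile, rule) for a denied signal record, or None otherwise.

    AppArmor signal rules are checked on both ends: the sender needs
    'signal (send)' naming the receiver's profile as peer, and the receiver
    needs 'signal (receive)' naming the sender's profile as peer. The
    'profile' field is the profile that must carry the rule; 'peer' is the
    other side's profile name (a child profile appears as parent//child).
    """
    if fields.get("apparmor") != "DENIED" or fields.get("operation") != "signal":
        return None
    direction = fields["denied_mask"]  # "send" or "receive"
    rule = "signal (%s) set=(%s) peer=%s," % (direction, fields["signal"], fields["peer"])
    return fields["profile"], rule


def rules_from_log(lines):
    """Group the rules implied by signal denials by the profile they belong in."""
    rules = {}
    for line in lines:
        found = signal_rule_for_denial(parse_audit_line(line))
        if found:
            profile, rule = found
            rules.setdefault(profile, set()).add(rule)
    return rules


if __name__ == "__main__":
    for profile, profile_rules in sorted(rules_from_log(SAMPLE_AUDIT_LINES).items()):
        print("profile %s {" % profile)
        for rule in sorted(profile_rules):
            print("  " + rule)
        print("}")
```

Usage note: feed it the output of `journalctl -k` or `ausearch -m AVC` filtered to `operation="signal"`. Only the receiving side matters for the bug in this thread when podman runs with an unconfined-flagged profile, since an unconfined profile is not enforced on its own `send`; the rule still has to name the sender's actual profile name as `peer`, so check the `peer=` field rather than guessing it.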
More information about the Pkg-go-maintainers mailing list