mirror of https://passt.top/passt synced 2025-05-25 10:35:35 +02:00
passt/contrib/apparmor
Stefano Brivio f66769c2de apparmor: Workaround for unconfined libvirtd when triggered by unprivileged user
If libvirtd is triggered by an unprivileged user, the virt-aa-helper
mechanism doesn't work, because per-VM profiles can't be instantiated,
and as a result libvirtd runs unconfined.

This means passt can't start, because the passt subprofile from
libvirt's profile is not loaded either.

Example:

  $ virsh start alpine
  error: Failed to start domain 'alpine'
  error: internal error: Child process (passt --one-off --socket /run/user/1000/libvirt/qemu/run/passt/1-alpine-net0.socket --pid /run/user/1000/libvirt/qemu/run/passt/1-alpine-net0-passt.pid --tcp-ports 40922:2) unexpected fatal signal 11

Add an annoying workaround for the moment being. Much better than
encouraging users to start guests as root, or to disable AppArmor
altogether.

Reported-by: Prafulla Giri <prafulla.giri@protonmail.com>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2025-02-06 09:43:09 +01:00
abstractions apparmor: Allow read access to /proc/sys/net/ipv4/ip_local_port_range 2024-09-06 15:34:06 +02:00
usr.bin.passt apparmor: Workaround for unconfined libvirtd when triggered by unprivileged user 2025-02-06 09:43:09 +01:00
usr.bin.passt-repair Introduce passt-repair 2025-02-04 01:28:04 +01:00
usr.bin.pasta apparmor: Fix comments after PID file and AF_UNIX socket creation refactoring 2024-05-23 16:44:21 +02:00