On Tue, Jan 30, 2024 at 10:47:54AM -0800, Andrea Bolognani wrote:
> On Tue, Jan 30, 2024 at 07:15:51PM +0100, Stefano Brivio wrote:
>> Commit 7a39b04d683f ("apparmor: Enable passt support") grants
>> passt(1) read-write access to /{,var/}run/libvirt/qemu/passt/* if
>> started by the libvirt daemon. That's the path where passt creates
>> PID and socket files only if the guest is started by the root user.
>>
>> If the guest is started by another user, though, the path is more
>> commonly /var/run/user/$UID/libvirt/qemu/run/passt: add it as
>> read-write location. Otherwise, passt won't be able to start, as
>> reported by Andreas.
>>
>> While at it, replace /{,var/}run/ in the existing rule by its
>> corresponding tunable variable, @{run}.
>>
>> Reported-by: Andreas B. Mundt <andi(a)debian.org>
>> Link: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1061678
>> Fixes: 7a39b04d683f ("apparmor: Enable passt support")
>> Signed-off-by: Stefano Brivio <sbrivio(a)redhat.com>
>> ---
>> src/security/apparmor/libvirt-qemu.in | 3 ++-
>> 1 file changed, 2 insertions(+), 1 deletion(-)
>>
>> diff --git a/src/security/apparmor/libvirt-qemu.in
b/src/security/apparmor/libvirt-qemu.in
>> index f40f471891..8b92915281 100644
>> --- a/src/security/apparmor/libvirt-qemu.in
>> +++ b/src/security/apparmor/libvirt-qemu.in
>> @@ -196,7 +196,8 @@
>> signal (receive) set=("term") peer=libvirtd,
>> signal (receive) set=("term") peer=virtqemud,
>>
>> - owner /{,var/}run/libvirt/qemu/passt/* rw,
>> + owner @{run}/user/[0-9]*/libvirt/qemu/run/passt/* rw,
>> + owner @{run}/libvirt/qemu/passt/* rw,
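Review bot: the second `+` line hard-codes the `/run/user/[0-9]*/` layout, so a session libvirtd whose runtime directory lives outside `@{run}/user/` would still be denied; the commit message already says this is only the "more common" location, so a one-line comment in the profile would help, especially since the unprivileged path (`@{run}/user/[0-9]*/libvirt/qemu/run/passt/*`) carries an extra `run/` component that the root path (`@{run}/libvirt/qemu/passt/*`) lacks and that asymmetry reads like a typo to anyone skimming the profile later. On the security side the rule is adequately scoped: `owner` restricts the `[0-9]*` glob to files owned by the uid of the confined process, and `@{run}` is defined as `/run/ /var/run/` in tunables/global, so the replaced `/{,var/}run/` rule keeps exactly its previous coverage.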
>
> Makes sense to me, so
>
> Reviewed-by: Andrea Bolognani <abologna(a)redhat.com>
>
> I'll give Jim and others a chance to take a look before pushing.

I just realized that you sent the patch to the old mailing list
address. We've migrated somewhat recently, so that's completely
understandable :)