Bug 2426863

Summary: Adjust AppArmor profile for TCP-related sysctl parameters
Product: Fedora
Reporter: Martin Pitt <mpitt>
Component: passt
Assignee: Stefano Brivio <sbrivio>
Status: POST
Severity: medium
Priority: unspecified
Version: rawhide
CC: sbrivio, yuhuang
Keywords: Regression
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Linux
URL: https://logs-cockpit.apps.ocp.cloud.ci.centos.org/pull-8568-441df88a-20260101-142732-debian-testing-cockpit-project-cockpit-machines/log.html
Attachments: [PATCH] apparmor: Allow reading TCP RTO sysctl parameters (flags: none)

Description Martin Pitt 2026-01-02 20:14:42 UTC
I wanted to file this at https://passt.top/passt/bugs , but I did not yet get a confirmation mail for my account request, and honestly I really don't want yet another bugzilla account for a one-off report/patch. So, please forgive me for slightly abusing the Fedora bug tracker!

The latest passt version now causes AppArmor violations. This got spotted in https://github.com/cockpit-project/bots/pull/8568 .

I created a patch to fix this, and tested it with cockpit-machines.

Reproducible: Always

Steps to Reproduce:
passt.avx2 -f
Actual Results:
kernel: audit: type=1400 audit(1767384668.175:118): apparmor="DENIED" operation="open" class="file" profile="passt" name="/proc/sys/net/ipv4/tcp_syn_retries" pid=1104 comm="passt.avx2" requested_mask="r" denied_mask="r" fsuid=1002 ouid=0
kernel: audit: type=1400 audit(1767384668.183:119): apparmor="DENIED" operation="open" class="file" profile="passt" name="/proc/sys/net/ipv4/tcp_syn_linear_timeouts" pid=1104 comm="passt.avx2" requested_mask="r" denied_mask="r" fsuid=1002 ouid=0
kernel: audit: type=1400 audit(1767384668.183:120): apparmor="DENIED" operation="open" class="file" profile="passt" name="/proc/sys/net/ipv4/tcp_rto_max_ms" pid=1104 comm="passt.avx2" requested_mask="r" denied_mask="r" fsuid=1002 ouid=0

Expected Results:
No AppArmor violations
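
The denials above follow the standard AppArmor audit format, so they can be turned into candidate profile rules mechanically. The script below is an added example and is not part of this report, of the attached patch or of the passt project: it parses the three audit lines quoted in "Actual Results" (plus two constructed lines, a write attempt and a non-denial STATUS event, which are not from the report), emits one `path r,` rule per denied path, and refuses to grant anything wider than read on its own, so a write request against a sysctl is set aside for a human to review rather than silently allowed. The rule text it produces is plain AppArmor file-rule syntax; it does not reproduce the attached patch, whose exact contents are not shown on this page.

```python
import re
from collections import defaultdict

# Constructed sample input: the three denials quoted in this report (copied from
# the bug's "Actual Results"), plus two constructed lines that are NOT in the
# report: a write attempt (to show the review path) and a non-denial STATUS event.
SAMPLE_AUDIT_LINES = [
    'kernel: audit: type=1400 audit(1767384668.175:118): apparmor="DENIED" operation="open" class="file" profile="passt" name="/proc/sys/net/ipv4/tcp_syn_retries" pid=1104 comm="passt.avx2" requested_mask="r" denied_mask="r" fsuid=1002 ouid=0',
    'kernel: audit: type=1400 audit(1767384668.183:119): apparmor="DENIED" operation="open" class="file" profile="passt" name="/proc/sys/net/ipv4/tcp_syn_linear_timeouts" pid=1104 comm="passt.avx2" requested_mask="r" denied_mask="r" fsuid=1002 ouid=0',
    'kernel: audit: type=1400 audit(1767384668.183:120): apparmor="DENIED" operation="open" class="file" profile="passt" name="/proc/sys/net/ipv4/tcp_rto_max_ms" pid=1104 comm="passt.avx2" requested_mask="r" denied_mask="r" fsuid=1002 ouid=0',
    # constructed: a write denial on a sysctl, which must not be granted blindly
    'kernel: audit: type=1400 audit(1767384700.000:121): apparmor="DENIED" operation="open" class="file" profile="passt" name="/proc/sys/net/ipv4/tcp_syn_retries" pid=1104 comm="passt.avx2" requested_mask="w" denied_mask="w" fsuid=1002 ouid=0',
    # constructed: not a denial at all, must be ignored
    'kernel: audit: type=1400 audit(1767384600.000:100): apparmor="STATUS" operation="profile_load" profile="unconfined" name="passt" pid=900 comm="apparmor_parser"',
]

# key=value pairs; values are either double-quoted or a bare token
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_audit_line(line):
    """Turn one AppArmor audit line into a dict of its key=value fields."""
    fields = {}
    for key, value in KV_RE.findall(line):
        fields[key] = value.strip('"')
    return fields


def parse_denials(lines):
    """Keep only apparmor="DENIED" events that carry a profile and a path."""
    denials = []
    for line in lines:
        f = parse_audit_line(line)
        if f.get("apparmor") == "DENIED" and "profile" in f and "name" in f:
            denials.append(f)
    return denials


# AppArmor prints permission letters in a fixed order; keep that order when
# turning a denied_mask back into a rule.
_PERM_ORDER = "mrwalkix"


def _normalise_mask(mask):
    return "".join(p for p in _PERM_ORDER if p in mask)


def suggest_rules(denials, grantable=frozenset("r")):
    """Derive candidate file rules, one per (profile, path).

    Denials whose denied_mask lies within `grantable` become rules; anything
    wider (e.g. "w" on a sysctl) is returned in `flagged` for human review
    instead of being granted.
    """
    rules = defaultdict(set)
    flagged = []
    for d in denials:
        mask = d.get("denied_mask", "")
        if d.get("class", "file") == "file" and mask and set(mask) <= grantable:
            rules[d["profile"]].add(f'{d["name"]} {_normalise_mask(mask)},')
        else:
            flagged.append(d)
    return {p: sorted(r) for p, r in rules.items()}, flagged


def render_fragment(rules_by_profile):
    """Render the rules as lines you would paste into each profile."""
    out = []
    for profile, rules in sorted(rules_by_profile.items()):
        out.append(f"# rules derived from denials for profile {profile}")
        out.extend(f"  {rule}" for rule in rules)
    return "\n".join(out)


if __name__ == "__main__":
    denials = parse_denials(SAMPLE_AUDIT_LINES)
    rules, flagged = suggest_rules(denials)
    print(render_fragment(rules))
    for d in flagged:
        print(f'# REVIEW: {d["profile"]} wanted {d["denied_mask"]!r} on {d["name"]}')
```

Feeding it the report's three lines yields three `r,` rules under `/proc/sys/net/ipv4/` for the `passt` profile and nothing else; the constructed write denial lands in the review list, which is the point of keeping the grantable mask to `r` by default: a profile fix for a read-only regression like this one should not widen into write access to kernel tunables just because a denial was logged.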

Comment 1 Martin Pitt 2026-01-02 20:15:42 UTC
Created attachment 2120873 [details]
[PATCH] apparmor: Allow reading TCP RTO sysctl parameters

Comment 2 Stefano Brivio 2026-01-08 14:24:43 UTC
Martin, thanks a lot for spotting this and for the patch!

It turns out I tested the Debian package manually (while checking logs) only on a system with an older kernel version without those procfs entries, to specifically check failure handling, but I missed checking the working case, sorry for that. A couple of comments:

(In reply to Martin Pitt from comment #0)
> I wanted to file this at https://passt.top/passt/bugs , but I did not yet
> get a confirmation mail for my account request

I'm reviewing those manually as we currently have a high rate of attempted automatic registrations by so-called "AI" bots... and I happened to be offline for *at least* 48 hours, if you can imagine such a thing. :)

> and honestly I really don't
> want yet another bugzilla account for an one-off report/patch.

Well, it's not the first one you report, but... this almost sounds like you're begging for more bugs. :) We'll not disappoint you.

> I created a patch to fix this, and tested it with cockpit-machines.

I just posted it to the upstream mailing list for review, that's https://archives.passt.top/passt-dev/20260108142335.3378196-1-sbrivio@redhat.com/.

Comment 3 Martin Pitt 2026-01-08 14:39:05 UTC
Hey Stefano,

(In reply to Stefano Brivio from comment #2)
> > I wanted to file this at https://passt.top/passt/bugs , but I did not yet
> > get a confirmation mail for my account request
> 
> I'm reviewing those manually as we currently have a high rate of attempted
> automatic registrations by so-called "AI" bots... 

I hear you, brother.. In Cockpit we've also had to do some interesting fights against scrapers, it's an uphill battle :(

> and I happened to be offline for *at least* 48 hours, if you can imagine such a thing. :)

Just in case that came across wrong: That was totally not meant as blame, just an explanation why I'm posting here on Fedora bz. As it happened, I was on EOY break long enough for the registration confirmation to time out 😅 (but no worries..)

> I just posted it to the upstream mailing list for review

Thanks muchly!

Comment 4 Stefano Brivio 2026-01-08 16:07:45 UTC
(In reply to Martin Pitt from comment #3)
> Just in case that came across wrong: That was totally not meant to be a
> blame, just an explanation why I'm posting here on Fedora bz. As it
> happened, I was on EOY break long enough for the registration confirmation
> to time out 😅 (but no worries..)

Oops, timing. No, no, it was rather self-deprecation. :)