I wanted to file this at https://passt.top/passt/bugs , but I did not yet get a confirmation mail for my account request, and honestly I really don't want yet another bugzilla account for a one-off report/patch. So, please forgive me for slightly abusing the Fedora bug tracker!

The latest passt version now causes AppArmor violations. This got spotted in https://github.com/cockpit-project/bots/pull/8568 . I created a patch to fix this, and tested it with cockpit-machines.

Reproducible: Always

Steps to Reproduce:
passt.avx2 -f

Actual Results:
kernel: audit: type=1400 audit(1767384668.175:118): apparmor="DENIED" operation="open" class="file" profile="passt" name="/proc/sys/net/ipv4/tcp_syn_retries" pid=1104 comm="passt.avx2" requested_mask="r" denied_mask="r" fsuid=1002 ouid=0
kernel: audit: type=1400 audit(1767384668.183:119): apparmor="DENIED" operation="open" class="file" profile="passt" name="/proc/sys/net/ipv4/tcp_syn_linear_timeouts" pid=1104 comm="passt.avx2" requested_mask="r" denied_mask="r" fsuid=1002 ouid=0
kernel: audit: type=1400 audit(1767384668.183:120): apparmor="DENIED" operation="open" class="file" profile="passt" name="/proc/sys/net/ipv4/tcp_rto_max_ms" pid=1104 comm="passt.avx2" requested_mask="r" denied_mask="r" fsuid=1002 ouid=0

Expected Results:
No AppArmor violations
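The denial records in the report above can be turned into candidate profile rules mechanically. This is an added example, not part of the report or of the attached patch: `parse_denials` and `suggest_rules` are illustrative names, and the rules it prints are candidates to review before they go into a profile.

```python
import re
from collections import defaultdict

# The three denial records from the report above, copied verbatim.
SAMPLE_LOG = """\
kernel: audit: type=1400 audit(1767384668.175:118): apparmor="DENIED" operation="open" class="file" profile="passt" name="/proc/sys/net/ipv4/tcp_syn_retries" pid=1104 comm="passt.avx2" requested_mask="r" denied_mask="r" fsuid=1002 ouid=0
kernel: audit: type=1400 audit(1767384668.183:119): apparmor="DENIED" operation="open" class="file" profile="passt" name="/proc/sys/net/ipv4/tcp_syn_linear_timeouts" pid=1104 comm="passt.avx2" requested_mask="r" denied_mask="r" fsuid=1002 ouid=0
kernel: audit: type=1400 audit(1767384668.183:120): apparmor="DENIED" operation="open" class="file" profile="passt" name="/proc/sys/net/ipv4/tcp_rto_max_ms" pid=1104 comm="passt.avx2" requested_mask="r" denied_mask="r" fsuid=1002 ouid=0
"""

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
HEX = re.compile(r"(?:[0-9A-Fa-f]{2})+")


def parse_denials(log):
    """Return one dict of audit fields per AppArmor DENIED record."""
    records = []
    for line in log.splitlines():
        if 'apparmor="DENIED"' not in line:
            continue
        rec = {}
        for key, quoted, bare in FIELD.findall(line):
            if key == "name" and HEX.fullmatch(bare):
                # audit writes names with spaces or control bytes as bare hex
                bare = bytes.fromhex(bare).decode("utf-8", "replace")
            rec[key] = quoted or bare
        records.append(rec)
    return records


def suggest_rules(log):
    """Map profile -> sorted candidate file rules, merging masks per path."""
    masks = defaultdict(set)
    for rec in parse_denials(log):
        if rec.get("class", "file") == "file" and {"name", "profile"} <= rec.keys():
            masks[rec["profile"], rec["name"]].update(rec.get("denied_mask", ""))
    rules = defaultdict(list)
    for (profile, path), mask in sorted(masks.items()):
        if not mask or mask - {"r", "w"}:
            continue  # exec, create, etc. need a human decision; emit nothing
        if re.search(r"\s", path):
            path = f'"{path}"'  # AppArmor rules quote paths containing whitespace
        rules[profile].append(f"{path} {''.join(sorted(mask))},")
    return dict(rules)


if __name__ == "__main__":
    for profile, lines in suggest_rules(SAMPLE_LOG).items():
        print(f"profile {profile}:")
        print("\n".join(f"  {rule}" for rule in lines))
```

A denial only records what was blocked, so each suggested rule still needs a check that the access is one the confined program should have.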
Created attachment 2120873 [PATCH] apparmor: Allow reading TCP RTO sysctl parameters
Martin, thanks a lot for spotting this and for the patch! It turns out I tested the Debian package manually (while checking logs) only on a system with an older kernel version without those procfs entries, to specifically check failure handling, but I missed checking the working case, sorry for that.

A couple of comments:

(In reply to Martin Pitt from comment #0)
> I wanted to file this at https://passt.top/passt/bugs , but I did not yet
> get a confirmation mail for my account request

I'm reviewing those manually as we currently have a high rate of attempted automatic registrations by so-called "AI" bots... and I happened to be offline for *at least* 48 hours, if you can imagine such a thing. :)

> and honestly I really don't
> want yet another bugzilla account for a one-off report/patch.

Well, it's not the first one you report, but... this almost sounds like you're begging for more bugs. :) We'll not disappoint you.

> I created a patch to fix this, and tested it with cockpit-machines.

I just posted it to the upstream mailing list for review, that's https://archives.passt.top/passt-dev/20260108142335.3378196-1-sbrivio@redhat.com/.
Hey Stefano,

(In reply to Stefano Brivio from comment #2)
> > I wanted to file this at https://passt.top/passt/bugs , but I did not yet
> > get a confirmation mail for my account request
>
> I'm reviewing those manually as we currently have a high rate of attempted
> automatic registrations by so-called "AI" bots...

I hear you brother.. In Cockpit we've also had to do some interesting fights against scrapers, it's an uphill battle :(

> and I happened to be offline for *at least* 48 hours, if you can imagine such a thing. :)

Just in case that came across wrong: That was totally not meant to be a blame, just an explanation why I'm posting here on Fedora bz. As it happened, I was on EOY break long enough for the registration confirmation to time out 😅 (but no worries..)

> I just posted it to the upstream mailing list for review

Thanks muchly!
(In reply to Martin Pitt from comment #3)
> Just in case that came across wrong: That was totally not meant to be a
> blame, just an explanation why I'm posting here on Fedora bz. As it
> happened, I was on EOY break long enough for the registration confirmation
> to time out 😅 (but no worries..)

Oops, timing. No, no, it was rather self-deprecation. :)