Couldn't open network namespace /var/tmp/...cut...: Permission denied #22625

@cevich

Description
Issue Description

Debian 13 (SID) fails to run rootless podman with pasta networking when root and/or runroot point at a path at or below /var/tmp/. This is believed to be due to a broken AppArmor profile, but attempts at workarounds have failed (PR discussion). Example annotated log.

Steps to reproduce the issue

On a Debian VM:

  1. podman --root=/var/tmp/something --runroot=/var/tmp/somethingelse network create foobar
  2. podman --root=/var/tmp/something --runroot=/var/tmp/somethingelse run -it --rm --network=foobar quay.io/libpod/alpine:latest true

Describe the results you received

Error: setting up Pasta: pasta failed with exit code 1:
Couldn't open network namespace /var/tmp/...cut...: Permission denied

Describe the results you expected

Container should run and exit cleanly without any error.

podman info output

host:
  arch: amd64
  buildahVersion: 1.36.0-dev
  cgroupControllers:
  - cpuset
  - cpu
  - cpuacct
  - blkio
  - memory
  - devices
  - freezer
  - net_cls
  - perf_event
  - net_prio
  - hugetlb
  - pids
  - rdma
  - misc
  cgroupManager: systemd
  cgroupVersion: v1
  conmon:
    package: conmon_2.1.10+ds1-1+b1_amd64
    path: /usr/bin/conmon
    version: 'conmon version 2.1.10, commit: unknown'
  cpuUtilization:
    idlePercent: 25.16
    systemPercent: 24.35
    userPercent: 50.49
  cpus: 2
  databaseBackend: sqlite
  distribution:
    codename: trixie
    distribution: debian
    version: "13"
  eventLogger: journald
  freeLocks: 2048
  hostname: cirrus-task-6081697266008064
  idMappings:
    gidmap: null
    uidmap: null
  kernel: 6.7.12-cloud-amd64
  linkmode: dynamic
  logDriver: journald
  memFree: 2506199040
  memTotal: 4114882560
  networkBackend: netavark
  networkBackendInfo:
    backend: netavark
    dns:
      package: aardvark-dns_1.4.0-5.1_amd64
      path: /usr/lib/podman/aardvark-dns
      version: aardvark-dns 1.4.0
    package: netavark_1.4.0-4.1_amd64
    path: /usr/lib/podman/netavark
    version: netavark 1.4.0
  ociRuntime:
    name: runc
    package: runc_1.1.12+ds1-2_amd64
    path: /usr/bin/runc
    version: |-
      runc version 1.1.12+ds1
      commit: 1.1.12+ds1-2
      spec: 1.1.0
      go: go1.22.0
      libseccomp: 2.5.5
  os: linux
  pasta:
    executable: /usr/bin/pasta
    package: passt_0.0~git20240426.d03c4e2-1_amd64
    version: |
      pasta 0.0~git20240426.d03c4e2-1
      Copyright Red Hat
      GNU General Public License, version 2 or later
        <https://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
      This is free software: you are free to change and redistribute it.
      There is NO WARRANTY, to the extent permitted by law.
  remoteSocket:
    exists: false
    path: /run/podman/podman.sock
  rootlessNetworkCmd: pasta
  security:
    apparmorEnabled: true
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: false
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: false
  serviceIsRemote: false
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: slirp4netns_1.2.1-1+b1_amd64
    version: |-
      slirp4netns version 1.2.1
      commit: 09e31e92fa3d2a1d3ca261adaeb012c8d75a8194
      libslirp: 4.7.0
      SLIRP_CONFIG_VERSION_MAX: 4
      libseccomp: 2.5.5
  swapFree: 0
  swapTotal: 0
  uptime: 0h 36m 36.00s
  variant: ""
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  - ipvlan
  volume:
  - local
registries:
  docker.io:
    Blocked: false
    Insecure: false
    Location: mirror.gcr.io
    MirrorByDigestOnly: false
    Mirrors: null
    Prefix: docker.io
    PullFromMirror: ""
  docker.io/library:
    Blocked: false
    Insecure: false
    Location: quay.io/libpod
    MirrorByDigestOnly: false
    Mirrors: null
    Prefix: docker.io/library
    PullFromMirror: ""
  localhost:5000:
    Blocked: false
    Insecure: true
    Location: localhost:5000
    MirrorByDigestOnly: false
    Mirrors: null
    Prefix: localhost:5000
    PullFromMirror: ""
  search:
  - docker.io
  - quay.io
  - registry.fedoraproject.org
store:
  configFile: /etc/containers/storage.conf
  containerStore:
    number: 0
    paused: 0
    running: 0
    stopped: 0
  graphDriverName: overlay
  graphOptions: {}
  graphRoot: /var/lib/containers/storage
  graphRootAllocated: 211116445696
  graphRootUsed: 6220103680
  graphStatus:
    Backing Filesystem: extfs
    Native Overlay Diff: "true"
    Supports d_type: "true"
    Supports shifting: "true"
    Supports volatile: "true"
    Using metacopy: "false"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 0
  runRoot: /run/containers/storage
  transientStore: false
  volumePath: /var/lib/containers/storage/volumes
version:
  APIVersion: 5.1.0-dev
  Built: 1715007301
  BuiltTime: Mon May  6 14:55:01 2024
  GitCommit: e8ef36e26edd8aac3349c348b6320c2dbe73126b
  GoVersion: go1.22.2
  Os: linux
  OsArch: linux/amd64
  Version: 5.1.0-dev

Podman in a container

Yes

Privileged Or Rootless

Rootless

Upstream Latest Release

Yes

Additional environment details

Additional information

No response
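The two reproduction commands above, together with the check a practitioner wants next when "Permission denied" appears on a host with AppArmor enabled, as an added triage script. This is example code, not part of the issue and not the podman project's or Debian's own tooling. It assumes: the AppArmor audit records are readable via journalctl -k (or dmesg); the constructed SAMPLE_AUDIT lines, including the profile name "pasta" and the netns paths, are illustrative rather than copied from a real host; the network name and image are the ones from the issue; and the --run flag is this script's own convention so that the parsing functions can be exercised without touching podman.

```sh
#!/bin/sh
# Added triage helper (not from the issue or the podman project).
# 1. parses AppArmor audit records for DENIED events; 2. re-runs the two
# reproduction steps with --root/--runroot under /var/tmp and under
# $XDG_RUNTIME_DIR so the path dependence is isolated in a single run.

NET=${NET:-foobar}
IMAGE=${IMAGE:-quay.io/libpod/alpine:latest}

# Constructed sample of kernel audit lines. The profile name "pasta" and the
# paths are assumptions for this example, not copied from a real Debian host.
SAMPLE_AUDIT='type=1400 audit(1714000000.123:45): apparmor="DENIED" operation="open" class="file" profile="pasta" name="/var/tmp/somethingelse/netns/netns-abc" pid=4242 comm="pasta" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=1400 audit(1714000000.200:46): apparmor="STATUS" operation="profile_load" profile="unconfined" name="pasta" pid=4200 comm="apparmor_parser"
type=1400 audit(1714000000.300:47): apparmor="DENIED" operation="open" class="file" profile="example-app" name="/etc/example.conf" pid=4300 comm="example-app" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0'

# Read audit lines on stdin; print one "profile path denied_mask" line per
# AppArmor DENIED record, dropping STATUS/ALLOWED records.
parse_apparmor_denials() {
    grep 'apparmor="DENIED"' |
        sed -n 's/.*profile="\([^"]*\)".*name="\([^"]*\)".*denied_mask="\([^"]*\)".*/\1 \2 \3/p'
}

# Count DENIED records whose path starts with $1 (e.g. /var/tmp/).
denials_under_path() {
    parse_apparmor_denials | awk -v p="$1" 'index($2, p) == 1 { n++ } END { print n + 0 }'
}

# Steps 1 and 2 from the issue with --root/--runroot under $1; returns the
# exit status of the "run" step, which is where pasta's failure surfaces.
repro_with_base() {
    base=$1
    podman --root="$base/root" --runroot="$base/runroot" network create "$NET" >/dev/null 2>&1 || true
    podman --root="$base/root" --runroot="$base/runroot" run --rm --network="$NET" "$IMAGE" true
}

triage() {
    echo "AppArmor enabled: $(cat /sys/module/apparmor/parameters/enabled 2>/dev/null || echo N)"
    echo "Loaded profiles mentioning pasta:"
    grep -i pasta /sys/kernel/security/apparmor/profiles 2>/dev/null || echo "  (none)"

    for base in "/var/tmp/podman-repro-$$" "${XDG_RUNTIME_DIR:-/run/user/$(id -u)}/podman-repro-$$"; do
        rc=0
        repro_with_base "$base" || rc=$?
        if [ "$rc" -eq 0 ]; then
            echo "OK    root/runroot under $base"
        else
            echo "FAIL  root/runroot under $base (podman exit $rc)"
        fi
    done

    # Kernel audit records need journal read access (typically group adm or
    # systemd-journal); dmesg is the fallback where it is readable.
    log=$(journalctl -k -b --no-pager 2>/dev/null || dmesg 2>/dev/null)
    echo "DENIED records under /var/tmp/ since boot: $(printf '%s\n' "$log" | denials_under_path /var/tmp/)"
    printf '%s\n' "$log" | parse_apparmor_denials
}

# Only touch the host when asked; without --run the functions are merely
# defined, so they can be exercised against SAMPLE_AUDIT.
if [ "${1:-}" = "--run" ]; then
    triage
fi
```

Run it as the rootless user on the affected VM with `sh triage.sh --run`. If the /var/tmp base fails, the runtime-dir base succeeds, and a DENIED record with the pasta profile and a /var/tmp path is listed, the AppArmor profile is confirmed as the cause and the `name=` path in that record is exactly what the profile needs to allow. If both bases fail, or no DENIED record appears at all, the cause is not the profile and ordinary ownership and mode of the namespace path should be checked instead.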

Metadata

Labels

kind/bug (Categorizes issue or PR as related to a bug)
locked - please file new issue/PR (Assist humans wanting to comment on an old issue or PR with locked comments)
pasta (pasta(1) bugs or features)
