Permission denied while pasta tries to open network namespace #22681

Closed
rei-ber opened this issue May 13, 2024 · 3 comments
Labels
kind/bug Categorizes issue or PR as related to a bug. pasta pasta(1) bugs or features

Comments

@rei-ber

rei-ber commented May 13, 2024

Issue Description

After a system upgrade to newer versions, I can't run a container due to a pasta permission-denied error. It is not the same as #22015 because it worked before the system upgrade and the newest passt version.

The following packages were upgraded:

containers-common/unknown 100:0.58.3-1 amd64 [upgradable from: 100:0.58.2-1]
distro-info-data/unknown 100:0.62-1 all [upgradable from: 100:0.60-1]
less/oldstable-security 551-2+deb11u2 amd64 [upgradable from: 551-2]
libc-bin/oldstable-security 2.31-13+deb11u10 amd64 [upgradable from: 2.31-13+deb11u9]
libc-dev-bin/oldstable-security 2.31-13+deb11u10 amd64 [upgradable from: 2.31-13+deb11u9]
libc-devtools/oldstable-security 2.31-13+deb11u10 amd64 [upgradable from: 2.31-13+deb11u9]
libc-l10n/oldstable-security 2.31-13+deb11u10 all [upgradable from: 2.31-13+deb11u9]
libc6-dev/oldstable-security 2.31-13+deb11u10 amd64 [upgradable from: 2.31-13+deb11u9]
libc6/oldstable-security 2.31-13+deb11u10 amd64 [upgradable from: 2.31-13+deb11u9]
libglib2.0-0/oldstable-security 2.66.8-1+deb11u3 amd64 [upgradable from: 2.66.8-1+deb11u1]
libglib2.0-data/oldstable-security 2.66.8-1+deb11u3 all [upgradable from: 2.66.8-1+deb11u1]
libslirp0/unknown 100:4.8.0-1 amd64 [upgradable from: 100:4.7.0-1]
linux-compiler-gcc-10-x86/oldstable-security 5.10.216-1 amd64 [upgradable from: 5.10.209-2]
linux-image-amd64/oldstable-security 5.10.216-1 amd64 [upgradable from: 5.10.209-2]
linux-kbuild-5.10/oldstable-security 5.10.216-1 amd64 [upgradable from: 5.10.209-2]
linux-libc-dev/oldstable-security 5.10.216-1 amd64 [upgradable from: 5.10.209-2]
locales/oldstable-security 2.31-13+deb11u10 all [upgradable from: 2.31-13+deb11u9]
podman/unknown 100:5.0.3-1 amd64 [upgradable from: 100:5.0.2-1]
slirp4netns/unknown 100:1.3.1-1 amd64 [upgradable from: 100:1.3.0-1]

I also downgraded the packages containers-common, libslirp0, podman and slirp4netns to their previous versions and rebooted, but the result is still the same. I am not really sure if it is a podman issue or something with the other packages.

Steps to reproduce the issue

podman run --rm docker.io/alpine:latest id -u nobody

Describe the results you received

Error: pasta failed with exit code 1:
Couldn't open network namespace /run/user/1000/netns/netns-e2cc072d-7de1-22e5-8d7c-6351e59b8308: Permission denied

Describe the results you expected

I expect the user id to be printed: 65534.

podman run --network=none --rm docker.io/alpine:latest id -u nobody and podman run --network=slirp4netns --rm docker.io/alpine:latest id -u nobody work as expected and print the id.

podman info output

host:
  arch: amd64
  buildahVersion: 1.35.4
  cgroupControllers:
  - memory
  - pids
  cgroupManager: cgroupfs
  cgroupVersion: v2
  conmon:
    package: conmon_100:2.1.11-1_amd64
    path: /usr/bin/conmon
    version: 'conmon version 2.1.10, commit: e21e7c85b7637e622f21c57675bf1154fc8b1866'
  cpuUtilization:
    idlePercent: 91.31
    systemPercent: 6.1
    userPercent: 2.59
  cpus: 2
  databaseBackend: boltdb
  distribution:
    codename: bullseye
    distribution: debian
    version: "11"
  eventLogger: file
  freeLocks: 1983
  hostname: hostname
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
  kernel: 5.10.0-29-amd64
  linkmode: dynamic
  logDriver: k8s-file
  memFree: 8008523776
  memTotal: 8314707968
  networkBackend: netavark
  networkBackendInfo:
    backend: netavark
    dns:
      package: Unknown
    package: podman-netavark_100:1.10.3-1_amd64
    path: /usr/libexec/podman/netavark
    version: netavark 1.10.3
  ociRuntime:
    name: crun
    package: crun_100:1.15-1_amd64
    path: /usr/bin/crun
    version: |-
      crun version 1.15
      commit: e6eacaf4034e84185fd8780ac9262bbf57082278
      rundir: /run/user/1000/crun
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +YAJL
  os: linux
  pasta:
    executable: /usr/bin/pasta
    package: passt_100:0.0+20240510.72884484-1_amd64
    version: |
      pasta 0.0+20240510.72884484
      Copyright Red Hat
      GNU General Public License, version 2 or later
        <https://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
      This is free software: you are free to change and redistribute it.
      There is NO WARRANTY, to the extent permitted by law.
  remoteSocket:
    exists: false
    path: /run/user/1000/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_AUDIT_WRITE,CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_MKNOD,CAP_NET_BIND_SERVICE,CAP_NET_RAW,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: true
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: false
  serviceIsRemote: false
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: slirp4netns_100:1.3.1-1_amd64
    version: |-
      slirp4netns version 1.3.1
      commit: unknown
      libslirp: 4.8.0
      SLIRP_CONFIG_VERSION_MAX: 4
      libseccomp: 2.5.1
  swapFree: 1023406080
  swapTotal: 1023406080
  uptime: 0h 0m 24.00s
  variant: ""
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  network:
  - bridge
  - macvlan
  - ipvlan
  volume:
  - local
registries:
  search:
  - docker.io
  - quay.io
store:
  configFile: /home/user/.config/containers/storage.conf
  containerStore:
    number: 48
    paused: 0
    running: 0
    stopped: 48
  graphDriverName: overlay
  graphOptions: {}
  graphRoot: /home/user/.local/share/containers/storage
  graphRootAllocated: 131631591424
  graphRootUsed: 15701336064
  graphStatus:
    Backing Filesystem: extfs
    Native Overlay Diff: "false"
    Supports d_type: "true"
    Supports shifting: "true"
    Supports volatile: "true"
    Using metacopy: "false"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 69
  runRoot: /run/user/1000/containers
  transientStore: false
  volumePath: /home/user/.local/share/containers/storage/volumes
version:
  APIVersion: 5.0.3
  Built: 0
  BuiltTime: Thu Jan  1 01:00:00 1970
  GitCommit: ""
  GoVersion: go1.22.3
  Os: linux
  OsArch: linux/amd64
  Version: 5.0.3

Podman in a container

No

Privileged Or Rootless

Rootless

Upstream Latest Release

Yes

Additional environment details

It is a Debian 11 virtual machine running in VirtualBox:

cat /etc/os-release 
PRETTY_NAME="Debian GNU/Linux 11 (bullseye)"
NAME="Debian GNU/Linux"
VERSION_ID="11"
VERSION="11 (bullseye)"
VERSION_CODENAME=bullseye
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"

It does not work with Debian 12 and the same versions either.

Additional information

No response

@rei-ber rei-ber added the kind/bug Categorizes issue or PR as related to a bug. label May 13, 2024
@Luap99
Member

Luap99 commented May 13, 2024

It is an issue with pasta (passt), most likely apparmor blocking access when you are on debian. You should check the audit.log to confirm. Or disable apparmor.
I don't know how you installed this, as debian stable doesn't ship these updates, but please check the installed apparmor policy.

@Luap99 Luap99 added pasta pasta(1) bugs or features labels May 13, 2024
@rei-ber
Author

rei-ber commented May 13, 2024

It is an issue with pasta (passt), most likely apparmor blocking access when you are on debian. You should check the audit.log to confirm. Or disable apparmor.

Yeah, there is a log in the journal: AVC apparmor="DENIED" operation="open" profile="passt" name="/run/user/1000/netns/netns-fc48cae4-8a15-67d8-f96d-f2e683d49dc5" pid=2292 comm="passt.avx2" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

Thanks. Disabling the passt profile did it: apparmor_parser -R /etc/apparmor.d/usr.bin.passt

Or defining these rules in the usr.bin.passt profile did it as well:

@{run}/user/1000/** wr,
/dev/net/tun wr,

But I am not familiar with apparmor rules, and I don't know if these are the most restricted and minimalist rules?!

I don't know how you installed this, as debian stable doesn't ship these updates, but please check the installed apparmor policy.

They are installed from another repository, which is where these versions come from.
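As an added example (not code from the podman or passt projects), the following POSIX shell script does the check Luap99 suggested and turns an AppArmor denial like the one quoted above into a candidate rule. The script name avc2rule.sh, the sample audit line and the way the path is widened (uid directory and random netns name replaced by wildcards, /run written as the @{run} tunable) are my assumptions. It grants only the mask that was actually denied, so the "r" seen here yields a read-only rule rather than the "wr" rule in the comment, and it omits the owner qualifier because the denial reports fsuid=1000 but ouid=0, a combination an owner rule would not match.

```shell
#!/bin/sh
# avc2rule.sh (assumed name): derive AppArmor file rules from "DENIED" audit lines.
# Added example, not part of podman or passt.
#   journalctl -k | sh avc2rule.sh -     # real denials from the kernel log
#   sh avc2rule.sh                       # runs on the constructed sample below

# Constructed sample, modelled on the denial quoted in the issue.
SAMPLE='audit: type=1400 audit(1715600000.000:123): apparmor="DENIED" operation="open" profile="passt" name="/run/user/1000/netns/netns-fc48cae4-8a15-67d8-f96d-f2e683d49dc5" pid=2292 comm="passt.avx2" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0'

# avc_field LINE KEY: print the value of KEY="value" or KEY=value in LINE.
# The key must be preceded by a space or "(" so "name=" does not match "hostname=".
avc_field() {
    printf '%s\n' "$1" |
        sed -n 's/.*[[:space:](]'"$2"'="\{0,1\}\([^" ]*\)"\{0,1\}.*/\1/p'
}

# avc_owner_ok LINE: succeed only if the accessing fsuid equals the object's
# owner (ouid), i.e. an "owner"-qualified rule would match.  In the issue's
# denial the netns file is root-owned while pasta runs as uid 1000.
avc_owner_ok() {
    [ "$(avc_field "$1" fsuid)" = "$(avc_field "$1" ouid)" ]
}

# avc_generalize PATH: widen one concrete path so the rule is not pinned to
# uid 1000 or to one random netns name (assumed generalization).
avc_generalize() {
    printf '%s\n' "$1" | sed \
        -e 's|^/run/|@{run}/|' \
        -e 's|/user/[0-9][0-9]*/|/user/*/|' \
        -e 's|/netns/netns-[0-9a-f-]*$|/netns/netns-*|'
}

# avc_to_rule LINE: print an AppArmor file rule granting exactly the denied
# mask (r, w or rw); fail for lines that are not DENIED file events.
avc_to_rule() {
    line=$1
    [ "$(avc_field "$line" apparmor)" = "DENIED" ] || return 1
    path=$(avc_field "$line" name)
    [ -n "$path" ] || return 1
    mask=$(avc_field "$line" denied_mask)
    perm=
    case $mask in *r*) perm=r ;; esac
    case $mask in *w*) perm="${perm}w" ;; esac
    [ -n "$perm" ] || return 1
    prefix=
    if avc_owner_ok "$line"; then prefix="owner "; fi
    printf '%s%s %s,\n' "$prefix" "$(avc_generalize "$path")" "$perm"
}

# avc_report: read audit lines on stdin, print "profile<TAB>comm<TAB>rule"
# per denial, deduplicated so a busy log collapses to a few candidate rules.
avc_report() {
    while IFS= read -r l; do
        rule=$(avc_to_rule "$l") || continue
        printf '%s\t%s\t%s\n' "$(avc_field "$l" profile)" "$(avc_field "$l" comm)" "$rule"
    done | sort -u
}

case ${1-} in
    -) avc_report ;;
    *) printf '%s\n' "$SAMPLE" | avc_report ;;
esac
```

On the sample this prints one line, "passt", "passt.avx2" and the rule `@{run}/user/*/netns/netns-* r,`. Treat the output as a starting point rather than a finished policy: add the rule to the profile, reload it with `apparmor_parser -r`, re-run the podman command, and repeat until the log shows no further denials, then compare what you ended up with against the upstream profile Luap99 links below.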

@Luap99
Member

Luap99 commented May 13, 2024

You should check your installed profile. pasta ships a working profile upstream, https://passt.top/passt/tree/contrib/apparmor/usr.bin.pasta, so it is best to use that, and if there are problems with that profile, report them to the pasta maintainers.

@Luap99 Luap99 closed this as not planned (won't fix, can't repro, duplicate, stale) May 13, 2024