On Wed, 05 Feb 2025 07:40:34 +0000 Prafulla Giri <prafulla.giri(a)protonmail.com> wrote:

> If I may ask, however: could this simply not be dealt with by allowing passt binary access to $XDG_RUNTIME_DIR of the user in the apparmor profile? Forgive me, I am just a novice.

Yes, that's a workaround. But the rationale for the current mechanism based on a passt 'abstraction' is that if libvirtd starts passt, then those /var/run/... paths are needed for the socket, and otherwise not. Only the libvirt profile "knows" about that. That's why it's in the libvirt profile. But the libvirt profile is not associated to the process, oops.

> But from my lack-of-understanding this issue looks like an issue of passt process not being able to create a socket inside a libvirt-maintained directory inside /run/user/$UID and that is why disabling the apparmor profile for passt seems to work around this (?) Are there security concerns with this? Only asking out of curiosity.

Your understanding is correct. We're just trying to make things as strict as possible, and depending on specific paths. We'll probably need to make them a bit looser for the moment being and perhaps just allow passt, no matter who starts it, to write to /var/run/**.

-- 
Stefano
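The point Stefano makes above (the rule lives in the libvirt profile, but the denial is raised against the profile attached to the passt process) can be confirmed from the audit log before loosening anything. The following is an added example, not code from the thread or from the passt or libvirt projects: it parses AppArmor audit records, keeps the DENIED ones that touch a path under /run/user/<uid>/, and reports which profile the kernel actually enforced. The three log lines are constructed for this example (their layout follows the kernel's apparmor="DENIED" audit record format, with a made-up socket name), and the rule text returned by suggest_rule() is this example's own choice of a narrow path rule, not something the thread proposes.

```python
import re

# Constructed sample audit lines (not from the thread). Line 1 is the case
# discussed above: passt, confined by the "passt" profile, cannot create its
# socket under the user's libvirt runtime directory.
SAMPLE_LOG = """\
audit: type=1400 audit(1738742434.123:501): apparmor="DENIED" operation="mknod" profile="passt" name="/run/user/1000/libvirt/qemu/run/passt/1-example.socket" pid=4242 comm="passt" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
audit: type=1400 audit(1738742434.125:502): apparmor="DENIED" operation="open" profile="passt" name="/etc/ssl/certs/ca-certificates.crt" pid=4242 comm="passt" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
audit: type=1400 audit(1738742434.130:503): apparmor="ALLOWED" operation="open" profile="libvirtd" name="/run/user/1000/libvirt/qemu/run/passt/" pid=4100 comm="libvirtd" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
"""

# key="value" pairs as emitted by the AppArmor audit subsystem
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')
# /run/user/<uid>/ and its /var/run alias (a symlink on most distributions)
RUNTIME_DIR_RE = re.compile(r'^/(?:var/)?run/user/\d+/')


def parse_denials(log_text):
    """Return one dict per apparmor="DENIED" record, keyed by field name."""
    denials = []
    for line in log_text.splitlines():
        fields = dict(FIELD_RE.findall(line))
        if fields.get("apparmor") != "DENIED":
            continue
        denials.append(fields)
    return denials


def runtime_dir_denials(log_text):
    """Denials where a confined process tried to write or create something
    under /run/user/<uid>/.

    Returns (profile, operation, path, denied_mask) tuples. The profile field
    is the profile attached to the denied process, i.e. the one that needs a
    rule: a rule present in libvirt's profile does not apply to a process
    confined by the passt profile.
    """
    hits = []
    for d in parse_denials(log_text):
        path = d.get("name", "")
        if not RUNTIME_DIR_RE.match(path):
            continue
        if not set(d.get("denied_mask", "")) & set("wc"):
            continue
        hits.append((d["profile"], d["operation"], path, d["denied_mask"]))
    return hits


def suggest_rule(path):
    """Narrow AppArmor path rule covering a denied path under /run/user/<uid>/.

    Prefers the libvirt subtree when the denied path is inside it and only
    falls back to the whole runtime directory otherwise. The exact rule is an
    assumption of this example, chosen to stay tighter than /var/run/**.
    """
    m = re.match(r"^/(?:var/)?run/user/\d+/(libvirt/)?", path)
    if not m:
        return None
    sub = "libvirt/**" if m.group(1) else "**"
    return f"owner /run/user/[0-9]*/{sub} rw,"


if __name__ == "__main__":
    for profile, op, path, mask in runtime_dir_denials(SAMPLE_LOG):
        print(f"profile={profile} op={op} mask={mask} path={path}")
        print(f"  candidate rule for the '{profile}' profile: {suggest_rule(path)}")
```

On a real host the input would be the output of journalctl -k or /var/log/audit/audit.log rather than SAMPLE_LOG; the owner keyword keeps the rule from granting write access to other users' runtime directories, which is the kind of tightening the thread is trying to preserve.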