Hello,

I hit another problem with the AppArmor profile we use for the
unprivileged daemon:

--8<---------------cut here---------------start------------->8---
The following derivations will be built:
  /gnu/store/wqi1n9v5gc01a0nqp9xfijjy3l9sda3d-vendor.drv
  /gnu/store/5nkyshbp82vyb425cbmh79qwvqpxfddj-wire-1.1.0.drv
error (ignored): getting status of 
`/gnu/store/wqi1n9v5gc01a0nqp9xfijjy3l9sda3d-vendor.drv.chroot': No such file 
or directory
guix build: error: reading file `/proc/net/if_inet6': Permission denied
--8<---------------cut here---------------end--------------->8---

Disabling apparmor makes the package compile fine.

This can be reproduced using the following channels and package.  The
relevant part of the package is just the native-inputs, but I am pasting
all of it here for completeness.

--8<---------------cut here---------------start------------->8---
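;; Channel specification that pins both channels to exact commits, so the
;; failing build can be reproduced against the same package definitions.
;; Each channel carries an introduction: a commit plus the OpenPGP
;; fingerprint of the key that signed it, which `guix pull' uses as the
;; starting point for authenticating the channel's history.
;;
;; The stray `;' that the mail archive appended after each URL string is
;; removed here; in Scheme it starts a comment and would swallow the closing
;; parenthesis of the `url' field.
;;
;; NOTE(review): both channels are fetched from git.wolfsden.cz.  Whether
;; that tree differs from upstream in ways relevant to the daemon or its
;; AppArmor profile cannot be told from this message -- confirm.
(list (channel
       (name 'guix)
       (url "https://git.wolfsden.cz/.git/guix")
       (branch "master")
       (commit "3ed747174f9963b1f778e02a6eb95549cd7e3f1b")
       (introduction
        (make-channel-introduction
         "9edb3f66fd807b096b48283debdcddccfea34bad"
         (openpgp-fingerprint
          "BBB0 2DDF 2CEA F6A8 0D1D  E643 A2A0 6DF2 A33A 54FA"))))
      (channel
       (name 'nonguix)
       (url "https://git.wolfsden.cz/.git/nonguix")
       (branch "master")
       (commit "eb6c046bb36efae15d61caacc8f4050bfaddde5c")
       (introduction
        (make-channel-introduction
         "897c1a470da759236cc11798f4e0a5f7d4d59fbc"
         (openpgp-fingerprint
          "2A39 3FFF 68F4 EF7A 3D29  12AF 6F51 20A0 22FB B2D5")))))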
--8<---------------cut here---------------end--------------->8---

--8<---------------cut here---------------start------------->8---
(use-modules (gnu packages golang)
             (guix build-system go)
             (guix git-download)
             (guix gexp)
             ((guix licenses) #:prefix license:)
             (guix packages)
             ((nonguix download) #:select (go-mod-vendor)))

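;; Go toolchain shared by the build system (#:go below) and by the
;; `go-mod-vendor' origin in native-inputs, so both use the same version.
(define %go go-1.26)

;; Reproducer package for the AppArmor denial reported in this message.
;; The stray `;' that the mail archive appended after the URL strings
;; (git-reference url and home-page) is removed; in Scheme it starts a
;; comment and would swallow the closing parenthesis.
(package
  (name "wire")
  (version "1.1.0")
  (source (origin
            (method git-fetch)
            (uri (git-reference
                   (url "https://github.com/goforj/wire")
                   (commit (string-append "v" version))))
            (sha256
             (base32
              "0w7y240ahdglc6byn6s1vz16154ahc65002n64l9611aay3dp6ss"))))
  (build-system go-build-system)
  (arguments
   (list
    #:go %go
    #:unpack-path "github.com/goforj/wire"
    #:import-path "github.com/goforj/wire/cmd/wire"
    #:install-source? #f
    #:test-subdirs #~'("../../...")
    #:phases
    #~(modify-phases %standard-phases
        ;; Copy the pre-fetched "vendor" native input into the unpacked
        ;; source tree as src/<unpack-path>/vendor.
        (add-after 'unpack 'vendor
          (lambda* (#:key unpack-path #:allow-other-keys)
            (copy-recursively #+(this-package-native-input "vendor")
                              (string-append "src/" unpack-path "/vendor"))))
        (add-before 'check 'enable-modules
          (lambda* (#:key unpack-path #:allow-other-keys)
            ;; Some tests need modules support.  Patch the four test files
            ;; listed below so that the environment they build also carries
            ;; GO111MODULE=on, appended after the existing GOWORK=off entry.
            (substitute* (map (lambda (file)
                                (string-append "src/" unpack-path "/" file))
                              '("internal/wire/cache_test.go"
                                "internal/wire/generate_package_test.go"
                                "internal/wire/loader_test.go"
                                "internal/wire/parser_lazy_loader_test.go"))
              (("env := append\\(os\\.Environ\\(), \"GOWORK=off\")" all)
               (string-append
                all "; env = append(env, \"GO111MODULE=on\")"))))))))
  ;; This origin is the part the report singles out as relevant.  Its
  ;; file-name "vendor" matches the `...-vendor.drv' derivation named in the
  ;; build output just before the `/proc/net/if_inet6' error.  The sha256
  ;; pins the content of the vendored module tree.
  ;; NOTE(review): presumably `go-mod-vendor' yields a fixed-output
  ;; derivation that is given network access to download Go modules, which
  ;; would explain why the network-related /proc file is read for this
  ;; build only -- verify against (nonguix download) and the daemon.
  (native-inputs
   (list (origin
           (method (go-mod-vendor #:go %go))
           (uri (package-source this-package))
           (file-name "vendor")
           (sha256
            (base32
             "11gdfa55qa2yyk37abr0akcc6fks7zxgkj982xlpwr86y992bk0m")))))
  (home-page "https://github.com/goforj/wire")
  (synopsis "Compile-time Dependency Injection for Go")
  (description
   "Wire is a code generation tool that automates connecting components using
dependency injection.  Dependencies between components are represented in Wire
as function parameters, encouraging explicit initialization instead of global
variables.  Because Wire operates without runtime state or reflection, code
written to be used with Wire is useful even for hand-written initialization.")
  (license license:asl2.0))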
--8<---------------cut here---------------end--------------->8---

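The following denial is logged to journald.  Note that the denied path is
the guix-daemon process's own /proc entry (the pid in the path matches the
pid= field) and that only read access was requested: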

--8<---------------cut here---------------start------------->8---
May 06 02:59:56 HOST kernel: audit: type=1400 audit(1778029196.515:366): 
apparmor="DENIED" operation="open" profile="guix-daemon" 
name="/proc/2125022/net/if_inet6" pid=2125022 comm="guix-daemon" 
requested_mask="r" denied_mask="r" fsuid=997 ouid=0
--8<---------------cut here---------------end--------------->8---

Tomas

-- 
There are only two hard things in Computer Science:
cache invalidation, naming things and off-by-one errors.


