Hello both, thank you for your answers!
Ludovic Courtès <[email protected]> writes:

> Hello!
>
> Reepca Russelstein <[email protected]> skribis:
>
>> That section is nested inside an 'if (useChroot) { ... }', which should
>> be false in the case of builtins. I suspect it's the native-inputs
>> mentioned that are failing to build - that is, it's "vendor" whose build
>> is failing to start, not "wire" directly. "vendor" uses a special
>> origin method, which is why the non-builtin fixed-output machinery kicks
>> in.
>
> Right.
>
>> I assume that "r" is "read" and "w" is "write", so having done no
>> research on this, maybe something like:
>>
>> owner @{PROC}/@{pid}/net/if_inet6 r,
>>
>> could get us past this issue? In general though, it looks like the
>> apparmor profile might not have been designed with slirp4netns in mind
>> (perhaps it predates it?) - here are some filenames that I don't see
>> mentioned in it:
>>
>> /dev/net/tun
>> /proc/sys/net/ipv6/conf/tap0/accept_dad
>> /proc/sys/net/ipv6/conf/tap0/accept_ra
>> /proc/sys/net/ipv4/conf/all/route_localnet
>> /proc/self/mountinfo
>> /proc/self/net/if_inet6
>
> Yes, looks like this should work.
>
> Tomas, could you try to amend the AppArmor profile as suggested and
> report back?

I have tried the owner @{PROC}/@{pid}/net/if_inet6 r, but it did not help. But it was a push in the right direction! The `owner' part was not matching, but once I removed it, it did pass that step. However, many more denies showed up along the way.

To sum it up, below you can find a patch to the guix-daemon profile that allowed me to successfully build the `wire' package (well, more specifically the `vendor' dependency). I had to disable systemd-resolved, but that was probably some gimmick of the VM I am using, and seems unrelated to the apparmor (there were no denies in the log).

--8<---------------cut here---------------start------------->8---
--- /tmp/guix-daemon 2026-06-05 23:55:34.899060823 +0200
+++ /etc/apparmor.d/guix-daemon 2026-06-05 23:54:57.739026227 +0200
@@ -11,7 +11,9 @@ capability sys_admin, capability net_admin, capability sys_chroot, + capability setuid, capability setgid, + capability setpcap, capability chown, network dgram, umount, @@ -19,7 +21,9 @@ pivot_root, # Paths inside build chroot /real-root/ w, - / w, + / rw, + + mqueue getattr type=posix /disconnected/, @{guix_localstatedir}/guix/** rwk, /var/log/guix/** w, @@ -28,17 +32,31 @@ owner @{PROC}/@{pid}/uid_map rw, owner @{PROC}/@{pid}/gid_map rw, owner @{PROC}/@{pid}/setgroups w, + owner @{PROC}/@{pid}/mountinfo r, + @{PROC}/@{pid}/net/if_inet6 r, @{guix_storedir}/ r, @{guix_storedir}/** rwlmk, + @{guix_storedir}/*-slirp4netns-*/bin/slirp4netns ix, @{guix_storedir}/*/bin/guile cx -> guix-builder, @{guix_storedir}/*-guix-command cx -> guix-helper, @{guix_storedir}/*-guix-*/bin/guix cx -> guix-helper, @{etc_rw}/nsswitch.conf r, @{etc_rw}/passwd r, @{etc_rw}/group r, + @{etc_rw}/hosts r, owner /tmp/** rwl, owner /var/tmp/** rwl, + network inet stream, + network inet6 stream, + + /etc/resolv.conf r, + /old/ w, + /dev/net/tun rw, + /proc/sys/net/ipv6/conf/tap0/accept_dad w, + /proc/sys/net/ipv6/conf/tap0/accept_ra w, + /proc/sys/net/ipv4/conf/all/route_localnet w, + /usr/bin/newgidmap Ux, # Site-specific additions and overrides. See local/README for details. --8<---------------cut here---------------end--------------->8---

Should I send the above as a patch or is it too insane? There must be a better way, I would hope?

Tomas

--
There are only two hard things in Computer Science: cache invalidation, naming things and off-by-one errors.
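Review bot: in the first hunk (@@ -11,7 +11,9 @@) the three new lines `+ capability setuid,`, `+ capability setgid,` and `+ capability setpcap,` arrive with no record of which program triggered each denial, so please add a short comment above them in the profile (the file already uses `# ...` comments, e.g. `# Paths inside build chroot`) naming the process that needs them, and double-check that setpcap is really required and not only setuid/setgid: setpcap lets the confined task alter its own capability bounding set, which is a broader grant than the other two and should not be added on the strength of a single denial line without confirming what issued it.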
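Review bot: in the second hunk (@@ -19,7 +21,9 @@) the new `+ mqueue getattr type=posix` rule carries no queue name, so it matches every POSIX message queue rather than the one whose denial was observed; pin it to the logged name if one was logged, and note that mqueue rules are a newer rule class that only an apparmor_parser from the AppArmor 4.0 series understands, so hosts with an older parser will refuse to load the profile once this line is in. It is also placed directly under the `# Paths inside build chroot` comment, which it is not; move it next to the capability/network rules. The `- / w,` to `+ / rw,` change only adds read of the root directory entry itself and is fine if a denial showed it.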
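Review bot: in the third hunk (@@ -28,17 +32,31 @@) the line `+ /usr/bin/newgidmap Ux,` executes a setuid-root helper unconfined (Ux drops AppArmor confinement for the child, only scrubbing its environment), which is the one change here that undoes mediation instead of extending it; prefer a transition to a dedicated profile (`px`/`Px`) or, failing that, a comment explaining why unconfined execution is unavoidable, and say whether newuidmap is deliberately not needed given the existing `owner @{PROC}/@{pid}/uid_map rw,` rule. The rest of the hunk grants `/dev/net/tun rw`, the `tap0` sysctls, `network inet stream`/`network inet6 stream` and `/etc/resolv.conf r` to the guix-daemon profile as a whole, although the only consumer named is slirp4netns, which is started with `ix` and so inherits the daemon profile; a child profile in the style of the existing `cx -> guix-builder` transition for guile would keep the tun device and the network rules off the daemon itself. Two consistency points: `+ /etc/resolv.conf r,` should use `@{etc_rw}` like `+ @{etc_rw}/hosts r,` in the same hunk, and the `/proc/sys/net/...` lines should use `@{PROC}` like the other /proc rules above them; `tap0` is also a hardcoded interface name that breaks as soon as slirp4netns is told to use a different one.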
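The thread's two practical lessons (the `owner` qualifier only matches when the accessing task's fsuid equals the file owner's uid, and each denial maps to one candidate rule) can be checked mechanically against the audit log rather than by trial and error. The following is an added example, not code from the thread or from Guix: it parses `apparmor="DENIED"` records (constructed samples below, with field layout as the kernel logs it) and prints candidate rules, proposing `owner` only when the logged `fsuid` and `ouid` agree.

```python
import re

# Constructed sample audit records (not taken from the thread). The first
# shows the if_inet6 case: fsuid != ouid, so an "owner" rule cannot match.
SAMPLE_LOG = """\
type=AVC msg=audit(1717000000.101:201): apparmor="DENIED" operation="open" class="file" profile="guix-daemon" name="/proc/4242/net/if_inet6" pid=4242 comm="slirp4netns" requested_mask="r" denied_mask="r" fsuid=1001 ouid=0
type=AVC msg=audit(1717000000.102:202): apparmor="DENIED" operation="open" class="file" profile="guix-daemon" name="/proc/4242/mountinfo" pid=4242 comm="slirp4netns" requested_mask="r" denied_mask="r" fsuid=1001 ouid=1001
type=AVC msg=audit(1717000000.103:203): apparmor="DENIED" operation="capable" class="cap" profile="guix-daemon" pid=4242 comm="slirp4netns" capability=7 capname="setuid"
type=AVC msg=audit(1717000000.104:204): apparmor="ALLOWED" operation="open" class="file" profile="guix-daemon" name="/etc/hosts" pid=4242 comm="guix-daemon" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

# key=value or key="quoted value"
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_line(line):
    """Split one audit record into a dict of field -> value (quotes stripped)."""
    return {m.group(1): (m.group(3) if m.group(3) is not None else m.group(4))
            for m in FIELD_RE.finditer(line)}


def suggest_rule(fields):
    """Turn one DENIED record into a candidate profile rule, or None.

    "owner" is proposed only when fsuid == ouid, which is exactly the
    condition AppArmor's owner qualifier tests; that is why the thread's
    first attempt on /proc/<pid>/net/if_inet6 never matched.
    """
    if fields.get("apparmor") != "DENIED":
        return None
    if fields.get("operation") == "capable":
        return f"capability {fields['capname']},"
    path = fields.get("name")
    mask = fields.get("denied_mask") or fields.get("requested_mask")
    if not path or not mask:
        return None
    # Generalise /proc/<pid>/ to the profile variables the file already uses.
    path = re.sub(r"^/proc/\d+/", "@{PROC}/@{pid}/", path)
    qual = "owner " if fields.get("fsuid") == fields.get("ouid") else ""
    return f"{qual}{path} {mask},"


def suggest_rules(log_text):
    """Deduplicated candidate rules for every DENIED record, in log order."""
    rules = []
    for line in log_text.splitlines():
        rule = suggest_rule(parse_line(line))
        if rule and rule not in rules:
            rules.append(rule)
    return rules


if __name__ == "__main__":
    print("\n".join(suggest_rules(SAMPLE_LOG)))
```

The output is a starting point for review, not a profile: each proposed line still has to be judged for scope (a `Ux`, a bare `mqueue` rule or a new capability deserves scrutiny even though a denial "asked" for it).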
