apparmor: Allow reading TCP RTO sysctl parameters

Since commits 3dde0e07804e ("tcp: Update data retransmission timeout")
and 1a834879a2f7 ("tcp: Clamp the retry timeout") from 2025-12-02,
passt reads additional TCP-related sysctl parameters from /proc to
configure retransmission timeout behavior:

  - /proc/sys/net/ipv4/tcp_syn_retries
  - /proc/sys/net/ipv4/tcp_syn_linear_timeouts
  - /proc/sys/net/ipv4/tcp_rto_max_ms

These are read by tcp_get_rto_params() during initialization. Adjust the
AppArmor profile accordingly.

Link: https://bugzilla.redhat.com/show_bug.cgi?id=2426863
Link: https://github.com/cockpit-project/bots/pull/8568
Fixes: 3dde0e07804e ("tcp: Update data retransmission timeout")
Fixes: 1a834879a2f7 ("tcp: Clamp the retry timeout")
Signed-off-by: Martin Pitt <mpitt@redhat.com>
[sbrivio: Minor formatting change, changed commit references]
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>

1 files changed, 4 insertions, 0 deletions

diff --git a/contrib/apparmor/abstractions/passt b/contrib/apparmor/abstractions/passt
index 43fd63f..25b2ea8 100644
--- a/contrib/apparmor/abstractions/passt
+++ b/contrib/apparmor/abstractions/passt
@@ -36,6 +36,10 @@
 
   @{PROC}/sys/net/ipv4/ip_local_port_range r,	# fwd_probe_ephemeral()
 
+  @{PROC}/sys/net/ipv4/tcp_syn_retries r,	# tcp_get_rto_params(), tcp.c
+  @{PROC}/sys/net/ipv4/tcp_syn_linear_timeouts r,
+  @{PROC}/sys/net/ipv4/tcp_rto_max_ms r,
+
   network netlink raw,				# nl_sock_init_do(), netlink.c
 
   network inet stream,				# tcp.c