← Back to team overview

group.of.nepali.translators team mailing list archive

[Bug 1587886] Re: strongswan ipsec status issue with apparmor

 

Thanks, setting verification done.

** Tags removed: verification-needed
** Tags added: verification-done

** Also affects: strongswan (Ubuntu Yakkety)
   Importance: Undecided
       Status: New

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1587886

Title:
  strongswan ipsec status issue with apparmor

Status in One Hundred Papercuts:
  Triaged
Status in strongswan package in Ubuntu:
  Fix Released
Status in strongswan source package in Xenial:
  Fix Committed
Status in strongswan source package in Yakkety:
  New

Bug description:
  [Impact]

   * Certain strongswan based vpn setups fail, especially those based on 
     network-manager-l2tp or neutron-vpn-netns-wrapper

   * The fix is opening up the apparmor profile slightly for charon and 
     stroke where paths are disconnected

  [Test Case]

   * valid VPN setup with network-manager-l2tp, then running "sudo ipsec
  status"

   or

   * valid neutron-vpn setup and then
      # mkdir /tmp/test
      # ip netns add testns
      # ip netns exec testns neutron-vpn-netns-wrapper --mount_paths "/var/run:/tmp/test" --cmd "ipsec,status"

    In both cases the command fails as it can't reach charon log.

  [Regression Potential]

   * Since the profile for strongswan is opened up a bit (and not more 
     restricted) the regression potential for strongswan should be minimal.

   * Yet OTOH due to the change there is a slightly higher security risk 
     now. That said the case seems to be exactly what the feature was 
     designed for [1] and there are several other packages holding a similar 
     flag.

    [1]:
  http://wiki.apparmor.net/index.php/ReleaseNotes_2_5#path_name_lookup_and_mediation_of

  [Other Info]
   
   * The part of the "valid VPN setup" both Test cases would need some more 
     input by the reporters if possible - to easen testing (see comments 
     #5+#6 and #28+#29 for the current status on tests).

   * Unless this is done we have to rely more than usual on the reporters to 
     verify this.


  $ lsb_release -rd
  Description:	Ubuntu 16.04 LTS
  Release:	16.04

  $ apt-cache policy strongswan
  strongswan:
    Installed: 5.3.5-1ubuntu3
    Candidate: 5.3.5-1ubuntu3
    Version table:
   *** 5.3.5-1ubuntu3 500
          500 http://au.archive.ubuntu.com/ubuntu xenial/main amd64 Packages
          500 http://au.archive.ubuntu.com/ubuntu xenial/main i386 Packages
          100 /var/lib/dpkg/status

  Looks like 'ipsec status' might be causing strongswan's charon to
  write to run/systemd/journal/dev-log instead of /run/systemd/journal
  /dev-log and apparmor doesn't like it.

  Extract from /etc/apparmor.d/abstractions/base :
    /{,var/}run/systemd/journal/dev-log w,

  With an established ipsec connection, issue the following :

  $ sudo ipsec status
  connecting to 'unix:///var/run/charon.ctl' failed: Permission denied
  failed to connect to stroke socket 'unix:///var/run/charon.ctl'

  $ journalctl
  ...
  Jun 01 12:15:07 ThinkCentre-M900 kernel: audit: type=1400 audit(1464785297.366:491): apparmor="DENIED" operation="connect" info="Failed name lookup - disconnected path" error=-13 profile="/usr/lib/ipsec/charon" name="run/systemd/journal/dev-log" pid=4994 comm="charon" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
  ...

  ProblemType: Bug
  DistroRelease: Ubuntu 16.04
  Package: strongswan 5.3.5-1ubuntu3
  ProcVersionSignature: Ubuntu 4.4.0-22.40-generic 4.4.8
  Uname: Linux 4.4.0-22-generic x86_64
  NonfreeKernelModules: wl
  ApportVersion: 2.20.1-0ubuntu2.1
  Architecture: amd64
  CurrentDesktop: Unity
  Date: Wed Jun  1 23:06:53 2016
  InstallationDate: Installed on 2016-05-11 (21 days ago)
  InstallationMedia: Ubuntu 16.04 LTS "Xenial Xerus" - Release amd64 (20160420.1)
  PackageArchitecture: all
  SourcePackage: strongswan
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/hundredpapercuts/+bug/1587886/+subscriptions