Merge ~fermulator/ubuntu/+source/strongswan:allow_charon_apparmor_read_proc_fd_LP_#1786250 into ubuntu/+source/strongswan:ubuntu/devel

Proposed by fermulator
Status: Rejected
Rejected by: Christian Ehrhardt 
Proposed branch: ~fermulator/ubuntu/+source/strongswan:allow_charon_apparmor_read_proc_fd_LP_#1786250
Merge into: ubuntu/+source/strongswan:ubuntu/devel
Diff against target: 15 lines (+4/-0)
1 file modified
debian/usr.lib.ipsec.charon (+4/-0)
Reviewer                               Review Type   Date Requested   Status
Canonical Server packageset reviewers                                 Pending
Canonical Server Team                                                 Pending
Karl Stenerud                                                         Pending
Review via email: mp+353423@code.launchpad.net

Commit message

As per LP #1786250, user noted audit failures in system log
against charon trying to read its own list of file descriptors
in /proc/<pid>/fd/.

We are uncertain when/why this started, however it is not
unreasonable for a process to attempt to read its own fd's,
so allow by extending the apparmor profile for charon.

References:
 - http://manpages.ubuntu.com/manpages/bionic/en/man5/apparmor.d.5.html
 - https://linux.die.net/man/5/proc

Karl Stenerud (kstenerud) wrote :

Thanks for the merge proposal! We're getting started on it but in the meantime, could you help with a couple of things?

1. We are trying to come up with a simple test case, but if you have one already (config files, etc), that would help a lot!

2. Could you add a commit to your branch called "changelog" which adds an entry to debian/changelog? You can make one by running the dch command from the top level of the strongswan repo.

The message part can be something like this:

  * debian/usr.lib.ipsec.charon: allow self to read file descriptors.
    (LP #1786250)

Christian Ehrhardt  (paelzer) wrote :

@Karl - while I have liked it as a teaching case, IMHO you might consider doing the cleanups/rewrites yourself so that this could be resolved before Final Freeze for Cosmic.

Christian Ehrhardt  (paelzer) wrote :

I'll take over the cleaning of this as Karl isn't around for a while

We'd need/prefer a real email for the Author statement.
Since the actual change was suggested by me I'll set myself and attribute the change to you.

Also in the meantime a new version is in Cosmic, we need to rebase and address all Karl mentioned before (e.g. missing Changelog).

There also was a trailing whitespace that needed to be removed.

The updated version is built in PPA: https://launchpad.net/~ci-train-ppa-service/+archive/ubuntu/3437/+packages

Christian Ehrhardt  (paelzer) wrote :
fermulator (fermulator) wrote :

Sorry @paelzer, I had presumed that since the merge was so simple it would just go through without these delays; I wasn't paying attention. (my bad)

Christian Ehrhardt  (paelzer) wrote :

Not your problem at all, we used it as a test for a new team member to review such MPs, but there was a (real world) accident that made this MP get stuck.

Unmerged commits

d0ec74d... by Matt Callaghan <fermulator>

As per LP #1786250, user noted audit failures in system log
against charon trying to read its own list of file descriptors
in /proc/<pid>/fd/.

We are uncertain when/why this started, however it is not
unreasonable for a process to attempt to read its own fd's,
so allow by extending the apparmor profile for charon.

References:
http://manpages.ubuntu.com/manpages/bionic/en/man5/apparmor.d.5.html
https://linux.die.net/man/5/proc

5a19dba... by Christian Ehrhardt 

Import patches-unapplied version 5.6.2-2ubuntu1 to ubuntu/cosmic-proposed

Imported using git-ubuntu import.

Upload parent: 160ffc1245f6373f9875244a91b7a9d8e78d0957

160ffc1... by Christian Ehrhardt 

changelog: DROP: fix dependencies of strongswan-libcharon

Signed-off-by: Christian Ehrhardt <email address hidden>

9e52311... by Christian Ehrhardt 

changelog: allow systemd notifications (LP: #1765652)

Signed-off-by: Christian Ehrhardt <email address hidden>

daeaf83... by Christian Ehrhardt 

  + d/usr.sbin.charon-systemd: allow systemd notifications (LP: #1765652)

Signed-off-by: Christian Ehrhardt <email address hidden>

4ad9501... by Christian Ehrhardt 

changelog: allow to contact mysql for sql and attr-sql plugins (LP: #1766240)

Signed-off-by: Christian Ehrhardt <email address hidden>

b8f8665... by Christian Ehrhardt 

  + d/usr.sbin.charon-systemd: allow to contact mysql for sql and
    attr-sql plugins (LP: #1766240)

Signed-off-by: Christian Ehrhardt <email address hidden>

9f15092... by Christian Ehrhardt 

update-maintainer

fb8fcca... by Christian Ehrhardt 

reconstruct-changelog

cdd1bde... by Christian Ehrhardt 

merge-changelogs

Preview Diff

1diff --git a/debian/usr.lib.ipsec.charon b/debian/usr.lib.ipsec.charon
2index 9e24c74..85b30b4 100644
3--- a/debian/usr.lib.ipsec.charon
4+++ b/debian/usr.lib.ipsec.charon
5@@ -71,6 +71,10 @@
6
7 /var/lib/strongswan/* r,
8
9+ # allow self to read file descriptors (LP #1786250)
10+ # restrict to our own process and ID as per apparmor vars
11+ @{PROC}/@{pid}/fd/ r,
12+
13 # Site-specific additions and overrides. See local/README for details.
14 #include <local/usr.lib.ipsec.charon>
15 }
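Review bot: the comment on line 10 of the hunk ("restrict to our own process and ID as per apparmor vars") overstates what `@{pid}` does: in the stock AppArmor tunables of this era (tunables/kernelvars) `@{pid}` is a glob of digit patterns that matches any numeric pid, not a kernel-supplied variable holding the confined task's own pid, so `@{PROC}/@{pid}/fd/ r,` permits listing the fd directory under any /proc/<pid>/ path, and it is the kernel's own ptrace-access check on /proc, not this rule, that keeps charon from seeing other processes' descriptors. Reword the comment to say the rule matches any pid path (e.g. "# read our fd list; @{pid} matches any pid, /proc access checks still apply"), or drop the "restrict" claim so nobody later relies on it. The rule grants `r` on the directory only, which matches the reported denial (reading the fd list); readlink on the entries would need a separate `@{PROC}/@{pid}/fd/* r,` rule, so note in the commit message that this was deliberately not added. Per the discussion above, the blank `+` line 12 should carry no trailing whitespace.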
