Merge ~paelzer/ubuntu/+source/strongswan:merge-disco-5.7.1-1-ubuntu2 into ubuntu/+source/strongswan:ubuntu/disco-devel

Proposed by Christian Ehrhardt 
Status: Merged
Merge reported by: Christian Ehrhardt 
Merged at revision: 891ab057597eb2f27dbc7328e009f8179a1f0465
Proposed branch: ~paelzer/ubuntu/+source/strongswan:merge-disco-5.7.1-1-ubuntu2
Merge into: ubuntu/+source/strongswan:ubuntu/disco-devel
Diff against target: 81 lines (+26/-2)
4 files modified
debian/changelog (+10/-0)
debian/usr.lib.ipsec.charon (+7/-0)
debian/usr.sbin.charon-systemd (+6/-2)
debian/usr.sbin.swanctl (+3/-0)
Reviewer Review Type Date Requested Status
Andreas Hasenack Approve
Canonical Server packageset reviewers Pending
git-ubuntu developers Pending
Review via email: mp+360447@code.launchpad.net
Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

This is a follow-up to the merge, so I reused the Bileto ticket.
=> https://bileto.ubuntu.com/#/ticket/3550

PPA refreshed at: https://launchpad.net/~ci-train-ppa-service/+archive/ubuntu/3550

Tests will be triggered once built.

Revision history for this message
Karl Stenerud (kstenerud) wrote :

Structure looks good. I don't know enough about charon to comment on the contents.

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

I'm having some difficulties reproducing the bug in disco. Let's chat tomorrow.

review: Needs Information
Revision history for this message
Andreas Hasenack (ahasenack) wrote :

I'm getting this message when calling "swanctl" (no parameters):
[ 265.803822] audit: type=1400 audit(1544532219.932:34): apparmor="DENIED" operation="create" profile="/usr/sbin/swanctl" pid=1511 comm="swanctl" family="alg" sock_type="seqpacket" protocol=0 requested_mask="create" denied_mask="create"

Should that be addressed separately? A quick search didn't return results, so it might be really new.
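The denial quoted above is the kind of record that gets turned into a profile rule by hand during this kind of merge. The following is an added example (not code from this merge proposal or from strongswan) that parses AppArmor `type=1400` audit records and proposes the corresponding rule; the second sample record is constructed to show the `/proc/<pid>/net` case, and `parse_audit`, `generalize_path`, `suggest_rule` and `suggestions` are names chosen here.

```python
import re

# Constructed sample records: the first is the swanctl denial quoted in the review
# above; the second is constructed to mirror a /proc/net/ipt_CLUSTERIP denial.
SAMPLE_LINES = [
    '[ 265.803822] audit: type=1400 audit(1544532219.932:34): apparmor="DENIED" '
    'operation="create" profile="/usr/sbin/swanctl" pid=1511 comm="swanctl" '
    'family="alg" sock_type="seqpacket" protocol=0 requested_mask="create" '
    'denied_mask="create"',
    'audit: type=1400 audit(1544532300.101:35): apparmor="DENIED" operation="open" '
    'profile="/usr/lib/ipsec/charon" name="/proc/1234/net/ipt_CLUSTERIP/" '
    'pid=1234 comm="charon" requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
]

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_audit(line):
    """Split one AppArmor audit record into its key=value fields (quotes stripped)."""
    return {key: raw.strip('"') for key, raw in FIELD_RE.findall(line)}

def generalize_path(name, pid):
    """Rewrite /proc/<own pid>/... to @{PROC}/@{pid}/..., as the CLUSTERIP rules in
    this merge do, so the rule follows the confined process instead of one pid."""
    prefix = f"/proc/{pid}/"
    if name.startswith(prefix):
        return "@{PROC}/@{pid}/" + name[len(prefix):]
    return name

def suggest_rule(fields):
    """Return the profile rule that would permit a DENIED record, or None."""
    if fields.get("apparmor") != "DENIED":
        return None
    if "family" in fields:  # socket denial -> 'network <family> [<type>],'
        sock_type = fields.get("sock_type", "")
        return f'network {fields["family"]} {sock_type}'.rstrip() + ","
    if "name" in fields:  # file denial -> path rule carrying the denied mask
        mask = fields.get("denied_mask") or fields.get("requested_mask", "r")
        return f'{generalize_path(fields["name"], fields.get("pid", ""))} {mask},'

def suggestions(lines):
    """Group suggested rules by confined profile so each can be reviewed in place."""
    out = {}
    for line in lines:
        fields = parse_audit(line)
        rule = suggest_rule(fields)
        if rule:
            out.setdefault(fields.get("profile", "?"), []).append(rule)
    return out
```

For maintained profiles, aa-logprof does this from the audit log with far more context; the point here is only to show how a denial maps onto the rule shape used in the diff below.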

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

charon-systemd includes a mysql abstraction, do we need that in the other charon profile too?
-/usr/lib/ipsec/charon flags=(attach_disconnected) {
+/usr/sbin/charon-systemd flags=(complain,attach_disconnected) {
   #include <abstractions/base>
   #include <abstractions/nameservice>
   #include <abstractions/authentication>
   #include <abstractions/openssl>
   #include <abstractions/p11-kit>
+ #include <abstractions/mysql>

   capability ipc_lock,
   capability net_admin,

review: Needs Information
Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

Moved mysql as well, thanks

I can confirm the swanctl deny, will take a look

Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

Both updates pushed to the branch in review here.
New bug for swanctl opened and linked here.
New upload in the Bileto PPA.

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

Tested with the new packages, all good.

+1 provided the bileto dep8 tests don't show new issues

review: Approve
Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

Build is fine.
(re)Tests are fine.

Tagged and uploaded.

Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

Is in -proposed, set merged state

Preview Diff

1diff --git a/debian/changelog b/debian/changelog
2index 5b4dd6e..cc5f18e 100644
3--- a/debian/changelog
4+++ b/debian/changelog
5@@ -1,3 +1,13 @@
6+strongswan (5.7.1-1ubuntu2) disco; urgency=medium
7+
8+ * d/usr.sbin.charon-systemd: fix rule for CLUSTERIP to match effective
9+ path (LP: #1773956)
10+ * d/usr.lib.ipsec.charon, d/usr.sbin.charon-systemd: resync apparmor
11+ profiles of both ways to start charon (LP: #1807664)
12+ * d/usr.sbin.swanctl: add apparmor rule for af-alg plugin (LP: #1807962)
13+
14+ -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Mon, 10 Dec 2018 08:30:01 +0100
15+
16 strongswan (5.7.1-1ubuntu1) disco; urgency=medium
17
18 * Merge with Debian unstable (LP: #1806401). Remaining changes:
19diff --git a/debian/usr.lib.ipsec.charon b/debian/usr.lib.ipsec.charon
20index d847f62..7159586 100644
21--- a/debian/usr.lib.ipsec.charon
22+++ b/debian/usr.lib.ipsec.charon
23@@ -19,6 +19,7 @@
24 #include <abstractions/authentication>
25 #include <abstractions/openssl>
26 #include <abstractions/p11-kit>
27+ #include <abstractions/mysql>
28
29 capability ipc_lock,
30 capability net_admin,
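Review bot: `#include <abstractions/mysql>` is added with no comment saying which plugin needs it, whereas the other additions in this profile cite the plugin or bug they serve (LP #1786250, LP: #1773956). The abstraction widens the profile for every installation, including those that never load the mysql plugin, so a one-line comment next to it (e.g. `# for the mysql plugin, kept in sync with usr.sbin.charon-systemd`) would record why the non-systemd charon carries it and make the next resync easier.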
31@@ -68,10 +69,16 @@
32
33 /var/lib/strongswan/* r,
34
35+ /{,var/}run/systemd/notify w,
36+
37 # allow self to read file descriptors (LP #1786250)
38 # restrict to our own process-ID as per apparmor vars
39 @{PROC}/@{pid}/fd/ r,
40
41+ # for using the ha plugin (LP: #1773956)
42+ @{PROC}/@{pid}/net/ipt_CLUSTERIP/ r,
43+ @{PROC}/@{pid}/net/ipt_CLUSTERIP/* rw,
44+
45 # Site-specific additions and overrides. See local/README for details.
46 #include <local/usr.lib.ipsec.charon>
47 }
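Review bot: `/{,var/}run/systemd/notify w,` is the one addition in this hunk without a comment; the CLUSTERIP rules right below it carry `# for using the ha plugin (LP: #1773956)`. Since this profile covers charon started through /usr/lib/ipsec/charon rather than charon-systemd, a short comment stating whether the write to the notify socket is actually needed here or is only carried over for parity with usr.sbin.charon-systemd would stop a later resync from silently keeping or dropping it.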
48diff --git a/debian/usr.sbin.charon-systemd b/debian/usr.sbin.charon-systemd
49index b40fa67..1f67510 100644
50--- a/debian/usr.sbin.charon-systemd
51+++ b/debian/usr.sbin.charon-systemd
52@@ -71,9 +71,13 @@
53
54 /{,var/}run/systemd/notify w,
55
56+ # allow self to read file descriptors (LP #1786250)
57+ # restrict to our own process-ID as per apparmor vars
58+ @{PROC}/@{pid}/fd/ r,
59+
60 # for using the ha plugin (LP: #1773956)
61- @{PROC}/net/ipt_CLUSTERIP/ r,
62- @{PROC}/net/ipt_CLUSTERIP/* rw,
63+ @{PROC}/@{pid}/net/ipt_CLUSTERIP/ r,
64+ @{PROC}/@{pid}/net/ipt_CLUSTERIP/* rw,
65
66 # Site-specific additions and overrides. See local/README for details.
67 #include <local/usr.sbin.charon-systemd>
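Review bot: the CLUSTERIP change is the right fix: /proc/net is a symlink to /proc/self/net, so the path AppArmor mediates is /proc/<pid>/net/ipt_CLUSTERIP/..., which the old `@{PROC}/net/...` lines never matched, while `@{PROC}/@{pid}/net/...` matches it and keeps the grant scoped to charon's own process. One nit in the copied fd/ block: `# allow self to read file descriptors (LP #1786250)` writes the bug reference without a colon while the next comment writes `(LP: #1773956)`; pick one form so the references grep consistently across both profiles.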
68diff --git a/debian/usr.sbin.swanctl b/debian/usr.sbin.swanctl
69index 627f5c0..0ae7752 100644
70--- a/debian/usr.sbin.swanctl
71+++ b/debian/usr.sbin.swanctl
72@@ -21,6 +21,9 @@
73 # Allow communication with VICI plugin UNIX domain socket
74 /run/charon.vici rw,
75
76+ # for af-alg plugin
77+ network alg seqpacket,
78+
79 # As of 5.5.2, swanctl unnecessarily loads plugins by default, even though no
80 # plugins are actually used by swanctl. The following can be removed if
81 # plugin loading is disabled.
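Review bot: `network alg seqpacket,` matches the quoted denial (family="alg" sock_type="seqpacket") and is the minimal grant, letting swanctl open AF_ALG sockets to the kernel crypto API and nothing in any other family. Two suggestions: cite the bug in the comment as the charon profiles do (`# for af-alg plugin (LP: #1807962)`), and place the rule after the comment that follows it rather than before, since it is only needed because swanctl loads plugins it does not use and should disappear together with that block if plugin loading is disabled.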
