Merge ~paelzer/ubuntu/+source/strongswan:merge-disco-5.7.1-1-ubuntu2 into ubuntu/+source/strongswan:ubuntu/disco-devel

Proposed by Christian Ehrhardt 
Status: Merged
Merge reported by: Christian Ehrhardt 
Merged at revision: 891ab057597eb2f27dbc7328e009f8179a1f0465
Proposed branch: ~paelzer/ubuntu/+source/strongswan:merge-disco-5.7.1-1-ubuntu2
Merge into: ubuntu/+source/strongswan:ubuntu/disco-devel
Diff against target: 81 lines (+26/-2)
4 files modified
debian/changelog (+10/-0)
debian/usr.lib.ipsec.charon (+7/-0)
debian/usr.sbin.charon-systemd (+6/-2)
debian/usr.sbin.swanctl (+3/-0)
Reviewer Review Type Date Requested Status
Andreas Hasenack Approve
Canonical Server packageset reviewers Pending
git-ubuntu developers Pending
Review via email: mp+360447@code.launchpad.net
Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

This is a follow up to the merge, so I reused the Bileto ticket.
=> https://bileto.ubuntu.com/#/ticket/3550

PPA refreshed at: https://launchpad.net/~ci-train-ppa-service/+archive/ubuntu/3550

Tests will be triggered once built.

Revision history for this message
Karl Stenerud (kstenerud) wrote :

Structure looks good. I don't know enough about charon to comment on the contents.

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

I'm having some difficulties reproducing the bug in disco. Let's chat tomorrow.

review: Needs Information
Revision history for this message
Andreas Hasenack (ahasenack) wrote :

I'm getting this message when calling "swanctl" (no parameters):
[ 265.803822] audit: type=1400 audit(1544532219.932:34): apparmor="DENIED" operation="create" profile="/usr/sbin/swanctl" pid=1511 comm="swanctl" family="alg" sock_type="seqpacket" protocol=0 requested_mask="create" denied_mask="create"

Should that be addressed separately? A quick search didn't return results, so it might be really new.

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

charon-systemd includes a mysql abstraction, do we need that in the other charon profile too?
-/usr/lib/ipsec/charon flags=(attach_disconnected) {
+/usr/sbin/charon-systemd flags=(complain,attach_disconnected) {
   #include <abstractions/base>
   #include <abstractions/nameservice>
   #include <abstractions/authentication>
   #include <abstractions/openssl>
   #include <abstractions/p11-kit>
+ #include <abstractions/mysql>

   capability ipc_lock,
   capability net_admin,

review: Needs Information
Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

Moved mysql as well, thanks

I can confirm the swanctl deny, will take a look

Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

Both updates pushed to the branch in review here.
New bug for swanctl opened and linked here.
New upload in the Bileto PPA.

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

Tested with the new packages, all good.

+1 provided the bileto dep8 tests don't show new issues

review: Approve
Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

Build is fine.
(re)Tests are fine.

Tagged and uploaded.

Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

Is in -proposed, set merged state

Preview Diff

diff --git a/debian/changelog b/debian/changelog
index 5b4dd6e..cc5f18e 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,13 @@
1strongswan (5.7.1-1ubuntu2) disco; urgency=medium
2
3 * d/usr.sbin.charon-systemd: fix rule for CLUSTERIP to match effective
4 path (LP: #1773956)
5 * d/usr.lib.ipsec.charon, d/usr.sbin.charon-systemd: resync apparmor
6 profiles of both ways to start charon (LP: #1807664)
7 * d/usr.sbin.swanctl: add apparmor rule for af-alg plugin (LP: #1807962)
8
9 -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Mon, 10 Dec 2018 08:30:01 +0100
10
1strongswan (5.7.1-1ubuntu1) disco; urgency=medium11strongswan (5.7.1-1ubuntu1) disco; urgency=medium
212
3 * Merge with Debian unstable (LP: #1806401). Remaining changes:13 * Merge with Debian unstable (LP: #1806401). Remaining changes:
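Review bot: the LP: #1807664 entry describes the change as a "resync" of the two profiles, but the hunks below only add rules (the mysql abstraction, the systemd notify socket and the CLUSTERIP entries to usr.lib.ipsec.charon; the fd/ read to usr.sbin.charon-systemd) and remove nothing, so "add the rules each profile was missing" would describe it more precisely. It would also help future readers to note in the LP: #1807962 entry that the swanctl rule is only required because swanctl loads plugins it does not use, which the profile's own comment already states.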
diff --git a/debian/usr.lib.ipsec.charon b/debian/usr.lib.ipsec.charon
index d847f62..7159586 100644
--- a/debian/usr.lib.ipsec.charon
+++ b/debian/usr.lib.ipsec.charon
@@ -19,6 +19,7 @@
19 #include <abstractions/authentication>19 #include <abstractions/authentication>
20 #include <abstractions/openssl>20 #include <abstractions/openssl>
21 #include <abstractions/p11-kit>21 #include <abstractions/p11-kit>
22 #include <abstractions/mysql>
2223
23 capability ipc_lock,24 capability ipc_lock,
24 capability net_admin,25 capability net_admin,
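Review bot: unlike usr.sbin.charon-systemd, whose header is `/usr/sbin/charon-systemd flags=(complain,attach_disconnected)` per the fragment quoted in the review comments, this profile is enforcing (`/usr/lib/ipsec/charon flags=(attach_disconnected)`), so `#include <abstractions/mysql>` widens an enforcing profile immediately rather than only silencing complain-mode noise. That is the right call here because both start paths run the same charon with the same plugin set, but a short comment beside the include (for example `# for the mysql plugin`, in the style of `# for af-alg plugin` in the swanctl profile) would record why it is present, since nothing else in the profile mentions mysql.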
@@ -68,10 +69,16 @@
6869
69 /var/lib/strongswan/* r,70 /var/lib/strongswan/* r,
7071
72 /{,var/}run/systemd/notify w,
73
71 # allow self to read file descriptors (LP #1786250)74 # allow self to read file descriptors (LP #1786250)
72 # restrict to our own process-ID as per apparmor vars75 # restrict to our own process-ID as per apparmor vars
73 @{PROC}/@{pid}/fd/ r,76 @{PROC}/@{pid}/fd/ r,
7477
78 # for using the ha plugin (LP: #1773956)
79 @{PROC}/@{pid}/net/ipt_CLUSTERIP/ r,
80 @{PROC}/@{pid}/net/ipt_CLUSTERIP/* rw,
81
75 # Site-specific additions and overrides. See local/README for details.82 # Site-specific additions and overrides. See local/README for details.
76 #include <local/usr.lib.ipsec.charon>83 #include <local/usr.lib.ipsec.charon>
77}84}
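Review bot: the new `/{,var/}run/systemd/notify w,` rule at the top of this hunk only does anything when charon is started as a systemd notify-type service; /usr/lib/ipsec/charon is normally forked by the starter, so please confirm that start path actually calls sd_notify rather than the rule being carried over from charon-systemd for symmetry (a write-only rule to the notify socket is low risk either way, but dead rules make the next resync harder to reason about). The CLUSTERIP rules are correct in the `@{PROC}/@{pid}/net/ipt_CLUSTERIP/` form: /proc/net is a symlink to /proc/self/net, so AppArmor mediates the resolved per-pid path, which is exactly why the bare `@{PROC}/net/` spelling in the old charon-systemd profile did not match what the kernel reported.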
diff --git a/debian/usr.sbin.charon-systemd b/debian/usr.sbin.charon-systemd
index b40fa67..1f67510 100644
--- a/debian/usr.sbin.charon-systemd
+++ b/debian/usr.sbin.charon-systemd
@@ -71,9 +71,13 @@
7171
72 /{,var/}run/systemd/notify w,72 /{,var/}run/systemd/notify w,
7373
74 # allow self to read file descriptors (LP #1786250)
75 # restrict to our own process-ID as per apparmor vars
76 @{PROC}/@{pid}/fd/ r,
77
74 # for using the ha plugin (LP: #1773956)78 # for using the ha plugin (LP: #1773956)
75 @{PROC}/net/ipt_CLUSTERIP/ r,79 @{PROC}/@{pid}/net/ipt_CLUSTERIP/ r,
76 @{PROC}/net/ipt_CLUSTERIP/* rw,80 @{PROC}/@{pid}/net/ipt_CLUSTERIP/* rw,
7781
78 # Site-specific additions and overrides. See local/README for details.82 # Site-specific additions and overrides. See local/README for details.
79 #include <local/usr.sbin.charon-systemd>83 #include <local/usr.sbin.charon-systemd>
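Review bot: because this profile is loaded in complain mode (see the `flags=(complain,attach_disconnected)` header quoted in the review comments), the old `@{PROC}/net/ipt_CLUSTERIP/` rules only produced audit noise rather than denials, so the path fix is correct but would never have shown up as breakage; if charon-systemd is later switched to enforce mode, divergence of this kind between the two profiles is what would bite, which argues for keeping the shared rule block identical in both files. The added `@{PROC}/@{pid}/fd/ r,` block mirrors usr.lib.ipsec.charon including its bug reference, which is good; while here, the comment styles `LP #1786250` and `LP: #1773956` two lines apart could be made consistent in both profiles.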
diff --git a/debian/usr.sbin.swanctl b/debian/usr.sbin.swanctl
index 627f5c0..0ae7752 100644
--- a/debian/usr.sbin.swanctl
+++ b/debian/usr.sbin.swanctl
@@ -21,6 +21,9 @@
21 # Allow communication with VICI plugin UNIX domain socket21 # Allow communication with VICI plugin UNIX domain socket
22 /run/charon.vici rw,22 /run/charon.vici rw,
2323
24 # for af-alg plugin
25 network alg seqpacket,
26
24 # As of 5.5.2, swanctl unnecessarily loads plugins by default, even though no27 # As of 5.5.2, swanctl unnecessarily loads plugins by default, even though no
25 # plugins are actually used by swanctl. The following can be removed if28 # plugins are actually used by swanctl. The following can be removed if
26 # plugin loading is disabled.29 # plugin loading is disabled.
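Review bot: `network alg seqpacket,` is the minimal rule for the denial reported earlier in the review (family="alg" sock_type="seqpacket" requested_mask="create"); AppArmor network rules of this form are not split per operation, so it also covers bind and accept on AF_ALG sockets, which is what the af-alg plugin needs. Given the comment immediately below that swanctl loads plugins it never uses, the longer-term fix is to stop swanctl loading plugins at all (or to disable af-alg for the swanctl section in strongswan.conf) so that this rule, like the rest of that block, can be removed; a reference to LP: #1807962 next to the rule would tie it to the bug for that later cleanup.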
