Merge ~paelzer/ubuntu/+source/strongswan:lp-1780534-stroke-segfault-lp-1773956-clusterip-apparmor-bionic into ubuntu/+source/strongswan:ubuntu/bionic-devel

Proposed by Christian Ehrhardt 
Status: Merged
Approved by: Christian Ehrhardt 
Approved revision: 33bcd983dde05db15703dea10d46facd6cd5fe6c
Merged at revision: 33bcd983dde05db15703dea10d46facd6cd5fe6c
Proposed branch: ~paelzer/ubuntu/+source/strongswan:lp-1780534-stroke-segfault-lp-1773956-clusterip-apparmor-bionic
Merge into: ubuntu/+source/strongswan:ubuntu/bionic-devel
Diff against target: 59 lines (+18/-0)
4 files modified
debian/changelog (+10/-0)
debian/usr.lib.ipsec.charon (+4/-0)
debian/usr.lib.ipsec.lookip (+2/-0)
debian/usr.lib.ipsec.stroke (+2/-0)
Reviewer Review Type Date Requested Status
Andreas Hasenack Approve
Canonical Server Pending
git-ubuntu developers Pending
Review via email: mp+360800@code.launchpad.net
Christian Ehrhardt  (paelzer) wrote :
Andreas Hasenack (ahasenack) wrote :

+1 if you are happy with not addressing swanctl and syncing both charon profiles.

review: Approve
Christian Ehrhardt  (paelzer) wrote :

For the swanctl alg issue we have no bug, nor do we know if it actually inhibits functionality.
Unless I heard of a real case I held back the change from the SRU.
The same is true for the syncing of the two profiles.

Thanks a lot for double checking all of this!

Tag pushed and uploaded for SRU processing.

Preview Diff

1diff --git a/debian/changelog b/debian/changelog
2index d31b635..cf0ab43 100644
3--- a/debian/changelog
4+++ b/debian/changelog
5@@ -1,3 +1,13 @@
6+strongswan (5.6.2-1ubuntu2.4) bionic; urgency=medium
7+
8+ * fix stroke and lookip execution in containers (LP: #1780534). Binaries
9+ need to be able to read map and execute themselves
10+ - d/usr.lib.ipsec.lookip: add rmix to own binary
11+ - d/usr.lib.ipsec.stroke: add rmix to own binary
12+ * d/usr.lib.ipsec.charon: allow CLUSTERIP for ha plugin (LP: #1773956)
13+
14+ -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Wed, 12 Dec 2018 15:52:43 +0100
15+
16 strongswan (5.6.2-1ubuntu2.3) bionic-security; urgency=medium
17
18 * SECURITY UPDATE: Insufficient input validation in gmp plugin
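Review bot: The changelog line for LP: #1773956 says only "allow CLUSTERIP for ha plugin" and does not state the access being granted. Since the charon rule adds rw on the entries under ipt_CLUSTERIP/, name that here (as the lookip and stroke lines do with "add rmix to own binary") so the scope of the new permission is visible to SRU reviewers without opening the profile.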
19diff --git a/debian/usr.lib.ipsec.charon b/debian/usr.lib.ipsec.charon
20index 9e24c74..c5dba27 100644
21--- a/debian/usr.lib.ipsec.charon
22+++ b/debian/usr.lib.ipsec.charon
23@@ -71,6 +71,10 @@
24
25 /var/lib/strongswan/* r,
26
27+ # for using the ha plugin (LP: #1773956)
28+ @{PROC}/@{pid}/net/ipt_CLUSTERIP/ r,
29+ @{PROC}/@{pid}/net/ipt_CLUSTERIP/* rw,
30+
31 # Site-specific additions and overrides. See local/README for details.
32 #include <local/usr.lib.ipsec.charon>
33 }
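Review bot: The comment above the two CLUSTERIP rules gives the bug number but not why write access is needed on `@{PROC}/@{pid}/net/ipt_CLUSTERIP/* rw,`. The rule is unconditional, so it applies to charon whether or not the ha plugin is in use; extend the comment to say what the plugin writes there. The review thread also mentions a second charon profile that this diff does not touch, so that profile does not receive the rule; note this in the bug if it is intentional.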
34diff --git a/debian/usr.lib.ipsec.lookip b/debian/usr.lib.ipsec.lookip
35index de10433..614cda8 100644
36--- a/debian/usr.lib.ipsec.lookip
37+++ b/debian/usr.lib.ipsec.lookip
38@@ -15,6 +15,8 @@
39 /usr/lib/ipsec/lookip {
40 #include <abstractions/base>
41
42+ /usr/lib/ipsec/lookip rmix,
43+
44 /run/charon.lkp rw,
45
46 # Site-specific additions and overrides. See local/README for details.
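Review bot: The added `/usr/lib/ipsec/lookip rmix,` rule has no comment, unlike the charon hunk, which annotates its rules with the bug number. Add a line such as `# binary needs to read, map and execute itself in containers (LP: #1780534)` above it so the reason survives outside the changelog.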
47diff --git a/debian/usr.lib.ipsec.stroke b/debian/usr.lib.ipsec.stroke
48index 9d20ee7..af9cdcc 100644
49--- a/debian/usr.lib.ipsec.stroke
50+++ b/debian/usr.lib.ipsec.stroke
51@@ -17,6 +17,8 @@
52
53 capability dac_override,
54
55+ /usr/lib/ipsec/stroke rmix,
56+
57 /etc/strongswan.conf r,
58 /etc/strongswan.d/ r,
59 /etc/strongswan.d/** r,
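Review bot: `/usr/lib/ipsec/stroke rmix,` grants inherit-execute in addition to read and mmap on the profile's own binary. If the container failure in LP: #1780534 only involves reading and mapping the binary, `mr` would be the narrower grant; if `ix` is really required, record that in a comment next to the rule. This profile already holds `capability dac_override`, so keeping the file rules minimal is worth the extra check.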
