Merge ~paelzer/ubuntu/+source/strongswan:lp-1780534-stroke-segfault-lp-1773956-clusterip-apparmor-cosmic into ubuntu/+source/strongswan:ubuntu/cosmic-devel

Proposed by Christian Ehrhardt 
Status: Merged
Approved by: Christian Ehrhardt 
Approved revision: 0ad77f7522812222f2c4212b563ae866b37ab4e2
Merged at revision: 0ad77f7522812222f2c4212b563ae866b37ab4e2
Proposed branch: ~paelzer/ubuntu/+source/strongswan:lp-1780534-stroke-segfault-lp-1773956-clusterip-apparmor-cosmic
Merge into: ubuntu/+source/strongswan:ubuntu/cosmic-devel
Diff against target: 59 lines (+18/-0)
4 files modified
debian/changelog (+10/-0)
debian/usr.lib.ipsec.charon (+4/-0)
debian/usr.lib.ipsec.lookip (+2/-0)
debian/usr.lib.ipsec.stroke (+2/-0)
Reviewer Review Type Date Requested Status
Andreas Hasenack Approve
Canonical Server Pending
git-ubuntu developers Pending
Review via email: mp+360801@code.launchpad.net
Andreas Hasenack (ahasenack) wrote :

Are you intentionally not fixing the swanctl apparmor rule about the alg seqpacket socket in this sru, because we didn't have a bug about it, nor are we exactly sure about what stops working? Same reason you are not syncing the apparmor rules between /usr/lib/ipsec/charon and /usr/sbin/charon-systemd?

About the #1780534 bug, I'm seeing something interesting. On a fresh bionic, I do see the segfault and the apparmor denied rule for "m", but I also see denials for a "rw" mask.

Starting from a clear dmesg -C on the host, I get this, with the bionic package, when I run ipsec status:
root@bionic-strongswan:~# dmesg
root@bionic-strongswan:~# ipsec status
Segmentation fault
root@bionic-strongswan:~# dmesg
[25224.523691] audit: type=1400 audit(1544727369.718:757): apparmor="DENIED" operation="file_inherit" namespace="root//lxd-bionic-strongswan_<var-lib-lxd>" profile="/usr/lib/ipsec/stroke" name="/dev/pts/0" pid=23039 comm="stroke" requested_mask="wr" denied_mask="wr" fsuid=165536 ouid=166536
[25224.523703] audit: type=1400 audit(1544727369.718:758): apparmor="DENIED" operation="file_inherit" namespace="root//lxd-bionic-strongswan_<var-lib-lxd>" profile="/usr/lib/ipsec/stroke" name="/dev/pts/0" pid=23039 comm="stroke" requested_mask="wr" denied_mask="wr" fsuid=165536 ouid=166536
[25224.523713] audit: type=1400 audit(1544727369.718:759): apparmor="DENIED" operation="file_inherit" namespace="root//lxd-bionic-strongswan_<var-lib-lxd>" profile="/usr/lib/ipsec/stroke" name="/dev/pts/0" pid=23039 comm="stroke" requested_mask="wr" denied_mask="wr" fsuid=165536 ouid=166536
[25224.523721] audit: type=1400 audit(1544727369.718:760): apparmor="DENIED" operation="file_inherit" namespace="root//lxd-bionic-strongswan_<var-lib-lxd>" profile="/usr/lib/ipsec/stroke" name="/dev/pts/0" pid=23039 comm="stroke" requested_mask="wr" denied_mask="wr" fsuid=165536 ouid=166536
[25224.523755] audit: type=1400 audit(1544727369.718:761): apparmor="DENIED" operation="file_mmap" namespace="root//lxd-bionic-strongswan_<var-lib-lxd>" profile="/usr/lib/ipsec/stroke" name="/usr/lib/ipsec/stroke" pid=23039 comm="stroke" requested_mask="m" denied_mask="m" fsuid=165536 ouid=165536

And once I install the updated package, the "m" denied entry is gone, no segfault anymore, but I keep seeing the "rw" denials. My host is bionic. I'll do a quick check on a disco container.

That being said, in the bug report, the reporter said that the "m" rule was enough to get things working for him, so the readwrite attempts might be something else and we can still proceed with the fix.

review: Needs Information
Andreas Hasenack (ahasenack) wrote :

Same in disco, "ipsec status" in a disco container (host bionic) generates a "rw" apparmor denied log in dmesg.

Oh, I think I know what that is.

It's the same thing that is preventing tcpdump from writing to stdout:
[26413.279579] audit: type=1400 audit(1544728558.491:877): apparmor="DENIED" operation="file_inherit" namespace="root//lxd-disco-strongswan_<var-lib-lxd>" profile="/usr/sbin/tcpdump" name="/dev/pts/0" pid=19948 comm="tcpdump" requested_mask="wr" denied_mask="wr" fsuid=165536 ouid=166536

https://github.com/lxc/lxd/issues/2930

I think "ipsec status" won't be able to write anything to the terminal, unless you use "lxc exec" to enter the container instead of ssh.

Yep, via "lxc exec" it works, no denials, and ipsec status prints something to the terminal.

+1 then, as long as you didn't intend to also fix the swanctl issue for this SRU, and sync the charon profiles.

review: Approve
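The two comments above separate the denial that the profile change fixes (file_mmap, mask "m", on the stroke binary itself) from the pty denials caused by ssh-ing into an LXD container. The following is an added example, not code from the merge proposal or from strongSwan: it parses the audit lines quoted above into candidate AppArmor file rules per profile, and uses an assumed heuristic (a file_inherit denial on a /dev/pts entry whose owner uid differs from the process fsuid) to set the ssh/LXD pty denials aside.

```python
import re
from collections import defaultdict

# Constructed sample: three DENIED lines copied from the dmesg output quoted in this thread
# (stroke mmap of its own binary, stroke inheriting the ssh pty, tcpdump inheriting the pty).
SAMPLE_LOG = """\
[25224.523691] audit: type=1400 audit(1544727369.718:757): apparmor="DENIED" operation="file_inherit" namespace="root//lxd-bionic-strongswan_<var-lib-lxd>" profile="/usr/lib/ipsec/stroke" name="/dev/pts/0" pid=23039 comm="stroke" requested_mask="wr" denied_mask="wr" fsuid=165536 ouid=166536
[25224.523755] audit: type=1400 audit(1544727369.718:761): apparmor="DENIED" operation="file_mmap" namespace="root//lxd-bionic-strongswan_<var-lib-lxd>" profile="/usr/lib/ipsec/stroke" name="/usr/lib/ipsec/stroke" pid=23039 comm="stroke" requested_mask="m" denied_mask="m" fsuid=165536 ouid=165536
[26413.279579] audit: type=1400 audit(1544728558.491:877): apparmor="DENIED" operation="file_inherit" namespace="root//lxd-disco-strongswan_<var-lib-lxd>" profile="/usr/sbin/tcpdump" name="/dev/pts/0" pid=19948 comm="tcpdump" requested_mask="wr" denied_mask="wr" fsuid=165536 ouid=166536
"""

# key=value pairs; values are either "quoted" or a bare token
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_denial(line):
    """Return the key=value fields of one AppArmor DENIED audit line, or None for other lines."""
    if 'apparmor="DENIED"' not in line:
        return None
    fields = {}
    for key, raw, quoted in FIELD_RE.findall(line):
        fields[key] = quoted if raw.startswith('"') else raw
    return fields


def is_foreign_pty(d):
    """Assumed heuristic drawn from the thread: a file_inherit denial on a pty whose owner
    (ouid) differs from the process's fsuid is the LXD/ssh terminal case, not a profile gap."""
    return (d["operation"] == "file_inherit" and d["name"].startswith("/dev/pts/")
            and d["ouid"] != d["fsuid"])


def suggest_rules(log_text):
    """Group denials by profile into candidate file rules (mask letters normalised, e.g. wr -> rw).
    Returns (rules_to_add, rules_to_ignore); the second bucket holds the foreign-pty denials."""
    add, ignore = defaultdict(set), defaultdict(set)
    for line in log_text.splitlines():
        d = parse_denial(line)
        if d is None:
            continue
        rule = f'{d["name"]} {"".join(sorted(set(d["denied_mask"])))},'
        (ignore if is_foreign_pty(d) else add)[d["profile"]].add(rule)
    return ({p: sorted(r) for p, r in add.items()},
            {p: sorted(r) for p, r in ignore.items()})


if __name__ == "__main__":
    to_add, to_ignore = suggest_rules(SAMPLE_LOG)
    print("rules to add:", to_add)
    print("pty denials explained by ssh into LXD:", to_ignore)
```

On the sample input only the stroke self-mmap denial survives as a rule to add, which is the one the `rmix` change in this proposal covers.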
Christian Ehrhardt  (paelzer) wrote :

For the swanctl alg issue we have no bug, nor do we know if it actually inhibits functionality.
Until I hear of a real case, I have held back the change from the SRU.
The same is true for syncing the two profiles.

Thanks a lot for double checking all of this!

Tag pushed and uploaded for SRU processing.

Preview Diff

1diff --git a/debian/changelog b/debian/changelog
2index b42b2ab..3331523 100644
3--- a/debian/changelog
4+++ b/debian/changelog
5@@ -1,3 +1,13 @@
6+strongswan (5.6.3-1ubuntu4.1) cosmic; urgency=medium
7+
8+ * fix stroke and lookip execution in containers (LP: #1780534). Binaries
9+ need to be able to read map and execute themselves
10+ - d/usr.lib.ipsec.lookip: add rmix to own binary
11+ - d/usr.lib.ipsec.stroke: add rmix to own binary
12+ * d/usr.lib.ipsec.charon: allow CLUSTERIP for ha plugin (LP: #1773956)
13+
14+ -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Wed, 12 Dec 2018 15:52:43 +0100
15+
16 strongswan (5.6.3-1ubuntu4) cosmic; urgency=medium
17
18 * d/usr.lib.ipsec.charon: allow reading of own FDs (LP: #1786250)
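Review bot: the first bullet reads "Binaries need to be able to read map and execute themselves"; a comma after "read" would make clear these are three separate permissions (r, m, x), which is what the `rmix` in the two sub-bullets grants. Otherwise the entry is consistent with the profile hunks: the SRU version 5.6.3-1ubuntu4.1, the two LP references and the three touched profiles all match the changes below.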
19diff --git a/debian/usr.lib.ipsec.charon b/debian/usr.lib.ipsec.charon
20index 6fc50b1..4abc3c0 100644
21--- a/debian/usr.lib.ipsec.charon
22+++ b/debian/usr.lib.ipsec.charon
23@@ -75,6 +75,10 @@
24 # restrict to our own process-ID as per apparmor vars
25 @{PROC}/@{pid}/fd/ r,
26
27+ # for using the ha plugin (LP: #1773956)
28+ @{PROC}/@{pid}/net/ipt_CLUSTERIP/ r,
29+ @{PROC}/@{pid}/net/ipt_CLUSTERIP/* rw,
30+
31 # Site-specific additions and overrides. See local/README for details.
32 #include <local/usr.lib.ipsec.charon>
33 }
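Review bot: the `@{PROC}/@{pid}/net/ipt_CLUSTERIP/* rw,` glob is as narrow as it can be here, since the entry names are the cluster addresses from site configuration and cannot be fixed in the packaged profile; anchoring it under `@{pid}` rather than a bare /proc/net path also keeps it in line with the `@{PROC}/@{pid}/fd/ r,` rule just above. Since the rule is now granted to every charon instance, not only HA deployments, suggest extending the comment to say it only has an effect when the ha plugin is loaded, e.g. `# for using the ha plugin; only exercised with plugins.ha enabled (LP: #1773956)`, so readers do not take it for a general charon requirement.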
34diff --git a/debian/usr.lib.ipsec.lookip b/debian/usr.lib.ipsec.lookip
35index de10433..614cda8 100644
36--- a/debian/usr.lib.ipsec.lookip
37+++ b/debian/usr.lib.ipsec.lookip
38@@ -15,6 +15,8 @@
39 /usr/lib/ipsec/lookip {
40 #include <abstractions/base>
41
42+ /usr/lib/ipsec/lookip rmix,
43+
44 /run/charon.lkp rw,
45
46 # Site-specific additions and overrides. See local/README for details.
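Review bot: `rmix` grants more than the observed problem needs: the denial quoted in the review thread for the sibling stroke binary is `file_mmap` with mask `m` on the binary itself, so `rm` would cover that case, and `ix` additionally lets lookip execute itself under its own (inherited) profile. That is harmless for a profile confined to a single binary, but because the changelog justifies the change as "read map and execute", a short comment on this line stating which permission the container denial actually required and that `ix` is precautionary would keep the two from being conflated later.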
47diff --git a/debian/usr.lib.ipsec.stroke b/debian/usr.lib.ipsec.stroke
48index 9d20ee7..af9cdcc 100644
49--- a/debian/usr.lib.ipsec.stroke
50+++ b/debian/usr.lib.ipsec.stroke
51@@ -17,6 +17,8 @@
52
53 capability dac_override,
54
55+ /usr/lib/ipsec/stroke rmix,
56+
57 /etc/strongswan.conf r,
58 /etc/strongswan.d/ r,
59 /etc/strongswan.d/** r,
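Review bot: this rule matches the `file_mmap` denial on `name="/usr/lib/ipsec/stroke"` with `requested_mask="m"` quoted in the review, so it addresses the segfault; the remaining `file_inherit` denials on `/dev/pts/0` with mask `wr` are intentionally not touched by this hunk, consistent with the thread's conclusion that they come from the LXD/ssh pty ownership issue rather than the profile. Unlike the charon hunk, the new line carries no explanatory comment; suggest adding one such as `# own binary: needs m to mmap itself in containers (LP: #1780534)` so the reason survives future profile edits.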
