Code review comment for ~paelzer/ubuntu/+source/strongswan:lp-1780534-stroke-segfault-lp-1773956-clusterip-apparmor-cosmic

Andreas Hasenack (ahasenack) wrote :

Are you intentionally not fixing the swanctl apparmor rule about the alg seqpacket socket in this sru, because we didn't have a bug about it, nor are we exactly sure about what stops working? Same reason you are not syncing the apparmor rules between /usr/lib/ipsec/charon and /usr/sbin/charon-systemd?

About the #1780534 bug, I'm seeing something interesting. On a fresh bionic, I do see the segfault and the apparmor denied rule for "m", but I also see denials for a "rw" mask.

Starting from a clear dmesg -C on the host, I get this, with the bionic package, when I run ipsec status:
root@bionic-strongswan:~# dmesg
root@bionic-strongswan:~# ipsec status
Segmentation fault
root@bionic-strongswan:~# dmesg
[25224.523691] audit: type=1400 audit(1544727369.718:757): apparmor="DENIED" operation="file_inherit" namespace="root//lxd-bionic-strongswan_<var-lib-lxd>" profile="/usr/lib/ipsec/stroke" name="/dev/pts/0" pid=23039 comm="stroke" requested_mask="wr" denied_mask="wr" fsuid=165536 ouid=166536
[25224.523703] audit: type=1400 audit(1544727369.718:758): apparmor="DENIED" operation="file_inherit" namespace="root//lxd-bionic-strongswan_<var-lib-lxd>" profile="/usr/lib/ipsec/stroke" name="/dev/pts/0" pid=23039 comm="stroke" requested_mask="wr" denied_mask="wr" fsuid=165536 ouid=166536
[25224.523713] audit: type=1400 audit(1544727369.718:759): apparmor="DENIED" operation="file_inherit" namespace="root//lxd-bionic-strongswan_<var-lib-lxd>" profile="/usr/lib/ipsec/stroke" name="/dev/pts/0" pid=23039 comm="stroke" requested_mask="wr" denied_mask="wr" fsuid=165536 ouid=166536
[25224.523721] audit: type=1400 audit(1544727369.718:760): apparmor="DENIED" operation="file_inherit" namespace="root//lxd-bionic-strongswan_<var-lib-lxd>" profile="/usr/lib/ipsec/stroke" name="/dev/pts/0" pid=23039 comm="stroke" requested_mask="wr" denied_mask="wr" fsuid=165536 ouid=166536
[25224.523755] audit: type=1400 audit(1544727369.718:761): apparmor="DENIED" operation="file_mmap" namespace="root//lxd-bionic-strongswan_<var-lib-lxd>" profile="/usr/lib/ipsec/stroke" name="/usr/lib/ipsec/stroke" pid=23039 comm="stroke" requested_mask="m" denied_mask="m" fsuid=165536 ouid=165536

And once I install the updated package, the "m" denied entry is gone, no segfault anymore, but I keep seeing the "rw" denials. My host is bionic. I'll do a quick check on a disco container.

That being said, in the bug report, the reporter said that the "m" rule was enough to get things working for him, so the readwrite attempts might be something else and we can still proceed with the fix.

review: Needs Information
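The dmesg output above repeats the same denial several times, which makes it easy to miss that there are two distinct denials (file_inherit on the pty with mask "wr", and file_mmap on the stroke binary with mask "m"). The following is an added example, not code from the merge proposal or from strongSwan: it parses AppArmor audit lines, collapses repeats into distinct (profile, operation, path, mask) entries with counts, and prints candidate profile rule lines for the maintainer to review. The sample input is a constructed abbreviation of the log lines in the comment.

```python
import re
from collections import Counter

# Constructed sample: three of the DENIED lines from the comment above,
# covering both kinds of denial seen with the bionic package.
SAMPLE_DMESG = """\
[25224.523691] audit: type=1400 audit(1544727369.718:757): apparmor="DENIED" operation="file_inherit" namespace="root//lxd-bionic-strongswan_<var-lib-lxd>" profile="/usr/lib/ipsec/stroke" name="/dev/pts/0" pid=23039 comm="stroke" requested_mask="wr" denied_mask="wr" fsuid=165536 ouid=166536
[25224.523703] audit: type=1400 audit(1544727369.718:758): apparmor="DENIED" operation="file_inherit" namespace="root//lxd-bionic-strongswan_<var-lib-lxd>" profile="/usr/lib/ipsec/stroke" name="/dev/pts/0" pid=23039 comm="stroke" requested_mask="wr" denied_mask="wr" fsuid=165536 ouid=166536
[25224.523755] audit: type=1400 audit(1544727369.718:759): apparmor="DENIED" operation="file_mmap" namespace="root//lxd-bionic-strongswan_<var-lib-lxd>" profile="/usr/lib/ipsec/stroke" name="/usr/lib/ipsec/stroke" pid=23039 comm="stroke" requested_mask="m" denied_mask="m" fsuid=165536 ouid=165536
"""

# key="quoted value" or key=bareword; group 3 is the quoted form, group 4 the bare one.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_apparmor_line(line):
    """Return the key=value fields of one AppArmor audit line, or None if it is not one."""
    if 'apparmor="' not in line:
        return None
    fields = {}
    for m in KV_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


def summarize_denials(dmesg_text):
    """Collapse repeated DENIED lines into counts per distinct (profile, operation, name, mask)."""
    counts = Counter()
    for line in dmesg_text.splitlines():
        f = parse_apparmor_line(line)
        if not f or f.get("apparmor") != "DENIED":
            continue
        counts[(f["profile"], f["operation"], f["name"], f["denied_mask"])] += 1
    return counts


def suggested_rules(denials):
    """Turn each distinct denial into a candidate 'path perms,' profile line (mask letters sorted,
    so the audit mask "wr" becomes the usual rule spelling "rw"). These are starting points for
    the profile author to judge, not rules to apply blindly."""
    return sorted({f"{name} {''.join(sorted(mask))}," for (_, _, name, mask) in denials})


if __name__ == "__main__":
    denials = summarize_denials(SAMPLE_DMESG)
    for (profile, op, name, mask), n in sorted(denials.items()):
        print(f"{n:3d}x {profile}: {op} {name} denied_mask={mask}")
    print("candidate rules:", *suggested_rules(denials), sep="\n  ")
```

Running it over a full `dmesg` capture shows at a glance which denials the "m" fix clears and which ("rw" on the pty) remain.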
