** Description changed:

+ [Impact]
+
+  * Certain strongswan based vpn setups fail, especially those based on
+ network-manager-l2tp or neutron-vpn-netns-wrapper
+
+  * The fix is opening up the apparmor profile slightly for charon and
+ stroke where paths are disconnected
+
+ [Test Case]
+
+  * valid VPN setup with network-manager-l2tp, then running "sudo ipsec
+ status"
+
+ or
+
+  * valid neutron-vpn setup and then
+    # mkdir /tmp/test
+    # ip netns add testns
+    # ip netns exec testns neutron-vpn-netns-wrapper --mount_paths "/var/run:/tmp/test" --cmd "ipsec,status"
+
+ In both cases the command fails as it can't reach charon log.
+
+ [Regression Potential]
+
+  * Since the profile for strongswan is opened up a bit (and not more
+ restricted) the regression potential for strongswan should be minimal.
+
+  * Yet OTOH due to the change there is a slightly higher security risk
+ now. That said the case seems to be exactly what the feature was
+ designed for [1] and there are several other packages holding a similar
+ flag.
+
+ [1]:
+ http://wiki.apparmor.net/index.php/ReleaseNotes_2_5#path_name_lookup_and_mediation_of
+
+ [Other Info]
+
+  * The part of the "valid VPN setup" both Test cases would need some more
+ input by the reporters if possible - to ease testing (see comments
+ #5+#6 and #28+#29 for the current status on tests).
+
+  * Unless this is done we have to rely more than usual on the reporters to
+ verify this.
+
+
  $ lsb_release -rd
  Description:    Ubuntu 16.04 LTS
  Release:        16.04
  $ apt-cache policy strongswan
  strongswan:
-   Installed: 5.3.5-1ubuntu3
-   Candidate: 5.3.5-1ubuntu3
-   Version table:
-  *** 5.3.5-1ubuntu3 500
-         500 http://au.archive.ubuntu.com/ubuntu xenial/main amd64 Packages
-         500 http://au.archive.ubuntu.com/ubuntu xenial/main i386 Packages
-         100 /var/lib/dpkg/status
-
+   Installed: 5.3.5-1ubuntu3
+   Candidate: 5.3.5-1ubuntu3
+   Version table:
+  *** 5.3.5-1ubuntu3 500
+         500 http://au.archive.ubuntu.com/ubuntu xenial/main amd64 Packages
+         500 http://au.archive.ubuntu.com/ubuntu xenial/main i386 Packages
+         100 /var/lib/dpkg/status

  Looks like 'ipsec status' might be causing strongswan's charon to write to run/systemd/journal/dev-log instead of /run/systemd/journal/dev-log and apparmor doesn't like it.

  Extract from /etc/apparmor.d/abstractions/base :
-   /{,var/}run/systemd/journal/dev-log w,
+   /{,var/}run/systemd/journal/dev-log w,

  With an established ipsec connection, issue the following :
  $ sudo ipsec status
  connecting to 'unix:///var/run/charon.ctl' failed: Permission denied
  failed to connect to stroke socket 'unix:///var/run/charon.ctl'
-
  $ journalctl
  ...
  Jun 01 12:15:07 ThinkCentre-M900 kernel: audit: type=1400 audit(1464785297.366:491): apparmor="DENIED" operation="connect" info="Failed name lookup - disconnected path" error=-13 profile="/usr/lib/ipsec/charon" name="run/systemd/journal/dev-log" pid=4994 comm="charon" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
  ...
ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: strongswan 5.3.5-1ubuntu3
ProcVersionSignature: Ubuntu 4.4.0-22.40-generic 4.4.8
Uname: Linux 4.4.0-22-generic x86_64
NonfreeKernelModules: wl
ApportVersion: 2.20.1-0ubuntu2.1
Architecture: amd64
CurrentDesktop: Unity
Date: Wed Jun  1 23:06:53 2016
InstallationDate: Installed on 2016-05-11 (21 days ago)
InstallationMedia: Ubuntu 16.04 LTS "Xenial Xerus" - Release amd64 (20160420.1)
PackageArchitecture: all
SourcePackage: strongswan
UpgradeStatus: No upgrade log present (probably fresh install)
-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1587886

Title:
  strongswan ipsec status issue with apparmor

To manage notifications about this bug go to:
https://bugs.launchpad.net/hundredpapercuts/+bug/1587886/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
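The kernel audit line quoted in the report is the signal a defender would key on: `info="Failed name lookup - disconnected path"` with a relative `name=` (here `run/systemd/journal/dev-log`) means charon was confined under a profile that could not map the object to a path in the process's mount namespace. The following is an added example, not code from the bug report, strongswan or the Ubuntu package: a small parser that pulls the key=value fields out of AppArmor `type=1400` records, separates disconnected-path denials from ordinary ones, and lists which profiles produced them. The first sample line is the denial from the report; the other lines (a `stroke` open denial, an `ALLOWED` record, an unrelated systemd line, and the file names in them) are constructed for the example.

```python
import re
from collections import defaultdict

# Matches key=value pairs in an AppArmor audit record; values are either
# double-quoted (and may contain spaces, as info="..." does) or bare tokens.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Sample log lines. The first is the denial quoted in the bug report; the
# remaining three are constructed for this example and are not real events.
SAMPLE_LOG = """\
Jun 01 12:15:07 ThinkCentre-M900 kernel: audit: type=1400 audit(1464785297.366:491): apparmor="DENIED" operation="connect" info="Failed name lookup - disconnected path" error=-13 profile="/usr/lib/ipsec/charon" name="run/systemd/journal/dev-log" pid=4994 comm="charon" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
Jun 01 12:15:09 ThinkCentre-M900 kernel: audit: type=1400 audit(1464785299.101:492): apparmor="DENIED" operation="open" profile="/usr/lib/ipsec/stroke" name="/etc/example-constructed.conf" pid=5001 comm="stroke" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jun 01 12:15:10 ThinkCentre-M900 kernel: audit: type=1400 audit(1464785300.500:493): apparmor="ALLOWED" operation="open" profile="/usr/lib/ipsec/charon" name="/var/log/charon.log" pid=4994 comm="charon" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
Jun 01 12:15:11 ThinkCentre-M900 systemd[1]: Started Session 3 of user test.
"""

# The info= string the kernel emits when it cannot resolve the object to a
# path under the confined process's namespace root.
DISCONNECTED_INFO = "Failed name lookup - disconnected path"


def parse_apparmor_record(line):
    """Return a dict of the fields in an AppArmor (type=1400) audit line,
    or None if the line is not an AppArmor record at all."""
    if "type=1400" not in line or "apparmor=" not in line:
        return None
    fields = {}
    for key, raw in _KV_RE.findall(line):
        # Strip the surrounding quotes from quoted values; keep bare ones as-is.
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields


def is_disconnected_path_denial(rec):
    """True for a DENIED record whose cause was a disconnected-path lookup,
    the situation the bug report describes for charon inside a namespace."""
    return (rec.get("apparmor") == "DENIED"
            and rec.get("info") == DISCONNECTED_INFO)


def summarize_denials(log_text):
    """Group DENIED records by profile. Each event keeps the operation, the
    (possibly relative) object name, the process name and whether the denial
    came from a disconnected path rather than a missing rule."""
    summary = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_apparmor_record(line)
        if rec is None or rec.get("apparmor") != "DENIED":
            continue
        summary[rec["profile"]].append({
            "operation": rec.get("operation"),
            "name": rec.get("name"),
            "comm": rec.get("comm"),
            "disconnected": is_disconnected_path_denial(rec),
        })
    return dict(summary)


def profiles_needing_review(log_text):
    """Profiles with at least one disconnected-path denial: these are the
    candidates for the kind of profile change the report discusses, as
    opposed to profiles that merely lack a rule for a real path."""
    return sorted(
        profile for profile, events in summarize_denials(log_text).items()
        if any(e["disconnected"] for e in events)
    )


if __name__ == "__main__":
    for profile, events in summarize_denials(SAMPLE_LOG).items():
        for e in events:
            kind = "DISCONNECTED" if e["disconnected"] else "denied"
            print(f"{profile}: {kind} {e['operation']} {e['name']} (comm={e['comm']})")
    print("profiles to review:", profiles_needing_review(SAMPLE_LOG))
```

Separating the two denial kinds matters for the triage: an ordinary denial on an absolute path is fixed by adding a rule for that path, whereas a disconnected-path denial cannot be fixed by any path rule, because the object has no path the profile can match. The report does not name the profile flag it adds; my reading of the linked AppArmor 2.5 release notes is that it is the `attach_disconnected` flag, which makes the kernel treat such objects as if they were rooted at `/` so the existing `/{,var/}run/systemd/journal/dev-log w,` rule applies. That is also the source of the "slightly higher security risk" the report mentions: with the flag set, a path rule can match objects outside the namespace the profile author had in mind, so a reviewer should check that the profile's rules stay tight.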