Default usr.lib.ipsec.stroke profile causes segfault for 'ipsec status'

Bug #1780534 reported by Andras Dosztal
10
This bug affects 1 person
Affects Status Importance Assigned to Milestone
AppArmor
New
Undecided
Unassigned
strongswan (Ubuntu)
Fix Released
Low
Christian Ehrhardt 
Bionic
Fix Released
Undecided
Unassigned
Cosmic
Fix Released
Undecided
Unassigned

Bug Description

[Impact]

 * In unprivileged containers there seem to be a few extra apparmor checks
   triggering, in particular a common pattern that usually is granted with
   "rmix" on the own binary.

 * Add the rule to the profile to avoid stroke segfaulting in containers

[Test Case]

 * Take an unprivileged (default) LXD container and install strongswan
 * Then run stroke:
    $ ipsec status
   or directly via:
    $ /usr/lib/ipsec/stroke
   same for lookip
    $ /usr/lib/ipsec/lookip
* Without the fix this segfaults on mapping its own binary

[Regression Potential]

 * This is granting ever so slightly more to it through apparmor, there
    should be no existing functionality degrading by it.

[Other Info]

 * n/a

---

Symptoms on a Bionic LXD container running on Bionic server:
- I can start the ipsec service with systemctl
- I can also use the ‘ipsec start|restart|stop’ commands
- The VPN tunnel to a remote host is created.
- However when I issue ‘ipsec status|statusall|listxxx|etc’ commands, I get a segfault:

    root@vpn1:~# ipsec statusall
    Segmentation fault

I found that ipsec is just a script calling ‘/usr/lib/ipsec/stroke’ for getting the status, and this process fails with permission denied:

    root@vpn1:~# strace /usr/lib/ipsec/stroke statusall
    execve("/usr/lib/ipsec/stroke", ["/usr/lib/ipsec/stroke", "statusall"], 0x7fff5d0ae198 /* 14 vars */) = -1 EACCES (Permission denied)
    --- SIGSEGV {si_signo=SIGSEGV, si_code=SI_KERNEL, si_addr=NULL} ---
    +++ killed by SIGSEGV +++
    Segmentation fault

This is the AppArmor related log entry:

    Jul 7 04:53:32 lxd1 kernel: [ 4526.583617] audit: type=1400 audit(1530939212.389:68): apparmor="DENIED" operation="file_mmap" namespace="root//lxd-vpn1_<var-lib-lxd>" profile="/usr/lib/ipsec/stroke" name="/usr/lib/ipsec/stroke" pid=3372 comm="stroke" requested_mask="m" denied_mask="m" fsuid=100000 ouid=100000

It shows that /usr/lib/ipsec/stroke needs rights for mmap operations, which is not included in the /etc/apparmor.d/usr.lib.ipsec.stroke file. I added it (see attachment, line 26) and the error is gone.

Related branches

Revision history for this message
Andras Dosztal (adosztal) wrote :
description: updated
description: updated
description: updated
Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

Ack, thanks for the report.

Repro is really as easy as:
1. get container
2. apt install strongswan
3. any of the commands:
$ ipsec status
$ /usr/lib/ipsec/stroke status
$ /usr/lib/ipsec/stroke

Changed in strongswan (Ubuntu):
status: New → Triaged
Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

Hmm, this really only is true when running in a container - it is just fine in a VM.
In addition PVNs from containers are always "special" as e.g. ipsec does a lot of kernel offloading. There are extra ipsec-userspace plugins in strongswan to make up for that.

Changed in strongswan (Ubuntu):
importance: Undecided → Low
Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

This apparmor rule
  /usr/lib/ipsec/stroke m,
in /etc/apparmor.d/usr.lib.ipsec.stroke would resolve it.

But I'm currently puzzled why it occurs in containers but not in VMs.

Furthermore when attaching GDB it fails ?before? the actual program, there isn't anything to debug - it didn't even reach main yet.

Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

This is very very odd, but in general applictions have often a
 /path/to/binary rmix,
rule and that is what makes it work.
Charon has one, so lets add the same for stroke as well, that seems safe and reasonable.

Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

Since it would never (rarely?) work in a container anyway I'm not sure about the "real" need to SRU this, but fixing in 19.04 onwards seems right to me. Furthermore anyone could fix it by changing the config like
  $ echo "/usr/lib/ipsec/stroke rmix," | sudo tee /etc/apparmor.d/local/usr.lib.ipsec.stroke

Please @Andreas Dosztal - is there a real "in container" use case for this or were you just playing with it when you found the bug?

Changed in strongswan (Ubuntu Bionic):
status: New → Incomplete
Changed in strongswan (Ubuntu Cosmic):
status: New → Incomplete
Revision history for this message
Andras Dosztal (adosztal) wrote :

Not yet but I'm working in a development project that will hopefully use containers for VPN in production. However I already have a workaround (cloud-init downloading the fixed config file) so the bug is not a blocker.

Revision history for this message
Tobias Brunner (tobias-strongswan) wrote :

Why shouldn't it work in a container? (Granted, I don't know LXD, but strongSwan runs fine in network namespaces and stuff like Docker.)

Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

BTW the same fix is needed for /usr/lib/ipsec/lookip from libcharon-extra-plugins

Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

I also started a discussion with the apparmor folks to understand what/if there is an issue making this special in containers.

Changed in strongswan (Ubuntu):
status: Triaged → In Progress
assignee: nobody → Christian Ehrhardt  (paelzer)
Revision history for this message
Launchpad Janitor (janitor) wrote :
Download full text (5.2 KiB)

This bug was fixed in the package strongswan - 5.7.1-1ubuntu1

---------------
strongswan (5.7.1-1ubuntu1) disco; urgency=medium

  * Merge with Debian unstable (LP: #1806401). Remaining changes:
    - Clean up d/strongswan-starter.postinst: section about runlevel changes
    - Clean up d/strongswan-starter.postinst: Removed entire section on
      opportunistic encryption disabling - this was never in strongSwan and
      won't be see upstream issue #2160.
    - d/rules: Removed patching ipsec.conf on build (not using the
      debconf-managed config.)
    - d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference (was
      used for debconf-managed include of private key).
    - Mass enablement of extra plugins and features to allow a user to use
      strongswan for a variety of extra use cases without having to rebuild.
      + d/control: Add required additional build-deps
      + d/control: Mention addtionally enabled plugins
      + d/rules: Enable features at configure stage
      + d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf)
      + d/libstrongswan.install: Add plugins (so, conf)
    - d/strongswan-starter.install: Install pool feature, which is useful since
      we have attr-sql plugin enabled as well using it.
    - Add plugin kernel-libipsec to allow the use of strongswan in containers
      via this userspace implementation (please do note that this is still
      considered experimental by upstream).
      + d/libcharon-extra-plugins.install: Add kernel-libipsec components
      + d/control: List kernel-libipsec plugin at extra plugins description
      + d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As
        upstream recommends to not load kernel-libipsec by default.
    - Relocate tnc plugin
      + debian/libcharon-extra-plugins.install: Drop tnc from extra plugins
      + Add new subpackage for TNC in d/strongswan-tnc-* and d/control
    - d/libstrongswan.install: Reorder conf and .so alphabetically
    - d/libstrongswan.install: Add kernel-netlink configuration files
    - Complete the disabling of libfast; This was partially accepted in Debian,
      it is no more packaging medcli and medsrv, but still builds and
      mentions it.
      + d/rules: Add --disable-fast to avoid build time and dependencies
      + d/control: Remove medcli, medsrv from package description
    - d/control: Mention mgf1 plugin which is in libstrongswan now
    - Add now built (since 5.5.1) libraries libtpmtss and nttfft to
      libstrongswan-extra-plugins (no deps from default plugins).
    - d/control, d/libcharon-{extras,standard}-plugins.install: Move charon
      plugins for the most common use cases from extra-plugins into a new
      standard-plugins package. This will allow those use cases without pulling
      in too much more plugins (a bit like the tnc package). Recommend that
      package from strongswan-libcharon.
    - d/usr.sbin.charon-systemd: allow to contact mysql for sql and
      attr-sql plugins (LP #1766240)
    - d/usr.lib.ipsec.charon: allow reading of own FDs (LP #1786250)
  * Added Changes:
    - d/p/lp1795813-mysql-Don-t-release-the-connection-if-transactions-a.patch:
      fix SIG...

Read more...

Changed in strongswan (Ubuntu):
status: In Progress → Fix Released
Changed in strongswan (Ubuntu Bionic):
status: Incomplete → Triaged
Changed in strongswan (Ubuntu Cosmic):
status: Incomplete → Triaged
description: updated
description: updated
Revision history for this message
Brian Murray (brian-murray) wrote : Please test proposed package

Hello Andras, or anyone else affected,

Accepted strongswan into cosmic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/strongswan/5.6.3-1ubuntu4.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-cosmic to verification-done-cosmic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-cosmic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in strongswan (Ubuntu Cosmic):
status: Triaged → Fix Committed
tags: added: verification-needed verification-needed-cosmic
Revision history for this message
Brian Murray (brian-murray) wrote :

Hello Andras, or anyone else affected,

Accepted strongswan into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/strongswan/5.6.2-1ubuntu2.4 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in strongswan (Ubuntu Bionic):
status: Triaged → Fix Committed
tags: added: verification-needed-bionic
Revision history for this message
Andras Dosztal (adosztal) wrote :

It definitely fixed the issue for Bionic; I couldn't test Cosmic but I doubt if the outcome would be different since the bug was an obvious configuration setting. Please alert me if you insist doing a full check for Cosmic too.

Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

Tested an upgrade on Cosmic and it makes it work there as well.
Per this and the former comment setting both tasks to verified.

tags: added: verification-done verification-done-bionic verification-done-cosmic
removed: verification-needed verification-needed-bionic verification-needed-cosmic
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package strongswan - 5.6.2-1ubuntu2.4

---------------
strongswan (5.6.2-1ubuntu2.4) bionic; urgency=medium

  * fix stroke and lookip execution in containers (LP: #1780534). Binaries
    need to be able to read map and execute themselves
    - d/usr.lib.ipsec.lookip: add rmix to own binary
    - d/usr.lib.ipsec.stroke: add rmix to own binary
  * d/usr.lib.ipsec.charon: allow CLUSTERIP for ha plugin (LP: #1773956)

 -- Christian Ehrhardt <email address hidden> Wed, 12 Dec 2018 15:52:43 +0100

Changed in strongswan (Ubuntu Bionic):
status: Fix Committed → Fix Released
Revision history for this message
Brian Murray (brian-murray) wrote : Update Released

The verification of the Stable Release Update for strongswan has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package strongswan - 5.6.3-1ubuntu4.1

---------------
strongswan (5.6.3-1ubuntu4.1) cosmic; urgency=medium

  * fix stroke and lookip execution in containers (LP: #1780534). Binaries
    need to be able to read map and execute themselves
    - d/usr.lib.ipsec.lookip: add rmix to own binary
    - d/usr.lib.ipsec.stroke: add rmix to own binary
  * d/usr.lib.ipsec.charon: allow CLUSTERIP for ha plugin (LP: #1773956)

 -- Christian Ehrhardt <email address hidden> Wed, 12 Dec 2018 15:52:43 +0100

Changed in strongswan (Ubuntu Cosmic):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers