Symptoms on Bionic server:
- I can start the ipsec service with systemctl
- I can also use the ‘ipsec start|restart|stop’ commands
- The VPN tunnel to a remote host is created.
- However, when I issue ‘ipsec status|statusall|listxxx|etc’ commands, I get a segfault:
root@vpn1:~# ipsec statusall
Segmentation fault
I found that ipsec is just a script calling ‘/usr/lib/ipsec/stroke’ for getting the status, and this process fails:
root@vpn1:~# strace /usr/lib/ipsec/stroke statusall
execve("/usr/lib/ipsec/stroke", ["/usr/lib/ipsec/stroke", "statusall"], 0x7fff5d0ae198 /* 14 vars */) = -1 EACCES (Permission denied)
--- SIGSEGV {si_signo=SIGSEGV, si_code=SI_KERNEL, si_addr=NULL} ---
+++ killed by SIGSEGV +++
Segmentation fault
This is the AppArmor related log entry:
Jul 7 04:53:32 lxd1 kernel: [ 4526.583617] audit: type=1400 audit(1530939212.389:68): apparmor="DENIED" operation="file_mmap" namespace="root//lxd-vpn1_<var-lib-lxd>" profile="/usr/lib/ipsec/stroke" name="/usr/lib/ipsec/stroke" pid=3372 comm="stroke" requested_mask="m" denied_mask="m" fsuid=100000 ouid=100000
It shows that /usr/lib/ipsec/stroke needs rights for mmap operations, which is not included in the /etc/apparmor.d/usr.lib.ipsec.stroke file. I added it (see attachment, line 26) and the error is gone.
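The denial above is the kind of event a defender wants to turn into a profile rule mechanically rather than by hand. The following Python script is an added example, not the reporter's attachment and not part of strongSwan or the Ubuntu AppArmor packaging: it parses a kernel audit line of the form shown in this report, derives the `path perms,` rule that would satisfy it, and checks a profile excerpt for that rule. The profile excerpt is constructed for illustration and is not the contents of the real /etc/apparmor.d/usr.lib.ipsec.stroke file; the rule-writing logic only understands plain file rules (no owner/deny prefixes, globs or variables), which is an assumption stated in the code.

```python
import re

# Constructed sample input: the AppArmor audit line quoted in the report, wrapped for width.
SAMPLE_LOG = (
    'Jul 7 04:53:32 lxd1 kernel: [ 4526.583617] audit: type=1400 audit(1530939212.389:68): '
    'apparmor="DENIED" operation="file_mmap" namespace="root//lxd-vpn1_<var-lib-lxd>" '
    'profile="/usr/lib/ipsec/stroke" name="/usr/lib/ipsec/stroke" pid=3372 comm="stroke" '
    'requested_mask="m" denied_mask="m" fsuid=100000 ouid=100000'
)

# Constructed (hypothetical) profile excerpt that grants read but not mmap on the binary.
# It is NOT the real /etc/apparmor.d/usr.lib.ipsec.stroke file.
PROFILE_BEFORE = """\
#include <tunables/global>
/usr/lib/ipsec/stroke {
  #include <abstractions/base>
  /usr/lib/ipsec/stroke r,
}
"""

# key=value or key="quoted value" pairs as written by the AppArmor audit subsystem
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_apparmor_line(line):
    """Return the key/value fields of a kernel audit line, or None if it is not an AppArmor event."""
    if 'apparmor=' not in line:
        return None
    fields = {}
    for m in _KV_RE.finditer(line):
        key, quoted, bare = m.groups()
        fields[key] = quoted if quoted is not None else bare
    return fields


def suggest_rule(fields):
    """Turn a DENIED file event into the AppArmor rule line that would permit it.

    Assumption: the denied_mask letters can be used directly as the rule's permission
    string, which holds for file access modes such as r, w, m, x and k.
    """
    if fields is None or fields.get('apparmor') != 'DENIED':
        return None
    if 'name' not in fields or 'denied_mask' not in fields:
        return None
    return f'{fields["name"]} {fields["denied_mask"]},'


def profile_grants(profile_text, path, perms):
    """True if a plain `path perms,` rule already covers every letter of perms.

    Only simple rules are understood; anything else counts as not granting, so the
    check errs toward reporting a gap rather than hiding one.
    """
    wanted = set(perms)
    for raw in profile_text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#') or not line.endswith(','):
            continue
        parts = line[:-1].split()
        if len(parts) == 2 and parts[0] == path and wanted <= set(parts[1]):
            return True
    return False


def missing_rules(log_lines, profile_text):
    """Rules suggested by DENIED events that the profile does not already satisfy (deduplicated)."""
    found = []
    for line in log_lines:
        fields = parse_apparmor_line(line)
        rule = suggest_rule(fields)
        if rule is None or profile_grants(profile_text, fields['name'], fields['denied_mask']):
            continue
        if rule not in found:
            found.append(rule)
    return found


def add_rules(profile_text, rules):
    """Insert the rules just before the profile's closing brace, using the file's indentation."""
    lines = profile_text.rstrip('\n').split('\n')
    close = max(i for i, l in enumerate(lines) if l.strip() == '}')
    return '\n'.join(lines[:close] + ['  ' + r for r in rules] + lines[close:]) + '\n'


if __name__ == '__main__':
    rules = missing_rules([SAMPLE_LOG], PROFILE_BEFORE)
    print('rules to add:', rules)
    print(add_rules(PROFILE_BEFORE, rules))
```

Run against the log line from this report, the script proposes `/usr/lib/ipsec/stroke m,` and, once that line is present, reports nothing further. On a real host the interactive tool `aa-logprof` from apparmor-utils does the same job against the live audit log; the value of a small script like this is that it can be dropped into a log pipeline to flag DENIED events from confined services before anyone notices a segfault.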