strongSwan AppArmor profile doesn't allow smartcard configuration
Bug #1330486 reported by Jonathan Davies
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
strongswan (Ubuntu) | Incomplete | Medium | Jonathan Davies |
Bug Description
strongSwan's charon AppArmor profile is so restrictive it doesn't allow for smartcards.
Changed in strongswan (Ubuntu):
status: New → In Progress
importance: Undecided → Medium
assignee: nobody → Jonathan Davies (jpds)
In particular, it is the charon profile which doesn't allow access to the PC/SC layer and to the specific smartcard files (depending on the vendor).
For example, with a Gemalto IDPrime .NET card, this is what I get in my logs:
#Jun 29 08:29:46 ubuntu kernel: [ 873.811807] type=1400 audit(1435559386.465:51): apparmor="DENIED" operation="open" profile="/usr/lib/ipsec/charon" name="/run/shm/gemalto_idprime_sdata" pid=11356 comm="charon" requested_mask="rwc" denied_mask="rwc" fsuid=0 ouid=0
#Jun 29 08:29:46 ubuntu kernel: [ 873.817301] type=1400 audit(1435559386.469:52): apparmor="DENIED" operation="connect" profile="/usr/lib/ipsec/charon" name="/run/pcscd/pcscd.comm" pid=11356 comm="charon" requested_mask="rw" denied_mask="rw" fsuid=0 ouid=0
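Each denial in the comment above names the profile, the path and the access mask that charon was refused, which is enough to derive the file rules the profile is missing. The following Python is an added example, not part of the bug report or of the strongSwan or Ubuntu packaging: it parses such records and prints one candidate rule per denied path. The function names are hypothetical, and the sample input is the two log records from the comment with the extraction whitespace repaired.

```python
import re
from collections import defaultdict

# Constructed sample input: the two denials quoted in the comment above,
# with stray spaces and the broken line split repaired.
SAMPLE_LOG = """\
Jun 29 08:29:46 ubuntu kernel: [ 873.811807] type=1400 audit(1435559386.465:51): apparmor="DENIED" operation="open" profile="/usr/lib/ipsec/charon" name="/run/shm/gemalto_idprime_sdata" pid=11356 comm="charon" requested_mask="rwc" denied_mask="rwc" fsuid=0 ouid=0
Jun 29 08:29:46 ubuntu kernel: [ 873.817301] type=1400 audit(1435559386.469:52): apparmor="DENIED" operation="connect" profile="/usr/lib/ipsec/charon" name="/run/pcscd/pcscd.comm" pid=11356 comm="charon" requested_mask="rw" denied_mask="rw" fsuid=0 ouid=0
"""

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Audit masks use "c" (create) and "d" (delete); profile file rules express
# both with "w".
LOG_TO_RULE = {"c": "w", "d": "w"}
# "x" is left out on purpose: an exec rule needs a transition mode chosen by hand.
RULE_ORDER = "rwamlk"

def parse_denials(text):
    """Yield the key=value fields of each AppArmor DENIED record that names a path."""
    for line in text.splitlines():
        # findall gives (key, quoted_value, bare_value); one of the two is empty.
        fields = {k: q or b for k, q, b in FIELD.findall(line)}
        if fields.get("apparmor") == "DENIED" and "name" in fields:
            yield fields

def candidate_rules(text):
    """Return {profile: [rule, ...]} with one merged file rule per denied path."""
    perms = defaultdict(set)
    for f in parse_denials(text):
        for ch in f.get("denied_mask", ""):
            perms[(f["profile"], f["name"])].add(LOG_TO_RULE.get(ch, ch))
    rules = defaultdict(list)
    for (profile, path), letters in sorted(perms.items()):
        if "w" in letters:
            letters.discard("a")  # "w" already implies append; the two conflict in one rule
        mode = "".join(c for c in RULE_ORDER if c in letters)
        if mode:
            rules[profile].append(f"{path} {mode},")
    return dict(rules)

if __name__ == "__main__":
    for profile, lines in candidate_rules(SAMPLE_LOG).items():
        print(f"# candidate additions for profile {profile} (review before use)")
        print("\n".join("  " + r for r in lines))
```

The shared-memory file name is vendor specific, as the comment notes, so other cards will produce different paths; the PC/SC socket rule is the part common to any pcscd-based setup.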