[apparmor] missing entry for CLUSTERIP (used by strongswan HA plugin)

Looks like here is the bug where apparmor support was added for charon-system:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=866327

There does not seem to be any reference to ipt_CLUSTERIP there and from the source it appears the libcharon does appear to try to write to the referenced dir:

./src/libcharon/plugins/ha/ha_kernel.c:#define CLUSTERIP_DIR "/proc/net/ipt_CLUSTERIP"

@xooloo, can you please show the actual apparmor DENIED messages from your logs? A simple configuration setup that is enough to show them would also be extremely helpful. I'm hoping there is no need to establish a vpn with another node to show this issue.

The rule itself seems reasonable and safe to me.
At least for 19.04 I think I can integrate that on the merge of the latest version.

For any SRU considerations we will need a better "steps to reproduce" as they were requested before.

Since the define in the code is without PID
  #define CLUSTERIP_DIR "/proc/net/ipt_CLUSTERIP"

Due to that shouldn't the rule be more like:
@{PROC}/net/ipt_CLUSTERIP/ r,
@{PROC}/net/ipt_CLUSTERIP/* rw,

To be added to the file debian/usr.sbin.charon-systemd

Verified the paths in a KVM guest with ipt_CLUSTERIP loaded, using these paths for the rule that I add.

This bug was fixed in the package strongswan - 5.7.1-1ubuntu1

---------------
strongswan (5.7.1-1ubuntu1) disco; urgency=medium

  * Merge with Debian unstable (LP: #1806401). Remaining changes:
    - Clean up d/strongswan-starter.postinst: section about runlevel changes
    - Clean up d/strongswan-starter.postinst: Removed entire section on
      opportunistic encryption disabling - this was never in strongSwan and
      won't be see upstream issue #2160.
    - d/rules: Removed patching ipsec.conf on build (not using the
      debconf-managed config.)
    - d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference (was
      used for debconf-managed include of private key).
    - Mass enablement of extra plugins and features to allow a user to use
      strongswan for a variety of extra use cases without having to rebuild.
      + d/control: Add required additional build-deps
      + d/control: Mention addtionally enabled plugins
      + d/rules: Enable features at configure stage
      + d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf)
      + d/libstrongswan.install: Add plugins (so, conf)
    - d/strongswan-starter.install: Install pool feature, which is useful since
      we have attr-sql plugin enabled as well using it.
    - Add plugin kernel-libipsec to allow the use of strongswan in containers
      via this userspace implementation (please do note that this is still
      considered experimental by upstream).
      + d/libcharon-extra-plugins.install: Add kernel-libipsec components
      + d/control: List kernel-libipsec plugin at extra plugins description
      + d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As
        upstream recommends to not load kernel-libipsec by default.
    - Relocate tnc plugin
      + debian/libcharon-extra-plugins.install: Drop tnc from extra plugins
      + Add new subpackage for TNC in d/strongswan-tnc-* and d/control
    - d/libstrongswan.install: Reorder conf and .so alphabetically
    - d/libstrongswan.install: Add kernel-netlink configuration files
    - Complete the disabling of libfast; This was partially accepted in Debian,
      it is no more packaging medcli and medsrv, but still builds and
      mentions it.
      + d/rules: Add --disable-fast to avoid build time and dependencies
      + d/control: Remove medcli, medsrv from package description
    - d/control: Mention mgf1 plugin which is in libstrongswan now
    - Add now built (since 5.5.1) libraries libtpmtss and nttfft to
      libstrongswan-extra-plugins (no deps from default plugins).
    - d/control, d/libcharon-{extras,standard}-plugins.install: Move charon
      plugins for the most common use cases from extra-plugins into a new
      standard-plugins package. This will allow those use cases without pulling
      in too much more plugins (a bit like the tnc package). Recommend that
      package from strongswan-libcharon.
    - d/usr.sbin.charon-systemd: allow to contact mysql for sql and
      attr-sql plugins (LP #1766240)
    - d/usr.lib.ipsec.charon: allow reading of own FDs (LP #1786250)
  * Added Changes:
    - d/p/lp1795813-mysql-Don-t-release-the-connection-if-transactions-a.patch:
      fix SIG...

We only fixed this "by source" as Josh found in comment #1, but I really wanted to see what is going on. So I worked a bit on a repro (which I'd need for an SRU anyway), which is:

0. on a virtual Guest or so
1. Install strongswan (which pulls in libcharon-extra-plugins).
Then edit /etc/strongswan.d/charon/ha.conf to something like:
ha {
    load = yes
    local = 192.168.122.248
    monitor = yes
    remote = 192.168.122.94
    resync = yes
    segment_count = 2
}
With your IP and a peer IP (both KVM guests for me)

sudo iptables -I INPUT -i ens3 -d 10.10.10.10 -j CLUSTERIP --new --hashmode sourceip --clustermac 01:00:5E:00:00:20 --total-nodes 2 --local-node 1

As initially reported the deny is on a subtree to the PID now:
AVC apparmor="DENIED" operation="open" profile="/usr/lib/ipsec/charon" name="/proc/11063/net/ipt_CLUSTERIP/" pid=11063 comm="charon" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[LIB] opening directory '/proc/net/ipt_CLUSTERIP' failed: Permission denied

So some weird path remapping takes place and we need the PID path as well (as suggested).

Tested and working - While fixing that I'll spawn also a bug to re-sync both charon profiles (two ways to start it).

Settign this bug to open again.

This bug was fixed in the package strongswan - 5.7.1-1ubuntu2

---------------
strongswan (5.7.1-1ubuntu2) disco; urgency=medium

  * d/usr.sbin.charon-systemd: fix rule for CLUSTERIP to match effective
    path (LP: #1773956)
  * d/usr.lib.ipsec.charon, d/usr.sbin.charon-systemd: resync apparmor
    profiles of both ways to start charon (LP: #1807664)
  * d/usr.sbin.swanctl: add apparmor rule for af-alg plugin (LP: #1807962)

 -- Christian Ehrhardt <email address hidden> Mon, 10 Dec 2018 08:30:01 +0100

Hello Jean-Daniel, or anyone else affected,

Accepted strongswan into cosmic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/strongswan/5.6.3-1ubuntu4.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-cosmic to verification-done-cosmic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-cosmic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Hello Jean-Daniel, or anyone else affected,

Accepted strongswan into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/strongswan/5.6.2-1ubuntu2.4 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Works for me as it did off of the PPAs before.
Setting both to verified.

This bug was fixed in the package strongswan - 5.6.2-1ubuntu2.4

---------------
strongswan (5.6.2-1ubuntu2.4) bionic; urgency=medium

  * fix stroke and lookip execution in containers (LP: #1780534). Binaries
    need to be able to read map and execute themselves
    - d/usr.lib.ipsec.lookip: add rmix to own binary
    - d/usr.lib.ipsec.stroke: add rmix to own binary
  * d/usr.lib.ipsec.charon: allow CLUSTERIP for ha plugin (LP: #1773956)

 -- Christian Ehrhardt <email address hidden> Wed, 12 Dec 2018 15:52:43 +0100

The verification of the Stable Release Update for strongswan has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

This bug was fixed in the package strongswan - 5.6.3-1ubuntu4.1

---------------
strongswan (5.6.3-1ubuntu4.1) cosmic; urgency=medium

  * fix stroke and lookip execution in containers (LP: #1780534). Binaries
    need to be able to read map and execute themselves
    - d/usr.lib.ipsec.lookip: add rmix to own binary
    - d/usr.lib.ipsec.stroke: add rmix to own binary
  * d/usr.lib.ipsec.charon: allow CLUSTERIP for ha plugin (LP: #1773956)

 -- Christian Ehrhardt <email address hidden> Wed, 12 Dec 2018 15:52:43 +0100