strongswan (charon) is rejected by apparmor to read /proc/<PID>/fd
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
strongswan (Ubuntu) | Fix Released | Undecided | Andreas Hasenack |
Bug Description
[Impact]
strongswan needs to read from /proc/<PID>/fd
In some configurations, when apparmor blocks access, strongswan fails to set up properly.
[Test Case]
Unable to set up a reliable test case.
Tried setting up a VPN between two hosts, restarting strongswan, taking the eth device down and up, setting and removing routes, rebooting. Nothing seemed to trigger it.
[Regression Potential]
This is an expansion of permissions, which may increase the attack surface of strongswan.
[Original Description]
Used to work fine in Ubuntu 16.04 LTS, and Ubuntu 17.10.
ii strongswan 5.6.2-1ubuntu2 all IPsec VPN solution metapackage
A while ago I upgraded to 18.04 LTS and have had consistent issues with strongswan IPsec VPN connectivity.
BASELINE INFO:
```
$ sudo ipsec statusall
Status of IKE charon daemon (strongSwan 5.6.2, Linux 4.15.0-29-generic, x86_64):
uptime: 13 seconds, since Aug 09 09:27:35 2018
malloc: sbrk 3268608, mmap 532480, used 1280560, free 1988048
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
loaded plugins: charon test-vectors unbound ldap pkcs11 tpm aesni aes rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey dnscert ipseckey pem openssl gcrypt af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac hmac ctr ccm gcm ntru bliss curl soup mysql sqlite attr kernel-netlink resolve socket-default connmark farp stroke vici updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-
Listening IP addresses:
1.0.0.6
192.168.130.9
192.168.140.17
192.168.130.14
192.168.140.2
172.17.0.1
192.168.122.1
Connections:
<SITE_
<SITE_
<SITE_
<SITE_
<SITE_SNIPPED>
<SITE_SNIPPED>
<SITE_SNIPPED>
<SITE_SNIPPED>
Routed Connections:
<SITE_SNIPPED>
<SITE_SNIPPED>
<SITE_
<SITE_
Security Associations (0 up, 0 connecting):
none
```
Then we do:
```
sudo ipsec up <CONNECTION_NAME>
... all the goods happen ...
but near the end:
IKE_SA <CONNECTION_
scheduling reauthentication in 56358s
maximum IKE_SA lifetime 56538s
installing DNS server 192.168.194.20 via resolvconf
installing DNS server 192.168.196.20 via resolvconf
<<HANGS FOREVER>>
```
The DNS servers are successfully added to resolvconf (/etc/resolv.conf); however, name resolution doesn't work, and no routes work over the VPN.
After a fresh reboot, this works.
No number of ipsec/strongswan service restarts gets the system out of this "stuck state".
--
Typical workflow (reproduction notes)
1. fresh boot
2. VPN connections fine
3. work work work
4. disconnect VPN
5. use system for personal use (or don't)
6. suspend system overnight
7. resume system morning
8. VPN BROKEN as noted above
--
Digging more, I see these errors in dmesg
```
...
[34218.436021] audit: type=1400 audit(153382124
[34368.429799] audit: type=1400 audit(153382139
[34368.437049] audit: type=1400 audit(153382139
[34380.630335] audit: type=1400 audit(153382140
[34395.681889] audit: type=1400 audit(153382142
[34395.688730] audit: type=1400 audit(153382142
...
```
Does this have anything to do with why the connection is hanging? I have no idea.
Tried this:
```
$ sudo /etc/init.
● apparmor.service - AppArmor initialization
Loaded: loaded (/lib/systemd/
Active: active (exited) since Thu 2018-08-09 09:19:09 EDT; 15min ago
Docs: man:apparmor(7)
http://
Process: 9518 ExecStop=
Process: 14731 ExecStart=
Main PID: 14731 (code=exited, status=0/SUCCESS)
Aug 09 09:19:06 fermmy systemd[1]: Starting AppArmor initialization...
Aug 09 09:19:06 fermmy apparmor[14731]: * Starting AppArmor profiles
Aug 09 09:19:06 fermmy apparmor[14731]: Skipping profile in /etc/apparmor.
Aug 09 09:19:06 fermmy apparmor[14731]: Skipping profile in /etc/apparmor.
Aug 09 09:19:09 fermmy apparmor[14731]: ...done.
Aug 09 09:19:09 fermmy systemd[1]: Started AppArmor initialization.
$ sudo /etc/init.
[ ok ] Stopping apparmor (via systemctl): apparmor.service.
```
REPEAT TEST
* restart strongswan
* unroute all connections manually (sudo ipsec unroute <CONNECTION>)
_wtf_, apparmor is STILL rejecting it! (even though it's stopped?)
[34756.774786] audit: type=1400 audit(153382178
--
NO ACCESS to /proc ;/
```
$ cd /etc/apparmor.d
$ grep -rins charon * | grep proc
(EMPTY)
```
--
need to unload charon profile
$ sudo apparmor_parser -R /etc/apparmor.
but STILL, rejecting
[35206.129530] audit: type=1400 audit(153382223
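The audit lines quoted above are truncated on this page, so the actual denial records (profile, path, requested mask) are not visible here. What a practitioner would do with such records is turn them into the minimal profile rule that resolves them, with `/proc/<pid>` paths generalised to `@{PROC}/@{pid}` and restricted to the process's own entries with `owner`. The following is an added example, not part of the bug report or of the Ubuntu strongswan package: it constructs sample `type=1400` records modelled on the truncated ones (the profile name `/usr/lib/ipsec/charon`, the PIDs, the `/proc/<pid>/fd` paths and the unrelated `ALLOWED` record are all invented), skips complain-mode `ALLOWED` records, and prints candidate rules per profile. The rules it produces are an assumption about the shape of the fix, not the lines actually committed to `debian/usr.lib.ipsec.charon`.

```python
import re
from collections import defaultdict

# Constructed sample of dmesg output, modelled on the truncated "audit: type=1400" lines in
# the bug report. Profile path, PIDs, the ALLOWED record and the non-audit line are invented
# for illustration; none of these values are taken from the report.
SAMPLE_DMESG = """\
[34218.436021] audit: type=1400 audit(1533821245.123:456): apparmor="DENIED" operation="open" profile="/usr/lib/ipsec/charon" name="/proc/14921/fd/" pid=14921 comm="charon" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[34368.429799] audit: type=1400 audit(1533821395.456:457): apparmor="DENIED" operation="open" profile="/usr/lib/ipsec/charon" name="/proc/14921/fd/" pid=14921 comm="charon" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[34368.437049] audit: type=1400 audit(1533821395.464:458): apparmor="ALLOWED" operation="open" profile="/usr/sbin/cupsd" name="/etc/cups/cupsd.conf" pid=1200 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[34380.630335] audit: type=1400 audit(1533821407.111:459): apparmor="DENIED" operation="open" profile="/usr/lib/ipsec/charon" name="/proc/14921/fd/7" pid=14921 comm="charon" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[34380.631000] kernel: unrelated message that is not an audit record
"""

# key=value and key="quoted value" pairs as they appear in AppArmor audit records
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_audit_line(line):
    """Return the key/value fields of one AppArmor audit record, or None if the line is not one."""
    if "audit: type=1400" not in line or "apparmor=" not in line:
        return None
    return {key: value.strip('"') for key, value in FIELD_RE.findall(line)}


def generalise_path(name):
    """Rewrite a concrete /proc path into the AppArmor variables a profile rule should use.

    /proc/14921/fd/   -> @{PROC}/@{pid}/fd/
    /proc/14921/fd/7  -> @{PROC}/@{pid}/fd/*
    Any other path is returned unchanged.
    """
    path = re.sub(r"^/proc/\d+/", "@{PROC}/@{pid}/", name)
    path = re.sub(r"^(@\{PROC\}/@\{pid\}/fd/)\d+$", r"\1*", path)
    return path


def suggest_rules(dmesg_text):
    """Map each profile that produced a DENIED record to a sorted list of candidate allow rules.

    ALLOWED records (complain mode) and non-audit lines are ignored. Paths under
    @{PROC}/@{pid}/ get the `owner` qualifier so the rule only covers the confined
    process's own entries rather than every process's /proc tree (least privilege).
    """
    rules = defaultdict(set)
    for line in dmesg_text.splitlines():
        fields = parse_audit_line(line)
        if not fields or fields.get("apparmor") != "DENIED":
            continue
        name = fields.get("name")
        mask = fields.get("denied_mask") or fields.get("requested_mask")
        if not name or not mask:
            continue
        path = generalise_path(name)
        qualifier = "owner " if path.startswith("@{PROC}/@{pid}/") else ""
        rules[fields["profile"]].add(f"{qualifier}{path} {mask},")
    return {profile: sorted(rule_set) for profile, rule_set in rules.items()}


if __name__ == "__main__":
    for profile, candidate_rules in suggest_rules(SAMPLE_DMESG).items():
        print(f"# denials seen for profile {profile}; candidate additions to its profile file:")
        for rule in candidate_rules:
            print(f"  {rule}")
```

On a real host, feed it `dmesg` or `journalctl -k` output instead of the constructed sample and review each candidate before adding it to the profile (the stock tool for this workflow is `aa-logprof` from apparmor-utils). Two checks go with it: after editing the profile, reload it with `apparmor_parser -r` and restart the daemon, because a running process keeps the confinement it was started with, which you can read from `/proc/<pid>/attr/current`; and note that stopping `apparmor.service` does not unload profiles already in the kernel (`aa-status` or `/sys/kernel/security/apparmor/profiles` shows what is still loaded), which is why denials keep appearing after the unit is stopped.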
Related branches
- Robie Basak: Approve; Canonical Server packageset reviewers: Pending requested. Diff: 30 lines (+11/-0), 2 files modified: debian/changelog (+7/-0), debian/usr.lib.ipsec.charon (+4/-0)
- Andreas Hasenack: Needs Fixing; fermulator (community): Approve (code inspection); Canonical Server packageset reviewers: Pending requested; Canonical Server: Pending requested. Diff: 30 lines (+11/-0), 2 files modified: debian/changelog (+7/-0), debian/usr.lib.ipsec.charon (+4/-0)
- Canonical Server packageset reviewers: Pending requested; Canonical Server: Pending requested; Karl Stenerud: Pending requested. Diff: 15 lines (+4/-0), 1 file modified: debian/usr.lib.ipsec.charon (+4/-0)
Changed in strongswan (Ubuntu): assignee: nobody → fermulator (fermulator); description: updated
Changed in strongswan (Ubuntu): assignee: fermulator (fermulator) → Karl Stenerud (kstenerud); description: updated
Changed in strongswan (Ubuntu): assignee: Christian Ehrhardt (paelzer) → Andreas Hasenack (ahasenack)
Also probably worth including the current ipsec.charon profile contents (even though it's disabled now ...)