package:strongswan-plugin-farp may need apparmor config change

Bug #1514794 reported by Steven Bishop
Affects: strongswan (Ubuntu)
Status: Expired
Importance: Undecided
Assigned to: Unassigned
Milestone: (not set)

Bug Description

OS: Ubuntu 14.04 LTS server i386 (with all packages obtained from Ubuntu repos)
Kernel: Linux 3.13.0-66-generic, i686

Running StrongSwan 5.1.2.

Found it was necessary to edit the apparmor profile to permit "strongswan-plugin-farp" to
be loaded at 'ipsec start'.

Reproducible 100% of the time.

The following errors are reported in

"/var/log/charon.log" :

Nov 6 14:39:55 00[NET] opening ARP packet socket failed: Permission denied
Nov 6 14:39:55 00[LIB] plugin 'farp': failed to load - farp_plugin_create returned NULL

"/var/log/syslog" :

Nov 6 14:39:55 VMserver1 kernel: [15238.662619] type=1400 audit(1446820795.972:29): apparmor="DENIED" operation="create" profile="/usr/lib/ipsec/charon" pid=3143 comm="charon" family="packet" sock_type="dgram" protocol=1544
Nov 6 14:39:55 VMserver1 kernel: [15238.677435] type=1400 audit(1446820795.988:30): apparmor="DENIED" operation="create" profile="/usr/lib/ipsec/charon" pid=3143 comm="charon" family="packet" sock_type="dgram" protocol=8

Proposed fix
------------

--- /etc/apparmor.d/usr.lib.ipsec.charon 2015-11-06 16:27:22.068674462 +0000
+++ /tmp/tmpvcipywp2 2015-11-06 16:46:16.552658984 +0000
@@ -27,6 +27,8 @@
 # network all,
   network raw,

+ network packet dgram,
+
   /bin/dash mrPUx,
   /etc/ipsec.*.secrets r,
   /etc/ipsec.conf r,
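Review bot: the context line `# network all,` in this hunk shows the diff was taken against a locally modified copy of /etc/apparmor.d/usr.lib.ipsec.charon rather than the shipped file, so it will not apply cleanly to the packaged profile and should be regenerated against the stock file before it is considered. The rule itself is the right shape for the two denials quoted above: both are family="packet" sock_type="dgram" and differ only in protocol (1544 and 8), and AppArmor network rules match on family and socket type, not on that protocol number, so `network packet dgram,` covers both while granting less than a bare `network,` would. If the stock profile already carries an unqualified `network,` rule, the addition is redundant and the denials point to a locally restricted profile rather than a packaging bug.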

Revision history for this message
Simon Déziel (sdeziel) wrote :

@Steven, is this still an issue? The diff you showed includes "# network all," but this is not in the released version of charon's profile. Maybe you had a locally modified profile when you ran into the issue?

Since charon's profile in Trusty allows all networking, I don't think that adding "network packet dgram," makes sense. Would you mind confirming whether the problem happened with the stock profile or not?

Changed in strongswan (Ubuntu):
status: New → Incomplete
Revision history for this message
Steven Bishop (sib-ubuntu-replies) wrote : Fwd: Re: [Bug 1514794] Re: package:strongswan-plugin-farp may need apparmor config change

Hi there,

Sending again as message didn't show up in the thread.

-------- Forwarded Message --------

Subject: Re: [Bug 1514794] Re: package:strongswan-plugin-farp may need apparmor config change
Date: Thu, 28 Jan 2016 20:26:48 +0000
From: Steven Bishop <xxxxxxxxx@xxxxxx>
To: Bug 1514794 <email address hidden>

Hi Simon,

Thanks for your email.

Had a quick look back at the details.

I've attached the complete copy of "/etc/apparmor.d/usr.lib.ipsec.charon"
that I've got installed and running (post-the-patch).

The excerpt I took from "/var/log/syslog" at the time of the bug-report
showed that apparmor was blocking the dgram packets that the strongswan farp plugin
was trying to generate when I had a Road-Warrior client connected to the VPN
and pinging a LAN-side client.

Until I put in the patch to "/etc/apparmor.d/usr.lib.ipsec.charon" of :

    network packet dgram,

the ping wasn't getting any reply as apparmor was preventing the farp plugin
from generating the correct traffic for the ping to travel back from the LAN-side client
and across the VPN boundary.

Doing a quick :

$ dpkg -S /etc/apparmor.d/usr.lib.ipsec.charon

returns :

strongswan-ike: /etc/apparmor.d/usr.lib.ipsec.charon

Looking in /var/log/auth.log, I can see that I installed :

     $ sudo apt-get install strongswan-ikev2

On Oct-17-2015 @ 17:30pm (BST = GMT + 1hr)

Looking at the current Trusty repo, the date on their copy is from 15-Nov-2015
so that working copy is actually newer than my bug-report.

I've pulled down a copy of that particular .deb and looked at
its copy of /etc/apparmor.d/usr.lib.ipsec.charon.

Looking at the version I've got installed I can see some notable style differences
in the layout of the file.
The '#include' statements are all grouped together.

I'm guessing that the package that I "apt-get install"ed on 17-Oct-2015
has been updated on the Trusty repo since that time.

By the way, the version currently available in the current Trusty repo has the 2 lines:

line-24:
     network,
line-25:
     network raw,

If I'm reading this correctly, wouldn't line-24 mean that all network traffic is allowed,
and make line-25 unnecessary?

[ ref : http://wiki.apparmor.net/index.php/AppArmor_Core_Policy_Reference#Network_rules ]

As long as the current version of the Strongswan package with farp-plugin installed
will permit a road-warrior client connected to the VPN to 'ping' a LAN-side client
then I would be 100% happy.

Kind Regards,

Steven

On 24/01/2016 23:12, Simon Déziel wrote:
> @Steven, is this still an issue? The diff you showed includes "# network
> all," but this is not in the released version of charon's profile. Maybe
> you had a locally modified profile when you ran into the issue?
>
> Since the charon's profile in Trusty allows all networking, I don't
> think that adding "network packet dgram," makes sense. Would you mind
> confirming whether the problem happened with the stock profile or not?
>
> ** Changed in: strongswan (Ubuntu)
> Status: New => Incomplete
>
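One way to turn the denials quoted in the bug description into a candidate profile rule, and to test the point raised in this message that a bare `network,` already covers everything (so `network raw,` and the proposed `network packet dgram,` add nothing to the stock profile). This is an added example, not code from the bug report, the strongswan package or AppArmor. It assumes the kernel's `protocol=` value for an AF_PACKET socket is the EtherType in network byte order as seen on the reporter's little-endian i386 box (so 1544 decodes to ARP and 8 to IPv4), and its profile check only understands `network [family] [type],` rules; the log lines and profile excerpts are constructed from what the thread quotes.

```python
"""Turn AppArmor socket-creation denials into the narrowest `network` rule
that would satisfy them, and check whether a profile already grants it.

Added example (not part of this bug report or the strongswan package).
Assumptions: the two sample log lines are copied from the report; the
`protocol=` field of an AF_PACKET denial is taken to be the EtherType in
network byte order as seen on the reporter's little-endian i386 host; the
profile-coverage check only understands `network [family] [type],` rules.
"""
import re

# Constructed sample: the two syslog lines quoted in the bug description.
SAMPLE_LOG = """\
Nov 6 14:39:55 VMserver1 kernel: [15238.662619] type=1400 audit(1446820795.972:29): apparmor="DENIED" operation="create" profile="/usr/lib/ipsec/charon" pid=3143 comm="charon" family="packet" sock_type="dgram" protocol=1544
Nov 6 14:39:55 VMserver1 kernel: [15238.677435] type=1400 audit(1446820795.988:30): apparmor="DENIED" operation="create" profile="/usr/lib/ipsec/charon" pid=3143 comm="charon" family="packet" sock_type="dgram" protocol=8
"""

# key=value pairs; values are either "quoted" or a bare token.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# An uncommented `network ...,` rule inside a profile.
NETWORK_RULE_RE = re.compile(r"^\s*network\s*([^,#]*),")

ETHERTYPES = {0x0806: "ARP", 0x0800: "IPv4", 0x86DD: "IPv6"}


def parse_denial(line):
    """Return the audit fields of an AppArmor DENIED line, or None."""
    if 'apparmor="DENIED"' not in line:
        return None
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}


def describe_protocol(family, proto):
    """For AF_PACKET sockets the kernel logs the EtherType as passed to
    socket(2), i.e. htons(ETH_P_*); swap the bytes back (little-endian host
    assumed) and look the value up. Other families are returned as logged."""
    if family != "packet" or proto is None:
        return proto
    p = int(proto)
    ethertype = ((p & 0xFF) << 8) | ((p >> 8) & 0xFF)
    return ETHERTYPES.get(ethertype, hex(ethertype))


def analyze(log_text):
    """Return (rules, details) for every socket-creation denial in log_text:
    rules   - the set of `network <family> <type>,` lines that would allow them
    details - one dict per denial with profile, family, type and protocol name
    """
    rules, details = set(), []
    for line in log_text.splitlines():
        f = parse_denial(line)
        if not f or f.get("operation") != "create" or "family" not in f:
            continue  # not a socket-creation denial
        family, stype = f["family"], f.get("sock_type")
        rule = f"network {family} {stype}," if stype else f"network {family},"
        rules.add(rule)
        details.append({"profile": f.get("profile"), "family": family,
                        "type": stype,
                        "protocol": describe_protocol(family, f.get("protocol"))})
    return rules, details


def profile_network_grants(profile_text):
    """Token tuples of each uncommented network rule; () is the bare
    `network,` rule, which allows all networking."""
    grants = set()
    for line in profile_text.splitlines():
        line = line.split("#", 1)[0]  # a commented `# network all,` grants nothing
        m = NETWORK_RULE_RE.match(line)
        if m:
            grants.add(tuple(m.group(1).split()))
    return grants


def profile_covers(profile_text, family, sock_type):
    """True if the profile already allows sockets of (family, sock_type).
    A one-token rule such as `network raw,` is matched against either the
    family or the type, since AppArmor accepts either in that position."""
    for g in profile_network_grants(profile_text):
        if g == () or g == (family, sock_type):
            return True
        if len(g) == 1 and g[0] in (family, sock_type):
            return True
    return False


# Constructed excerpts: the profile context shown in the proposed-fix hunk,
# and the two rules the thread quotes from the stock Trusty profile.
HUNK_CONTEXT = "  # network all,\n  network raw,\n"
STOCK_TRUSTY = "  network,\n  network raw,\n"

if __name__ == "__main__":
    rules, details = analyze(SAMPLE_LOG)
    for d in details:
        print(f'{d["profile"]}: {d["family"]}/{d["type"]} protocol {d["protocol"]}')
    for fam, typ in sorted({(d["family"], d["type"]) for d in details}):
        print(f"network {fam} {typ},  hunk profile covers: "
              f"{profile_covers(HUNK_CONTEXT, fam, typ)}  stock profile covers: "
              f"{profile_covers(STOCK_TRUSTY, fam, typ)}")
```

Run against the two quoted denials it proposes exactly `network packet dgram,` and decodes the two protocols to ARP and IPv4, which is what a farp plugin answering ARP for a road-warrior address would be expected to open; the coverage check reports that the hunk's own context (with `# network all,` commented out) does not grant the rule, while the stock Trusty excerpt with a bare `network,` already does.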

Revision history for this message
Simon Déziel (sdeziel) wrote :

Hi Steven,

Thanks for the thorough analysis.

On 2016-02-29 05:58 AM, Steven Bishop wrote:
> Hi there,
>
>
> Sending again as message didn't show up in the thread.
>
>
> -------- Forwarded Message --------
>
> Subject: Re: [Bug 1514794] Re: package:strongswan-plugin-farp may need apparmor config change
> Date: Thu, 28 Jan 2016 20:26:48 +0000
> From: Steven Bishop <xxxxxxxxx@xxxxxx>
> To: Bug 1514794 <email address hidden>
>
>
> Hi Simon,
>
>
> Thanks for your email.
>
> Had a quick look back at the details.
>
> I've attached the complete copy of "/etc/apparmor.d/usr.lib.ipsec.charon"
> that I've got installed and running (post-the-patch).
>
> The excerpt I took from "/var/log/syslog" at the time of the bug-report
> showed that apparmor was blocking the dgram packets that the strongswan farp plugin
> was trying to generate when I had a Road-Warrior client connected to the VPN
> and pinging a LAN-side client.
>
>
> Until I put in the patch to "/etc/apparmor.d/usr.lib.ipsec.charon" of :
>
> network packet dgram,
>
> the ping wasn't getting any reply as apparmor was preventing the farp plugin
> from generating the correct traffic for the ping to travel back from the LAN-side client
> and across the VPN boundary.
>
>
> Doing a quick :
>
> $ dpkg -S /etc/apparmor.d/usr.lib.ipsec.charon
>
> returns :
>
> strongswan-ike: /etc/apparmor.d/usr.lib.ipsec.charon
>
>
> Looking in /var/log/auth.log, I can see that I installed :
>
> $ sudo apt-get install strongswan-ikev2
>
> On Oct-17-2015 @ 17:30pm (BST = GMT + 1hr)
>
>
> Looking at the current Trusty repo, the date on their copy is from 15-Nov-2015
> so that working copy is actually newer than my bug-report.
>
> I've pulled down a copy of that particular .deb and looked at
> its copy of /etc/apparmor.d/usr.lib.ipsec.charon.
>
> Looking at the version I've got installed I can see some notable style differences
> in the layout of the file.
> The '#include' statements are all grouped together.
>
> I'm guessing that the package that I "apt-get install"ed on 17-Oct-2015
> has been updated on the Trusty repo since that time.
>
> By the way, the version currently available in the current Trusty repo
> has the 2 lines:
>
> line-24:
> network,
> line-25:
> network raw,
>
>
> If I'm reading this correctly, wouldn't line-24 mean that all network traffic is allowed,
> and make line-25 unnecessary?

That is also my understanding of those 2 rules. Even if the more
specific one is IMHO not necessary, it is causing no harm either.

> As long as the current version of the Strongswan package with farp-plugin installed
> will permit a road-warrior client connected to the VPN to 'ping' a LAN-side client
> then I would be 100% happy.

Now that you are using the up to date profile from Trusty's repo, do you
still get Apparmor denials? And is the plugin working as it should?

Regards,
Simon

Revision history for this message
Launchpad Janitor (janitor) wrote :

[Expired for strongswan (Ubuntu) because there has been no activity for 60 days.]

Changed in strongswan (Ubuntu):
status: Incomplete → Expired