Comment 3 for bug 1514794

Simon Déziel (sdeziel) wrote : Re: Fwd: Re: [Bug 1514794] Re: package:strongswan-plugin-farp may need apparmor config change

Hi Steven,

Thanks for the thorough analysis.

On 2016-02-29 05:58 AM, Steven Bishop wrote:
> Hi there,
>
>
> Sending again as message didn't show up in the thread.
>
>
> -------- Forwarded Message --------
>
> Subject: Re: [Bug 1514794] Re: package:strongswan-plugin-farp may need apparmor config change
> Date: Thu, 28 Jan 2016 20:26:48 +0000
> From: Steven Bishop <xxxxxxxxx@xxxxxx>
> To: Bug 1514794 <email address hidden>
>
>
> Hi Simon,
>
>
> Thanks for your email.
>
> Had a quick look back at the details.
>
> I've attached the complete copy of "/etc/apparmor.d/usr.lib.ipsec.charon"
> that I've got installed and running (post-the-patch).
>
> The excerpt I took from "/var/log/syslog" at the time of the bug-report
> showed that apparmor was blocking the dgram packets that the strongswan farp plugin
> was trying to generate when I had a Road-Warrior client connected to the VPN
> and pinging a LAN-side client.
>
>
> Until I put in the patch to "/etc/apparmor.d/usr.lib.ipsec.charon" of :
>
> network packet dgram,
>
> the ping wasn't getting any reply as apparmor was preventing the farp plugin
> from generating the correct traffic for the ping to travel back from the LAN-side client
> and across the VPN boundary.
>
>
> Doing a quick :
>
> $ dpkg -S /etc/apparmor.d/usr.lib.ipsec.charon
>
> returns :
>
> strongswan-ike: /etc/apparmor.d/usr.lib.ipsec.charon
>
>
> Looking in /var/log/auth.log, I can see that I installed :
>
> $ sudo apt-get install strongswan-ikev2
>
> On Oct-17-2015 @ 17:30pm (BST = GMT + 1hr)
>
>
> Looking at the current Trusty repo, the date on their copy is from 15-Nov-2015
> so that working copy is actually newer than my bug-report.
>
> I've pulled down a copy of that particular .deb and looked at
> its copy of /etc/apparmor.d/usr.lib.ipsec.charon.
>
> Looking at the version I've got installed I can see some notable style differences
> in the layout of the file.
> The '#include' statements are all grouped together.
>
> I'm guessing that the package that I "apt-get install"ed on 17-Oct-2015
> has been updated on the Trusty repo since that time.
>
> By the way, the version currently available in the current Trusty repo
> has the 2 lines:
>
> line-24:
> network,
> line-25:
> network raw,
>
>
> If I'm reading this correctly, wouldn't line-24 mean that all network traffic is allowed,
> and make line-25 unnecessary?

That is also my understanding of those 2 rules. Even if the more
specific one is IMHO not necessary, it is causing no harm either.

> As long as the current version of the Strongswan package with farp-plugin installed
> will permit a road-warrior client connected to the VPN to 'ping' a LAN-side client
> then I would be 100% happy.

Now that you are using the up to date profile from Trusty's repo, do you
still get Apparmor denials? And is the plugin working as it should?

Regards,
Simon
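The two checks the thread does by hand (does the profile's set of `network` rules cover the socket type charon's farp plugin was denied, and is `network raw,` redundant once a bare `network,` is present) can be scripted. The following is an added example, not code from the bug report, from strongSwan or from the Ubuntu package: it parses `network` rules out of an AppArmor profile and compares them against kernel AppArmor denial lines. The profile fragments and syslog lines are constructed for the example, modelled on the rules quoted above, not copied from the reporter's actual files; the rule-matching logic treats a missing domain or socket type as "any", which is how apparmor.d(5) documents the `network [domain] [type]` syntax, and the domain/type name sets are a subset chosen here. Rules pulled in via `#include` are not followed.

```python
import re

# Socket domains and types recognised in AppArmor `network` rules.
# Subset of the apparmor.d(5) vocabulary, chosen for this example.
DOMAINS = {"inet", "inet6", "packet", "unix", "netlink", "bluetooth", "ax25", "ipx"}
TYPES = {"stream", "dgram", "seqpacket", "rdm", "raw"}

# `network`, optionally followed by domain and/or type, ending at the comma.
NETWORK_RULE = re.compile(r"^\s*network\b([^,]*),")

# Kernel audit-style AppArmor denial for a socket operation.
DENIAL = re.compile(
    r'apparmor="DENIED".*?profile="(?P<profile>[^"]+)"'
    r'.*?family="(?P<family>[^"]+)".*?sock_type="(?P<sock_type>[^"]+)"'
)


def parse_network_rules(profile_text):
    """Return a list of (domain, sock_type) tuples; None means 'any'."""
    rules = []
    for line in profile_text.splitlines():
        line = line.split("#", 1)[0]  # drops comments and '#include' lines
        m = NETWORK_RULE.match(line)
        if not m:
            continue
        domain = sock_type = None
        for tok in m.group(1).split():
            if tok in DOMAINS and domain is None:
                domain = tok
            elif tok in TYPES and sock_type is None:
                sock_type = tok
            else:
                raise ValueError(f"unrecognised network rule token: {tok!r}")
        rules.append((domain, sock_type))
    return rules


def parse_denials(log_text):
    """Return (profile, family, sock_type) for each AppArmor socket denial."""
    return [
        (m.group("profile"), m.group("family"), m.group("sock_type"))
        for m in (DENIAL.search(line) for line in log_text.splitlines())
        if m
    ]


def subsumes(broad, narrow):
    """True if every socket allowed by `narrow` is also allowed by `broad`."""
    bd, bt = broad
    nd, nt = narrow
    return (bd is None or bd == nd) and (bt is None or bt == nt)


def uncovered_denials(profile_text, log_text, profile_path="/usr/lib/ipsec/charon"):
    """Denials for `profile_path` that no `network` rule in the profile allows."""
    rules = parse_network_rules(profile_text)
    return [
        d for d in parse_denials(log_text)
        if d[0] == profile_path and not any(subsumes(r, (d[1], d[2])) for r in rules)
    ]


def redundant_rules(profile_text):
    """`network` rules fully subsumed by a different, broader rule in the same profile."""
    rules = parse_network_rules(profile_text)
    return [r for r in rules if any(o != r and subsumes(o, r) for o in rules)]


# Constructed profile fragments modelled on the rules discussed in the thread.
PROFILE_BEFORE = """\
#include <tunables/global>
/usr/lib/ipsec/charon {
  #include <abstractions/base>
  capability net_admin,
  network raw,
}
"""
PROFILE_PATCHED = PROFILE_BEFORE.replace("  network raw,", "  network packet dgram,\n  network raw,")
PROFILE_TRUSTY = PROFILE_BEFORE.replace("  network raw,", "  network,\n  network raw,")

# Constructed syslog lines in the kernel's AppArmor audit format (not the
# reporter's real excerpt): farp trying to open an AF_PACKET datagram socket.
SYSLOG = """\
Oct 17 17:35:02 vpn kernel: [ 1234.567890] audit: type=1400 audit(1445099702.123:45): apparmor="DENIED" operation="create" profile="/usr/lib/ipsec/charon" pid=2345 comm="charon" family="packet" sock_type="dgram" protocol=768
Oct 17 17:35:02 vpn kernel: [ 1234.567891] audit: type=1400 audit(1445099702.124:46): apparmor="DENIED" operation="create" profile="/usr/lib/ipsec/charon" pid=2345 comm="charon" family="packet" sock_type="dgram" protocol=768
"""

if __name__ == "__main__":
    for name, prof in [("before", PROFILE_BEFORE), ("patched", PROFILE_PATCHED), ("trusty", PROFILE_TRUSTY)]:
        print(name, "uncovered:", uncovered_denials(prof, SYSLOG), "redundant:", redundant_rules(prof))
```

Run against a real host, the profile text would come from `/etc/apparmor.d/usr.lib.ipsec.charon` and the log text from `/var/log/syslog` (or `journalctl -k`); an empty `uncovered_denials` list answers the question Simon asks at the end of the thread, and a non-empty `redundant_rules` list shows the `network raw,` line is harmless but unnecessary beside a bare `network,`.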