Buffer overflow when open fds exceed FD_SETSIZE
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
strongswan (Ubuntu) | Fix Released | Undecided | Unassigned |
Trusty | Won't Fix | Undecided | Unassigned |
Bug Description
Under some conditions AppArmor denies access to /usr/lib/
Feb 24 07:06:04 vpn-01 kernel: [548017.000283] type=1400 audit(145629756
Feb 24 07:06:10 vpn-01 charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.1.2, Linux 3.13.0-48-generic, x86_64)
I'm not sure why charon requests RW access to /dev/tty, but it started after installing and configuring the xauth-eap plugin (it allows an EAP plugin to be used as the backend for XAuth credential verification).
When strongSwan is used with a RADIUS backend this creates additional issues besides client reconnection (RADIUS continues to think that all users are still logged in).
# lsb_release -rd
Description: Ubuntu 14.04.3 LTS
Release: 14.04
# apt-cache policy strongswan
strongswan:
Installed: 5.1.2-0ubuntu2.4
Candidate: 5.1.2-0ubuntu2.4
Version table:
*** 5.1.2-0ubuntu2.4 0
500 http://
500 http://
100 /var/lib/
5.1.2-0ubuntu2 0
500 http://
# apt-cache policy strongswan-
strongswan-
Installed: 5.1.2-0ubuntu2.4
Candidate: 5.1.2-0ubuntu2.4
Version table:
*** 5.1.2-0ubuntu2.4 0
500 http://
500 http://
100 /var/lib/
5.1.2-0ubuntu2 0
500 http://
# apt-cache policy apparmor
apparmor:
Installed: 2.8.95~
Candidate: 2.8.95~
Version table:
*** 2.8.95~
500 http://
100 /var/lib/
2.
500 http://
2.
500 http://
Right now I've disabled AppArmor for strongSwan and will continue to monitor this:
# sudo apparmor_parser -R /etc/apparmor.
# sudo apparmor_parser -R /etc/apparmor.
# sudo ln -s /etc/apparmor.
# sudo ln -s /etc/apparmor.
# sudo apparmor_status
apparmor module is loaded.
5 profiles are loaded.
5 profiles are in enforce mode.
/sbin/dhclient
/usr/
/usr/
/usr/sbin/named
/usr/
0 profiles are in complain mode.
2 processes have profiles defined.
2 processes are in enforce mode.
/sbin/dhclient (697)
/usr/sbin/named (1097)
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
# sudo cat /etc/apparmor.
# -------
#
# Copyright (C) 2013 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# Author: Jonathan Davies <email address hidden>
#
# -------
#include <tunables/global>
/usr/lib/
#include <abstractions/base>
#include <abstractions/
#include <abstractions/
#include <abstractions/
capability net_admin,
capability net_raw,
network,
network raw,
/bin/dash rmPUx,
/etc/ipsec.conf r,
/etc/
/etc/
/etc/ipsec.d/ r,
/etc/ipsec.d/** r,
/etc/
/etc/
/etc/
/etc/tnc_config r,
/proc/
/run/charon.* rw,
/usr/
/usr/
/usr/
# Site-specific additions and overrides. See local/README for details.
#include <local/
}
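Rather than unloading the whole profile with apparmor_parser -R, the usual fix for a denial like the one above is to add the missing rule to the profile's local override file (the #include <local/...> at the end of the profile; on Ubuntu these live under /etc/apparmor.d/local/) and reload the profile. The script below is an added example, not code from the bug report or from the strongSwan or AppArmor projects: it reads kernel audit lines, keeps only the apparmor="DENIED" ones, and prints one rule per (profile, path) pair with the denied permission letters merged, so repeated denials for /dev/tty collapse to a single line. The sample log lines and the profile path /usr/lib/ipsec/charon are constructed for the example (the report's own audit line and profile path are truncated); the exec denial is included only to show that a bare "x" cannot be turned into a rule automatically.

```shell
#!/bin/sh
# Added example (not from the bug report, strongSwan or AppArmor).
# Converts AppArmor DENIED audit lines into rule lines for a profile's
# local override file. Audit keys used: profile=, name=, denied_mask=.

# Constructed sample input. Profile path and timestamps are assumptions;
# the last line is a non-audit line and must be ignored.
SAMPLE_DENIALS='Feb 24 07:06:04 vpn-01 kernel: [548017.000283] type=1400 audit(1456297564.000:37): apparmor="DENIED" operation="open" profile="/usr/lib/ipsec/charon" name="/dev/tty" pid=1234 comm="charon" requested_mask="rw" denied_mask="rw" fsuid=0 ouid=0
Feb 24 07:06:04 vpn-01 kernel: [548017.000301] type=1400 audit(1456297564.000:38): apparmor="DENIED" operation="open" profile="/usr/lib/ipsec/charon" name="/dev/tty" pid=1234 comm="charon" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Feb 24 07:06:05 vpn-01 kernel: [548017.000410] type=1400 audit(1456297565.000:39): apparmor="DENIED" operation="mknod" profile="/usr/lib/ipsec/charon" name="/var/log/charon-xauth.log" pid=1234 comm="charon" requested_mask="wc" denied_mask="wc" fsuid=0 ouid=0
Feb 24 07:06:05 vpn-01 kernel: [548017.000500] type=1400 audit(1456297565.000:40): apparmor="DENIED" operation="exec" profile="/usr/lib/ipsec/charon" name="/usr/bin/foo" pid=1234 comm="charon" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
Feb 24 07:06:10 vpn-01 charon: 00[DMN] Starting IKE charon daemon'

# Read audit lines on stdin; print rules grouped under a comment naming
# the profile, one rule per path with all denied permission letters merged.
# "c" (create) and "d" (delete) in a denied_mask are covered by "w" in
# profile syntax. A bare "x" is not a valid permission, so exec denials
# get a comment asking for a hand-written ix/Px/Ux rule instead.
apparmor_denials_to_rules() {
    awk '
    /apparmor="DENIED"/ {
        prof = ""; name = ""; mask = ""
        for (i = 1; i <= NF; i++) {
            p = index($i, "=")
            if (p == 0) continue
            k = substr($i, 1, p - 1)
            v = substr($i, p + 1)
            gsub(/"/, "", v)
            if (k == "profile") prof = v
            else if (k == "name") name = v
            else if (k == "denied_mask") mask = v
        }
        if (prof == "" || name == "" || mask == "") next
        if (!(prof in pseen)) { pseen[prof] = 1; plist[++np] = prof }
        key = prof SUBSEP name
        if (!(key in nseen)) { nseen[key] = 1; nlist[prof] = nlist[prof] name "\n" }
        perms[key] = perms[key] mask
    }
    END {
        letters = "rwalkm"
        for (a = 1; a <= np; a++) {
            prof = plist[a]
            printf "# denials for profile %s\n", prof
            n = split(nlist[prof], names, "\n")
            for (b = 1; b <= n; b++) {
                name = names[b]
                if (name == "") continue
                key = prof SUBSEP name
                m = perms[key]
                if (index(m, "c") || index(m, "d")) m = m "w"
                out = ""
                for (c = 1; c <= length(letters); c++) {
                    l = substr(letters, c, 1)
                    if (index(m, l)) out = out l
                }
                if (index(m, "x"))
                    printf "# %s: exec denied; add an explicit ix/Px/Ux rule by hand\n", name
                if (out != "") printf "  %s %s,\n", name, out
            }
        }
    }'
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_DENIALS" | apparmor_denials_to_rules
```

In practice you would feed it `journalctl -k` or /var/log/kern.log output, review each generated line (a wildcard or a narrower path may be more appropriate than the literal name), append the lines to the override file, and reload with `apparmor_parser -r` on the profile. The existing profile is left untouched, so package updates do not overwrite the fix.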
@ruslan_ka, after disabling the AppArmor profiles, did you receive a prompt for a user/password or something when starting strongSwan?