Date | Who | What changed | Old value → New value / action
2016-06-01 13:20:11 | Douglas Kosovic | bug | added bug
2016-06-01 13:43:12 | Simon Déziel | strongswan (Ubuntu): status | New → Incomplete
2016-06-01 13:43:22 | Simon Déziel | bug | added subscriber Simon Déziel
2016-06-25 14:33:08 | Douglas Kosovic | attachment added | /etc/apparmor.d/usr.lib.ipsec.* patch https://bugs.launchpad.net/ubuntu/+source/strongswan/+bug/1587886/+attachment/4690136/+files/usr.lib.ipsec.patch
2016-06-25 20:24:51 | Ubuntu Foundations Team Bug Bot | tags | apport-bug strongswan xenial → apport-bug patch strongswan xenial
2016-06-25 20:24:58 | Ubuntu Foundations Team Bug Bot | bug | added subscriber Ubuntu Review Team
2016-06-29 11:57:53 | Robie Basak | strongswan (Ubuntu): status | Incomplete → Invalid
2016-06-29 11:57:55 | Robie Basak | bug | added subscriber Robie Basak
2016-06-29 14:35:03 | Robie Basak | strongswan (Ubuntu): status | Invalid → Triaged
2016-07-01 23:13:38 | Alberto Salvia Novella | strongswan (Ubuntu): importance | Undecided → High
2016-07-01 23:14:20 | Alberto Salvia Novella | bug task added | hundredpapercuts
2016-07-01 23:14:25 | Alberto Salvia Novella | hundredpapercuts: status | New → Triaged
2016-07-01 23:14:26 | Alberto Salvia Novella | hundredpapercuts: importance | Undecided → High
2016-11-04 08:09:50 | Christian Ehrhardt | strongswan (Ubuntu): assignee | (none) → ChristianEhrhardt (paelzer)
2016-11-04 08:10:48 | Christian Ehrhardt | bug | added subscriber Ubuntu Server Team
2016-11-09 13:44:53 | Christian Ehrhardt | strongswan (Ubuntu): status | Triaged → In Progress
2016-11-19 22:42:53 | Aquib Mir | bug | added subscriber Aquib Mir
2016-12-26 04:17:11 | Launchpad Janitor | strongswan (Ubuntu): status | In Progress → Fix Released
2017-02-07 14:27:44 | Christian Ehrhardt | nominated for series | Ubuntu Xenial
2017-02-07 14:27:44 | Christian Ehrhardt | bug task added | strongswan (Ubuntu Xenial)
2017-02-07 14:28:15 | Christian Ehrhardt | strongswan (Ubuntu Xenial): status | New → Triaged
2017-02-07 14:30:13 | Christian Ehrhardt | strongswan (Ubuntu): assignee | ChristianEhrhardt (paelzer) → (none)
2017-02-07 14:30:15 | Christian Ehrhardt | strongswan (Ubuntu Xenial): assignee | (none) → ChristianEhrhardt (paelzer)
2017-02-07 14:41:08 | Christian Ehrhardt | bug | added subscriber ChristianEhrhardt
2017-02-08 08:56:26 | Christian Ehrhardt | description | old value and new value follow

Old description:
$ lsb_release -rd
Description: Ubuntu 16.04 LTS
Release: 16.04
$ apt-cache policy strongswan
strongswan:
Installed: 5.3.5-1ubuntu3
Candidate: 5.3.5-1ubuntu3
Version table:
*** 5.3.5-1ubuntu3 500
500 http://au.archive.ubuntu.com/ubuntu xenial/main amd64 Packages
500 http://au.archive.ubuntu.com/ubuntu xenial/main i386 Packages
100 /var/lib/dpkg/status
Looks like 'ipsec status' might be causing strongswan's charon to write to run/systemd/journal/dev-log instead of /run/systemd/journal/dev-log and apparmor doesn't like it.
Extract from /etc/apparmor.d/abstractions/base :
/{,var/}run/systemd/journal/dev-log w,
With an established ipsec connection, issue the following :
$ sudo ipsec status
connecting to 'unix:///var/run/charon.ctl' failed: Permission denied
failed to connect to stroke socket 'unix:///var/run/charon.ctl'
$ journalctl
...
Jun 01 12:15:07 ThinkCentre-M900 kernel: audit: type=1400 audit(1464785297.366:491): apparmor="DENIED" operation="connect" info="Failed name lookup - disconnected path" error=-13 profile="/usr/lib/ipsec/charon" name="run/systemd/journal/dev-log" pid=4994 comm="charon" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
...
ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: strongswan 5.3.5-1ubuntu3
ProcVersionSignature: Ubuntu 4.4.0-22.40-generic 4.4.8
Uname: Linux 4.4.0-22-generic x86_64
NonfreeKernelModules: wl
ApportVersion: 2.20.1-0ubuntu2.1
Architecture: amd64
CurrentDesktop: Unity
Date: Wed Jun 1 23:06:53 2016
InstallationDate: Installed on 2016-05-11 (21 days ago)
InstallationMedia: Ubuntu 16.04 LTS "Xenial Xerus" - Release amd64 (20160420.1)
PackageArchitecture: all
SourcePackage: strongswan
UpgradeStatus: No upgrade log present (probably fresh install)

New description:
[Impact]
* Certain strongswan based vpn setups fail, especially those based on
network-manager-l2tp or neutron-vpn-netns-wrapper
* The fix is opening up the apparmor profile slightly for charon and
stroke where paths are disconnected
[Test Case]
* valid VPN setup with network-manager-l2tp, then running "sudo ipsec status"
or
* valid neutron-vpn setup and then
# mkdir /tmp/test
# ip netns add testns
# ip netns exec testns neutron-vpn-netns-wrapper --mount_paths "/var/run:/tmp/test" --cmd "ipsec,status"
In both cases the command fails as it can't reach charon log.
[Regression Potential]
* Since the profile for strongswan is opened up a bit (and not more
restricted) the regression potential for strongswan should be minimal.
* Yet OTOH due to the change there is a slightly higher security risk
now. That said the case seems to be exactly what the feature was
designed for [1] and there are several other packages holding a similar
flag.
[1]: http://wiki.apparmor.net/index.php/ReleaseNotes_2_5#path_name_lookup_and_mediation_of
[Other Info]
* The "valid VPN setup" part of both test cases would need some more
input from the reporters if possible, to ease testing (see comments
#5+#6 and #28+#29 for the current status on tests).
* Unless this is done we have to rely more than usual on the reporters to
verify this.
(followed by the original bug description, repeated unchanged)
2017-02-16 21:00:20 | Brian Murray | bug | added subscriber Brian Murray
2017-02-16 21:01:05 | Brian Murray | strongswan (Ubuntu Xenial): status | Triaged → Fix Committed
2017-02-16 21:01:07 | Brian Murray | bug | added subscriber Ubuntu Stable Release Updates Team
2017-02-16 21:01:10 | Brian Murray | bug | added subscriber SRU Verification
2017-02-16 21:01:21 | Brian Murray | tags | apport-bug patch strongswan xenial → apport-bug patch strongswan verification-needed xenial
2017-02-17 06:36:21 | Christian Ehrhardt | tags | apport-bug patch strongswan verification-needed xenial → apport-bug patch strongswan verification-done xenial
2017-02-17 06:38:10 | Christian Ehrhardt | nominated for series | Ubuntu Yakkety
2017-02-17 06:38:10 | Christian Ehrhardt | bug task added | strongswan (Ubuntu Yakkety)
2017-02-17 06:43:41 | Christian Ehrhardt | tags | apport-bug patch strongswan verification-done xenial → apport-bug patch strongswan verification-needed xenial
2017-02-17 06:45:51 | Christian Ehrhardt | tags | apport-bug patch strongswan verification-needed xenial → apport-bug patch strongswan verification-done xenial
2017-02-17 18:51:57 | Brian Murray | strongswan (Ubuntu Yakkety): status | New → Fix Committed
2017-02-17 18:52:08 | Brian Murray | tags | apport-bug patch strongswan verification-done xenial → apport-bug patch strongswan xenial
2017-02-17 18:52:09 | Brian Murray | tags | apport-bug patch strongswan xenial → apport-bug patch strongswan verification-needed xenial
2017-02-20 07:10:09 | Christian Ehrhardt | tags | apport-bug patch strongswan verification-needed xenial → apport-bug patch strongswan verification-done verification-done-xenial verification-done-yakkety xenial
2017-02-23 21:28:38 | Launchpad Janitor | strongswan (Ubuntu Xenial): status | Fix Committed → Fix Released
2017-02-23 21:28:52 | Brian Murray | removed subscriber Ubuntu Stable Release Updates Team
2017-02-27 23:36:19 | Launchpad Janitor | strongswan (Ubuntu Yakkety): status | Fix Committed → Fix Released
2017-04-09 13:04:47 | Amr Ibrahim | hundredpapercuts: status | Triaged → Fix Released
|
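Added example, not part of the bug record, the attached patch, or the strongswan package: a small Python triage script for AppArmor denials of the kind quoted in the description. It parses `apparmor="DENIED"` audit lines, recognises the `info="Failed name lookup - disconnected path"` case (the `name` carries no leading `/` because the kernel could not resolve the object back to the namespace root, so no path rule in the profile can ever match it), and checks whether the profile's existing rules would cover the path once the profile carries `flags=(attach_disconnected)`, the path-lookup feature the AppArmor 2.5 release notes linked in the description cover. That the Ubuntu fix consists of that flag is an assumption here, since the patch itself is not reproduced on this page. The sample audit lines are constructed (the first copied from the report, the second made up to give a non-disconnected case), and `BASE_RULES` holds only the single `abstractions/base` rule quoted in the report.

```python
import re

# Constructed sample input. The first line is the denial quoted in the bug report;
# the second is an unrelated denial made up here so the script has a non-disconnected
# case to classify.
SAMPLE_AUDIT_LINES = [
    'Jun 01 12:15:07 ThinkCentre-M900 kernel: audit: type=1400 audit(1464785297.366:491): '
    'apparmor="DENIED" operation="connect" info="Failed name lookup - disconnected path" '
    'error=-13 profile="/usr/lib/ipsec/charon" name="run/systemd/journal/dev-log" '
    'pid=4994 comm="charon" requested_mask="w" denied_mask="w" fsuid=0 ouid=0',
    'Jun 01 12:16:00 ThinkCentre-M900 kernel: audit: type=1400 audit(1464785360.000:492): '
    'apparmor="DENIED" operation="open" profile="/usr/lib/ipsec/charon" '
    'name="/home/alice/notes.txt" pid=4994 comm="charon" requested_mask="r" '
    'denied_mask="r" fsuid=0 ouid=0',
]

# The one rule from /etc/apparmor.d/abstractions/base quoted in the report.
BASE_RULES = ['/{,var/}run/systemd/journal/dev-log w,']

# key="quoted value" or key=bare_value
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_audit_line(line):
    """Return the key=value fields of an AppArmor audit line as a dict, or None."""
    if 'apparmor=' not in line:
        return None
    fields = {}
    for m in FIELD_RE.finditer(line):
        key, quoted, bare = m.group(1), m.group(2), m.group(3)
        fields[key] = bare if quoted is None else quoted
    return fields


def glob_to_regex(pattern):
    """Translate the AppArmor path-glob subset used in the base abstraction to a regex
    fragment: '{a,b}' alternation (not nested), '**' (anything), '*' (anything but
    '/'), '?' (one char other than '/'). Everything else is matched literally."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == '{':
            close = pattern.index('}', i)
            alternatives = pattern[i + 1:close].split(',')
            out.append('(?:' + '|'.join(glob_to_regex(a) for a in alternatives) + ')')
            i = close + 1
        elif pattern.startswith('**', i):
            out.append('.*')
            i += 2
        elif c == '*':
            out.append('[^/]*')
            i += 1
        elif c == '?':
            out.append('[^/]')
            i += 1
        else:
            out.append(re.escape(c))
            i += 1
    return ''.join(out)


def compile_rules(rules):
    """Turn 'path perms,' rule lines into (compiled regex, permission set) pairs."""
    compiled = []
    for rule in rules:
        path, perms = rule.strip().rstrip(',').split()
        compiled.append((re.compile('^' + glob_to_regex(path) + '$'), set(perms)))
    return compiled


def rule_allows(compiled_rules, path, mask):
    """True if some rule matches path and grants every permission in mask."""
    return any(rx.match(path) and set(mask) <= perms for rx, perms in compiled_rules)


def triage(audit_lines, rules):
    """Classify DENIED lines. Returns a list of (profile, name, verdict) tuples.

    A denial whose info says 'disconnected path' carries a name with no leading '/':
    the kernel could not resolve the object relative to the namespace root, so no
    path rule can match it. With flags=(attach_disconnected) on the profile the
    object is presented as '/' + name and ordinary rules are consulted, which is
    what the rule_allows() check below simulates (assumed to be the Ubuntu fix).
    """
    compiled = compile_rules(rules)
    results = []
    for line in audit_lines:
        f = parse_audit_line(line)
        if not f or f.get('apparmor') != 'DENIED':
            continue
        name, mask = f.get('name', ''), f.get('denied_mask', '')
        if 'disconnected path' in f.get('info', ''):
            attached = '/' + name.lstrip('/')
            if rule_allows(compiled, attached, mask):
                verdict = ('disconnected path: existing rule would allow %s after '
                           'flags=(attach_disconnected)' % attached)
            else:
                verdict = ('disconnected path: no rule covers %s even with '
                           'attach_disconnected; a path rule is also needed' % attached)
        else:
            verdict = 'ordinary denial: needs an explicit rule or is a real policy violation'
        results.append((f.get('profile', '?'), name, verdict))
    return results


if __name__ == '__main__':
    for profile, name, verdict in triage(SAMPLE_AUDIT_LINES, BASE_RULES):
        print('%s  %s  %s' % (profile, name, verdict))
```

Run it as is to get one verdict per denial; feed it `journalctl -k` output and the profile's own rules to triage a real system. The caveat behind the "slightly higher security risk" sentence in the SRU text is visible in the code path: attach_disconnected makes the kernel treat a disconnected object as if it lived at `/` + name, so a rule written for `/run/systemd/journal/dev-log` also matches an object with that relative name in another mount namespace. The verdict should therefore be read as "the flag would unblock this access", not as proof that nothing else becomes reachable.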