Default usr.lib.ipsec.stroke profile causes segfault for 'ipsec status'
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| AppArmor | New | Undecided | Unassigned | |
| strongswan (Ubuntu) | Fix Released | Low | Christian Ehrhardt | |
| Bionic | Fix Released | Undecided | Unassigned | |
| Cosmic | Fix Released | Undecided | Unassigned | |
Bug Description
[Impact]
* In unprivileged containers a few extra AppArmor checks seem to trigger, in particular a common pattern that is usually granted with "rmix" on the program's own binary.
* Add that rule to the profile so that stroke no longer segfaults in containers.
[Test Case]
* Take an unprivileged (default) LXD container and install strongswan.
* Then run stroke:
  $ ipsec status
  or directly via:
  $ /usr/lib/
* The same applies to lookip:
  $ /usr/lib/
* Without the fix this segfaults when the binary maps itself.
[Regression Potential]
* This grants ever so slightly more to the profile through AppArmor; no existing functionality should degrade because of it.
[Other Info]
* n/a
---
Symptoms on a Bionic LXD container running on Bionic server:
- I can start the ipsec service with systemctl
- I can also use the ‘ipsec start|restart|stop’ commands
- The VPN tunnel to a remote host is created.
- However when I issue ‘ipsec status|
root@vpn1:~# ipsec statusall
Segmentation fault
I found that ipsec is just a script calling ‘/usr/lib/
root@vpn1:~# strace /usr/lib/
execve(
--- SIGSEGV {si_signo=SIGSEGV, si_code=SI_KERNEL, si_addr=NULL} ---
+++ killed by SIGSEGV +++
Segmentation fault
This is the AppArmor related log entry:
Jul 7 04:53:32 lxd1 kernel: [ 4526.583617] audit: type=1400 audit(153093921
It shows that /usr/lib/
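As an added example (not code from the bug report or the strongswan package), the following script scans kernel audit lines like the one above for AppArmor denials in which a confined program was refused access to its own binary, which is the pattern behind this bug, and prints the "rmix" self-access rule the description says such profiles usually carry. The log lines are constructed, and the path /usr/lib/ipsec/stroke is assumed from the profile name usr.lib.ipsec.stroke.

```sh
#!/bin/sh
# Added example, not code from the bug report or the strongswan package.
# Scans AppArmor audit lines for DENIED events where name == profile (a confined
# program refused access to its own binary) and prints the rule that grants it.
# SAMPLE_LOG is constructed; /usr/lib/ipsec/stroke is assumed from the profile
# name usr.lib.ipsec.stroke.

SAMPLE_LOG='Jul  7 04:53:32 lxd1 kernel: [ 4526.583617] audit: type=1400 audit(1530939212.583:101): apparmor="DENIED" operation="file_mmap" profile="/usr/lib/ipsec/stroke" name="/usr/lib/ipsec/stroke" pid=2345 comm="stroke" requested_mask="m" denied_mask="m" fsuid=0 ouid=0
Jul  7 04:53:40 lxd1 kernel: [ 4534.100000] audit: type=1400 audit(1530939220.100:102): apparmor="DENIED" operation="open" profile="/usr/lib/ipsec/charon" name="/etc/ipsec.secrets" pid=2300 comm="charon" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jul  7 04:53:41 lxd1 kernel: [ 4535.000000] audit: type=1400 audit(1530939221.000:103): apparmor="ALLOWED" operation="file_mmap" profile="/usr/lib/ipsec/lookip" name="/usr/lib/ipsec/lookip" pid=2350 comm="lookip" requested_mask="m" denied_mask="m" fsuid=0 ouid=0'

# Read audit lines on stdin; print "<profile> <denied_mask>" for every DENIED
# event whose accessed path is the profile's own binary. Denials on other
# paths and complain-mode ALLOWED events are ignored.
aa_self_denials() {
    grep 'apparmor="DENIED"' |
    sed -n 's/.*operation="\([^"]*\)".*profile="\([^"]*\)".*name="\([^"]*\)".*denied_mask="\([^"]*\)".*/\1 \2 \3 \4/p' |
    awk '$2 == $3 { print $2, $4 }'
}

# Build the profile rule granting a binary read/mmap/inherit-exec on itself
# ("rmix" is the permission set named in the bug description).
self_access_rule() {
    printf '%s rmix,\n' "$1"
}

# For each offending profile, report the denied mask and the rule it needs.
# The rule belongs in the profile's own file under /etc/apparmor.d/ (here
# assumed to be usr.lib.ipsec.stroke), followed by a profile reload.
report_missing_rules() {
    aa_self_denials | while read -r profile mask; do
        printf 'profile %s denied "%s" on its own binary; needs: ' "$profile" "$mask"
        self_access_rule "$profile"
    done
}

printf '%s\n' "$SAMPLE_LOG" | report_missing_rules
```

On a real system, feed it `dmesg` or `journalctl -k` output instead of the constructed sample.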
Related branches
- Reviewers: Andreas Hasenack: Approve; Canonical Server: Pending requested; git-ubuntu developers: Pending requested
  Diff: 59 lines (+18/-0), 4 files modified: debian/changelog (+10/-0), debian/usr.lib.ipsec.charon (+4/-0), debian/usr.lib.ipsec.lookip (+2/-0), debian/usr.lib.ipsec.stroke (+2/-0)
- Reviewers: Andreas Hasenack: Approve; Canonical Server: Pending requested; git-ubuntu developers: Pending requested
  Diff: 59 lines (+18/-0), 4 files modified: debian/changelog (+10/-0), debian/usr.lib.ipsec.charon (+4/-0), debian/usr.lib.ipsec.lookip (+2/-0), debian/usr.lib.ipsec.stroke (+2/-0)
- Reviewers: Andreas Hasenack: Approve; Canonical Server: Pending requested; git-ubuntu developers: Pending requested
  Diff: 2323 lines (+1744/-90), 22 files modified: debian/changelog (+1317/-0), debian/control (+122/-6), debian/ipsec.secrets.proto (+0/-3), debian/libcharon-extra-plugins.install (+64/-12), debian/libcharon-standard-plugins.install (+19/-0), debian/libstrongswan-extra-plugins.install (+55/-0), debian/libstrongswan.install (+11/-6), debian/patches/dont-load-kernel-libipsec-plugin-by-default.patch (+11/-0), debian/patches/lp1795813-mysql-Don-t-release-the-connection-if-transactions-a.patch (+40/-0), debian/patches/series (+2/-0), debian/rules (+49/-6), debian/strongswan-starter.install (+4/-0), debian/strongswan-starter.postinst (+0/-57), debian/strongswan-tnc-base.install (+16/-0), debian/strongswan-tnc-client.install (+5/-0), debian/strongswan-tnc-ifmap.install (+3/-0), debian/strongswan-tnc-pdp.install (+3/-0), debian/strongswan-tnc-server.install (+10/-0), debian/usr.lib.ipsec.charon (+4/-0), debian/usr.lib.ipsec.lookip (+2/-0), debian/usr.lib.ipsec.stroke (+2/-0), debian/usr.sbin.charon-systemd (+5/-0)
Changed in strongswan (Ubuntu):
  status: Triaged → In Progress
  assignee: nobody → Christian Ehrhardt (paelzer)
Changed in strongswan (Ubuntu Bionic):
  status: Incomplete → Triaged
Changed in strongswan (Ubuntu Cosmic):
  status: Incomplete → Triaged
description: updated
description: updated
Ack, thanks for the report.
Repro is really as easy as: ipsec/stroke status ipsec/stroke
1. get container
2. apt install strongswan
3. any of the commands:
$ ipsec status
$ /usr/lib/
$ /usr/lib/