Activity log for bug #1786250

Date | Who | What changed | Old value | New value | Message
2018-08-09 13:45:01 | fermulator | bug | | | added bug
2018-08-09 13:48:47 | fermulator | summary | strongswan (charon) is rejected by apparmor to read /proc/<PID/fd | strongswan (charon) is rejected by apparmor to read /proc/<PID>/fd |
2018-08-09 13:50:21 | fermulator | attachment added | | usr.lib.ipsec.charon https://bugs.launchpad.net/ubuntu/+source/strongswan/+bug/1786250/+attachment/5173346/+files/usr.lib.ipsec.charon |
2018-08-10 07:40:24 | Christian Ehrhardt | bug | | | added subscriber Christian Ehrhardt
2018-08-10 16:50:23 | Christian Ehrhardt | bug | | | added subscriber Ubuntu Server
2018-08-10 16:50:27 | Christian Ehrhardt | strongswan (Ubuntu): status | New | Triaged |
2018-08-10 16:50:35 | Christian Ehrhardt | tags | | server-next |
2018-08-10 16:51:14 | Christian Ehrhardt | tags | server-next | bitesize server-next |
2018-08-20 13:44:05 | fermulator | strongswan (Ubuntu): assignee | | fermulator (fermulator) |
2018-08-20 13:51:42 | fermulator | attachment added | | proposal for fix to charon apparmor profile https://bugs.launchpad.net/ubuntu/+source/strongswan/+bug/1786250/+attachment/5178029/+files/0001-As-per-LP-1786250-user-noted-audit-failures-in-syste.patch |
2018-08-20 14:13:45 | fermulator | strongswan (Ubuntu): status | Triaged | In Progress |
2018-08-20 14:45:35 | fermulator | merge proposal linked | | https://code.launchpad.net/~fermulator/ubuntu/+source/strongswan/+git/strongswan/+merge/353423 |
2018-08-20 16:21:19 | Ubuntu Foundations Team Bug Bot | tags | bitesize server-next | bitesize patch server-next |
2018-08-20 16:21:27 | Ubuntu Foundations Team Bug Bot | bug | | | added subscriber Ubuntu Review Team
2018-09-07 16:25:09 | Karl Stenerud | description | (old value below) | (new value below) |

Old value:

Used to work fine in Ubuntu 16.04 LTS, and Ubuntu 17.10.

ii strongswan 5.6.2-1ubuntu2 all IPsec VPN solution metapackage

A while ago I upgraded to 18.04 LTS and had consistent issues with strongswan ipsec connectivity VPN.

BASELINE INFO:
```
$ sudo ipsec statusall
Status of IKE charon daemon (strongSwan 5.6.2, Linux 4.15.0-29-generic, x86_64):
  uptime: 13 seconds, since Aug 09 09:27:35 2018
  malloc: sbrk 3268608, mmap 532480, used 1280560, free 1988048
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
  loaded plugins: charon test-vectors unbound ldap pkcs11 tpm aesni aes rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey dnscert ipseckey pem openssl gcrypt af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac hmac ctr ccm gcm ntru bliss curl soup mysql sqlite attr kernel-netlink resolve socket-default connmark farp stroke vici updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam xauth-noauth tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp whitelist lookip error-notify certexpire led radattr addrblock unity counters
Listening IP addresses:
  1.0.0.6
  192.168.130.9
  192.168.140.17
  192.168.130.14
  192.168.140.2
  172.17.0.1
  192.168.122.1
Connections:
  <SITE_SNIPPED>primary:  %any...<SITE_SNIPPED>primary.<SNIPPED>.com  IKEv2, dpddelay=30s
  <SITE_SNIPPED>primary:   local:  [<USER_SNIPPED>] uses EAP_MSCHAPV2 authentication
  <SITE_SNIPPED>primary:   remote: [OU=Domain Control Validated, CN=<SNIPPED>.com] uses public key authentication
  <SITE_SNIPPED>primary:   child:  192.168.140.0/24 === 192.168.128.0/17 10.0.0.0/8 172.16.0.0/12 TUNNEL, dpdaction=clear
  <SITE_SNIPPED>secondary:  %any...<SITE_SNIPPED>secondary.<SNIPPED>.com  IKEv2, dpddelay=30s
  <SITE_SNIPPED>secondary:   local:  [<USER_SNIPPED>] uses EAP_MSCHAPV2 authentication
  <SITE_SNIPPED>secondary:   remote: [OU=Domain Control Validated, CN=<SNIPPED>.com] uses public key authentication
  <SITE_SNIPPED>secondary:   child:  192.168.130.0/24 === 192.168.128.0/17 10.0.0.0/8 172.16.0.0/12 TUNNEL, dpdaction=clear
Routed Connections:
  <SITE_SNIPPED>secondary{2}:  ROUTED, TUNNEL, reqid 2
  <SITE_SNIPPED>secondary{2}:   192.168.130.0/24 === 10.0.0.0/8 172.16.0.0/12 192.168.128.0/17
  <SITE_SNIPPED>primary{1}:  ROUTED, TUNNEL, reqid 1
  <SITE_SNIPPED>primary{1}:   192.168.140.0/24 === 10.0.0.0/8 172.16.0.0/12 192.168.128.0/17
Security Associations (0 up, 0 connecting):
  none
```

Then we do:
```
sudo ipsec up <CONNECTION_NAME>
... all the goods happen ... but near the end:
IKE_SA <CONNECTION_NAME>[1] established between 1.0.0.6[<USER_SNIPPED>]...64.7.137.180[OU=Domain Control Validated, CN=<SNIPPED_HOST>.com]
scheduling reauthentication in 56358s
maximum IKE_SA lifetime 56538s
installing DNS server 192.168.194.20 via resolvconf
installing DNS server 192.168.196.20 via resolvconf
<<HANGS FOREVER>>
```

the DNSes are successfully added to resolvconf (/etc/resolv.conf) - however the resolution doesn't work, and no routes work with the VPN.

After a fresh reboot, this works. No end of ipsec/strongswan service restarts gets the system out of this "stuck state";

--
Typical workflow (reproduction notes)
 1. fresh boot
 2. VPN connections fine
 3. work work work
 4. disconnect VPN
 5. use system for personal use (or don't)
 6. suspend system overnight
 7. resume system morning
 8. VPN BROKEN as noted above
--

Digging more, I see these errors in dmesg
```
...
[34218.436021] audit: type=1400 audit(1533821247.602:169): apparmor="DENIED" operation="open" profile="/usr/lib/ipsec/charon" name="/proc/21179/fd/" pid=21179 comm="charon" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[34368.429799] audit: type=1400 audit(1533821397.596:170): apparmor="DENIED" operation="open" profile="/usr/lib/ipsec/charon" name="/proc/22483/fd/" pid=22483 comm="charon" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[34368.437049] audit: type=1400 audit(1533821397.604:171): apparmor="DENIED" operation="open" profile="/usr/lib/ipsec/charon" name="/proc/22493/fd/" pid=22493 comm="charon" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[34380.630335] audit: type=1400 audit(1533821409.796:172): apparmor="DENIED" operation="open" profile="/usr/lib/ipsec/charon" name="/proc/22656/fd/" pid=22656 comm="charon" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[34395.681889] audit: type=1400 audit(1533821424.847:173): apparmor="DENIED" operation="open" profile="/usr/lib/ipsec/charon" name="/proc/22882/fd/" pid=22882 comm="charon" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[34395.688730] audit: type=1400 audit(1533821424.855:174): apparmor="DENIED" operation="open" profile="/usr/lib/ipsec/charon" name="/proc/22888/fd/" pid=22888 comm="charon" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
...
```

Does this have anything to do with why the connection is hanging? I have no idea.

Tried this:
```
$ sudo /etc/init.d/apparmor status
● apparmor.service - AppArmor initialization
   Loaded: loaded (/lib/systemd/system/apparmor.service; enabled; vendor preset: enabled)
   Active: active (exited) since Thu 2018-08-09 09:19:09 EDT; 15min ago
     Docs: man:apparmor(7)
           http://wiki.apparmor.net/
  Process: 9518 ExecStop=/etc/init.d/apparmor stop (code=exited, status=0/SUCCESS)
  Process: 14731 ExecStart=/etc/init.d/apparmor start (code=exited, status=0/SUCCESS)
 Main PID: 14731 (code=exited, status=0/SUCCESS)

Aug 09 09:19:06 fermmy systemd[1]: Starting AppArmor initialization...
Aug 09 09:19:06 fermmy apparmor[14731]:  * Starting AppArmor profiles
Aug 09 09:19:06 fermmy apparmor[14731]: Skipping profile in /etc/apparmor.d/disable: usr.bin.firefox
Aug 09 09:19:06 fermmy apparmor[14731]: Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd
Aug 09 09:19:09 fermmy apparmor[14731]:    ...done.
Aug 09 09:19:09 fermmy systemd[1]: Started AppArmor initialization.

$ sudo /etc/init.d/apparmor stop
[ ok ] Stopping apparmor (via systemctl): apparmor.service.
```

REPEAT TEST
 * restart strongswan
 * unroute all connections manually (sudo ipsec unroute <CONNECTION>)

_wtf_, apparmor is STILL rejecting it! (even though it's stopped?)
```
[34756.774786] audit: type=1400 audit(1533821785.933:177): apparmor="DENIED" operation="open" profile="/usr/lib/ipsec/charon" name="/proc/26204/fd/" pid=26204 comm="charon" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
```

-- NO ACCESS to /proc ;/
```
$ cd /etc/apparmor.d
$ grep -rins charon * | grep proc
(EMPTY)
```

-- need to unload charon profile
```
$ sudo apparmor_parser -R /etc/apparmor.d/usr.lib.ipsec.charon
```
but STILL, rejecting
```
[35206.129530] audit: type=1400 audit(1533822235.279:249): apparmor="DENIED" operation="open" profile="/usr/lib/ipsec/charon" name="/proc/30951/fd/" pid=30951 comm="charon" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
```

New value:

[Impact]
strongswan needs to read from /proc/<PID>/fd
In some configurations, when apparmor blocks access, strongswan fails to set up properly.

[Test Case]
Unable to set up a reliable test case.

[Regression Potential]
This is an expansion of permissions, which may increase the attack surface of strongswan.

[Original Description]
(the old value above, unchanged)
2018-09-07 16:26:58 | Karl Stenerud | strongswan (Ubuntu): assignee | fermulator (fermulator) | Karl Stenerud (kstenerud) |
2018-09-07 16:33:34 | Karl Stenerud | description | (old value below) | (new value below) |

Old value: the new value of the 2018-09-07 16:25:09 description change, unchanged ([Impact], [Test Case], [Regression Potential], [Original Description]).

New value: identical, except that the [Test Case] section now reads:

[Test Case]
Unable to set up a reliable test case.
Tried setting up a VPN between two hosts, restarting strongswan, taking the eth device down and up, setting and removing routes, rebooting. Nothing seemed to trigger it.
2018-09-24 13:11:07 | Christian Ehrhardt | strongswan (Ubuntu): assignee | Karl Stenerud (kstenerud) | Christian Ehrhardt (paelzer) |
2018-09-25 08:24:11 | Launchpad Janitor | merge proposal linked | | https://code.launchpad.net/~paelzer/ubuntu/+source/strongswan/+git/strongswan/+merge/355589 |
2018-10-04 13:37:19 | Andreas Hasenack | strongswan (Ubuntu): assignee | Christian Ehrhardt (paelzer) | Andreas Hasenack (ahasenack) |
2018-10-04 13:43:39 | Launchpad Janitor | merge proposal linked | | https://code.launchpad.net/~ahasenack/ubuntu/+source/strongswan/+git/strongswan/+merge/356135 |
2018-10-04 23:02:00 | Launchpad Janitor | strongswan (Ubuntu): status | In Progress | Fix Released |
2018-10-08 14:16:30 | Andreas Hasenack | bug | | | added subscriber Andreas Hasenack
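The audit records quoted in the bug description are the whole evidence the fix rests on, and the [Regression Potential] note is about how much permission that fix grants. The following is an added example, not code from the report, from Ubuntu's strongswan packaging or from AppArmor: it parses type=1400 apparmor="DENIED" lines as printed by dmesg, groups them by profile, normalized path and denied access, and derives the narrowest rule each group would need. It assumes the profile includes AppArmor's standard tunables (so @{PROC} and @{pid} are defined) and the sample input is the report's own denial lines plus one constructed non-audit line; the rule it prints is derived from the log, not the change in the linked merge proposals, which this page does not reproduce.

```python
"""Parse AppArmor DENIED audit records (as printed in dmesg) and derive the
minimal profile rule each distinct denial would need.

Added example for LP #1786250; not code from the report, from Ubuntu's
strongswan package or from AppArmor. Rule text assumes the profile pulls
in the standard tunables that define @{PROC} and @{pid}.
"""
import re
from collections import OrderedDict

# key="quoted value" or key=bare_value, as emitted in type=1400 audit records.
_KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')
# /proc/<pid>/<rest>: the pid component is replaced by the @{pid} variable.
_PROC_PID_RE = re.compile(r'^/proc/(\d+)(/.*)$')

# Denial lines quoted from the bug report's dmesg excerpts, plus one
# constructed non-audit line to show that unrelated lines are skipped.
SAMPLE_DMESG = [
    '[34218.436021] audit: type=1400 audit(1533821247.602:169): apparmor="DENIED" operation="open" profile="/usr/lib/ipsec/charon" name="/proc/21179/fd/" pid=21179 comm="charon" requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
    '[34368.429799] audit: type=1400 audit(1533821397.596:170): apparmor="DENIED" operation="open" profile="/usr/lib/ipsec/charon" name="/proc/22483/fd/" pid=22483 comm="charon" requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
    '[34368.437049] audit: type=1400 audit(1533821397.604:171): apparmor="DENIED" operation="open" profile="/usr/lib/ipsec/charon" name="/proc/22493/fd/" pid=22493 comm="charon" requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
    '[34756.774786] audit: type=1400 audit(1533821785.933:177): apparmor="DENIED" operation="open" profile="/usr/lib/ipsec/charon" name="/proc/26204/fd/" pid=26204 comm="charon" requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
    '[35206.129530] audit: type=1400 audit(1533822235.279:249): apparmor="DENIED" operation="open" profile="/usr/lib/ipsec/charon" name="/proc/30951/fd/" pid=30951 comm="charon" requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
    '[35210.000000] wlp2s0: associated',  # constructed noise line, not an audit record
]


def parse_apparmor_denial(line):
    """Return the fields of an apparmor="DENIED" record as a dict
    (pid/fsuid/ouid converted to int), or None for any other line."""
    if 'apparmor="DENIED"' not in line:
        return None
    fields = {}
    for m in _KV_RE.finditer(line):
        key, quoted, bare = m.group(1), m.group(3), m.group(4)
        fields[key] = quoted if quoted is not None else bare
    for key in ('pid', 'fsuid', 'ouid'):
        if key in fields:
            fields[key] = int(fields[key])
    return fields


def normalize_path(name, accessing_pid):
    """Rewrite /proc/<pid>/... to @{PROC}/@{pid}/... for use in a rule, and
    report whether the pid in the path is the accessing process itself."""
    m = _PROC_PID_RE.match(name)
    if not m:
        return name, False
    return '@{PROC}/@{pid}' + m.group(2), int(m.group(1)) == accessing_pid


def propose_rules(lines):
    """Aggregate denials per (profile, normalized path, denied mask) and
    return [(profile, rule, count, self_only)].

    The `owner` qualifier is kept only if every denial in the group had
    fsuid == ouid, which is exactly what `owner` enforces. @{pid} matches
    any pid, so `owner` + @{pid} is the tightest rule that can be written
    for a process reading its own /proc entry; self_only records whether
    every observed access was in fact to the process's own entry."""
    groups = OrderedDict()
    for line in lines:
        f = parse_apparmor_denial(line)
        if f is None or 'name' not in f or 'denied_mask' not in f:
            continue
        path, is_self = normalize_path(f['name'], f.get('pid'))
        key = (f['profile'], path, f['denied_mask'])
        g = groups.setdefault(key, {'count': 0, 'owner': True, 'self': True})
        g['count'] += 1
        g['owner'] = g['owner'] and f.get('fsuid') == f.get('ouid')
        g['self'] = g['self'] and is_self
    rules = []
    for (profile, path, mask), g in groups.items():
        qualifier = 'owner ' if g['owner'] else ''
        rules.append((profile, '%s%s %s,' % (qualifier, path, mask), g['count'], g['self']))
    return rules


if __name__ == '__main__':
    for profile, rule, count, self_only in propose_rules(SAMPLE_DMESG):
        print('%s: %s  # seen %d times, self-access only: %s' % (profile, rule, count, self_only))
```

Two things the parsed fields make visible that a glance at dmesg does not: in every quoted record the pid inside name= equals pid=, so charon is listing its own fd directory rather than another process's, and fsuid=0 ouid=0 throughout, so an `owner`-qualified rule would have satisfied all of them. Separately, a DENIED record carrying profile="/usr/lib/ipsec/charon" is only emitted while a profile of that name is loaded in enforce mode, so it is the kernel's own statement about what is loaded; `aa-status` lists the loaded profiles and their mode.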