apparmor="DENIED" operation="file_inherit" profile="/usr/sbin/swanctl" name="/dev/net/tun" pid=490601 comm="swanctl" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0

Bug #1875504 reported by Philipp Dreimann
Affects: strongswan (Ubuntu) | Status: Expired | Importance: Undecided | Assigned to: Unassigned | Milestone: none

Bug Description

The swanctl apparmor profile leads to the following deny:

apparmor="DENIED" operation="file_inherit" profile="/usr/sbin/swanctl" name="/dev/net/tun" pid=490601 comm="swanctl" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0

I'm using charon-systemd instead of strongswan-starter.

$ dpkg -l|grep "strongswan\|charon"
ii charon-systemd 5.8.2-1ubuntu3 amd64 strongSwan IPsec client, systemd support
ii libcharon-extauth-plugins 5.8.2-1ubuntu3 amd64 strongSwan charon library (extended authentication plugins)
ii libcharon-extra-plugins 5.8.2-1ubuntu3 amd64 strongSwan charon library (extra plugins)
ii libcharon-standard-plugins 5.8.2-1ubuntu3 all transitional package
ii libstrongswan 5.8.2-1ubuntu3 amd64 strongSwan utility and crypto library
ii libstrongswan-extra-plugins 5.8.2-1ubuntu3 amd64 strongSwan utility and crypto library (extra plugins)
ii strongswan 5.8.2-1ubuntu3 all IPsec VPN solution metapackage
ii strongswan-charon 5.8.2-1ubuntu3 amd64 strongSwan Internet Key Exchange daemon
ii strongswan-libcharon 5.8.2-1ubuntu3 amd64 strongSwan charon library
ii strongswan-pki 5.8.2-1ubuntu3 amd64 strongSwan IPsec client, pki command
ii strongswan-starter 5.8.2-1ubuntu3 amd64 strongSwan daemon starter and configuration file parser
ii strongswan-swanctl 5.8.2-1ubuntu3 amd64 strongSwan IPsec client, swanctl command

Simon Déziel (sdeziel) wrote :

I suspect you are using kernel-libipsec, which would explain why you are running into this, right? Could you please try the following:

cat << EOF | sudo tee -a /etc/apparmor.d/local/usr.sbin.swanctl
  # libcharon-extra-plugins: kernel-libipsec
  /dev/net/tun rw,
EOF
sudo apparmor_parser -rTW /etc/apparmor.d/usr.sbin.swanctl

Then restart strongswan?

If that fixes the problem, I'll submit a pull request. Setting as incomplete until then.

Changed in strongswan (Ubuntu):
status: New → Incomplete
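To make the diagnosis and the proposed drop-in concrete, here is an added example (not code from strongSwan, Ubuntu or anyone in this thread) that parses AppArmor audit lines of the shape quoted in the report and drafts the matching local-override rule, flagging file_inherit denials separately because that operation means the descriptor was open in the parent process and inherited across exec rather than opened by swanctl itself. The sample log lines are constructed, and the helper names are my own.

```python
"""Parse AppArmor audit lines and draft local-override rules for the denials.
Added example for this bug thread; the sample lines are constructed and the
helper names are assumptions, not part of the strongSwan or Ubuntu packages."""
import re
from typing import Dict, List

# key="quoted value" or key=bare pairs, as the audit subsystem prints them
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# canonical order for file permission letters in a profile rule
_MASK_ORDER = "rwamkl"

# Constructed sample: one inherited-fd denial, one allowed open, one open denial.
SAMPLE_LOG = """\
apparmor="DENIED" operation="file_inherit" profile="/usr/sbin/swanctl" name="/dev/net/tun" pid=490601 comm="swanctl" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
apparmor="ALLOWED" operation="open" profile="/usr/sbin/swanctl" name="/etc/swanctl/swanctl.conf" pid=490601 comm="swanctl" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
apparmor="DENIED" operation="open" profile="/usr/sbin/swanctl" name="/etc/strongswan.d/charon/kernel-libipsec.conf" pid=490602 comm="swanctl" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

def parse_line(line: str) -> Dict[str, str]:
    """Split one audit line into a key/value dict."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _KV.finditer(line)}

def denials(log: str) -> List[Dict[str, str]]:
    """Keep only DENIED records that name a file."""
    recs = (parse_line(l) for l in log.splitlines() if l.strip())
    return [r for r in recs if r.get("apparmor") == "DENIED" and "name" in r]

def local_override_path(profile: str) -> str:
    """Drop-in file for a profile: /usr/sbin/swanctl -> /etc/apparmor.d/local/usr.sbin.swanctl."""
    return "/etc/apparmor.d/local/" + profile.lstrip("/").replace("/", ".")

def override_rule(rec: Dict[str, str]) -> str:
    """Draft the rule that would silence this denial, with a note on its origin."""
    mask = "".join(c for c in _MASK_ORDER if c in rec["denied_mask"])
    rule = f"  {rec['name']} {mask},"
    if rec["operation"] == "file_inherit":
        # The fd was already open in the parent and inherited across exec;
        # the confined program never opened it, so check the caller first.
        return ("  # file_inherit: fd inherited from the parent process, not opened by "
                f"{rec['comm']}\n" + rule)
    return rule

def draft_overrides(log: str) -> Dict[str, List[str]]:
    """Group drafted rules by the drop-in file they belong in."""
    out: Dict[str, List[str]] = {}
    for rec in denials(log):
        out.setdefault(local_override_path(rec["profile"]), []).append(override_rule(rec))
    return out
```

After appending the drafted lines to the drop-in file, the profile still has to be reloaded with apparmor_parser as in the comment above.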
Philipp Dreimann (philipp-dreimann) wrote :

No, I'm not running kernel-libipsec.

My configured ipsec connections work despite the apparmor deny action.

Simon Déziel (sdeziel) wrote :

If the libipsec plugin is not loaded then I cannot explain why it would try to use /dev/net/tun, so it's hard to make a case for extending the profile.

Tobias Brunner (tobias-strongswan) wrote :

There are only three components in strongSwan that open TUN devices, charon-xpc (on macOS), the kernel-pfroute plugin (also not on Linux but macOS and *BSD) and kernel-libipsec, as pointed out by Simon. However, swanctl has no business loading kernel plugins (it doesn't by default), as it is no IKE daemon. It just loads configs/credentials and passes them to the daemon via VICI. So no idea where this comes from, unless strongswan.conf or any includes are somehow messed up and swanctl loads that plugin inadvertently.

Philipp Dreimann (philipp-dreimann) wrote :

# grep -R kernel-libipsec /etc/strongswan.* /etc/swanctl/
/etc/strongswan.d/charon/kernel-libipsec.conf:kernel-libipsec {

The whole file /etc/strongswan.d/charon/kernel-libipsec.conf:
kernel-libipsec {
    load = no
}

Anything else that I could check?

Tobias Brunner (tobias-strongswan) wrote :

That file is not relevant for swanctl (unless it was manually included, check the main strongswan.conf file). Check the output of `swanctl --help` (lists the plugins), use strace to see when exactly that access happens.

Lucas Kanashiro (lucaskanashiro) wrote :

Hi Philipp,

Thank you for taking the time to file a bug report.

I was not able to reproduce the issue reported by you using the default configuration provided by the packages. Could you please provide your configuration files? They should live in:

- /etc/strongswan.d/
- /etc/swanctl/
- /etc/strongswan.conf
- /etc/ipsec.conf

You can also use dpkg to help you identify the modified files:

$ sudo dpkg --verify charon-systemd libcharon-extauth-plugins libcharon-extra-plugins libstrongswan strongswan-charon strongswan-libcharon strongswan-pki strongswan-starter strongswan-swanctl

Since there is not enough information in your report to begin triage or to differentiate between a local configuration problem and a bug in Ubuntu, I am marking this bug as "Incomplete". We would be grateful if you would: provide a more complete description of the problem, explain why you believe this is a bug in Ubuntu rather than a problem specific to your system, and then change the bug status back to "New".

For local configuration issues, you can find assistance here:
http://www.ubuntu.com/support/community

Launchpad Janitor (janitor) wrote :

[Expired for strongswan (Ubuntu) because there has been no activity for 60 days.]

Changed in strongswan (Ubuntu):
status: Incomplete → Expired