Ubuntu
strongswan package

swanctl apparmor DENIED on ppc64el LXD

Bug #1999935 reported by Andreas Hasenack on 2022-12-16

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	strongswan (Ubuntu)	Fix Released	Undecided	Andreas Hasenack

Bug Description

Given a very peculiar set of conditions, swanctl will segfault because apparmor will deny its execution on a ppc64el lunar LXD:

root@l1:~# swanctl
Segmentation fault

[Fri Dec 16 18:55:58 2022] audit: type=1400 audit(1671216959.000:460): apparmor="DENIED" operation="file_mmap" class="file" namespace="root//lxd-l1_<var-snap-lxd-common-lxd>" profile="/usr/sbin/swanctl" name="/usr/sbin/swanctl" pid=31224 comm="swanctl" requested_mask="m" denied_mask="m" fsuid=1000000 ouid=1000000

This was flagged in the new DEP8 test I added to this package in the lunar cycle:

https://autopkgtest.ubuntu.com/results/autopkgtest-lunar/lunar/ppc64el/s/strongswan/20221216_174334_42f08@/log.gz

This does not happen in other architectures in lunar, just ppc64el.

Adding the "m" flag to the swanctl binary rule fixes the issue.

Revision history for this message

Launchpad Janitor (janitor) wrote on 2022-12-26:

This bug was fixed in the package strongswan - 5.9.8-3ubuntu2

---------------
strongswan (5.9.8-3ubuntu2) lunar; urgency=medium

* d/usr.sbin.swanctl: allow "m" flag for /usr/sbin/swanctl
(LP: #1999935)

-- Andreas Hasenack <email address hidden> Fri, 16 Dec 2022 16:07:51 -0300

Changed in strongswan (Ubuntu):
status:	In Progress → Fix Released

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.

Ubuntustrongswan package

swanctl apparmor DENIED on ppc64el LXD

Bug Description

Other bug subscribers

Remote bug watches

Ubuntu
strongswan package