2018-07-07 10:16:38 |
Andras Dosztal |
bug |
|
|
added bug |
2018-07-07 10:16:38 |
Andras Dosztal |
attachment added |
|
modified_ipsec_stroke_apparmor_profile.txt https://bugs.launchpad.net/bugs/1780534/+attachment/5160738/+files/modified_ipsec_stroke_apparmor_profile.txt |
|
2018-07-07 10:17:39 |
Andras Dosztal |
description |
Symptoms on Bionic server:
- I can start the ipsec service with systemctl
- I can also use the ‘ipsec start|restart|stop’ commands
- The VPN tunnel to a remote host is created.
- However, when I issue ‘ipsec status|statusall|listxxx|etc’ commands, I get a segfault:
root@vpn1:~# ipsec statusall
Segmentation fault
I found that ipsec is just a script calling ‘/usr/lib/ipsec/stroke’ for getting the status, and this process fails:
root@vpn1:~# strace /usr/lib/ipsec/stroke statusall
execve("/usr/lib/ipsec/stroke", ["/usr/lib/ipsec/stroke", "statusall"], 0x7fff5d0ae198 /* 14 vars */) = -1 EACCES (Permission denied)
--- SIGSEGV {si_signo=SIGSEGV, si_code=SI_KERNEL, si_addr=NULL} ---
+++ killed by SIGSEGV +++
Segmentation fault
This is the AppArmor-related log entry:
Jul 7 04:53:32 lxd1 kernel: [ 4526.583617] audit: type=1400 audit(1530939212.389:68): apparmor="DENIED" operation="file_mmap" namespace="root//lxd-vpn1_<var-lib-lxd>" profile="/usr/lib/ipsec/stroke" name="/usr/lib/ipsec/stroke" pid=3372 comm="stroke" requested_mask="m" denied_mask="m" fsuid=100000 ouid=100000
It shows that /usr/lib/ipsec/stroke needs rights for mmap operations, which are not included in the /etc/apparmor.d/usr.lib.ipsec.stroke file. I added it (see attachment, line 26) and the error is gone. |
Symptoms on Bionic server:
- I can start the ipsec service with systemctl
- I can also use the ‘ipsec start|restart|stop’ commands
- The VPN tunnel to a remote host is created.
- However, when I issue ‘ipsec status|statusall|listxxx|etc’ commands, I get a segfault:
root@vpn1:~# ipsec statusall
Segmentation fault
I found that ipsec is just a script calling ‘/usr/lib/ipsec/stroke’ for getting the status, and this process fails with permission denied:
root@vpn1:~# strace /usr/lib/ipsec/stroke statusall
execve("/usr/lib/ipsec/stroke", ["/usr/lib/ipsec/stroke", "statusall"], 0x7fff5d0ae198 /* 14 vars */) = -1 EACCES (Permission denied)
--- SIGSEGV {si_signo=SIGSEGV, si_code=SI_KERNEL, si_addr=NULL} ---
+++ killed by SIGSEGV +++
Segmentation fault
This is the AppArmor-related log entry:
Jul 7 04:53:32 lxd1 kernel: [ 4526.583617] audit: type=1400 audit(1530939212.389:68): apparmor="DENIED" operation="file_mmap" namespace="root//lxd-vpn1_<var-lib-lxd>" profile="/usr/lib/ipsec/stroke" name="/usr/lib/ipsec/stroke" pid=3372 comm="stroke" requested_mask="m" denied_mask="m" fsuid=100000 ouid=100000
It shows that /usr/lib/ipsec/stroke needs rights for mmap operations, which are not included in the /etc/apparmor.d/usr.lib.ipsec.stroke file. I added it (see attachment, line 26) and the error is gone. |
|
2018-07-07 10:18:04 |
Andras Dosztal |
description |
Symptoms on Bionic server:
- I can start the ipsec service with systemctl
- I can also use the ‘ipsec start|restart|stop’ commands
- The VPN tunnel to a remote host is created.
- However, when I issue ‘ipsec status|statusall|listxxx|etc’ commands, I get a segfault:
root@vpn1:~# ipsec statusall
Segmentation fault
I found that ipsec is just a script calling ‘/usr/lib/ipsec/stroke’ for getting the status, and this process fails with permission denied:
root@vpn1:~# strace /usr/lib/ipsec/stroke statusall
execve("/usr/lib/ipsec/stroke", ["/usr/lib/ipsec/stroke", "statusall"], 0x7fff5d0ae198 /* 14 vars */) = -1 EACCES (Permission denied)
--- SIGSEGV {si_signo=SIGSEGV, si_code=SI_KERNEL, si_addr=NULL} ---
+++ killed by SIGSEGV +++
Segmentation fault
This is the AppArmor-related log entry:
Jul 7 04:53:32 lxd1 kernel: [ 4526.583617] audit: type=1400 audit(1530939212.389:68): apparmor="DENIED" operation="file_mmap" namespace="root//lxd-vpn1_<var-lib-lxd>" profile="/usr/lib/ipsec/stroke" name="/usr/lib/ipsec/stroke" pid=3372 comm="stroke" requested_mask="m" denied_mask="m" fsuid=100000 ouid=100000
It shows that /usr/lib/ipsec/stroke needs rights for mmap operations, which are not included in the /etc/apparmor.d/usr.lib.ipsec.stroke file. I added it (see attachment, line 26) and the error is gone. |
Symptoms on Bionic:
- I can start the ipsec service with systemctl
- I can also use the ‘ipsec start|restart|stop’ commands
- The VPN tunnel to a remote host is created.
- However, when I issue ‘ipsec status|statusall|listxxx|etc’ commands, I get a segfault:
root@vpn1:~# ipsec statusall
Segmentation fault
I found that ipsec is just a script calling ‘/usr/lib/ipsec/stroke’ for getting the status, and this process fails with permission denied:
root@vpn1:~# strace /usr/lib/ipsec/stroke statusall
execve("/usr/lib/ipsec/stroke", ["/usr/lib/ipsec/stroke", "statusall"], 0x7fff5d0ae198 /* 14 vars */) = -1 EACCES (Permission denied)
--- SIGSEGV {si_signo=SIGSEGV, si_code=SI_KERNEL, si_addr=NULL} ---
+++ killed by SIGSEGV +++
Segmentation fault
This is the AppArmor-related log entry:
Jul 7 04:53:32 lxd1 kernel: [ 4526.583617] audit: type=1400 audit(1530939212.389:68): apparmor="DENIED" operation="file_mmap" namespace="root//lxd-vpn1_<var-lib-lxd>" profile="/usr/lib/ipsec/stroke" name="/usr/lib/ipsec/stroke" pid=3372 comm="stroke" requested_mask="m" denied_mask="m" fsuid=100000 ouid=100000
It shows that /usr/lib/ipsec/stroke needs rights for mmap operations, which are not included in the /etc/apparmor.d/usr.lib.ipsec.stroke file. I added it (see attachment, line 26) and the error is gone. |
|
2018-07-07 10:18:42 |
Andras Dosztal |
description |
Symptoms on Bionic:
- I can start the ipsec service with systemctl
- I can also use the ‘ipsec start|restart|stop’ commands
- The VPN tunnel to a remote host is created.
- However, when I issue ‘ipsec status|statusall|listxxx|etc’ commands, I get a segfault:
root@vpn1:~# ipsec statusall
Segmentation fault
I found that ipsec is just a script calling ‘/usr/lib/ipsec/stroke’ for getting the status, and this process fails with permission denied:
root@vpn1:~# strace /usr/lib/ipsec/stroke statusall
execve("/usr/lib/ipsec/stroke", ["/usr/lib/ipsec/stroke", "statusall"], 0x7fff5d0ae198 /* 14 vars */) = -1 EACCES (Permission denied)
--- SIGSEGV {si_signo=SIGSEGV, si_code=SI_KERNEL, si_addr=NULL} ---
+++ killed by SIGSEGV +++
Segmentation fault
This is the AppArmor-related log entry:
Jul 7 04:53:32 lxd1 kernel: [ 4526.583617] audit: type=1400 audit(1530939212.389:68): apparmor="DENIED" operation="file_mmap" namespace="root//lxd-vpn1_<var-lib-lxd>" profile="/usr/lib/ipsec/stroke" name="/usr/lib/ipsec/stroke" pid=3372 comm="stroke" requested_mask="m" denied_mask="m" fsuid=100000 ouid=100000
It shows that /usr/lib/ipsec/stroke needs rights for mmap operations, which are not included in the /etc/apparmor.d/usr.lib.ipsec.stroke file. I added it (see attachment, line 26) and the error is gone. |
Symptoms on a Bionic LXD container running on Bionic server:
- I can start the ipsec service with systemctl
- I can also use the ‘ipsec start|restart|stop’ commands
- The VPN tunnel to a remote host is created.
- However, when I issue ‘ipsec status|statusall|listxxx|etc’ commands, I get a segfault:
root@vpn1:~# ipsec statusall
Segmentation fault
I found that ipsec is just a script calling ‘/usr/lib/ipsec/stroke’ for getting the status, and this process fails with permission denied:
root@vpn1:~# strace /usr/lib/ipsec/stroke statusall
execve("/usr/lib/ipsec/stroke", ["/usr/lib/ipsec/stroke", "statusall"], 0x7fff5d0ae198 /* 14 vars */) = -1 EACCES (Permission denied)
--- SIGSEGV {si_signo=SIGSEGV, si_code=SI_KERNEL, si_addr=NULL} ---
+++ killed by SIGSEGV +++
Segmentation fault
This is the AppArmor-related log entry:
Jul 7 04:53:32 lxd1 kernel: [ 4526.583617] audit: type=1400 audit(1530939212.389:68): apparmor="DENIED" operation="file_mmap" namespace="root//lxd-vpn1_<var-lib-lxd>" profile="/usr/lib/ipsec/stroke" name="/usr/lib/ipsec/stroke" pid=3372 comm="stroke" requested_mask="m" denied_mask="m" fsuid=100000 ouid=100000
It shows that /usr/lib/ipsec/stroke needs rights for mmap operations, which are not included in the /etc/apparmor.d/usr.lib.ipsec.stroke file. I added it (see attachment, line 26) and the error is gone. |
|
2018-07-10 00:21:22 |
Seth Arnold |
bug task added |
|
strongswan (Ubuntu) |
|
2018-07-11 15:10:59 |
Joshua Powers |
bug |
|
|
added subscriber Ubuntu Server |
2018-12-03 13:04:06 |
Christian Ehrhardt |
strongswan (Ubuntu): status |
New |
Triaged |
|
2018-12-03 13:04:11 |
Christian Ehrhardt |
nominated for series |
|
Ubuntu Cosmic |
|
2018-12-03 13:04:11 |
Christian Ehrhardt |
bug task added |
|
strongswan (Ubuntu Cosmic) |
|
2018-12-03 13:04:11 |
Christian Ehrhardt |
nominated for series |
|
Ubuntu Bionic |
|
2018-12-03 13:04:11 |
Christian Ehrhardt |
bug task added |
|
strongswan (Ubuntu Bionic) |
|
2018-12-03 13:10:37 |
Christian Ehrhardt |
strongswan (Ubuntu): importance |
Undecided |
Low |
|
2018-12-03 13:34:12 |
Christian Ehrhardt |
strongswan (Ubuntu Bionic): status |
New |
Incomplete |
|
2018-12-03 13:34:14 |
Christian Ehrhardt |
strongswan (Ubuntu Cosmic): status |
New |
Incomplete |
|
2018-12-03 15:06:55 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~paelzer/ubuntu/+source/strongswan/+git/strongswan/+merge/360004 |
|
2018-12-05 15:50:28 |
Andreas Hasenack |
strongswan (Ubuntu): status |
Triaged |
In Progress |
|
2018-12-05 15:50:41 |
Andreas Hasenack |
strongswan (Ubuntu): assignee |
|
Christian Ehrhardt (paelzer) |
|
2018-12-07 11:26:36 |
Launchpad Janitor |
strongswan (Ubuntu): status |
In Progress |
Fix Released |
|
2018-12-07 11:26:36 |
Launchpad Janitor |
cve linked |
|
2018-16151 |
|
2018-12-07 11:26:36 |
Launchpad Janitor |
cve linked |
|
2018-16152 |
|
2018-12-07 11:26:36 |
Launchpad Janitor |
cve linked |
|
2018-17540 |
|
2018-12-10 06:43:36 |
Christian Ehrhardt |
strongswan (Ubuntu Bionic): status |
Incomplete |
Triaged |
|
2018-12-10 06:43:38 |
Christian Ehrhardt |
strongswan (Ubuntu Cosmic): status |
Incomplete |
Triaged |
|
2018-12-10 08:04:03 |
Christian Ehrhardt |
description |
Symptoms on a Bionic LXD container running on Bionic server:
- I can start the ipsec service with systemctl
- I can also use the ‘ipsec start|restart|stop’ commands
- The VPN tunnel to a remote host is created.
- However, when I issue ‘ipsec status|statusall|listxxx|etc’ commands, I get a segfault:
root@vpn1:~# ipsec statusall
Segmentation fault
I found that ipsec is just a script calling ‘/usr/lib/ipsec/stroke’ for getting the status, and this process fails with permission denied:
root@vpn1:~# strace /usr/lib/ipsec/stroke statusall
execve("/usr/lib/ipsec/stroke", ["/usr/lib/ipsec/stroke", "statusall"], 0x7fff5d0ae198 /* 14 vars */) = -1 EACCES (Permission denied)
--- SIGSEGV {si_signo=SIGSEGV, si_code=SI_KERNEL, si_addr=NULL} ---
+++ killed by SIGSEGV +++
Segmentation fault
This is the AppArmor-related log entry:
Jul 7 04:53:32 lxd1 kernel: [ 4526.583617] audit: type=1400 audit(1530939212.389:68): apparmor="DENIED" operation="file_mmap" namespace="root//lxd-vpn1_<var-lib-lxd>" profile="/usr/lib/ipsec/stroke" name="/usr/lib/ipsec/stroke" pid=3372 comm="stroke" requested_mask="m" denied_mask="m" fsuid=100000 ouid=100000
It shows that /usr/lib/ipsec/stroke needs rights for mmap operations, which are not included in the /etc/apparmor.d/usr.lib.ipsec.stroke file. I added it (see attachment, line 26) and the error is gone. |
[Impact]
* In unprivileged containers there seem to be a few extra apparmor checks triggering, in particular a common pattern that usually is granted with "rmix" on its own binary.
* Add the rule to the profile to avoid stroke segfaulting in containers
[Test Case]
* Take an unprivileged (default) LXD container and install strongswan
* Then run stroke:
$ ipsec status
or directly via:
$ /usr/lib/ipsec/stroke
* Without the fix this segfaults on mapping its own binary
[Regression Potential]
* This is granting ever so slightly more to it through apparmor; there should be no existing functionality degraded by it.
[Other Info]
* n/a
---
Symptoms on a Bionic LXD container running on Bionic server:
- I can start the ipsec service with systemctl
- I can also use the ‘ipsec start|restart|stop’ commands
- The VPN tunnel to a remote host is created.
- However, when I issue ‘ipsec status|statusall|listxxx|etc’ commands, I get a segfault:
root@vpn1:~# ipsec statusall
Segmentation fault
I found that ipsec is just a script calling ‘/usr/lib/ipsec/stroke’ for getting the status, and this process fails with permission denied:
root@vpn1:~# strace /usr/lib/ipsec/stroke statusall
execve("/usr/lib/ipsec/stroke", ["/usr/lib/ipsec/stroke", "statusall"], 0x7fff5d0ae198 /* 14 vars */) = -1 EACCES (Permission denied)
--- SIGSEGV {si_signo=SIGSEGV, si_code=SI_KERNEL, si_addr=NULL} ---
+++ killed by SIGSEGV +++
Segmentation fault
This is the AppArmor-related log entry:
Jul 7 04:53:32 lxd1 kernel: [ 4526.583617] audit: type=1400 audit(1530939212.389:68): apparmor="DENIED" operation="file_mmap" namespace="root//lxd-vpn1_<var-lib-lxd>" profile="/usr/lib/ipsec/stroke" name="/usr/lib/ipsec/stroke" pid=3372 comm="stroke" requested_mask="m" denied_mask="m" fsuid=100000 ouid=100000
It shows that /usr/lib/ipsec/stroke needs rights for mmap operations, which are not included in the /etc/apparmor.d/usr.lib.ipsec.stroke file. I added it (see attachment, line 26) and the error is gone. |
|
2018-12-12 14:52:10 |
Christian Ehrhardt |
description |
[Impact]
* In unprivileged containers there seem to be a few extra apparmor checks triggering, in particular a common pattern that usually is granted with "rmix" on its own binary.
* Add the rule to the profile to avoid stroke segfaulting in containers
[Test Case]
* Take an unprivileged (default) LXD container and install strongswan
* Then run stroke:
$ ipsec status
or directly via:
$ /usr/lib/ipsec/stroke
* Without the fix this segfaults on mapping its own binary
[Regression Potential]
* This is granting ever so slightly more to it through apparmor; there should be no existing functionality degraded by it.
[Other Info]
* n/a
---
Symptoms on a Bionic LXD container running on Bionic server:
- I can start the ipsec service with systemctl
- I can also use the ‘ipsec start|restart|stop’ commands
- The VPN tunnel to a remote host is created.
- However, when I issue ‘ipsec status|statusall|listxxx|etc’ commands, I get a segfault:
root@vpn1:~# ipsec statusall
Segmentation fault
I found that ipsec is just a script calling ‘/usr/lib/ipsec/stroke’ for getting the status, and this process fails with permission denied:
root@vpn1:~# strace /usr/lib/ipsec/stroke statusall
execve("/usr/lib/ipsec/stroke", ["/usr/lib/ipsec/stroke", "statusall"], 0x7fff5d0ae198 /* 14 vars */) = -1 EACCES (Permission denied)
--- SIGSEGV {si_signo=SIGSEGV, si_code=SI_KERNEL, si_addr=NULL} ---
+++ killed by SIGSEGV +++
Segmentation fault
This is the AppArmor-related log entry:
Jul 7 04:53:32 lxd1 kernel: [ 4526.583617] audit: type=1400 audit(1530939212.389:68): apparmor="DENIED" operation="file_mmap" namespace="root//lxd-vpn1_<var-lib-lxd>" profile="/usr/lib/ipsec/stroke" name="/usr/lib/ipsec/stroke" pid=3372 comm="stroke" requested_mask="m" denied_mask="m" fsuid=100000 ouid=100000
It shows that /usr/lib/ipsec/stroke needs rights for mmap operations, which are not included in the /etc/apparmor.d/usr.lib.ipsec.stroke file. I added it (see attachment, line 26) and the error is gone. |
[Impact]
* In unprivileged containers there seem to be a few extra apparmor checks triggering, in particular a common pattern that usually is granted with "rmix" on its own binary.
* Add the rule to the profile to avoid stroke segfaulting in containers
[Test Case]
* Take an unprivileged (default) LXD container and install strongswan
* Then run stroke:
$ ipsec status
or directly via:
$ /usr/lib/ipsec/stroke
Same for lookip:
$ /usr/lib/ipsec/lookip
* Without the fix this segfaults on mapping its own binary
[Regression Potential]
* This is granting ever so slightly more to it through apparmor; there should be no existing functionality degraded by it.
[Other Info]
* n/a
---
Symptoms on a Bionic LXD container running on Bionic server:
- I can start the ipsec service with systemctl
- I can also use the ‘ipsec start|restart|stop’ commands
- The VPN tunnel to a remote host is created.
- However, when I issue ‘ipsec status|statusall|listxxx|etc’ commands, I get a segfault:
root@vpn1:~# ipsec statusall
Segmentation fault
I found that ipsec is just a script calling ‘/usr/lib/ipsec/stroke’ for getting the status, and this process fails with permission denied:
root@vpn1:~# strace /usr/lib/ipsec/stroke statusall
execve("/usr/lib/ipsec/stroke", ["/usr/lib/ipsec/stroke", "statusall"], 0x7fff5d0ae198 /* 14 vars */) = -1 EACCES (Permission denied)
--- SIGSEGV {si_signo=SIGSEGV, si_code=SI_KERNEL, si_addr=NULL} ---
+++ killed by SIGSEGV +++
Segmentation fault
This is the AppArmor-related log entry:
Jul 7 04:53:32 lxd1 kernel: [ 4526.583617] audit: type=1400 audit(1530939212.389:68): apparmor="DENIED" operation="file_mmap" namespace="root//lxd-vpn1_<var-lib-lxd>" profile="/usr/lib/ipsec/stroke" name="/usr/lib/ipsec/stroke" pid=3372 comm="stroke" requested_mask="m" denied_mask="m" fsuid=100000 ouid=100000
It shows that /usr/lib/ipsec/stroke needs rights for mmap operations, which are not included in the /etc/apparmor.d/usr.lib.ipsec.stroke file. I added it (see attachment, line 26) and the error is gone. |
|
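The audit line quoted in the report and the "rmix on its own binary" convention from the SRU template together describe a small triage routine: read the kernel's AppArmor DENIED records, work out which path and permission mask were refused, check whether the profile already has a rule covering them, and otherwise propose the rule to add. The Python below is an added example, not code from this bug, from strongSwan or from Ubuntu's packaging. The first log line is the one quoted above; the second and third log lines and both profile fragments are constructed for the example and are not the real /etc/apparmor.d/usr.lib.ipsec.stroke or the attached fixed profile. The profile checker is deliberately simplified: it matches paths literally (no AppArmor globbing or abstractions) and only handles file denials.

```python
"""Triage AppArmor DENIED audit lines against a profile and propose missing rules.

Added example (not from the bug report or the strongswan package). The profile
checker is simplified: literal path matching, file rules only, no #include
expansion.
"""
import re

# Constructed sample log. Line 1 is the audit entry quoted in the bug report;
# lines 2 and 3 are made up here to show the general case (a denial on another
# path, and an ALLOWED record that must not produce a rule).
SAMPLE_LOG = """\
Jul 7 04:53:32 lxd1 kernel: [ 4526.583617] audit: type=1400 audit(1530939212.389:68): apparmor="DENIED" operation="file_mmap" namespace="root//lxd-vpn1_<var-lib-lxd>" profile="/usr/lib/ipsec/stroke" name="/usr/lib/ipsec/stroke" pid=3372 comm="stroke" requested_mask="m" denied_mask="m" fsuid=100000 ouid=100000
Jul 7 04:53:40 lxd1 kernel: [ 4534.100000] audit: type=1400 audit(1530939220.100:69): apparmor="DENIED" operation="open" profile="/usr/lib/ipsec/stroke" name="/etc/ipsec.example.conf" pid=3380 comm="stroke" requested_mask="r" denied_mask="r" fsuid=100000 ouid=0
Jul 7 04:53:41 lxd1 kernel: [ 4535.000000] audit: type=1400 audit(1530939221.000:70): apparmor="ALLOWED" operation="open" profile="/usr/lib/ipsec/stroke" name="/etc/example.conf" pid=3381 comm="stroke" requested_mask="r" denied_mask="r" fsuid=100000 ouid=0
"""

# Constructed profile fragments (not the real Ubuntu profile): one that grants
# only read on the binary, and the same one with the conventional "rmix" rule.
PROFILE_BEFORE = """\
/usr/lib/ipsec/stroke {
  #include <abstractions/base>
  /usr/lib/ipsec/stroke r,
  /var/run/charon.ctl rw,
}
"""
PROFILE_AFTER = PROFILE_BEFORE.replace(
    "/usr/lib/ipsec/stroke r,", "/usr/lib/ipsec/stroke rmix,")

# key="quoted value" or key=bareword, as the kernel's audit format emits them
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# a plain file rule: optional "owner", absolute path, permission letters, comma
_RULE = re.compile(r'^\s*(?:owner\s+)?(/\S+)\s+([a-zA-Z]+),\s*$')


def parse_audit_line(line):
    """Return the key/value fields of one AppArmor audit record, or None if the
    line is not an AppArmor record at all."""
    if 'apparmor="' not in line:
        return None
    return {key: quoted or bare for key, quoted, bare in _KV.findall(line)}


def denied_events(log_text):
    """All records in log_text with apparmor="DENIED", in log order."""
    events = []
    for line in log_text.splitlines():
        event = parse_audit_line(line)
        if event and event.get("apparmor") == "DENIED":
            events.append(event)
    return events


def proposed_rule(event):
    """Suggest the file rule that would have satisfied this denial.

    As the SRU text notes, a profile's own binary is conventionally granted
    "rmix"; any other path gets exactly the mask that was denied. Records
    without a path (network, capability, ...) return None."""
    name, mask = event.get("name"), event.get("denied_mask")
    if not name or not mask:
        return None
    if name == event.get("profile"):
        return f"{name} rmix,"
    return f"{name} {mask},"


def profile_grants(profile_text, path, mask):
    """True if a rule names `path` literally with every letter of `mask`."""
    for line in profile_text.splitlines():
        match = _RULE.match(line)
        if match and match.group(1) == path and set(mask) <= set(match.group(2)):
            return True
    return False


def missing_rules(log_text, profile_text):
    """Rules the profile still needs to clear every DENIED record in the log."""
    rules = []
    for event in denied_events(log_text):
        if profile_grants(profile_text, event.get("name", ""), event.get("denied_mask", "")):
            continue
        rule = proposed_rule(event)
        if rule and rule not in rules:
            rules.append(rule)
    return rules


if __name__ == "__main__":
    for rule in missing_rules(SAMPLE_LOG, PROFILE_BEFORE):
        print("missing before fix:", rule)
    print("missing after fix:", missing_rules(SAMPLE_LOG, PROFILE_AFTER))
```

Against PROFILE_BEFORE the script proposes `/usr/lib/ipsec/stroke rmix,` for the mmap denial from the report plus the unrelated read rule; against PROFILE_AFTER only the unrelated rule remains, which is the check a reviewer would want before and after applying a profile change like the one in the merge proposals above. For real profiles, the interactive aa-logprof tool from apparmor-utils does the same job with full globbing and abstraction support.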
2018-12-12 15:09:20 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~paelzer/ubuntu/+source/strongswan/+git/strongswan/+merge/360800 |
|
2018-12-12 15:10:04 |
Christian Ehrhardt |
merge proposal linked |
|
https://code.launchpad.net/~paelzer/ubuntu/+source/strongswan/+git/strongswan/+merge/360801 |
|
2018-12-18 17:21:14 |
Brian Murray |
strongswan (Ubuntu Cosmic): status |
Triaged |
Fix Committed |
|
2018-12-18 17:21:16 |
Brian Murray |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
2018-12-18 17:21:19 |
Brian Murray |
bug |
|
|
added subscriber SRU Verification |
2018-12-18 17:21:22 |
Brian Murray |
tags |
ipsec strongswan |
ipsec strongswan verification-needed verification-needed-cosmic |
|
2018-12-18 17:27:58 |
Brian Murray |
strongswan (Ubuntu Bionic): status |
Triaged |
Fix Committed |
|
2018-12-18 17:28:04 |
Brian Murray |
tags |
ipsec strongswan verification-needed verification-needed-cosmic |
ipsec strongswan verification-needed verification-needed-bionic verification-needed-cosmic |
|
2019-01-07 14:36:54 |
Christian Ehrhardt |
tags |
ipsec strongswan verification-needed verification-needed-bionic verification-needed-cosmic |
ipsec strongswan verification-done verification-done-bionic verification-done-cosmic |
|
2019-01-08 17:37:21 |
Launchpad Janitor |
strongswan (Ubuntu Bionic): status |
Fix Committed |
Fix Released |
|
2019-01-08 17:37:34 |
Brian Murray |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|
2019-01-08 17:37:49 |
Launchpad Janitor |
strongswan (Ubuntu Cosmic): status |
Fix Committed |
Fix Released |
|