Comment 0 for bug 1780534

Andras Dosztal (adosztal) wrote :

Symptoms on Bionic server:
- I can start the ipsec service with systemctl
- I can also use the ‘ipsec start|restart|stop’ commands
- The VPN tunnel to a remote host is created.
- However, when I issue ‘ipsec status|statusall|listxxx|etc’ commands, I get a segfault:
    root@vpn1:~# ipsec statusall
    Segmentation fault

I found that ipsec is just a script calling ‘/usr/lib/ipsec/stroke’ for getting the status, and this process fails:
    root@vpn1:~# strace /usr/lib/ipsec/stroke statusall
    execve("/usr/lib/ipsec/stroke", ["/usr/lib/ipsec/stroke", "statusall"], 0x7fff5d0ae198 /* 14 vars */) = -1 EACCES (Permission denied)
    --- SIGSEGV {si_signo=SIGSEGV, si_code=SI_KERNEL, si_addr=NULL} ---
    +++ killed by SIGSEGV +++
    Segmentation fault

This is the AppArmor related log entry:
    Jul 7 04:53:32 lxd1 kernel: [ 4526.583617] audit: type=1400 audit(1530939212.389:68): apparmor="DENIED" operation="file_mmap" namespace="root//lxd-vpn1_<var-lib-lxd>" profile="/usr/lib/ipsec/stroke" name="/usr/lib/ipsec/stroke" pid=3372 comm="stroke" requested_mask="m" denied_mask="m" fsuid=100000 ouid=100000

It shows that /usr/lib/ipsec/stroke needs rights for mmap operations, which are not included in the /etc/apparmor.d/usr.lib.ipsec.stroke file. I added it (see attachment, line 26) and the error is gone.
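To show how a denial like the one above is turned into a profile rule, here is an added example that is not part of the bug report or of the strongswan/AppArmor packages. It parses `apparmor="DENIED"` audit lines (the sample input is the line quoted above plus one constructed unrelated line) and prints, per profile, the file rule that grants exactly the denied mask. The rule form `/usr/lib/ipsec/stroke m,` is standard AppArmor syntax; whether it matches the reporter's attachment line 26 is an assumption, since the attachment is not shown here.

```python
import re

# Constructed sample: the kernel audit line from the report above, plus one
# unrelated syslog line to show that non-AppArmor entries are skipped.
SAMPLE_LOG = """\
Jul 7 04:53:32 lxd1 kernel: [ 4526.583617] audit: type=1400 audit(1530939212.389:68): apparmor="DENIED" operation="file_mmap" namespace="root//lxd-vpn1_<var-lib-lxd>" profile="/usr/lib/ipsec/stroke" name="/usr/lib/ipsec/stroke" pid=3372 comm="stroke" requested_mask="m" denied_mask="m" fsuid=100000 ouid=100000
Jul 7 04:53:33 lxd1 systemd[1]: Started Session 12 of user root.
"""

# key="quoted value" or key=bareword, as the audit subsystem prints them
FIELD_RE = re.compile(r'(\w+)="([^"]*)"|(\w+)=(\S+)')

# Meaning of the permission letters in requested_mask / denied_mask
MASK_NAMES = {
    "r": "read", "w": "write", "a": "append", "m": "mmap PROT_EXEC",
    "x": "execute", "k": "file lock", "l": "link",
}


def parse_apparmor_line(line):
    """Return the key/value fields of an AppArmor DENIED audit line, else None."""
    if 'apparmor="DENIED"' not in line:
        return None
    fields = {}
    for m in FIELD_RE.finditer(line):
        if m.group(1) is not None:
            fields[m.group(1)] = m.group(2)
        else:
            fields[m.group(3)] = m.group(4)
    return fields


def describe_mask(mask):
    """Expand a mask such as 'rm' into 'read, mmap PROT_EXEC'."""
    return ", ".join(MASK_NAMES.get(ch, "?" + ch) for ch in mask)


def denial_to_rule(fields):
    """Build the file rule that grants the denied mask, or None for non-file ops.

    Only file_* operations carry a path in name=; other denials (network,
    capability, signal, ...) need different rule types and are not handled.
    """
    if not fields.get("operation", "").startswith("file_"):
        return None
    path = fields.get("name")
    mask = fields.get("denied_mask") or fields.get("requested_mask")
    if not path or not mask:
        return None
    return "%s %s," % (path, mask)


def suggest_rules(log_text):
    """Map each profile to the list of distinct file rules its denials need."""
    rules = {}
    for line in log_text.splitlines():
        fields = parse_apparmor_line(line)
        if fields is None:
            continue
        rule = denial_to_rule(fields)
        if rule is None:
            continue
        bucket = rules.setdefault(fields["profile"], [])
        if rule not in bucket:
            bucket.append(rule)
    return rules


if __name__ == "__main__":
    for profile, rules in suggest_rules(SAMPLE_LOG).items():
        print("# rules missing from profile %s" % profile)
        for rule in rules:
            mask = rule.rsplit(" ", 1)[1].rstrip(",")
            print("  %-40s # %s" % (rule, describe_mask(mask)))
```

The emitted line belongs inside the `/usr/lib/ipsec/stroke { ... }` block of /etc/apparmor.d/usr.lib.ipsec.stroke; after editing, reload that one profile with `apparmor_parser -r /etc/apparmor.d/usr.lib.ipsec.stroke` and re-run `ipsec statusall`, then check the audit log again: a correct fix produces no further DENIED line for that profile. The script deliberately grants only the mask the kernel refused rather than a broad `rwx`, which keeps the profile at least privilege.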