Bug#866327: charon-systemd: Create AppArmor profiles for /usr/sbin/swanctl and /usr/sbin/charon-systemd

2017-07-03 Thread Gerald Turner
On Fri, Jun 30 2017, Yves-Alexis Perez wrote:
> Thanks! I've integrated your changes locally and will test a few days,
> but I have a quite simple setup too.

Great!

> One thing I noticed:
>
> juin 30 15:35:03 scapa kernel: audit: type=1400
> audit(1498829703.597:80): apparmor="DENIED" operation="open"
> profile="/usr/sbin/charon-systemd" name="/proc/8865/fd/" pid=8865
> comm="charon-systemd" requested_mask="r" denied_mask="r" fsuid=0
> ouid=0
>
> But it doesn't seem to prevent it from working correctly.

Perhaps that originates from the function "closefrom(lowfd)" in
src/libstrongswan/utils/utils.c, invoked by the function
"process_start(...)"  in src/libstrongswan/utils/process.c, invoked by
updown, resolve, ext_auth, and eap_sim plugins.  I'm not using any of
those plugins.  My guess is the following AppArmor profile entry would
suffice:

  @{PROC}/@{pid}/fd/ r,

-- 
Gerald Turner Encrypted mail preferred!
OpenPGP: 4096R / CA89 B27A 30FA 66C5 1B80  3858 EC94 2276 FDB8 716D
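
The denial discussed in this message, turned into a candidate profile rule. This is an added example, not part of the original mail or of the strongSwan packaging; `parse_audit` and `suggest_rule` are hypothetical helper names, and the sample record is the one quoted above joined onto one line.

```python
import re

# The denial quoted in this thread, joined onto one line.
SAMPLE = ('juin 30 15:35:03 scapa kernel: audit: type=1400 '
          'audit(1498829703.597:80): apparmor="DENIED" operation="open" '
          'profile="/usr/sbin/charon-systemd" name="/proc/8865/fd/" pid=8865 '
          'comm="charon-systemd" requested_mask="r" denied_mask="r" '
          'fsuid=0 ouid=0')

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
HEX = re.compile(r'(?:[0-9A-Fa-f]{2})+')


def parse_audit(line):
    """Split one AppArmor audit record into a dict of its key=value fields."""
    fields = {}
    for key, quoted, bare in FIELD.findall(line):
        # The audit subsystem writes names containing spaces or control
        # characters unquoted and hex-encoded; decode those.
        if key == "name" and bare and HEX.fullmatch(bare):
            bare = bytes.fromhex(bare).decode("utf-8", "replace")
        fields[key] = quoted or bare
    return fields


def suggest_rule(line):
    """Return a candidate file rule for a DENIED record, else None."""
    f = parse_audit(line)
    mask = f.get("denied_mask", "")
    # Exec denials need a transition mode chosen by a person; skip them.
    if f.get("apparmor") != "DENIED" or "name" not in f or not mask or "x" in mask:
        return None
    path, pid = f["name"], f.get("pid", "")
    # Use the @{PROC} and @{pid} variables from tunables/global so the rule
    # is not pinned to the pid that happened to be logged.
    if pid and path.startswith("/proc/%s/" % pid):
        path = "@{PROC}/@{pid}/" + path[len("/proc/%s/" % pid):]
    elif path.startswith("/proc/"):
        path = "@{PROC}/" + path[len("/proc/"):]
    if " " in path:
        path = '"%s"' % path
    # Create and delete are logged as c and d but granted by w in a profile.
    perms = "".join(dict.fromkeys("w" if c in "cd" else c for c in mask))
    return "%s %s," % (path, perms)


if __name__ == "__main__":
    print(suggest_rule(SAMPLE))
```

A rule produced this way is a starting point for review against the profile, not something to append unread.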




Bug#866327: [Pkg-swan-devel] Bug#866327: charon-systemd: Create AppArmor profiles for /usr/sbin/swanctl and /usr/sbin/charon-systemd

2017-06-30 Thread Yves-Alexis Perez
On Wed, 2017-06-28 at 13:58 -0700, Gerald Turner wrote:
> Control: tags -1 + patch
> 
> Attached is a patch that adapts the work Canonical had done for
> /usr/lib/ipsec/charon policy for /usr/sbin/charon-systemd.
> 
> I've tested the swanctl (client) profile thoroughly, however the
> charon-systemd (daemon) profile had only been tested with relatively few
> plugins.

Thanks! I've integrated your changes locally and will test a few days, but I
have a quite simple setup too.

One thing I noticed:

juin 30 15:35:03 scapa kernel: audit: type=1400 audit(1498829703.597:80):
apparmor="DENIED" operation="open" profile="/usr/sbin/charon-systemd"
name="/proc/8865/fd/" pid=8865 comm="charon-systemd" requested_mask="r"
denied_mask="r" fsuid=0 ouid=0

But it doesn't seem to prevent it from working correctly.

Regards,
-- 
Yves-Alexis



Bug#866327: charon-systemd: Create AppArmor profiles for /usr/sbin/swanctl and /usr/sbin/charon-systemd

2017-06-28 Thread Gerald Turner
Control: tags -1 + patch

Attached is a patch that adapts the work Canonical had done for
/usr/lib/ipsec/charon policy for /usr/sbin/charon-systemd.

I've tested the swanctl (client) profile thoroughly, however the
charon-systemd (daemon) profile had only been tested with relatively few
plugins.

-- 
Gerald Turner Encrypted mail preferred!
OpenPGP: 4096R / CA89 B27A 30FA 66C5 1B80  3858 EC94 2276 FDB8 716D
commit b1ca98314847ef5db77983122ab855be5b6ff8b7
Author: Gerald Turner 
Date:   Thu May 11 17:15:09 2017 -0700

Install AppArmor profiles for /usr/sbin/swanctl and /usr/sbin/charon-systemd.

The AppArmor profile for charon-systemd was copied from the existing profile
for /usr/lib/ipsec/charon without much scrutiny other than testing basic IPsec
tunnels (no fancy plugin options were tested).  It appears that the team at
Canonical that had written the /usr/lib/ipsec/charon policy had done extensive
testing with several plugins, and it seems likely that applying the same
profile to charon-systemd will allow those plugins to continue to work.

The AppArmor profile for swanctl was written from scratch and well tested.  It
turns out that swanctl unnecessarily loads plugins by default, so a bit of
frivolous access has been granted.

diff --git a/debian/charon-systemd.install b/debian/charon-systemd.install
index 6ab3af8f..a1424ab8 100644
--- a/debian/charon-systemd.install
+++ b/debian/charon-systemd.install
@@ -2,3 +2,4 @@ etc/strongswan.d/charon-systemd.conf
 lib/systemd/system/strongswan-swanctl.service
 usr/sbin/charon-systemd
 usr/share/strongswan/templates/config/strongswan.d/charon-systemd.conf
+debian/usr.sbin.charon-systemd /etc/apparmor.d/
diff --git a/debian/rules b/debian/rules
index dacdb645..184abc7c 100755
--- a/debian/rules
+++ b/debian/rules
@@ -195,6 +195,8 @@ endif
 	dh_apparmor --profile-name=usr.lib.ipsec.charon -p strongswan-charon
 	dh_apparmor --profile-name=usr.lib.ipsec.lookip -p libcharon-extra-plugins
 	dh_apparmor --profile-name=usr.lib.ipsec.stroke -p strongswan-starter
+	dh_apparmor --profile-name=usr.sbin.swanctl -p strongswan-swanctl
+	dh_apparmor --profile-name=usr.sbin.charon-systemd -p charon-systemd
 
 	# add additional files not covered by upstream makefile...
 	install --mode=0600 $(CURDIR)/debian/ipsec.secrets.proto $(CURDIR)/debian/strongswan-starter/etc/ipsec.secrets
diff --git a/debian/strongswan-swanctl.install b/debian/strongswan-swanctl.install
index 483b0385..561b9d5b 100644
--- a/debian/strongswan-swanctl.install
+++ b/debian/strongswan-swanctl.install
@@ -8,3 +8,4 @@ usr/share/man/man8/swanctl.8
 usr/sbin/swanctl
 usr/lib/ipsec/libvici.so*
 usr/lib/ipsec/plugins/libstrongswan-vici.so
+debian/usr.sbin.swanctl /etc/apparmor.d/
diff --git a/debian/usr.sbin.charon-systemd b/debian/usr.sbin.charon-systemd
new file mode 100644
index ..e1769f29
--- /dev/null
+++ b/debian/usr.sbin.charon-systemd
@@ -0,0 +1,76 @@
+# --
+#
+#   Copyright (C) 2016 Canonical Ltd.
+#
+#   This program is free software; you can redistribute it and/or
+#   modify it under the terms of version 2 of the GNU General Public
+#   License published by the Free Software Foundation.
+#
+#   Author: Jonathan Davies 
+#   Ryan Harper 
+#
+# --
+
+#include 
+
+/usr/sbin/charon-systemd flags=(complain,attach_disconnected) {
+  #include 
+  #include 
+  #include 
+  #include 
+  #include 
+
+  capability ipc_lock,
+  capability net_admin,
+  capability net_raw,
+
+  # allow priv dropping (LP: #1333655)
+  capability chown,
+  capability setgid,
+  capability setuid,
+
+  # libcharon-extra-plugins: xauth-pam
+  capability audit_write,
+
+  # libstrongswan-standard-plugins: agent
+  capability dac_override,
+
+  capability net_admin,
+  capability net_raw,
+
+  network,
+  network raw,
+
+  /bin/dash rmPUx,
+
+  # libchron-extra-plugins: kernel-libipsec
+  /dev/net/tun  rw,
+
+  /etc/ipsec.conf   r,
+  /etc/ipsec.secretsr,
+  /etc/ipsec.*.secrets  r,
+  /etc/ipsec.d/ r,
+  /etc/ipsec.d/**   r,
+  /etc/ipsec.d/crls/*   rw,
+  /etc/opensc/opensc.conf   r,
+  /etc/strongswan.conf  r,
+  /etc/strongswan.d/r,
+  /etc/strongswan.d/**  r,
+  /etc/tnc_config   r,
+
+  /proc/sys/net/core/xfrm_acq_expires   w,
+
+  /run/charon.* rw,
+  /run/pcscd/pcscd.comm rw,
+
+  /usr/lib/ipsec/charon rmix,
+  /usr/lib/ipsec/imcvs/ r,
+  /usr/lib/ipsec/imcvs/**   rm,
+
+  /usr/lib/*/opensc-pkcs11.so rm,
+
+  /var/lib/strongswan/* r,
+
+  # Site-specific additions and overrides. See local/README for details.
+  #include 
+}
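
Review bot: `complain` in `flags=(complain,attach_disconnected)` on the profile line means this profile is not enforced, since complain mode logs policy violations without blocking them; if that is meant as a trial period, say so in a comment, otherwise drop `complain`. Further down, `capability net_admin,` and `capability net_raw,` appear twice (after `ipc_lock` and again after `dac_override`), and the second pair can go. The rule `/usr/lib/ipsec/charon rmix,` looks carried over from the charon profile: there is no rule naming /usr/sbin/charon-systemd itself, so check whether this line should name that binary instead. `/bin/dash rmPUx,` allows a shell to run unconfined when no dash profile exists and, unlike the plugin-specific capability lines, has no comment saying which plugin needs it. The comment `# libchron-extra-plugins: kernel-libipsec` has a typo (libcharon).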
diff --git a/debian/usr.sbin.swanctl b/debian/usr.sbin.swanctl
new file mode 100644
index 

Bug#866327: charon-systemd: Create AppArmor profiles for /usr/sbin/swanctl and /usr/sbin/charon-systemd

2017-06-28 Thread Gerald Turner
Package: charon-systemd
Version: 5.5.1-4
Severity: normal

Dear Maintainer,

Similar to how strongswan-charon and strongswan-starter have AppArmor
profiles for /usr/lib/ipsec/charon and /usr/lib/ipsec/stroke, the
charon-systemd and strongswan-charon packages should have AppArmor
profiles as well.

-- System Information:
Debian Release: 9.0
  APT prefers stable
  APT policy: (601, 'stable'), (500, 'stable-debug')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL 
set to en_US.UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set 
to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages charon-systemd depends on:
ii  init-system-helpers   1.48
ii  libc6                 2.24-11+deb9u1
ii  libstrongswan         5.5.1-4
ii  libsystemd0           232-25
ii  strongswan-libcharon  5.5.1-4
ii  strongswan-swanctl    5.5.1-4

charon-systemd recommends no packages.

charon-systemd suggests no packages.

-- no debconf information

-- 
Gerald Turner Encrypted mail preferred!
OpenPGP: 4096R / CA89 B27A 30FA 66C5 1B80  3858 EC94 2276 FDB8 716D

