[Bug 1333655] Re: strongSwan AppArmor profile does not allow user priv dropping
This bug was fixed in the package strongswan - 5.3.5-1ubuntu1

---
strongswan (5.3.5-1ubuntu1) xenial; urgency=medium

  * debian/{rules,control,libstrongswan-extra-plugins.install}
    Enable bliss plugin
  * debian/{rules,control,libstrongswan-extra-plugins.install}
    Enable chapoly plugin
  * debian/patches/dont-load-kernel-libipsec-plugin-by-default.patch
    Upstream suggests to not load this plugin by default as it has
    some limitations.
    https://wiki.strongswan.org/projects/strongswan/wiki/Kernel-libipsec
  * debian/patches/increase-bliss-test-timeout.patch
    Under QEMU/KVM for autopkgtest bliss test takes a bit longer than default
  * Update Apparmor profiles
    - usr.lib.ipsec.charon
      - add capability audit_write for xauth-pam (LP: #1470277)
      - add capability dac_override (needed by agent plugin)
      - allow priv dropping (LP: #1333655)
      - allow caching CRLs (LP: #1505222)
      - allow rw access to /dev/net/tun for kernel-libipsec (LP: #1309594)
    - usr.lib.ipsec.stroke
      - allow priv dropping (LP: #1333655)
      - add local include
    - usr.lib.ipsec.lookip
      - add local include
  * Merge from Debian, which includes fixes for all previous CVEs
    Fixes (LP: #1330504, #1451091, #1448870, #1470277)
    Remaining changes:
  * debian/control
    - Lower dpkg-dev to 1.16.1 from 1.16.2 to enable backporting to Precise
    - Update Maintainer for Ubuntu
    - Add build-deps
      - dh-apparmor
      - iptables-dev
      - libjson0-dev
      - libldns-dev
      - libmysqlclient-dev
      - libpcsclite-dev
      - libsoup2.4-dev
      - libtspi-dev
      - libunbound-dev
    - Drop build-deps
      - libfcgi-dev
      - clearsilver-dev
    - Create virtual packages for all strongswan-plugin-* for dist-upgrade
    - Set XS-Testsuite: autopkgtest
  * debian/rules:
    - Enforcing DEB_BUILD_OPTIONS=nostrip for library integrity checking.
    - Set TESTS_REDUCED_KEYLENGTHS to one generate smallest key-lengths in tests.
    - Change init/systemd program name to strongswan
    - Install AppArmor profiles
    - Removed pieces on 'patching ipsec.conf' on build.
    - Enablement of features per Ubuntu current config suggested from
      upstream recommendation
    - Unpack and sort enabled features to one-per-line
    - Disable duplicheck as per
      https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=718291#10
    - Disable libfast (--disable-fast): Requires dropping medsrv, medcli
      plugins which depend on libfast
    - Add configure options --with-tss=trousers
    - Remove configure options:
      --enable-ha (requires special kernel)
      --enable-unit-test (unit tests run by default)
    - Drop logcheck install
  * debian/tests/*
    - Add DEP8 test for strongswan service and plugins
  * debian/strongswan-starter.strongswan.service
    - Add new systemd file instead of patching upstream
  * debian/strongswan-starter.links
    - removed, use Ubuntu systemd file instead of linking to upstream
  * debian/usr.lib.ipsec.{charon, lookip, stroke}
    - added AppArmor profiles for charon, lookip and stroke
  * debian/libcharon-extra-plugins.install
    - Add plugins
      - kernel-libipsec.{so, lib, conf, apparmor}
    - Remove plugins
      - libstrongswan-ha.so
    - Relocate plugins
      - libstrongswan-tnc-tnccs.so (strongswan-tnc-base.install)
  * debian/libstrongswan-extra-plugins.install
    - Add plugins (so, lib, conf)
      - acert
      - attr-sql
      - coupling
      - dnscert
      - fips-prf
      - gmp
      - ipseckey
      - load-tester
      - mysql
      - ntru
      - radattr
      - soup
      - sqlite
      - sql
      - systime-fix
      - unbound
      - whitelist
    - Relocate plugins (so, lib, conf)
      - ccm (libstrongswan.install)
      - test-vectors (libstrongswan.install)
  * debian/libstrongswan.install
    - Sort sections
    - Add plugins (so, lib, conf)
      - libchecksum
      - ccm
      - eap-identity
      - md4
      - test-vectors
  * debian/strongswan-charon.install
    - Add AppArmor profile for charon
  * debian/strongswan-starter.install
    - Add tools, manpages, conf
      - openac
      - pool
      - _updown_espmark
    - Add AppArmor profile for stroke
  * debian/strongswan-tnc-base.install
    - Add new subpackage for TNC
    - remove non-existent (dropped in 5.2.1) libpts library files
  * debian/strongswan-tnc-client.install
    - Add new subpackage for TNC
  * debian/strongswan-tnc-ifmap.install
    - Add new subpackage for TNC
  * debian/strongswan-tnc-pdp.install
    - Add new subpackage for
[Bug 1333655] Re: strongSwan AppArmor profile does not allow user priv dropping
** Patch added: allow-user-priv-dropping-stroke.patch
   https://bugs.launchpad.net/ubuntu/+source/strongswan/+bug/1333655/+attachment/4318847/+files/allow-user-priv-dropping-stroke.patch

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to strongswan in Ubuntu.
https://bugs.launchpad.net/bugs/1333655

Title:
  strongSwan AppArmor profile does not allow user priv dropping

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/strongswan/+bug/1333655/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 1333655] Re: strongSwan AppArmor profile does not allow user priv dropping
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: strongswan (Ubuntu)
       Status: New => Confirmed
[Bug 1333655] Re: strongSwan AppArmor profile does not allow user priv dropping
Hi Jonathan,

The following 2 patches allow charon to setuid/gid to a regular user.
The patch for the stroke profile is to allow a different user (like root)
to signal the charon daemon running as a regular user.

Let me know if you have any comments/suggestions about those patches.

** Patch added: allow-user-priv-dropping-charon.patch
   https://bugs.launchpad.net/ubuntu/+source/strongswan/+bug/1333655/+attachment/4318846/+files/allow-user-priv-dropping-charon.patch
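The message above describes two kinds of AppArmor permission that privilege dropping needs: the charon profile must be allowed the capabilities used to change uid/gid, and the stroke profile must be allowed to send a signal to a charon process now running as a different user. The patch contents are not shown in this thread, so the following is an added example (not code from the bug report, the Ubuntu package, or the strongSwan project) of how a practitioner would confirm which rules a profile is missing: it parses AppArmor "DENIED" audit records and prints the rule that would permit each denial, grouped per profile. The sample log lines are constructed for the example in the format the AppArmor kernel module emits; which capabilities charon actually requests on a given system is an assumption here and must be read from that system's own audit log (journalctl -k or /var/log/audit/audit.log).

```python
import re
from collections import OrderedDict

# Constructed sample audit records (not taken from the bug report or a real
# host). A charon process dropping privileges would typically trip "capable"
# denials for setuid/setgid, and a root-owned stroke would trip a "signal"
# denial when it signals the now-unprivileged charon; the exact set is an
# assumption and must be confirmed against the real audit log.
SAMPLE_LOG = """\
audit: type=1400 audit(1402000000.001:101): apparmor="DENIED" operation="capable" profile="/usr/lib/ipsec/charon" pid=1234 comm="charon" capability=7  capname="setuid"
audit: type=1400 audit(1402000000.002:102): apparmor="DENIED" operation="capable" profile="/usr/lib/ipsec/charon" pid=1234 comm="charon" capability=6  capname="setgid"
audit: type=1400 audit(1402000000.003:103): apparmor="DENIED" operation="capable" profile="/usr/lib/ipsec/charon" pid=1234 comm="charon" capability=7  capname="setuid"
audit: type=1400 audit(1402000000.004:104): apparmor="DENIED" operation="signal" profile="/usr/lib/ipsec/stroke" pid=1300 comm="stroke" requested_mask="send" denied_mask="send" signal=term peer="/usr/lib/ipsec/charon"
audit: type=1400 audit(1402000000.005:105): apparmor="ALLOWED" operation="open" profile="/usr/lib/ipsec/charon" name="/etc/ipsec.secrets" pid=1234 comm="charon" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

# key=value pairs; values are either double-quoted or a bare token
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_line(line):
    """Return the key=value fields of one AppArmor audit record, or None if
    the line is not an AppArmor record at all."""
    if 'apparmor=' not in line:
        return None
    fields = {}
    for m in KV_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


def rule_for(fields):
    """Translate one DENIED record into the profile rule that would permit it.
    Only capability and signal denials are handled (the two kinds privilege
    dropping produces); anything else returns None so it is not silently
    turned into an over-broad rule."""
    if fields.get('apparmor') != 'DENIED':
        return None
    op = fields.get('operation')
    if op == 'capable' and 'capname' in fields:
        return 'capability %s,' % fields['capname']
    if op == 'signal':
        mask = fields.get('denied_mask', 'send')
        rule = 'signal (%s)' % mask
        if fields.get('signal'):
            rule += ' set=(%s)' % fields['signal']      # restrict to the signal seen
        if fields.get('peer'):
            rule += ' peer=%s' % fields['peer']          # restrict to the target profile
        return rule + ','
    return None


def suggest_rules(log_text):
    """Map each profile name to the deduplicated list of rules it is missing,
    in first-seen order."""
    suggestions = OrderedDict()
    for line in log_text.splitlines():
        fields = parse_line(line)
        if not fields:
            continue
        rule = rule_for(fields)
        if rule is None:
            continue
        rules = suggestions.setdefault(fields['profile'], [])
        if rule not in rules:
            rules.append(rule)
    return suggestions


if __name__ == '__main__':
    for profile, rules in suggest_rules(SAMPLE_LOG).items():
        print('# rules missing from profile %s' % profile)
        for r in rules:
            print('  ' + r)
```

The signal rule is deliberately narrowed to the signal and peer profile observed in the denial rather than an unrestricted `signal,`, so that a root-run stroke gains only the ability to signal charon and nothing else; the same reasoning applies to the capability rules, which should list only the capabilities the audit log actually shows charon requesting.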
[Bug 1333655] Re: strongSwan AppArmor profile does not allow user priv dropping
The attachment allow-user-priv-dropping-charon.patch seems to be a patch.
If it isn't, please remove the patch flag from the attachment, remove the
patch tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe
the team.

[This is an automated message performed by a Launchpad user owned by
~brian-murray, for any issues please contact him.]

** Tags added: patch
[Bug 1333655] Re: strongSwan AppArmor profile does not allow user priv dropping
** Changed in: strongswan (Ubuntu)
   Importance: Undecided => Wishlist