[Bug 1786250] Re: strongswan (charon) is rejected by apparmor to read /proc//fd

2018-12-02 Thread Christian Ehrhardt 
Hi Ximin, they both are apparmor denies, but this is not the same issue. The bug here was about self FDs while the one you referred to was about resolv.conf. Also there IMHO is a flaw in that suggestion, I'll comment on the Debian bug. -- You received this bug notification because you are a

[Bug 1786250] Re: strongswan (charon) is rejected by apparmor to read /proc//fd

2018-11-30 Thread Ximin Luo
> Sep 27 15:28:46 vsrv-bicab-2u charon: 12[IKE] maximum IKE_SA lifetime 10269s
> Sep 27 15:28:46 vsrv-bicab-2u charon: 12[IKE] adding DNS server failed
> Sep 27 15:28:46 vsrv-bicab-2u charon: 12[IKE] adding DNS server failed
> Sep 27 15:28:46 vsrv-bicab-2u charon: 12[CFG] handling INTERNAL_IP4_DNS

[Bug 1786250] Re: strongswan (charon) is rejected by apparmor to read /proc//fd

2018-10-08 Thread Andreas Hasenack
@yicwang, did you update the apparmor profile as per this bug for your tests? The diff can be seen at https://code.launchpad.net/~ahasenack/ubuntu/+source/strongswan/+git/strongswan/+merge/356135. Make that change, then run this command: sudo apparmor_parser -r -T -W

[Bug 1786250] Re: strongswan (charon) is rejected by apparmor to read /proc//fd

2018-10-06 Thread Yichen Wang via ubuntu-bugs
I've done a couple of tests. On iOS 12, I do see this error in /var/log/messages, but the connection can still be established with xl2tpd, and things are working fine. For Windows 10 clients, it seems like it is blocking and the connection cannot be established... Actually, do we have a plan to backport

[Bug 1786250] Re: strongswan (charon) is rejected by apparmor to read /proc//fd

2018-10-04 Thread Launchpad Bug Tracker
This bug was fixed in the package strongswan - 5.6.3-1ubuntu4

---
strongswan (5.6.3-1ubuntu4) cosmic; urgency=medium

  * d/usr.lib.ipsec.charon: allow reading of own FDs (LP: #1786250)
    Thanks to Matt Callaghan.

 -- Andreas Hasenack  Thu, 04 Oct 2018 10:34:01 -0300

** Changed

[Bug 1786250] Re: strongswan (charon) is rejected by apparmor to read /proc//fd

2018-10-04 Thread Andreas Hasenack
** Changed in: strongswan (Ubuntu) Assignee: Christian Ehrhardt (paelzer) => Andreas Hasenack (ahasenack)

[Bug 1786250] Re: strongswan (charon) is rejected by apparmor to read /proc//fd

2018-10-04 Thread Launchpad Bug Tracker
** Merge proposal linked: https://code.launchpad.net/~ahasenack/ubuntu/+source/strongswan/+git/strongswan/+merge/356135

[Bug 1786250] Re: strongswan (charon) is rejected by apparmor to read /proc//fd

2018-09-27 Thread Boris Tomici
Hi Christian, as those are freshly installed machines, I didn't check that there was a typo in resolv.conf. I have solved it and it works now. Best, Boris

[Bug 1786250] Re: strongswan (charon) is rejected by apparmor to read /proc//fd

2018-09-27 Thread  Christian Ehrhardt 
TL;DR - not the same bug, please open a new one. Hi, well, I only explained how to avoid the issue of the self FD access. This is what this bug is about, and your report doesn't have that anymore. Please open a new bug for your issue. From the things I see in what you posted, it seems to be about

[Bug 1786250] Re: strongswan (charon) is rejected by apparmor to read /proc//fd

2018-09-27 Thread Boris Tomici
Hi Christian, I did as you said and restarted apparmor, but for me it is the same. The connection is established but no traffic goes through.

root@vsrv-bicab-2u:/home/VPN# cat /etc/apparmor.d/usr.lib.ipsec.charon
# --
#
# Copyright (C) 2016

[Bug 1786250] Re: strongswan (charon) is rejected by apparmor to read /proc//fd

2018-09-27 Thread  Christian Ehrhardt 
Hi Boris, the real fix is on the way, but it will need to complete in 18.10 first (where currently we have Beta Freeze) and then also needs some time to SRU into Bionic. For now you can modify your config file in /etc/apparmor.d/usr.lib.ipsec.charon and add the line @{PROC}/@{pid}/fd/ r, That

[Bug 1786250] Re: strongswan (charon) is rejected by apparmor to read /proc//fd

2018-09-27 Thread Boris Tomici
Hello guys, today we updated our testing environment to Ubuntu 18.04 and also updated strongSwan from 5.2 to 5.6.2. After spending all day on the migration of the configuration we encountered this problem :/. Is there any fast way to fix it? Our testing team is stuck. Best regards, Boris

[Bug 1786250] Re: strongswan (charon) is rejected by apparmor to read /proc//fd

2018-09-26 Thread  Christian Ehrhardt 
Yes, they have adopted our rules. Here is the Debian file you'd want to change: https://salsa.debian.org/debian/strongswan/blob/debian/master/debian/usr.lib.ipsec.charon

[Bug 1786250] Re: strongswan (charon) is rejected by apparmor to read /proc//fd

2018-09-26 Thread fermulator
(Does the general Debian package though care about the Ubuntu apparmor rules?)

[Bug 1786250] Re: strongswan (charon) is rejected by apparmor to read /proc//fd

2018-09-26 Thread  Christian Ehrhardt 
The best Debian entry page IMHO is the tracker [1]. That would lead you to bugs [2]. And that would make you aware of bug reporting [3]. TL;DR: a mail to sub...@bugs.debian.org with:
Package: strongswan
Version: 5.7.0-1
[1]: https://tracker.debian.org/pkg/strongswan
[2]:

[Bug 1786250] Re: strongswan (charon) is rejected by apparmor to read /proc//fd

2018-09-25 Thread fermulator
(where in Debian/upstream should I report to?)

[Bug 1786250] Re: strongswan (charon) is rejected by apparmor to read /proc//fd

2018-09-25 Thread fermulator
(also note, since I went MIA not expecting to need to track, Christian took over and did the cleanup - his merge is https://code.launchpad.net/~paelzer/ubuntu/+source/strongswan/+git/strongswan/+merge/355589)

[Bug 1786250] Re: strongswan (charon) is rejected by apparmor to read /proc//fd

2018-09-25 Thread  Christian Ehrhardt 
FTBFS resolved (actually it is a LP infra issue). Successfully tested the PPA.

[Bug 1786250] Re: strongswan (charon) is rejected by apparmor to read /proc//fd

2018-09-25 Thread Launchpad Bug Tracker
** Merge proposal linked: https://code.launchpad.net/~paelzer/ubuntu/+source/strongswan/+git/strongswan/+merge/355589

[Bug 1786250] Re: strongswan (charon) is rejected by apparmor to read /proc//fd

2018-09-24 Thread  Christian Ehrhardt 
@Fermulator - I polished your upload and will prepare it. Without a real hard issue other than the dmesg error, I'd not try to SRU to former releases. Debian should be affected just as much; would you mind reporting a bug there as well so that they can also pick up the change at some point? If you

[Bug 1786250] Re: strongswan (charon) is rejected by apparmor to read /proc//fd

2018-09-24 Thread  Christian Ehrhardt 
Taking over the cleanup as Beta Freeze is close and the change is too easy to miss, which would mean much more work later on. ** Changed in: strongswan (Ubuntu) Assignee: Karl Stenerud (kstenerud) => Christian Ehrhardt (paelzer)

[Bug 1786250] Re: strongswan (charon) is rejected by apparmor to read /proc//fd

2018-09-07 Thread Karl Stenerud
** Description changed:
+ [Impact]
+
+ strongswan needs to read from /proc//fd
+ In some configurations, when apparmor blocks access, strongswan fails to set up properly.
+
+ [Test Case]
+
+ Unable to set up a reliable test case.
+
+ [Regression Potential]
+
+ This is an expansion of

[Bug 1786250] Re: strongswan (charon) is rejected by apparmor to read /proc//fd

2018-08-23 Thread Andreas Hasenack
Karl, could you add this comment in the MP instead, please?

[Bug 1786250] Re: strongswan (charon) is rejected by apparmor to read /proc//fd

2018-08-21 Thread Karl
@fermulator - Thanks for the merge proposal! We're getting started on it, but in the meantime, could you help with a couple of things?
1. We are trying to come up with a simple test case, but if you have one already (config files, etc.), that would help a lot!
2. Could you add a commit to your

[Bug 1786250] Re: strongswan (charon) is rejected by apparmor to read /proc//fd

2018-08-20 Thread Ubuntu Foundations Team Bug Bot
The attachment "proposal for fix to charon apparmor profile" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team. [This is an automated message performed by a

[Bug 1786250] Re: strongswan (charon) is rejected by apparmor to read /proc//fd

2018-08-20 Thread  Christian Ehrhardt 
@kstenerud - please review, integrate, fixup, test, build, ... the usual things. @fermulator - kstenerud will take care to carry your fix into Ubuntu.

[Bug 1786250] Re: strongswan (charon) is rejected by apparmor to read /proc//fd

2018-08-20 Thread fermulator
merge proposal: https://code.launchpad.net/~fermulator/ubuntu/+source/strongswan/+git/strongswan/+merge/353423 ** Merge proposal linked: https://code.launchpad.net/~fermulator/ubuntu/+source/strongswan/+git/strongswan/+merge/353423

[Bug 1786250] Re: strongswan (charon) is rejected by apparmor to read /proc//fd

2018-08-20 Thread fermulator
https://git.launchpad.net/~fermulator/ubuntu/+source/strongswan/commit/?h=allow_charon_apparmor_read_proc_fd_LP_%231786250=d0ec74d30d6742d34b3dc72113bbc933c608fffa ** Changed in: strongswan (Ubuntu) Status: Triaged => In Progress

[Bug 1786250] Re: strongswan (charon) is rejected by apparmor to read /proc//fd

2018-08-20 Thread fermulator
Patched:
$ git status
On branch allow_charon_apparmor_read_proc_fd_LP_#1786250
commit d0ec74d30d6742d34b3dc72113bbc933c608fffa (HEAD -> allow_charon_apparmor_read_proc_fd_LP_#1786250)
Author: (SNIP)
Date: Mon Aug 20 09:40:38 2018 -0400
As per LP #1786250, user noted audit failures in

[Bug 1786250] Re: strongswan (charon) is rejected by apparmor to read /proc//fd

2018-08-20 Thread fermulator
** Changed in: strongswan (Ubuntu) Assignee: (unassigned) => fermulator (fermulator)

[Bug 1786250] Re: strongswan (charon) is rejected by apparmor to read /proc//fd

2018-08-10 Thread  Christian Ehrhardt 
TODO: add @{PROC}/@{pid}/fd/ r, to the charon apparmor profile ** Tags added: bitesize

[Bug 1786250] Re: strongswan (charon) is rejected by apparmor to read /proc//fd

2018-08-10 Thread  Christian Ehrhardt 
I assume, as you have found completely disabling it before - your actual hang isn't gone by that - right? ** Changed in: strongswan (Ubuntu) Status: New => Triaged ** Tags added: server-next

[Bug 1786250] Re: strongswan (charon) is rejected by apparmor to read /proc//fd

2018-08-10 Thread fermulator
Did this:
```
$ grep include /etc/apparmor.d/usr.lib.ipsec.charon | grep local
include
$ cat /etc/apparmor.d/local/usr.lib.ipsec.charon
# Site-specific additions and overrides for usr.lib.ipsec.charon.
# For more details, please see /etc/apparmor.d/local/README.
#
#
```

[Bug 1786250] Re: strongswan (charon) is rejected by apparmor to read /proc//fd

2018-08-10 Thread  Christian Ehrhardt 
Hi, could you add this line to the apparmor profile of charon: @{PROC}/@{pid}/fd/ r, Then reload it via: sudo apparmor_parser -r /etc/apparmor.d/usr.lib.ipsec.charon While I have never heard of charon needing this, if the above works you could add it for yourself as a config and I could make

[Bug 1786250] Re: strongswan (charon) is rejected by apparmor to read /proc//fd

2018-08-09 Thread fermulator
Submitted a "fork" bug report for the connection hang issue (https://bugs.launchpad.net/ubuntu/+source/strongswan/+bug/1786261); let this bug report stay for the charon apparmor profile issue.

[Bug 1786250] Re: strongswan (charon) is rejected by apparmor to read /proc//fd

2018-08-09 Thread fermulator
Repeated with more care to ensure profiles are actually unloaded. Running this twice confirms profiles are now not loaded:
$ for profile in $(find . | egrep "charon|ipsec" | grep -v local); do sudo apparmor_parser -R /etc/apparmor.d/$profile; done
apparmor_parser: Unable to remove

[Bug 1786250] Re: strongswan (charon) is rejected by apparmor to read /proc//fd

2018-08-09 Thread fermulator
** Attachment added: "usr.lib.ipsec.charon" https://bugs.launchpad.net/ubuntu/+source/strongswan/+bug/1786250/+attachment/5173346/+files/usr.lib.ipsec.charon

[Bug 1786250] Re: strongswan (charon) is rejected by apparmor to read /proc//fd

2018-08-09 Thread fermulator
while ipsec is still, here are the contents of the /proc//fd it's trying to access
```
$ sudo ls -al /proc/3014/fd/
total 0
dr-x-- 2 root root 0 Aug 9 09:51 .
dr-xr-xr-x 9 root root 0 Aug 9 09:51 ..
lr-x-- 1 root root 64 Aug 9 09:51 0 -> 'pipe:[2972727]'
l-wx-- 1 root root 64 Aug
```

[Bug 1786250] Re: strongswan (charon) is rejected by apparmor to read /proc//fd

2018-08-09 Thread fermulator
Also probably worth including the current ipsec.charon profile contents (even though it's disabled now ...)