** Description changed:
[Impact]
- * In unprivileged containers there seem to be a few extra apparmor checks
- triggering, in particular a common pattern that usually is granted with
- "rmix" on the own binary.
+ * In unprivileged containers there seem to be a few extra apparmor checks
+ triggering, in particular a common pattern that usually is granted with
+ "rmix" on the own binary.
- * Add the rule to the profile to avoid stroke segfaulting in containers
+ * Add the rule to the profile to avoid stroke segfaulting in containers
[Test Case]
- * Take an unprivileged (default) LXD container and install strongswan
- * Then run stroke:
- $ ipsec status
- or directly via:
- $ /usr/lib/ipsec/stroke
+ * Take an unprivileged (default) LXD container and install strongswan
+ * Then run stroke:
+ $ ipsec status
+ or directly via:
+ $ /usr/lib/ipsec/stroke
+ same for lookip
+ $ /usr/lib/ipsec/lookip
* Without the fix this segfaults on mapping its own binary
[Regression Potential]
- * This is granting ever so slightly more to it through apparmor, there
- should be no existing functionality degrading by it.
+ * This is granting ever so slightly more to it through apparmor, there
+ should be no existing functionality degrading by it.
[Other Info]
-
- * n/a
+
+ * n/a
---
-
Symptoms on a Bionic LXD container running on Bionic server:
- I can start the ipsec service with systemctl
- I can also use the ‘ipsec start|restart|stop’ commands
- The VPN tunnel to a remote host is created.
- However when I issue ‘ipsec status|statusall|listxxx|etc’ commands, I get a
segfault:
root@vpn1:~# ipsec statusall
Segmentation fault
I found that ipsec is just a script calling ‘/usr/lib/ipsec/stroke’ for
getting the status, and this process fails with permission denied:
root@vpn1:~# strace /usr/lib/ipsec/stroke statusall
execve("/usr/lib/ipsec/stroke", ["/usr/lib/ipsec/stroke", "statusall"],
0x7fff5d0ae198 /* 14 vars */) = -1 EACCES (Permission denied)
--- SIGSEGV {si_signo=SIGSEGV, si_code=SI_KERNEL, si_addr=NULL} ---
+++ killed by SIGSEGV +++
Segmentation fault
This is the AppArmor related log entry:
Jul 7 04:53:32 lxd1 kernel: [ 4526.583617] audit: type=1400
audit(1530939212.389:68): apparmor="DENIED" operation="file_mmap"
namespace="root//lxd-vpn1_<var-lib-lxd>" profile="/usr/lib/ipsec/stroke"
name="/usr/lib/ipsec/stroke" pid=3372 comm="stroke" requested_mask="m"
denied_mask="m" fsuid=100000 ouid=100000
It shows that /usr/lib/ipsec/stroke needs rights for mmap operations,
which is not included in the /etc/apparmor.d/usr.lib.ipsec.stroke file.
I added it (see attachment, line 26) and the error is gone.
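As an added illustration, not part of the bug report and not code from the strongswan or apparmor packages: the audit entry quoted above can be parsed mechanically and checked against a profile to derive the rule the SRU description refers to ("rmix" = read, mmap, inherit-execute on the program's own path). The profile text in SAMPLE_PROFILE is a constructed stand-in, not Ubuntu's real /etc/apparmor.d/usr.lib.ipsec.stroke, and the function names parse_apparmor_audit, suggest_own_binary_rule, profile_grants_mmap and rules_to_add are chosen here. The fsuid/ouid of 100000 in the sample line are the id-shifted uids of an unprivileged container, which is why this only shows up there.

```python
import re

# Audit line exactly as it appears in the bug report (the page's own sample).
SAMPLE_DENIAL = (
    'Jul 7 04:53:32 lxd1 kernel: [ 4526.583617] audit: type=1400 '
    'audit(1530939212.389:68): apparmor="DENIED" operation="file_mmap" '
    'namespace="root//lxd-vpn1_<var-lib-lxd>" profile="/usr/lib/ipsec/stroke" '
    'name="/usr/lib/ipsec/stroke" pid=3372 comm="stroke" requested_mask="m" '
    'denied_mask="m" fsuid=100000 ouid=100000'
)

# Constructed, minimal stand-in for the stroke profile (NOT the real
# /etc/apparmor.d/usr.lib.ipsec.stroke): it grants only "r" on the binary
# itself, so mapping it with mmap is denied.
SAMPLE_PROFILE = """\
#include <tunables/global>
/usr/lib/ipsec/stroke {
  #include <abstractions/base>
  /usr/lib/ipsec/stroke r,
  /var/run/charon.ctl rw,
}
"""

# key=value pairs; values are either double-quoted or bare tokens.
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
# A file rule: optional "owner", a path, a run of permission letters, a comma.
_RULE = re.compile(r'^\s*(?:owner\s+)?(\S+)\s+([A-Za-z]+),', re.M)


def parse_apparmor_audit(line):
    """Split an AppArmor audit line into its key=value fields.

    Returns None for lines that are not AppArmor audit records. Quoted values
    (profile, name, namespace, masks) have their quotes removed.
    """
    if 'apparmor=' not in line:
        return None
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def suggest_own_binary_rule(fields):
    """Return the rule to add when a profile denies its own binary read/mmap/exec.

    The bug description notes this pattern is normally granted with "rmix"
    on the program's own path; a denial on any other file, or for a write,
    or a non-DENIED record, yields None so nothing broader is suggested.
    """
    if not fields or fields.get('apparmor') != 'DENIED':
        return None
    if fields.get('name') != fields.get('profile'):
        return None
    if not set(fields.get('denied_mask', '')) & {'r', 'm', 'x'}:
        return None
    return f"{fields['name']} rmix,"


def profile_grants_mmap(profile_text, path):
    """True if some file rule in profile_text grants 'm' on exactly this path."""
    return any(p == path and 'm' in perms
               for p, perms in _RULE.findall(profile_text))


def rules_to_add(log_lines, profile_text):
    """Scan log lines; return the own-binary rules the profile still lacks."""
    missing = []
    for line in log_lines:
        rule = suggest_own_binary_rule(parse_apparmor_audit(line))
        if rule and rule not in missing:
            path = rule.split()[0]
            if not profile_grants_mmap(profile_text, path):
                missing.append(rule)
    return missing


if __name__ == '__main__':
    for rule in rules_to_add([SAMPLE_DENIAL], SAMPLE_PROFILE):
        print('add to profile:', rule)
```

Run against the sample it reports `/usr/lib/ipsec/stroke rmix,`; once that line is present in the profile it reports nothing, which is the check worth keeping in a regression test for the fix.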
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1780534
Title: Default usr.lib.ipsec.stroke profile causes segfault for 'ipsec status'
To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1780534/+subscriptions
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs