[Pkg-swan-devel] [Git][debian/strongswan][debian/master] 5 commits: - d/usr.lib.ipsec.charon, d/usr.sbin.charon-systemd: add CAP_SETPCAP to...
Yves-Alexis Perez
gitlab at salsa.debian.org
Mon Aug 26 08:56:21 BST 2019
Yves-Alexis Perez pushed to branch debian/master at Debian / strongswan
Commits:
cf44e8c3 by Simon Deziel at 2019-04-25T14:40:38Z
- d/usr.lib.ipsec.charon, d/usr.sbin.charon-systemd: add CAP_SETPCAP to apparmor to allow dropping caps
Fixes LP: #1826238 and closes 927961
Signed-off-by: Simon Deziel <simon at sdeziel.info>
- - - - -
4f6b33c3 by Simon Deziel at 2019-04-25T14:42:33Z
- d/usr.sbin.swanctl: add attach_disconnected to work inside containers
Signed-off-by: Simon Deziel <simon at sdeziel.info>
- - - - -
f358e9cf by Simon Deziel at 2019-04-25T14:43:58Z
- d/usr.sbin.charon-systemd: allow accessing the binary
Remove access to /usr/lib/ipsec/charon as that's unneeded when
using strongswan-swanctl.
Signed-off-by: Simon Deziel <simon at sdeziel.info>
- - - - -
21c7ce1f by Simon Deziel at 2019-04-25T14:50:58Z
- d/usr.sbin.swanctl: allow reading own binary
Signed-off-by: Simon Deziel <simon at sdeziel.info>
- - - - -
e3078802 by Yves-Alexis Perez at 2019-08-26T07:56:16Z
Merge branch 'apparmor-fixes' into 'debian/master'
Apparmor fixes
See merge request debian/strongswan!4
- - - - -
3 changed files:
- debian/usr.lib.ipsec.charon
- debian/usr.sbin.charon-systemd
- debian/usr.sbin.swanctl
Changes:
=====================================
debian/usr.lib.ipsec.charon
=====================================
@@ -28,6 +28,7 @@
capability chown,
capability setgid,
capability setuid,
+ capability setpcap,
# libcharon-extra-plugins: xauth-pam
capability audit_write,
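Review bot: the new `capability setpcap,` line has no comment saying why it is needed, unlike the `# libcharon-extra-plugins: xauth-pam` annotation directly below it for `audit_write`. Dropping capabilities from the bounding set via prctl(PR_CAPBSET_DROP) requires CAP_SETPCAP, which is the "dropping caps" case the commit message refers to; without that context a later reader is likely to take `setpcap` for a privilege grant and strip it again, reintroducing the bug. Suggest a one-line comment above it such as `# required to drop capabilities from the bounding set (PR_CAPBSET_DROP)`. Worth noting as well that this is only a net reduction in privilege because charon uses it to drop: the AppArmor rule itself does not prevent a process holding CAP_SETPCAP from moving bounding-set capabilities into its inheritable set, so the hardening relies on the daemon's own drop logic running early and correctly.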
=====================================
debian/usr.sbin.charon-systemd
=====================================
@@ -28,6 +28,7 @@
capability chown,
capability setgid,
capability setuid,
+ capability setpcap,
# libcharon-extra-plugins: xauth-pam
capability audit_write,
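Review bot: this hunk is the same one-line change as in debian/usr.lib.ipsec.charon above, and the surrounding block (`capability chown,` / `capability setgid,` / `capability setuid,`) is identical in both profiles. Maintaining two copies of the charon capability set means every fix has to be applied twice, as this merge request itself does; consider moving the shared capability rules into a local abstraction that both profiles `#include`, in the same way the swanctl profile below pulls in `<abstractions/base>`, so the two cannot drift apart.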
@@ -60,7 +61,7 @@
/run/charon.* rw,
/run/pcscd/pcscd.comm rw,
- /usr/lib/ipsec/charon rmix,
+ /usr/sbin/charon-systemd rmix,
/usr/lib/ipsec/imcvs/ r,
/usr/lib/ipsec/imcvs/** rm,
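Review bot: `/usr/sbin/charon-systemd rmix,` grants execute (`ix`) on the daemon's own binary in addition to read and mmap, while the commit message only says the binary needs to be "accessed". If charon-systemd never re-executes itself, `rm` is the least-privilege form and `ix` is surplus; if it does re-exec, or the mode was simply carried over from the replaced `/usr/lib/ipsec/charon rmix,` line, a short comment saying which would stop the next reviewer from trimming it. Removing the old `/usr/lib/ipsec/charon` rule is the right call for the strongswan-swanctl layout described in the commit message, since that path would otherwise remain executable from inside the confined daemon for no reason.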
=====================================
debian/usr.sbin.swanctl
=====================================
@@ -1,6 +1,6 @@
#include <tunables/global>
-/usr/sbin/swanctl {
+/usr/sbin/swanctl flags=(attach_disconnected) {
#include <abstractions/base>
# Allow /etc/swanctl/x509ca/ files to symlink to system-wide ca-certificates
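Review bot: `flags=(attach_disconnected)` should carry a comment explaining the container case from the commit message, since the profile header is the first place a reader will look. The flag makes AppArmor treat paths it cannot resolve back to the namespace root as if they were attached at `/`, so the path rules in this profile still match when swanctl runs in a container. The caveat is that a disconnected path is then matched against the rules as though rooted at `/`, so any broad rule in the profile could match more than intended; with rules as narrow as `/run/charon.vici rw,` that is acceptable, but it is worth stating. It would also be worth checking whether the charon-systemd profile needs the same flag for the same container deployment, as this merge request adds it to swanctl only.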
@@ -21,6 +21,9 @@
# Allow communication with VICI plugin UNIX domain socket
/run/charon.vici rw,
+ # Allow reading own binary
+ /usr/sbin/swanctl r,
+
# As of 5.5.2, swanctl unnecessarily loads plugins by default, even though no
# plugins are actually used by swanctl. The following can be removed if
# plugin loading is disabled.
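Review bot: `/usr/sbin/swanctl r,` uses a different access mode from the own-binary rule added to the charon-systemd profile (`rmix`), and the comment `# Allow reading own binary` does not record what access was actually denied. If this came from an audit DENIED entry, quote the requested mask in the comment so the mode is verifiably minimal; if the binary also gets mmapped, `r` alone will surface a new denial and `rm` is the correct form. Ordering is not an issue here, since AppArmor path rules accumulate regardless of position, so placing it ahead of the `# As of 5.5.2, swanctl unnecessarily loads plugins` block is fine.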
View it on GitLab: https://salsa.debian.org/debian/strongswan/compare/4a8ddaabf0d1a97d6af38cac8a9be0e11a4f1bb3...e30788020b4ff9e901b199026c44704dc1cdee28