[Pkg-swan-devel] [Git][debian/strongswan][debian/master] 15 commits: - d/control: Mention mgf1 plugin which is in libstrongswan now
Yves-Alexis Perez
gitlab at salsa.debian.org
Fri Oct 4 15:38:32 BST 2019
Yves-Alexis Perez pushed to branch debian/master at Debian / strongswan
Commits:
02235c4e by Christian Ehrhardt at 2019-08-29T08:44:09Z
- d/control: Mention mgf1 plugin which is in libstrongswan now
Signed-off-by: Christian Ehrhardt <christian.ehrhardt at canonical.com>
- - - - -
b097bd73 by Christian Ehrhardt at 2019-08-29T11:18:35Z
Complete the disabling of libfast
This was partially accepted in Debian; it no longer packages medcli
and medsrv, but still builds (rules) and mentions (control) them.
+ d/rules: Add --disable-fast to avoid build time and dependencies
+ d/control: Remove medcli, medsrv from package description
Signed-off-by: Christian Ehrhardt <christian.ehrhardt at canonical.com>
- - - - -
006b278e by Christian Ehrhardt at 2019-08-29T11:18:35Z
- Clean up d/strongswan-starter.postinst: section about runlevel changes
Signed-off-by: Christian Ehrhardt <christian.ehrhardt at canonical.com>
- - - - -
020417d8 by Christian Ehrhardt at 2019-08-29T11:18:36Z
Clean up d/strongswan-starter.postinst: opportunistic encryption
Removed entire section on opportunistic encryption disabling.
This was never in strongSwan and won't be; see upstream issue #2160.
Signed-off-by: Christian Ehrhardt <christian.ehrhardt at canonical.com>
- - - - -
2a892daa by Ryan Harper at 2019-08-29T11:18:36Z
Remove code related to unused debconf managed config
- d/rules: Removed patching ipsec.conf on build (not using the
debconf-managed config.)
- d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference (was
used for debconf-managed include of private key).
- - - - -
71b9b809 by Christian Ehrhardt at 2019-08-29T11:18:37Z
Enable kernel-libipsec for use of strongswan in containers
This is a userspace implementation (please do note that this is still
considered experimental by upstream).
+ d/libcharon-extra-plugins.install: Add kernel-libipsec components
+ d/control: List kernel-libipsec plugin at extra plugins description
+ d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As
upstream recommends to not load kernel-libipsec by default.
Signed-off-by: Christian Ehrhardt <christian.ehrhardt at canonical.com>
- - - - -
207c5b82 by Christian Ehrhardt at 2019-08-29T11:41:04Z
d/control, d/libcharon-{extras,extauth}-plugins.install: Add extauth-plugins package (Recommends)
Currently we have some things in base (almost always needed) and some
others in extras (rarely needed). But there are a few in between which
are neither always nor rarely needed.
Move those more common charon plugins for more common use cases from
extra-plugins into a new extauth-plugins package.
This will allow those use cases without pulling in too many more plugins
from the extra package.
Recommending that package from strongswan-libcharon will install it by
default but keep it removable if needed (e.g. for a more secure lockdown).
Signed-off-by: Christian Ehrhardt <christian.ehrhardt at canonical.com>
- - - - -
f7406f46 by Christian Ehrhardt at 2019-08-29T11:41:04Z
apparmor: d/usr.lib.ipsec.charon: sync notify rule from charon-systemd
Signed-off-by: Christian Ehrhardt <christian.ehrhardt at canonical.com>
- - - - -
bd7fc11a by Christian Ehrhardt at 2019-08-29T11:41:04Z
apparmor: fix apparmor denies reading the own FDs (LP: 1786250)
As per LP #1786250, a user noted audit failures in the system log
against charon trying to read its own list of file descriptors
in /proc/<pid>/fd/.
We are uncertain when/why this started; however, it is not
unreasonable for a process to attempt to read its own fds,
so allow it by extending the apparmor profile for charon.
References:
http://manpages.ubuntu.com/manpages/bionic/en/man5/apparmor.d.5.html
https://linux.die.net/man/5/proc
Signed-off-by: Christian Ehrhardt <christian.ehrhardt at canonical.com>
- - - - -
5531a243 by Christian Ehrhardt at 2019-08-29T11:41:05Z
apparmor: d/usr.sbin.charon-systemd: allow CLUSTERIP for ha plugin (LP: 1773956)
Signed-off-by: Christian Ehrhardt <christian.ehrhardt at canonical.com>
- - - - -
3b091777 by Christian Ehrhardt at 2019-08-29T11:41:05Z
apparmor: d/usr.lib.ipsec.stroke: executables need to be able to read map and execute themselves
Signed-off-by: Christian Ehrhardt <christian.ehrhardt at canonical.com>
- - - - -
45339209 by Christian Ehrhardt at 2019-08-29T11:41:06Z
apparmor: d/usr.lib.ipsec.lookip: executables need to be able to read map and execute themselves
Signed-off-by: Christian Ehrhardt <christian.ehrhardt at canonical.com>
- - - - -
ce77e32d by Christian Ehrhardt at 2019-08-29T11:41:06Z
apparmor: d/usr.sbin.swanctl: add apparmor rule for af-alg plugin (LP: 1807962)
Signed-off-by: Christian Ehrhardt <christian.ehrhardt at canonical.com>
- - - - -
c8011ec7 by Christian Ehrhardt at 2019-08-29T11:41:06Z
d/control: libtpmtss is actually packaged in libstrongswan-extra-plugins
Signed-off-by: Christian Ehrhardt <christian.ehrhardt at canonical.com>
- - - - -
77495db8 by Yves-Alexis Perez at 2019-10-04T14:38:23Z
Merge branch 'debian-submission-april2019-v3' into 'debian/master'
Feed back Ubuntu Delta
See merge request debian/strongswan!5
- - - - -
13 changed files:
- debian/control
- debian/ipsec.secrets.proto
- + debian/libcharon-extauth-plugins.install
- debian/libcharon-extra-plugins.install
- + debian/patches/dont-load-kernel-libipsec-plugin-by-default.patch
- debian/patches/series
- debian/rules
- debian/strongswan-starter.postinst
- debian/usr.lib.ipsec.charon
- debian/usr.lib.ipsec.lookip
- debian/usr.lib.ipsec.stroke
- debian/usr.sbin.charon-systemd
- debian/usr.sbin.swanctl
Changes:
=====================================
debian/control
=====================================
@@ -65,6 +65,7 @@ Description: strongSwan utility and crypto library
- gmp (RSA/DH crypto backend based on libgmp)
- hmac (HMAC wrapper using various hashers)
- md5 (MD5 hasher software implementation)
+ - mgf1 (Mask Generation Functions based on the SHA-1, SHA-256 and SHA-512)
- nonce (Default nonce generation plugin)
- pem (PEM encoding/decoding routines)
- pgp (PGP encoding/decoding routines)
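Review bot: style nit on the added mgf1 line: "based on the SHA-1, SHA-256 and SHA-512" carries a stray "the"; "based on SHA-1, SHA-256 and SHA-512" reads like the neighbouring entries.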
@@ -88,9 +89,6 @@ Description: strongSwan utility and crypto library
- kernel-pfroute [kfreebsd] (Networking kernel interface using PF_ROUTE)
- resolve (Writes name servers received via IKE to a resolv.conf file or
installs them via resolvconf(8))
- .
- Also included is the libtpmtss library adding support for TPM plugin
- (https://wiki.strongswan.org/projects/strongswan/wiki/TpmPlugin)
Package: libstrongswan-standard-plugins
Architecture: any
@@ -141,6 +139,34 @@ Description: strongSwan utility and crypto library (extra plugins)
- rdrand (High quality / high performance random source using the Intel
rdrand instruction found on Ivy Bridge processors)
- test-vectors (Set of test vectors for various algorithms)
+ .
+ Also included is the libtpmtss library adding support for TPM plugin
+ (https://wiki.strongswan.org/projects/strongswan/wiki/TpmPlugin)
+
+Package: libcharon-extauth-plugins
+Architecture: any
+Depends: libstrongswan (= ${binary:Version}),
+ ${misc:Depends},
+ ${shlibs:Depends}
+Breaks: libcharon-extra-plugins (<< 5.8.0-2~)
+Replaces: libcharon-extra-plugins (<< 5.8.0-2~)
+Description: strongSwan charon library (extended authentication plugins)
+ The strongSwan VPN suite uses the native IPsec stack in the standard
+ Linux kernel. It supports both the IKEv1 and IKEv2 protocols.
+ .
+ This package provides extended authentication plugins for the charon library:
+ - eap-mschapv2 (EAP-MSCHAPv2 protocol handler using passwords/NT hashes)
+ Used for client side to connect to some VPN concentrators configured for
+ Windows 7+ and modern OSX/iOS using IKEv2 (identify with public key,
+ authenticate with MSCHAPv2).
+ - xauth-generic (Generic XAuth backend that provides passwords from
+ ipsec.secrets and other credential sets)
+ Used for the client side to connect to VPN concentrators configured for
+ Android and older OSX/iOS using IKEv1 and XAUTH (identify with public key,
+ authenticate with XAUTH password).
+ .
+ These are the "not always, but still more commonly used" plugins, for further
+ needs even more plugins can be found in the package libcharon-extra-plugins.
Package: libcharon-extra-plugins
Architecture: any
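Review bot: the Breaks/Replaces on libcharon-extra-plugins (<< 5.8.0-2~) must be the version of the first upload that actually ships the split, because eap-mschapv2 and xauth-generic physically move between the two packages; if the Debian upload lands under a different version than 5.8.0-2, dpkg will report file-overwrite errors on upgrade from the old libcharon-extra-plugins. Double-check this against d/changelog before merging.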
@@ -160,7 +186,6 @@ Description: strongSwan charon library (extra plugins)
- eap-identity (EAP-Identity identity exchange algorithm, to use with other
EAP protocols)
- eap-md5 (EAP-MD5 protocol handler using passwords)
- - eap-mschapv2 (EAP-MSCHAPv2 protocol handler using passwords/NT hashes)
- eap-radius (EAP server proxy plugin forwarding EAP conversations to a
RADIUS server)
- eap-tls (EAP-TLS protocol handler, to authenticate with certificates in
@@ -169,15 +194,12 @@ Description: strongSwan charon library (extra plugins)
- eap-ttls (EAP-TTLS protocol handler, wraps other EAP methods securely)
- error-notify (Notification about errors via UNIX socket)
- ha (High-Availability clustering)
+ - kernel-libipsec (Userspace IPsec Backend with TUN devices)
- led (Let Linux LED subsystem LEDs blink on IKE activity)
- lookip (Virtual IP lookup facility using a UNIX socket)
- - medcli (Web interface based mediation client interface)
- - medsrv (Web interface based mediation server interface)
- tnc (Trusted Network Connect)
- unity (Cisco Unity extensions for IKEv1)
- xauth-eap (XAuth backend that uses EAP methods to verify passwords)
- - xauth-generic (Generic XAuth backend that provides passwords from
- ipsec.secrets and other credential sets)
- xauth-pam (XAuth backend that uses PAM modules to verify passwords)
Package: strongswan-starter
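Review bot: the new "kernel-libipsec (Userspace IPsec Backend with TUN devices)" entry should mention that the plugin ships with load = no (see dont-load-kernel-libipsec-plugin-by-default.patch), so that someone reading the package description knows it has to be enabled explicitly in strongswan.d/charon/kernel-libipsec.conf; as written the list implies it is active like every other plugin.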
@@ -204,6 +226,7 @@ Depends: libstrongswan (= ${binary:Version}),
${shlibs:Depends}
Breaks: strongswan-starter (<= 5.6.1-2)
Replaces: strongswan-starter (<= 5.6.1-2)
+Recommends: libcharon-extauth-plugins
Suggests: libcharon-extra-plugins
Description: strongSwan charon library
The strongSwan VPN suite uses the native IPsec stack in the standard
=====================================
debian/ipsec.secrets.proto
=====================================
@@ -3,6 +3,3 @@
# RSA private key for this host, authenticating it to any other host
# which knows the public part.
-# this file is managed with debconf and will contain the automatically created private key
-include /var/lib/strongswan/ipsec.secrets.inc
-
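Review bot: dropping "include /var/lib/strongswan/ipsec.secrets.inc" silently stops loading any private key that the old debconf flow placed there; hosts that keep their modified conffile are unaffected, but hosts that accept the new file lose that key without any error at load time. Suggest a NEWS entry, or a postinst warning when /var/lib/strongswan/ipsec.secrets.inc still exists, so the removal is visible to the administrator.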
=====================================
debian/libcharon-extauth-plugins.install
=====================================
@@ -0,0 +1,19 @@
+# most commonly used libcharon plugins
+# 1) eap-mschapv2 is required on the client side to connect to VPN
+# concentrators configured for Windows 7+ and modern OSX/iOS using IKEv2.
+# In such scenario, the VPN concentrator identifies itself with a public
+# key and asks the client to authenticate with MSCHAPv2.
+# 2) xauth-generic is required on the client side to connect to VPN
+# concentrators configured for Android and older OSX/iOS using IKEv1 and
+# XAUTH. In such scenario, the VPN concentrator identifies itself with a
+# public key or a shared secret and asks the client to authenticate with a
+# XAUTH password.
+# plugins
+usr/lib/ipsec/plugins/libstrongswan-eap-mschapv2.so
+usr/lib/ipsec/plugins/libstrongswan-xauth-generic.so
+# config templates
+usr/share/strongswan/templates/config/plugins/eap-mschapv2.conf
+usr/share/strongswan/templates/config/plugins/xauth-generic.conf
+# configuration files
+etc/strongswan.d/charon/eap-mschapv2.conf
+etc/strongswan.d/charon/xauth-generic.conf
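Review bot: the xauth-generic comment here says the concentrator identifies itself "with a public key or a shared secret", whereas the libcharon-extauth-plugins description in d/control says "identify with public key" only; align the two so the package description does not understate the PSK case.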
=====================================
debian/libcharon-extra-plugins.install
=====================================
@@ -1,46 +1,104 @@
# libcharon plugins
usr/lib/ipsec/plugins/libstrongswan-addrblock.so
usr/lib/ipsec/plugins/libstrongswan-certexpire.so
-usr/lib/ipsec/plugins/libstrongswan-eap*.so
+usr/lib/ipsec/plugins/libstrongswan-eap-aka-3gpp2.so
+usr/lib/ipsec/plugins/libstrongswan-eap-aka.so
+usr/lib/ipsec/plugins/libstrongswan-eap-dynamic.so
+usr/lib/ipsec/plugins/libstrongswan-eap-gtc.so
+usr/lib/ipsec/plugins/libstrongswan-eap-identity.so
+usr/lib/ipsec/plugins/libstrongswan-eap-md5.so
+usr/lib/ipsec/plugins/libstrongswan-eap-peap.so
+usr/lib/ipsec/plugins/libstrongswan-eap-radius.so
+usr/lib/ipsec/plugins/libstrongswan-eap-sim-file.so
+usr/lib/ipsec/plugins/libstrongswan-eap-sim-pcsc.so
+usr/lib/ipsec/plugins/libstrongswan-eap-sim.so
+usr/lib/ipsec/plugins/libstrongswan-eap-simaka-pseudonym.so
+usr/lib/ipsec/plugins/libstrongswan-eap-simaka-reauth.so
+usr/lib/ipsec/plugins/libstrongswan-eap-simaka-sql.so
+usr/lib/ipsec/plugins/libstrongswan-eap-tls.so
+usr/lib/ipsec/plugins/libstrongswan-eap-tnc.so
+usr/lib/ipsec/plugins/libstrongswan-eap-ttls.so
usr/lib/ipsec/plugins/libstrongswan-error-notify.so
usr/lib/ipsec/plugins/libstrongswan-ha.so
+usr/lib/ipsec/plugins/libstrongswan-kernel-libipsec.so
usr/lib/ipsec/plugins/libstrongswan-led.so
usr/lib/ipsec/plugins/libstrongswan-lookip.so
#usr/lib/ipsec/plugins/libstrongswan-medsrv.so
#usr/lib/ipsec/plugins/libstrongswan-medcli.so
usr/lib/ipsec/plugins/libstrongswan-tnc-tnccs.so
usr/lib/ipsec/plugins/libstrongswan-unity.so
-usr/lib/ipsec/plugins/libstrongswan-xauth-*.so
+usr/lib/ipsec/plugins/libstrongswan-xauth-eap.so
+usr/lib/ipsec/plugins/libstrongswan-xauth-noauth.so
+usr/lib/ipsec/plugins/libstrongswan-xauth-pam.so
# standard configuration files
usr/share/strongswan/templates/config/plugins/addrblock.conf
usr/share/strongswan/templates/config/plugins/certexpire.conf
-usr/share/strongswan/templates/config/plugins/eap-*.conf
+usr/share/strongswan/templates/config/plugins/eap-aka-3gpp2.conf
+usr/share/strongswan/templates/config/plugins/eap-aka.conf
+usr/share/strongswan/templates/config/plugins/eap-dynamic.conf
+usr/share/strongswan/templates/config/plugins/eap-gtc.conf
+usr/share/strongswan/templates/config/plugins/eap-identity.conf
+usr/share/strongswan/templates/config/plugins/eap-md5.conf
+usr/share/strongswan/templates/config/plugins/eap-peap.conf
+usr/share/strongswan/templates/config/plugins/eap-radius.conf
+usr/share/strongswan/templates/config/plugins/eap-sim-file.conf
+usr/share/strongswan/templates/config/plugins/eap-sim-pcsc.conf
+usr/share/strongswan/templates/config/plugins/eap-sim.conf
+usr/share/strongswan/templates/config/plugins/eap-simaka-pseudonym.conf
+usr/share/strongswan/templates/config/plugins/eap-simaka-reauth.conf
+usr/share/strongswan/templates/config/plugins/eap-simaka-sql.conf
+usr/share/strongswan/templates/config/plugins/eap-tls.conf
+usr/share/strongswan/templates/config/plugins/eap-tnc.conf
+usr/share/strongswan/templates/config/plugins/eap-ttls.conf
usr/share/strongswan/templates/config/plugins/error-notify.conf
usr/share/strongswan/templates/config/plugins/ha.conf
+usr/share/strongswan/templates/config/plugins/kernel-libipsec.conf
usr/share/strongswan/templates/config/plugins/led.conf
usr/share/strongswan/templates/config/plugins/lookip.conf
#usr/share/strongswan/templates/config/plugins/medsrv.conf
#usr/share/strongswan/templates/config/plugins/medcli.conf
usr/share/strongswan/templates/config/plugins/tnc-tnccs.conf
usr/share/strongswan/templates/config/plugins/unity.conf
-usr/share/strongswan/templates/config/plugins/xauth-*.conf
+usr/share/strongswan/templates/config/plugins/xauth-eap.conf
+usr/share/strongswan/templates/config/plugins/xauth-noauth.conf
+usr/share/strongswan/templates/config/plugins/xauth-pam.conf
usr/share/strongswan/templates/config/strongswan.d/tnc.conf
etc/strongswan.d/tnc.conf
etc/strongswan.d/charon/addrblock.conf
etc/strongswan.d/charon/certexpire.conf
-etc/strongswan.d/charon/eap-*.conf
+etc/strongswan.d/charon/eap-aka-3gpp2.conf
+etc/strongswan.d/charon/eap-aka.conf
+etc/strongswan.d/charon/eap-dynamic.conf
+etc/strongswan.d/charon/eap-gtc.conf
+etc/strongswan.d/charon/eap-identity.conf
+etc/strongswan.d/charon/eap-md5.conf
+etc/strongswan.d/charon/eap-peap.conf
+etc/strongswan.d/charon/eap-radius.conf
+etc/strongswan.d/charon/eap-sim-file.conf
+etc/strongswan.d/charon/eap-sim-pcsc.conf
+etc/strongswan.d/charon/eap-sim.conf
+etc/strongswan.d/charon/eap-simaka-pseudonym.conf
+etc/strongswan.d/charon/eap-simaka-reauth.conf
+etc/strongswan.d/charon/eap-simaka-sql.conf
+etc/strongswan.d/charon/eap-tls.conf
+etc/strongswan.d/charon/eap-tnc.conf
+etc/strongswan.d/charon/eap-ttls.conf
etc/strongswan.d/charon/error-notify.conf
etc/strongswan.d/charon/ha.conf
+etc/strongswan.d/charon/kernel-libipsec.conf
etc/strongswan.d/charon/led.conf
etc/strongswan.d/charon/lookip.conf
#etc/strongswan.d/charon/medsrv.conf
#etc/strongswan.d/charon/medcli.conf
etc/strongswan.d/charon/tnc-tnccs.conf
etc/strongswan.d/charon/unity.conf
-etc/strongswan.d/charon/xauth-*.conf
+etc/strongswan.d/charon/xauth-eap.conf
+etc/strongswan.d/charon/xauth-noauth.conf
+etc/strongswan.d/charon/xauth-pam.conf
debian/usr.lib.ipsec.lookip /etc/apparmor.d/
# support libs
#usr/lib/ipsec/libfast.so*
+usr/lib/ipsec/libipsec.so*
usr/lib/ipsec/libpttls.so*
usr/lib/ipsec/libradius.so*
usr/lib/ipsec/libsimaka.so*
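Review bot: replacing the eap-*.so and xauth-*.so globs with explicit per-plugin lists is needed to carve out eap-mschapv2 and xauth-generic, but it means a new eap-* or xauth-* plugin in a future upstream release will be silently dropped from the package unless the build fails on unpackaged files; make sure dh_missing runs with --fail-missing (or the equivalent in d/rules) so the three lists here stay in sync with what configure actually builds.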
=====================================
debian/patches/dont-load-kernel-libipsec-plugin-by-default.patch
=====================================
@@ -0,0 +1,11 @@
+--- a/conf/plugins/kernel-libipsec.conf
++++ b/conf/plugins/kernel-libipsec.conf
+@@ -5,7 +5,7 @@
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+- load = yes
++ load = no
+
+ }
+
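Review bot: the new patch has no DEP-3 header (Description, Author, Forwarded/Origin); add one stating that load = no is a packaging policy choice following the upstream recommendation rather than an upstream bug, and that the patch is not meant to be forwarded, so the next person touching it does not have to dig through git history to learn why it exists.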
=====================================
debian/patches/series
=====================================
@@ -2,3 +2,4 @@
02_disable-bypass-lan.patch
03_systemd-service.patch
04_disable-libtls-tests.patch
+dont-load-kernel-libipsec-plugin-by-default.patch
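Review bot: the other entries in series use a numeric prefix (02_, 03_, 04_); name this one 05_dont-load-kernel-libipsec-plugin-by-default.patch for consistency, or drop the prefixes everywhere, so the apply order stays obvious from the file names.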
=====================================
debian/rules
=====================================
@@ -26,6 +26,7 @@ CONFIGUREARGS := --libdir=/usr/lib --libexecdir=/usr/lib \
--enable-gcm \
--enable-gcrypt \
--enable-ha \
+ --enable-kernel-libipsec \
--enable-ldap \
--enable-led \
--enable-lookip \
@@ -38,6 +39,7 @@ CONFIGUREARGS := --libdir=/usr/lib --libexecdir=/usr/lib \
--enable-xauth-eap \
--enable-xauth-pam \
--disable-blowfish \
+ --disable-fast \
--disable-des # BSD-Young license
#--with-user=strongswan --with-group=nogroup
# --enable-kernel-pfkey --enable-kernel-klips \
@@ -191,12 +193,6 @@ endif
# add additional files not covered by upstream makefile...
install --mode=0600 $(CURDIR)/debian/ipsec.secrets.proto $(CURDIR)/debian/strongswan-starter/etc/ipsec.secrets
- # also "patch" ipsec.conf to include the debconf-managed file
- echo >> $(CURDIR)/debian/strongswan-starter/etc/ipsec.conf
- echo "include /var/lib/strongswan/ipsec.conf.inc" >> $(CURDIR)/debian/strongswan-starter/etc/ipsec.conf
- # and to enable both IKEv1 and IKEv2 by default
- sed -r 's/^[ \t]+# *charonstart=(yes|no) */\tcharonstart=yes/' < $(CURDIR)/debian/strongswan-starter/etc/ipsec.conf > $(CURDIR)/debian/strongswan-starter/etc/ipsec.conf.tmp
- mv $(CURDIR)/debian/strongswan-starter/etc/ipsec.conf.tmp $(CURDIR)/debian/strongswan-starter/etc/ipsec.conf
# set permissions on ipsec.secrets and private key directories
chmod 600 $(CURDIR)/debian/strongswan-starter/etc/ipsec.secrets
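Review bot: besides the debconf include, this hunk also removes the sed that forced charonstart=yes in the shipped ipsec.conf, which the commit message (it only mentions the include and ipsec.secrets.inc) does not cover; either state in the message that the charonstart rewrite is dropped as well, or confirm that the shipped ipsec.conf no longer depends on it.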
=====================================
debian/strongswan-starter.postinst
=====================================
@@ -220,63 +220,6 @@ case "$1" in
db_set strongswan/install_x509_certificate false
fi
- # lets see if we are already using dependency based booting or the correct runlevel parameters
- if ! ( [ "`find /etc/init.d/ -name '.depend.*'`" ] || [ "$runlevels" = "0K841K842S163S164S165S166K84" ] ); then
- db_fset strongswan/runlevel_changes seen false
- db_input high strongswan/runlevel_changes || true
- db_go
-
- # if the admin did not change the runlevels which got installed by older packages we can modify them
- if [ "$runlevels" = "0K346K34SS41" ] || [ "$runlevels" = "0K301K302S153S154S155S156K30" ] || [ "$runlevels" = "0K191K192S213S214S215S216K19" ]; then
- update-rc.d -f ipsec remove
- fi
-
- update-rc.d ipsec defaults 16 84 > /dev/null
- fi
-
- db_get strongswan/enable-oe
- if [ "$RET" != "true" ]; then
- echo -n "Disabling opportunistic encryption (OE) in config file ... "
- if [ -e $CONF_FILE ] && egrep -q "include /etc/ipsec.d/examples/no_oe.conf$" $CONF_FILE; then
- # also update to new-style config
- sed 's/.*include \/etc\/ipsec.d\/examples\/no_oe.conf/#include \/etc\/ipsec.d\/examples\/oe.conf/' < $CONF_FILE > $CONF_FILE.tmp
- mv $CONF_FILE.tmp $CONF_FILE
- echo -n "converted old config line to new format"
- fi
- if [ -e $CONF_FILE ] && egrep -q "^include /etc/ipsec.d/examples/oe.conf$" $CONF_FILE; then
- sed 's/include \/etc\/ipsec.d\/examples\/oe.conf/#include \/etc\/ipsec.d\/examples\/oe.conf/' < $CONF_FILE > $CONF_FILE.tmp
- mv $CONF_FILE.tmp $CONF_FILE
- echo "done"
- elif [ ! -e $CONF_FILE ]; then
- echo "#include /etc/ipsec.d/examples/oe.conf" > $CONF_FILE
- else
- echo "already disabled"
- fi
- else
- echo -n "Enabling opportunistic encryption (OE) in config file ... "
- if [ -e $CONF_FILE ] && egrep -q "include /etc/ipsec.d/examples/no_oe.conf$" $CONF_FILE; then
- # also update to new-style config
- sed 's/.*include \/etc\/ipsec.d\/examples\/no_oe.conf/include \/etc\/ipsec.d\/examples\/oe.conf/' < $CONF_FILE > $CONF_FILE.tmp
- mv $CONF_FILE.tmp $CONF_FILE
- echo -n "converted old config line to new format"
- fi
- if [ -e $CONF_FILE ] && egrep -q "^include /etc/ipsec.d/examples/oe.conf$" $CONF_FILE; then
- echo "already enabled"
- elif [ -e $CONF_FILE ] && egrep -q "^#.*include /etc/ipsec.d/examples/oe.conf$" $CONF_FILE; then
- sed 's/#.*include \/etc\/ipsec.d\/examples\/oe.conf/include \/etc\/ipsec.d\/examples\/oe.conf/' < $CONF_FILE > $CONF_FILE.tmp
- mv $CONF_FILE.tmp $CONF_FILE
- echo "done"
- elif [ ! -e $CONF_FILE ]; then
- echo "include /etc/ipsec.d/examples/oe.conf" > $CONF_FILE
- else
- cat <<EOF >> $CONF_FILE
-#Enable Opportunistic Encryption
-include /etc/ipsec.d/examples/oe.conf
-EOF
- echo "done"
- fi
- fi
-
# disabled for now, until we can solve the don't-edit-conffiles issue
#db_get strongswan/ikev1
#if [ "$RET" != "true" ]; then
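Review bot: the removed block was the only user of the strongswan/runlevel_changes and strongswan/enable-oe debconf questions, and the corresponding templates file is not in the changed-files list; the templates should go too (lintian flags unused templates), and a db_unregister of the two stale questions in the postinst would avoid leaving dead entries in the debconf database.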
=====================================
debian/usr.lib.ipsec.charon
=====================================
@@ -69,6 +69,16 @@
/var/lib/strongswan/* r,
+ /{,var/}run/systemd/notify w,
+
+ # allow self to read file descriptors (LP #1786250)
+ # restrict to our own process-ID as per apparmor vars
+ @{PROC}/@{pid}/fd/ r,
+
+ # for using the ha plugin (LP: #1773956)
+ @{PROC}/@{pid}/net/ipt_CLUSTERIP/ r,
+ @{PROC}/@{pid}/net/ipt_CLUSTERIP/* rw,
+
# Site-specific additions and overrides. See local/README for details.
#include <local/usr.lib.ipsec.charon>
}
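Review bot: the comment "restrict to our own process-ID as per apparmor vars" on the @{PROC}/@{pid}/fd/ rule should be verified against the tunables shipped on the target release: where @{pid} is defined as a digit pattern rather than a kernel-resolved own-PID variable, the rule also permits listing other processes' fd directories (r on the directory lists fd numbers only, not their targets). Either confirm the variable resolves to the own PID or reword the comment so it does not overstate the restriction. The same pair of rules is duplicated in usr.sbin.charon-systemd; a shared abstraction would keep them in step.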
=====================================
debian/usr.lib.ipsec.lookip
=====================================
@@ -15,6 +15,8 @@
/usr/lib/ipsec/lookip {
#include <abstractions/base>
+ /usr/lib/ipsec/lookip rmix,
+
/run/charon.lkp rw,
# Site-specific additions and overrides. See local/README for details.
=====================================
debian/usr.lib.ipsec.stroke
=====================================
@@ -17,6 +17,8 @@
capability dac_override,
+ /usr/lib/ipsec/stroke rmix,
+
/etc/strongswan.conf r,
/etc/strongswan.d/ r,
/etc/strongswan.d/** r,
=====================================
debian/usr.sbin.charon-systemd
=====================================
@@ -71,6 +71,14 @@
/{,var/}run/systemd/notify w,
+ # allow self to read file descriptors (LP #1786250)
+ # restrict to our own process-ID as per apparmor vars
+ @{PROC}/@{pid}/fd/ r,
+
+ # for using the ha plugin (LP: #1773956)
+ @{PROC}/@{pid}/net/ipt_CLUSTERIP/ r,
+ @{PROC}/@{pid}/net/ipt_CLUSTERIP/* rw,
+
# Site-specific additions and overrides. See local/README for details.
#include <local/usr.sbin.charon-systemd>
}
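Review bot: same @{pid} caveat as for the identical rules in usr.lib.ipsec.charon: check that the @{pid} tunable really restricts to the own PID on the target release before relying on the "restrict to our own process-ID" comment. The ipt_CLUSTERIP rules mirror the charon profile, which is right for the ha plugin as long as both profiles stay in sync.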
=====================================
debian/usr.sbin.swanctl
=====================================
@@ -24,6 +24,9 @@
# Allow reading own binary
/usr/sbin/swanctl r,
+ # for af-alg plugin
+ network alg seqpacket,
+
# As of 5.5.2, swanctl unnecessarily loads plugins by default, even though no
# plugins are actually used by swanctl. The following can be removed if
# plugin loading is disabled.
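Review bot: the context directly below the added rule notes that swanctl loads plugins it never uses and that these rules could be removed if plugin loading were disabled; widening the profile with "network alg seqpacket" for af-alg moves in the other direction. Either state why disabling plugin loading for swanctl is not an option here, or prefer that over granting AF_ALG sockets to a configuration client that does not need them.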
View it on GitLab: https://salsa.debian.org/debian/strongswan/compare/7d3b80760fc63b891a7bfa10af590bdeca9e1963...77495db864055d524a3f3a8f3c918f4889b1dd5c