[Pkg-swan-devel] Bug#1032110: Apparmor denies access to /etc/ipsec.secrets.d/
James Lownie
james at sol1.com.au
Tue Feb 28 05:44:35 GMT 2023
Package: strongswan-charon
Version: 5.9.1-1+deb11u3
Severity: normal
X-Debbugs-Cc: none
Dear maintainer,
I ran into a problem using Strongswan which looks like a bug to me. I'm not sure if it's in strongswan-charon or in Apparmor but I fixed it by editing /etc/apparmor.d/usr.lib.ipsec.charon which is strongswan-charon code, so I'm raising it here first.
The problem was that when I ran the command 'ipsec rereadsecrets' these messages appeared in syslog:
Feb 28 14:50:41 myhostname charon: 01[CFG] expanding file expression '/etc/ipsec.secrets.d/*' failed
Feb 28 14:50:41 myhostname kernel: [2262128.239395] audit: type=1400 audit(1677556241.557:15): apparmor="DENIED" operation="open" profile="/usr/lib/ipsec/charon" name="/etc/ipsec.secrets.d/" pid=49996 comm="charon" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Feb 28 14:50:41 myhostname kernel: [2262128.239405] audit: type=1400 audit(1677556241.557:16): apparmor="DENIED" operation="open" profile="/usr/lib/ipsec/charon" name="/etc/ipsec.secrets.d/99-netier_datacenter.secrets" pid=49996 comm="charon" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Incoming connections were then rejected:
Feb 28 14:46:57 myhostname charon: 14[CFG] selected peer config 'my_sa_name'
Feb 28 14:46:57 myhostname charon: 14[IKE] no shared key found for '192.168.XXX.0' - '192.168.XXX.0'
Feb 28 14:46:57 fw-cwp-dubbo charon: 14[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Feb 28 14:46:57 fw-cwp-dubbo charon: 14[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
I disabled this profile using aa-complain and verified that ipsec could read the secrets file and that the connection could be opened.
I then modified /etc/apparmor.d/usr.lib.ipsec.charon as follows, after which IPSec was able to load the secrets file and authenticate incoming connections:
+ # Site-specific additions and overrides. See local/README for details.
+ #include <local/usr.lib.ipsec.charon>
+ /etc/ipsec.secrets.d/ r,
+ /etc/ipsec.secrets.d/** r,
/etc/ipsec.conf r,
/etc/ipsec.secrets r,
/etc/ipsec.*.secrets r,
/etc/ipsec.d/ r,
/etc/ipsec.d/** r,
/etc/ipsec.d/crls/* rw,
/etc/opensc/opensc.conf r,
/etc/strongswan.conf r,
/etc/strongswan.d/ r,
/etc/strongswan.d/** r,
/etc/tnc_config r,
/proc/sys/net/core/xfrm_acq_expires w,
/run/charon.* rw,
/run/pcscd/pcscd.comm rw,
/usr/lib/ipsec/charon rmix,
/usr/lib/ipsec/imcvs/ r,
/usr/lib/ipsec/imcvs/** rm,
/usr/lib/*/opensc-pkcs11.so rm,
/var/lib/strongswan/* r,
/{,var/}run/systemd/notify w,
# allow self to read file descriptors (LP #1786250)
# restrict to our own process-ID as per apparmor vars
@{PROC}/@{pid}/fd/ r,
# for using the ha plugin (LP: #1773956)
@{PROC}/@{pid}/net/ipt_CLUSTERIP/ r,
@{PROC}/@{pid}/net/ipt_CLUSTERIP/* rw,
- # Site-specific additions and overrides. See local/README for details.
- #include <local/usr.lib.ipsec.charon>
- /etc/ipsec.secrets.d/ r,
- /etc/ipsec.secrets.d/** r,
}
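Review bot: only the two added lines `/etc/ipsec.secrets.d/ r,` and `/etc/ipsec.secrets.d/** r,` are needed for the fix; the remaining `+`/`-` lines just move the `# Site-specific additions and overrides` comment and `#include <local/usr.lib.ipsec.charon>` from the end of the profile to before `/etc/ipsec.conf r,`, which changes nothing (AppArmor file rules are not order-dependent) but departs from the Debian convention of keeping the local include as the last lines of the profile, so I would drop that move. For the packaged profile, the two secrets.d rules belong next to the existing `/etc/ipsec.d/ r,` and `/etc/ipsec.d/** r,` pair, which they mirror. For a site fix, the same two lines can go into /etc/apparmor.d/local/usr.lib.ipsec.charon, the file that the `#include <local/...>` line already pulls in, which keeps the packaged profile unmodified and avoids a conffile prompt on the next package upgrade.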
-- System Information:
Debian Release: 11.6
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 5.10.0-21-amd64 (SMP w/4 CPU threads)
Locale: LANG=en_AU, LC_CTYPE=en_AU (charmap=ISO-8859-1), LANGUAGE=en_AU:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages strongswan-charon depends on:
ii debconf [debconf-2.0] 1.5.77
ii iproute2 5.10.0-4
ii libc6 2.31-13+deb11u5
ii libstrongswan 5.9.1-1+deb11u3
ii strongswan-libcharon 5.9.1-1+deb11u3
ii strongswan-starter 5.9.1-1+deb11u3
strongswan-charon recommends no packages.
strongswan-charon suggests no packages.
-- Configuration Files:
/etc/apparmor.d/usr.lib.ipsec.charon changed:
/usr/lib/ipsec/charon flags=(attach_disconnected) {
#include <abstractions/base>
#include <abstractions/nameservice>
#include <abstractions/authentication>
#include <abstractions/openssl>
#include <abstractions/p11-kit>
capability ipc_lock,
capability net_admin,
capability net_raw,
# allow priv dropping (LP: #1333655)
capability chown,
capability setgid,
capability setuid,
capability setpcap,
# libcharon-extra-plugins: xauth-pam
capability audit_write,
# libstrongswan-standard-plugins: agent
capability dac_override,
network,
network raw,
/{,usr/}bin/dash rmPUx,
# libcharon-extra-plugins: kernel-libipsec
/dev/net/tun rw,
# Site-specific additions and overrides. See local/README for details.
#include <local/usr.lib.ipsec.charon>
/etc/ipsec.secrets.d/ r,
/etc/ipsec.secrets.d/** r,
/etc/ipsec.conf r,
/etc/ipsec.secrets r,
/etc/ipsec.*.secrets r,
/etc/ipsec.d/ r,
/etc/ipsec.d/** r,
/etc/ipsec.d/crls/* rw,
/etc/opensc/opensc.conf r,
/etc/strongswan.conf r,
/etc/strongswan.d/ r,
/etc/strongswan.d/** r,
/etc/tnc_config r,
/proc/sys/net/core/xfrm_acq_expires w,
/run/charon.* rw,
/run/pcscd/pcscd.comm rw,
/usr/lib/ipsec/charon rmix,
/usr/lib/ipsec/imcvs/ r,
/usr/lib/ipsec/imcvs/** rm,
/usr/lib/*/opensc-pkcs11.so rm,
/var/lib/strongswan/* r,
/{,var/}run/systemd/notify w,
# allow self to read file descriptors (LP #1786250)
# restrict to our own process-ID as per apparmor vars
@{PROC}/@{pid}/fd/ r,
# for using the ha plugin (LP: #1773956)
@{PROC}/@{pid}/net/ipt_CLUSTERIP/ r,
@{PROC}/@{pid}/net/ipt_CLUSTERIP/* rw,
}
-------------------
James Lownie
Support Engineer
Sol1
https://sol1.com.au/
1300 765 122
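As an added example (not part of the bug report above, and not strongswan or Debian code), the POSIX shell snippet below shows how a defender turns apparmor="DENIED" audit lines like the two quoted in the report into candidate AppArmor file rules, and then collapses a per-file rule into the directory glob that the reporter's fix uses. The embedded log text is a constructed copy of the report's two kernel lines; the function names denials_to_rules and collapse_to_dir are my own.

```shell
#!/bin/sh
# Added example: derive AppArmor rule candidates from audit DENIED lines.
# Not code from the bug report, strongswan, or the Debian package.

# Constructed sample input: the two denial lines quoted in the report.
SAMPLE_LOG='Feb 28 14:50:41 myhostname kernel: [2262128.239395] audit: type=1400 audit(1677556241.557:15): apparmor="DENIED" operation="open" profile="/usr/lib/ipsec/charon" name="/etc/ipsec.secrets.d/" pid=49996 comm="charon" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Feb 28 14:50:41 myhostname kernel: [2262128.239405] audit: type=1400 audit(1677556241.557:16): apparmor="DENIED" operation="open" profile="/usr/lib/ipsec/charon" name="/etc/ipsec.secrets.d/99-netier_datacenter.secrets" pid=49996 comm="charon" requested_mask="r" denied_mask="r" fsuid=0 ouid=0'

# denials_to_rules PROFILE
#   Reads audit lines on stdin, keeps the DENIED ones for PROFILE and prints
#   one AppArmor file rule per distinct (path, denied_mask): "<path> <mask>,"
#   LC_ALL=C keeps the sort byte-ordered so the output is stable across locales.
denials_to_rules() {
    profile="$1"
    grep 'apparmor="DENIED"' |
    grep -F "profile=\"$profile\"" |
    sed -n 's/.*name="\([^"]*\)".*denied_mask="\([^"]*\)".*/\1 \2,/p' |
    LC_ALL=C sort -u
}

# collapse_to_dir
#   Reads rules on stdin and rewrites "<dir>/<file> <mask>," into
#   "<dir>/* <mask>," so one rule covers every file in that directory, the
#   way the fix in the report grants /etc/ipsec.secrets.d/ as a whole.
#   A bare directory rule ("<dir>/ <mask>,") is passed through unchanged,
#   because the directory itself still needs its own read rule.
collapse_to_dir() {
    sed 's|^\(.*/\)[^/ ]\{1,\} \([a-z]*\),$|\1* \2,|' | LC_ALL=C sort -u
}

# Stand-alone run: print the rules suggested for the charon profile.
printf '%s\n' "$SAMPLE_LOG" |
    denials_to_rules /usr/lib/ipsec/charon |
    collapse_to_dir
```

In practice the input comes from `journalctl -k` or /var/log/syslog rather than the embedded sample; the printed lines go into /etc/apparmor.d/local/usr.lib.ipsec.charon (the file the packaged profile already includes) and the profile is reloaded with `apparmor_parser -r /etc/apparmor.d/usr.lib.ipsec.charon`. Review the collapsed glob before adopting it: a per-file denial only proves that one file was needed, and the broader rule is a deliberate choice, not something the log demonstrates.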