swanctl apparmor DENIED on ppc64el LXD

Bug #1999935 reported by Andreas Hasenack
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
strongswan (Ubuntu) | Fix Released | Undecided | Andreas Hasenack |

Bug Description

Given a very peculiar set of conditions, swanctl will segfault because apparmor will deny its execution on a ppc64el lunar LXD:

root@l1:~# swanctl
Segmentation fault

[Fri Dec 16 18:55:58 2022] audit: type=1400 audit(1671216959.000:460): apparmor="DENIED" operation="file_mmap" class="file" namespace="root//lxd-l1_<var-snap-lxd-common-lxd>" profile="/usr/sbin/swanctl" name="/usr/sbin/swanctl" pid=31224 comm="swanctl" requested_mask="m" denied_mask="m" fsuid=1000000 ouid=1000000

This was flagged in the new DEP8 test I added to this package in the lunar cycle:

https://autopkgtest.ubuntu.com/results/autopkgtest-lunar/lunar/ppc64el/s/strongswan/20221216_174334_42f08@/log.gz

This does not happen in other architectures in lunar, just ppc64el.

Adding the "m" flag to the swanctl binary rule fixes the issue.
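
An added triage example, not part of the original report or of the strongswan package: it parses AppArmor audit records like the one quoted above and reports, per profile and path, which permission letters were denied. The function names are hypothetical, and the second sample line is constructed.

```python
import re
from collections import defaultdict

# Constructed sample input: line 1 is the audit record quoted in the report,
# line 2 is a made-up ALLOWED record that the triage must ignore.
SAMPLE_LOG = """\
[Fri Dec 16 18:55:58 2022] audit: type=1400 audit(1671216959.000:460): apparmor="DENIED" operation="file_mmap" class="file" namespace="root//lxd-l1_<var-snap-lxd-common-lxd>" profile="/usr/sbin/swanctl" name="/usr/sbin/swanctl" pid=31224 comm="swanctl" requested_mask="m" denied_mask="m" fsuid=1000000 ouid=1000000
[Fri Dec 16 18:55:59 2022] audit: type=1400 audit(1671216960.000:461): apparmor="ALLOWED" operation="open" class="file" profile="/usr/sbin/example" name="/etc/example.conf" pid=31300 comm="example" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

# Matches key="quoted value" or key=bare_value.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_record(line):
    """Return the key=value fields of one AppArmor audit line, or None."""
    if "apparmor=" not in line:
        return None
    return {k: quoted or bare for k, quoted, bare in FIELD_RE.findall(line)}


def missing_permissions(log_text):
    """Map (namespace, profile, path) -> set of denied permission letters."""
    missing = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_record(line)
        # Only DENIED records that name a file path are relevant here.
        if not rec or rec.get("apparmor") != "DENIED" or "name" not in rec:
            continue
        key = (rec.get("namespace", ""), rec["profile"], rec["name"])
        missing[key].update(rec.get("denied_mask", ""))
    return dict(missing)


def is_self_mmap_denial(rec):
    """True when a profile denies mapping its own binary, as in this bug."""
    return (rec.get("operation") == "file_mmap"
            and rec.get("profile") == rec.get("name")
            and "m" in rec.get("denied_mask", ""))


if __name__ == "__main__":
    for (ns, profile, path), perms in missing_permissions(SAMPLE_LOG).items():
        print(f"profile {profile} (namespace {ns or '-'}): "
              f"{path} denied {''.join(sorted(perms))}")
```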

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package strongswan - 5.9.8-3ubuntu2

---------------
strongswan (5.9.8-3ubuntu2) lunar; urgency=medium

  * d/usr.sbin.swanctl: allow "m" flag for /usr/sbin/swanctl
    (LP: #1999935)

 -- Andreas Hasenack <email address hidden> Fri, 16 Dec 2022 16:07:51 -0300

Changed in strongswan (Ubuntu):
status: In Progress → Fix Released