please allow alg socket for af-alg

Bug #1807962 reported by Christian Ehrhardt 
Affects: strongswan (Ubuntu) | Status: Fix Released | Importance: Undecided | Assigned to: Unassigned | Milestone: none

Bug Description

af-alg is set to load=yes by default.
No other component hit this yet, but swanctl complained about

apparmor="DENIED" operation="create" profile="/usr/sbin/swanctl" pid=4094 comm="swanctl" family="alg" sock_type="seqpacket" protocol=0 requested_mask="create" denied_mask="create"

Let's add a rule for that to swanctl (since we didn't see it anywhere else, it is not added to other strongswan profiles yet).

This rule will do it:
 network alg seqpacket,

Changed in strongswan (Ubuntu):
status: New → Triaged
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package strongswan - 5.7.1-1ubuntu2

---------------
strongswan (5.7.1-1ubuntu2) disco; urgency=medium

  * d/usr.sbin.charon-systemd: fix rule for CLUSTERIP to match effective
    path (LP: #1773956)
  * d/usr.lib.ipsec.charon, d/usr.sbin.charon-systemd: resync apparmor
    profiles of both ways to start charon (LP: #1807664)
  * d/usr.sbin.swanctl: add apparmor rule for af-alg plugin (LP: #1807962)

 -- Christian Ehrhardt <email address hidden> Mon, 10 Dec 2018 08:30:01 +0100

Changed in strongswan (Ubuntu):
status: Triaged → Fix Released
Daniel Miranda (danielkza2) wrote :

I'm seeing this warning in my logs in Bionic. Has a fix been released for it as well? If not, should it be, and does it cause any degradation in functionality?

Christian Ehrhardt (paelzer) wrote :

Hi Daniel,
since af-alg is part of the very uncommonly used -extra-plugins and a fix for the user is trivially available this was not backported to not affect any existing systems (suddenly activating more function on an SRU update).

The fix (if affected and important to you) prior to Ubuntu 19.04 is to edit:
  /etc/apparmor.d/local/usr.sbin.swanctl
and there add the line:
  # for af-alg plugin
  network alg seqpacket,

That will fix the issue for you as well then.
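The manual fix above can be checked mechanically. The following script is an added example, not part of this bug report or of the strongswan package: it derives the `network <family> <type>,` rule from an audit "DENIED" line like the one quoted in the description and reports whether the local override file already carries it. The sample denial and the override path come from the report; the helper names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the bug report): turn an AppArmor socket-create
# denial into the matching "network" rule and check a local override for it.
set -e

# Constructed copy of the denial quoted in the bug description (one line).
SAMPLE='apparmor="DENIED" operation="create" profile="/usr/sbin/swanctl" pid=4094 comm="swanctl" family="alg" sock_type="seqpacket" protocol=0 requested_mask="create" denied_mask="create"'

# Print the value of key="value" from an audit line ($1 = key, $2 = line).
audit_field() {
    printf '%s\n' "$2" | sed -n "s/.*[[:space:]]$1=\"\([^\"]*\)\".*/\1/p"
}

# Print "network <family> <sock_type>," for a socket-create denial.
# Prints nothing for other denials (file opens, capabilities, ...).
denial_to_rule() {
    line=$1
    [ "$(audit_field operation "$line")" = "create" ] || return 0
    family=$(audit_field family "$line")
    stype=$(audit_field sock_type "$line")
    [ -n "$family" ] && [ -n "$stype" ] || return 0
    printf 'network %s %s,\n' "$family" "$stype"
}

# Succeed if the rule is already present in a profile or override file.
# Leading whitespace is ignored, so "  network alg seqpacket," matches too.
has_rule() {
    rule=$1; file=$2
    [ -r "$file" ] && grep -Eq "^[[:space:]]*$rule[[:space:]]*\$" "$file"
}

main() {
    rule=$(denial_to_rule "$SAMPLE")
    override=/etc/apparmor.d/local/usr.sbin.swanctl   # path from the report
    if has_rule "$rule" "$override"; then
        echo "already present in $override: $rule"
    else
        echo "missing from $override; add these lines, then reload the profile:"
        echo "  # for af-alg plugin"
        echo "  $rule"
    fi
}

main
```

After adding the rule, reload the profile with `apparmor_parser -r /etc/apparmor.d/usr.sbin.swanctl` so the change takes effect without a reboot.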
