[Pkg-swan-devel] Bug#915147: strongswan-charon: apparmor profile should allow writing to /etc/resolv.conf

Ximin Luo infinity0 at debian.org
Sat Dec 1 03:03:18 GMT 2018


Package: strongswan-charon
Version: 5.7.1-1
Severity: important
Tags: patch

Dear Maintainer,

If the VPN one is connecting to wants to add additional DNS servers, charon needs
write access to /etc/resolv.conf. Otherwise we get an error like the following:

  # ipsec up XXX
  [..]
  IKE_SA XXX{X} established between XXX...YYY
  adding DNS server failed
  adding DNS server failed
  handling INTERNAL_IP4_DNS attribute failed
  installing new virtual IP XXX
  [..]

And in dmesg logs:

  audit: type=1400 audit(NNN): apparmor="DENIED" operation="open" profile="/usr/lib/ipsec/charon" name="/etc/resolv.conf" pid=ZZZ comm="charon" requested_mask="wc" denied_mask="wc" fsuid=0 ouid=0
  audit: type=1400 audit(NNN): apparmor="DENIED" operation="unlink" profile="/usr/lib/ipsec/charon" name="/etc/resolv.conf" pid=ZZZ comm="charon" requested_mask="d" denied_mask="d" fsuid=0 ouid=0

Note that the "#include <abstractions/nameservice>" that already exists in charon's profile is only for *read* access to /etc/resolv.conf, but charon really does need write access.

A patch that worked for me was:

--- /etc/apparmor.d/usr.lib.ipsec.charon	2018-11-30 19:02:12.585715570 -0800
+++ /etc/apparmor.d/usr.lib.ipsec.charon	2018-11-30 18:50:39.850426475 -0800
@@ -68,6 +68,8 @@
 
   /var/lib/strongswan/*     r,
 
+  /etc/resolv.conf          w,
+
   # Site-specific additions and overrides. See local/README for details.
   #include <local/usr.lib.ipsec.charon>
 }
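Review bot: the single rule `/etc/resolv.conf w,` is enough for both denials quoted above (open with requested_mask "wc", unlink with requested_mask "d"), because AppArmor's `w` file permission also covers create and delete, so no extra rule is needed for the unlink; after reloading the profile with `apparmor_parser -r /etc/apparmor.d/usr.lib.ipsec.charon`, re-run `ipsec up` and confirm that dmesg shows no further DENIED lines for charon. One caveat worth a comment next to the rule: AppArmor mediates on the resolved path, so on a host where /etc/resolv.conf is a symlink into /run (resolvconf or systemd-resolved setups) this rule will not match and the link target would need to be allowed instead. The audit lines in this report name "/etc/resolv.conf" directly, so the rule as written fits the reporter's system.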

X

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable-debug'), (500, 'testing-debug'), (500, 'stable'), (300, 'unstable'), (100, 'experimental'), (1, 'experimental-debug')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.18.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8), LANGUAGE=en_GB:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages strongswan-charon depends on:
ii  debconf [debconf-2.0]  1.5.69
ii  iproute2               4.18.0-2
ii  libc6                  2.27-8
pn  libstrongswan          <none>
pn  strongswan-libcharon   <none>
pn  strongswan-starter     <none>

strongswan-charon recommends no packages.

strongswan-charon suggests no packages.
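An added illustration, not part of the bug report or of the strongswan package: a small Python script that parses AppArmor audit lines like the two quoted above and merges the denied masks into one file rule per (profile, path), which shows why a single `w` rule satisfies both the open ("wc") and unlink ("d") denials. The mask-to-permission mapping assumes apparmor.d(5) semantics (create and delete fall under `w`); the sample lines are constructed from the report with placeholder pid and timestamp values.

```python
"""Parse AppArmor DENIED audit lines and suggest one file rule per (profile, path)."""
import re
from collections import defaultdict

# Constructed sample input: the two denials from the bug report, with
# placeholder timestamp and pid values in place of NNN / ZZZ.
SAMPLE_DMESG = """\
audit: type=1400 audit(1543633398.123:45): apparmor="DENIED" operation="open" profile="/usr/lib/ipsec/charon" name="/etc/resolv.conf" pid=1234 comm="charon" requested_mask="wc" denied_mask="wc" fsuid=0 ouid=0
audit: type=1400 audit(1543633398.124:46): apparmor="DENIED" operation="unlink" profile="/usr/lib/ipsec/charon" name="/etc/resolv.conf" pid=1234 comm="charon" requested_mask="d" denied_mask="d" fsuid=0 ouid=0
"""

# key=value pairs; values may be double-quoted (paths, masks) or bare (pid, uids).
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Audit mask letter -> AppArmor file permission that satisfies it.
# 'c' (create) and 'd' (delete) are both covered by 'w' per apparmor.d(5).
# 'x' needs a chosen exec mode; 'ix' is only a placeholder default here.
_MASK_TO_PERM = {"r": "r", "w": "w", "c": "w", "d": "w", "a": "a",
                 "m": "m", "l": "l", "k": "k", "x": "ix"}

# Conventional ordering for the letters in an emitted rule.
_PERM_ORDER = ["r", "w", "a", "m", "l", "k", "ix"]


def parse_denials(text):
    """Return a list of dicts, one per apparmor="DENIED" line, with quotes stripped."""
    denials = []
    for line in text.splitlines():
        fields = {k: v.strip('"') for k, v in _KV.findall(line)}
        if fields.get("apparmor") == "DENIED" and "name" in fields:
            denials.append(fields)
    return denials


def suggest_rules(text):
    """Merge all denials by (profile, path) into one file rule each.

    Returns {profile: ["<path> <perms>,", ...]}.  For the sample above this is
    {"/usr/lib/ipsec/charon": ["/etc/resolv.conf w,"]}.
    """
    perms = defaultdict(set)
    for d in parse_denials(text):
        for letter in d["denied_mask"]:
            perms[(d["profile"], d["name"])].add(_MASK_TO_PERM.get(letter, letter))
    rules = {}
    for (profile, path), ps in perms.items():
        letters = "".join(p for p in _PERM_ORDER if p in ps)
        rules.setdefault(profile, []).append(f"{path} {letters},")
    return rules


if __name__ == "__main__":
    for profile, rule_list in suggest_rules(SAMPLE_DMESG).items():
        print(f"# suggested additions for profile {profile}")
        for rule in rule_list:
            print(f"  {rule}")
```

Running it prints `/etc/resolv.conf w,` under the charon profile, the same line the patch adds; feed it real `dmesg | grep apparmor=\"DENIED\"` output to get a starting point for other profiles.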
