Segmentation fault while trying ipsec vpn connection (strongswan) through snap

I am trying to build a snap which manages strongswan service and triggers vpn connection (up/down).
I am using classic confinement and the following plugs:
[ network, network-bind, network-control, firewall-control ]. (connecting manually who are not auto enabled).

Some of the setup related info is below:

“Linux xxxxx 4.10.4-sunxi #2 SMP Tue Mar 21 22:45:28 UTC 2017 armv7l armv7l armv7l GNU/Linux”

ubuntu version:
Distributor ID: Ubuntu
Description: Ubuntu 16.04.2 LTS
Release: 16.04
Codename: xenial

snap version:
snap 2.22.6
snapd 2.22.6
series 16
ubuntu 16.04
kernel 4.10.4-sunxi

strongswan version:
Linux strongSwan U5.3.5/K4.10.4-sunxi

Loaded plugins:
charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-libipsec kernel-netlink resolve socket-default connmark farp stroke updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam xauth-noauth tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp lookip error-notify certexpire led addrblock unity

When I trigger the connection from commandline ipsec up “connection name”" , it works fine and connection gets established. But when i tried similar setup from snap got the below issues:
syslog apparmor
Aug 9 00:27:36 localhost kernel: [ 643.132531] audit: type=1400 audit(1502238456.364:23): apparmor=“DENIED” operation=“file_mmap” profile="/usr/lib/ipsec/stroke" name="/usr/lib/ipsec/stroke" pid=2910 comm=“stroke” requested_mask=“m” denied_mask=“m” fsuid=0 ouid=0
traced log from system call
2910 00:27:36.376674 execve("/usr/lib/ipsec/stroke", ["/usr/lib/ipsec/stroke", “up”, “XXXX”], [“IPSEC_VERSION=U5.3.5/K4.10.4-sun”…, “LANGUAGE=en_US.UTF-8”, “SNAP_COMMON=/var/snap/XXXX”…, “IPSEC_STARTER_PID=/var/run/start”…, “SNAP_LIBRARY_PATH=/var/lib/snapd”…, “SNAP_USER_DATA=/root/snap/XXX”…, “IPSEC_CONFDIR=/etc”, “IPSEC_BINDIR=/usr/bin”, “SNAP_REVISION=x1”, “IPSEC_PIDDIR=/var/run”, “IPSEC_NAME=strongSwan”, “IPSEC_SBINDIR=/usr/sbin”, “IPSEC_CHARON_PID=/var/run/charon”…, “SNAP_VERSION=0.01”, “PATH=/usr/local/sbin:/usr/local/”…, “XDG_RUNTIME_DIR=/run/user/0/snap”…, “SNAP_DATA=/var/snap/XXXX/x”…, “LANG=en_US.UTF-8”, “IPSEC_DIR=/usr/lib/ipsec”, “SNAP_USER_COMMON=/root/snap/iotr”…, “LC_MESSAGES=en_US.UTF-8”, “SNAP_ARCH=armhf”, “SNAP_REEXEC=”, “SNAP_NAME=XXXX”, “PWD=/”, “SNAP=/snap/XXXX/x1”, “IPSEC_SCRIPT=ipsec”]) = -1 EACCES (Permission denied)
2910 00:27:36.379439 — SIGSEGV {si_signo=SIGSEGV, si_code=SI_KERNEL, si_addr=0} —
2910 00:27:36.379757 +++ killed by SIGSEGV +++

One more interesting thing while starting the strongswan service from snap:
ubuntu-512mb-sfo2-01 kernel:[54131.578863] audit: type=1400 audit(1501522634.858:19): apparmor=“DENIED” operation=“open” profile="/usr/lib/ipsec/charon" name="/proc/3044/fd/" pid=3044 comm=“charon” requested_mask=“r” denied_mask=“r” fsuid=0 ouid=0

I tried adding many more plugs to the snap (connected few of them manually):
- core-support
- firewall-control
- log-observe
- network
- network-bind
- network-control
- network-manager
- network-observe
- network-setup-observe
- openvswitch
- openvswitch-support
- ppp
- process-control
- system-observe
but no luck.

Is presently client connection from snap (strongswan) possible? If yes, What am I doing wrong/missing?
Any help is much appreciated.

So I have a workaround for this now:
Removing stroke from apparmor enforcement list.
sudo apparmor_parser -R /etc/apparmor.d/usr.lib.ipsec.stroke
does the trick, I got ipsec status from snap.
So is this a good idea of doing this?

if you turned on classic confinement in your snapcraft.yaml there should:

  • be no need to use any plugs (afaik they are ignored in classic confinement)
  • mmap (which is blocked in your apparmor syslog output) should be allowed …

@jdstrand is the second a bug in classic confinement or is that wanted ?

Note when your snap uses ‘confinement: classic’, you should not (currently) use ‘plugs’ or ‘slots’.

The mmap denial for stroke and the read denial for charon are not in the snap. They are for system (ie, non-snap) profiles that exist on the system. The stroke profile appears to have a bug in it and can be fixed by adding this:

/usr/lib/ipsec/stroke m,

then reloading it into the kernel with: sudo apparmor_parser -r /etc/apparmor.d/

Similarly the charon profile also has a bug and can be fixed by adding:

owner @{PROC}/[0-9]*/fd/ r,

then reloading it into the kernel with: sudo apparmor_parser -r /etc/apparmor.d/

This should be fixed in the strongswan packaging. Please file a bug at and add the ‘apparmor’ tag.