Segmentation fault while trying ipsec vpn connection (strongswan) through snap

I am trying to build a snap which manages the strongswan service and triggers the VPN connection (up/down).
I am using classic confinement and the following plugs:
[ network, network-bind, network-control, firewall-control ] (manually connecting those that are not auto-connected).

Some of the setup related info is below:

platform:
"Linux xxxxx 4.10.4-sunxi #2 SMP Tue Mar 21 22:45:28 UTC 2017 armv7l armv7l armv7l GNU/Linux"

ubuntu version:
Distributor ID: Ubuntu
Description: Ubuntu 16.04.2 LTS
Release: 16.04
Codename: xenial

snap version:
snap 2.22.6
snapd 2.22.6
series 16
ubuntu 16.04
kernel 4.10.4-sunxi

strongswan version:
Linux strongSwan U5.3.5/K4.10.4-sunxi

Loaded plugins:
charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-libipsec kernel-netlink resolve socket-default connmark farp stroke updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam xauth-noauth tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp lookip error-notify certexpire led addrblock unity

When I trigger the connection from the command line with ipsec up "connection name", it works fine and the connection gets established. But when I tried a similar setup from the snap I got the issues below:
syslog (apparmor):
Aug 9 00:27:36 localhost kernel: [ 643.132531] audit: type=1400 audit(1502238456.364:23): apparmor="DENIED" operation="file_mmap" profile="/usr/lib/ipsec/stroke" name="/usr/lib/ipsec/stroke" pid=2910 comm="stroke" requested_mask="m" denied_mask="m" fsuid=0 ouid=0
strace log of the system call:
2910 00:27:36.376674 execve("/usr/lib/ipsec/stroke", ["/usr/lib/ipsec/stroke", "up", "XXXX"], ["IPSEC_VERSION=U5.3.5/K4.10.4-sun"..., "LANGUAGE=en_US.UTF-8", "SNAP_COMMON=/var/snap/XXXX"..., "IPSEC_STARTER_PID=/var/run/start"..., "SNAP_LIBRARY_PATH=/var/lib/snapd"..., "SNAP_USER_DATA=/root/snap/XXX"..., "IPSEC_CONFDIR=/etc", "IPSEC_BINDIR=/usr/bin", "SNAP_REVISION=x1", "IPSEC_PIDDIR=/var/run", "IPSEC_NAME=strongSwan", "IPSEC_SBINDIR=/usr/sbin", "IPSEC_CHARON_PID=/var/run/charon"..., "SNAP_VERSION=0.01", "PATH=/usr/local/sbin:/usr/local/"..., "XDG_RUNTIME_DIR=/run/user/0/snap"..., "SNAP_DATA=/var/snap/XXXX/x"..., "LANG=en_US.UTF-8", "IPSEC_DIR=/usr/lib/ipsec", "SNAP_USER_COMMON=/root/snap/iotr"..., "LC_MESSAGES=en_US.UTF-8", "SNAP_ARCH=armhf", "SNAP_REEXEC=", "SNAP_NAME=XXXX", "PWD=/", "SNAP=/snap/XXXX/x1", "IPSEC_SCRIPT=ipsec"]) = -1 EACCES (Permission denied)
2910 00:27:36.379439 --- SIGSEGV {si_signo=SIGSEGV, si_code=SI_KERNEL, si_addr=0} ---
2910 00:27:36.379757 +++ killed by SIGSEGV +++

One more interesting thing: while starting the strongswan service from the snap I see this:
ubuntu-512mb-sfo2-01 kernel:[54131.578863] audit: type=1400 audit(1501522634.858:19): apparmor="DENIED" operation="open" profile="/usr/lib/ipsec/charon" name="/proc/3044/fd/" pid=3044 comm="charon" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

I tried adding many more plugs to the snap (connecting a few of them manually):
- core-support
- firewall-control
- log-observe
- network
- network-bind
- network-control
- network-manager
- network-observe
- network-setup-observe
- openvswitch
- openvswitch-support
- ppp
- process-control
- system-observe
but no luck.

Is a client connection from a snap (strongswan) presently possible? If yes, what am I doing wrong/missing?
Any help is much appreciated.

So I have a workaround for this now:
removing stroke from the apparmor enforcement list.
sudo apparmor_parser -R /etc/apparmor.d/usr.lib.ipsec.stroke
does the trick; I got ipsec status from the snap.
So is doing this a good idea?

If you turned on classic confinement in your snapcraft.yaml there should:

  • be no need to use any plugs (afaik they are ignored in classic confinement)
  • mmap (which is blocked in your apparmor syslog output) should be allowed …

@jdstrand, is the second a bug in classic confinement or is that wanted?

Note when your snap uses ‘confinement: classic’, you should not (currently) use ‘plugs’ or ‘slots’.

The mmap denial for stroke and the read denial for charon are not in the snap. They are for system (i.e., non-snap) profiles that exist on the system. The stroke profile appears to have a bug in it and can be fixed by adding this:

/usr/lib/ipsec/stroke m,

then reloading it into the kernel with: sudo apparmor_parser -r /etc/apparmor.d/path.to.stroke.profile.

Similarly the charon profile also has a bug and can be fixed by adding:

owner @{PROC}/[0-9]*/fd/ r,

then reloading it into the kernel with: sudo apparmor_parser -r /etc/apparmor.d/path.to.charon.profile.

This should be fixed in the strongswan packaging. Please file a bug at https://bugs.launchpad.net/ubuntu/+source/strongswan/+filebug and add the ‘apparmor’ tag.
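The two rules above can be derived mechanically from the audit lines quoted earlier in the thread: the denied `name` becomes the rule path, `/proc/<pid>/` is generalised to `owner @{PROC}/[0-9]*/`, and `denied_mask` becomes the permission. The following script is an added example, not code from this thread or from the strongSwan or snapd projects; it parses constructed copies of the thread's two denials, prints the rule each profile is missing, and inserts missing rules before a profile's closing brace so the file can be reloaded with `apparmor_parser -r` (the sample profile text is constructed, not the real Ubuntu `usr.lib.ipsec.stroke` profile, and the `owner`-for-proc heuristic is this example's choice, made to match the rule given above).

```python
"""Derive AppArmor allow rules from DENIED audit lines and patch a profile.

Added example; not code from the thread, strongSwan or snapd.
Assumptions: audit lines use the key=value format quoted in the thread and
the profile is a single top-level block that ends with '}'.
"""
import re

# Constructed sample input: the two denials quoted in the thread (kernel
# timestamp prefix dropped, which is fine because parsing is key=value based).
SAMPLE_AUDIT = [
    'audit: type=1400 audit(1502238456.364:23): apparmor="DENIED" operation="file_mmap" '
    'profile="/usr/lib/ipsec/stroke" name="/usr/lib/ipsec/stroke" pid=2910 comm="stroke" '
    'requested_mask="m" denied_mask="m" fsuid=0 ouid=0',
    'audit: type=1400 audit(1501522634.858:19): apparmor="DENIED" operation="open" '
    'profile="/usr/lib/ipsec/charon" name="/proc/3044/fd/" pid=3044 comm="charon" '
    'requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
]

# Constructed stand-in for a stroke profile that lacks the mmap rule.
SAMPLE_STROKE_PROFILE = """#include <tunables/global>

/usr/lib/ipsec/stroke {
  #include <abstractions/base>
  /usr/lib/ipsec/stroke r,
  /var/run/charon.ctl rw,
}
"""

# key=value or key="quoted value" pairs as emitted by the audit subsystem
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_audit(line):
    """Return the key=value fields of one AppArmor DENIED line, else None."""
    if 'apparmor="DENIED"' not in line:
        return None
    fields = {}
    for m in KV_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


def generalise_path(name):
    """Rewrite a denied /proc/<pid>/ path as owner @{PROC}/[0-9]*/ ... so the
    rule does not hard-code one pid (heuristic chosen to match the thread)."""
    path = re.sub(r'^/proc/\d+/', '@{PROC}/[0-9]*/', name)
    return 'owner ' + path if path != name else path


def suggest_rule(fields):
    """Minimal file rule that would satisfy the denied access."""
    return f"{generalise_path(fields['name'])} {fields['denied_mask']},"


def rules_for(lines):
    """Map profile name -> ordered, de-duplicated list of suggested rules."""
    out = {}
    for line in lines:
        f = parse_audit(line)
        if f is None or 'name' not in f or 'denied_mask' not in f:
            continue  # not a file denial we know how to translate
        rules = out.setdefault(f['profile'], [])
        rule = suggest_rule(f)
        if rule not in rules:
            rules.append(rule)
    return out


def patch_profile(text, rules):
    """Insert rules not already present before the profile's final '}'.
    Returns (new_text, list_of_rules_added); idempotent on a second run."""
    present = {ln.strip() for ln in text.splitlines()}
    missing = [r for r in rules if r not in present]
    if not missing:
        return text, []
    idx = text.rstrip().rfind('}')
    if idx == -1:
        raise ValueError('profile has no closing brace')
    block = ''.join(f'  {r}\n' for r in missing)
    return text[:idx] + block + text[idx:], missing


if __name__ == '__main__':
    suggestions = rules_for(SAMPLE_AUDIT)
    for profile, rules in suggestions.items():
        print(profile)
        for r in rules:
            print('  ' + r)
    new_text, added = patch_profile(SAMPLE_STROKE_PROFILE,
                                    suggestions['/usr/lib/ipsec/stroke'])
    print(new_text)
    # After writing new_text back to the profile file, load it with:
    #   sudo apparmor_parser -r /etc/apparmor.d/<profile file>
    # (-r replaces the profile; -R, as in the workaround above, unloads it
    # entirely and leaves stroke unconfined).
```

Each suggested rule still needs a human decision that the access is legitimate before it is added; the script only saves the transcription step and keeps the profile enforced, which is the difference between jdstrand's fix and the `apparmor_parser -R` workaround.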