Unable to create AF_KEY socket

beidl · May 5, 2020, 9:10am

I’m currently porting over ike (Shrewsoft VPN Client) to the snap world but I’m hitting a wall due the daemon not being able to create an AF_KEY socket.

audit: type=1400 audit(1588669050.115:10914): apparmor="DENIED" operation="create" profile="snap.ike-qt-core18.iked" pid=12149 comm="iked" family="key" sock_type="raw" protocol=2 requested_mask="create" denied_mask="create"

Active plugs:
- network
- network-bind
- network-control
- netlink-connector

Is there an existing plug missing or does snapd need support for that in the first place?

Happening on:

snap    2.44.3
snapd   2.44.3
series  16
ubuntu  18.04
kernel  5.3.0-51-generic

ijohnson · May 5, 2020, 4:40pm

Hmm, this is interesting because the default seccomp profile allows socket AF_KEY, but it appears that we are lacking equivalent AppArmor permissions for this. @jdstrand do you think support for this should be added to one of the existing network interfaces or maybe the default template for AppArmor?

jdstrand · May 14, 2020, 10:30pm

No, omitting it from network was intentional. This needs to be in another interface. I’ve added it as a TODO to investigate in the next batches of policy updates.