Swanctl segfaults on Ubuntu 20.04

Asked by dhananjay

On Ubuntu 20.04.6 (aarch64), swanctl seems to be broken on AWS Graviton.

## Steps to reproduce

1. Install strongswan on ubuntu 20.04

2. Run swanctl
sudo swanctl
Segmentation fault (core dumped)

sudo strace swanctl
execve("/usr/sbin/swanctl", ["swanctl"], 0xffffe6325810 /* 13 vars */) = -1 EACCES (Permission denied)
+++ killed by SIGSEGV +++
Segmentation fault

## More Information about the system
uname -a
Linux ip-192-168-239-108 5.15.0-1051-aws #56~20.04.1-Ubuntu SMP Tue Nov 28 15:43:06 UTC 2023 aarch64 aarch64 aarch64 GNU/Linux
ssm-user@ip-192-168-239-108:/var/snap/amazon-ssm-agent/7629$ apt show strongswan-swanctl
Package: strongswan-swanctl
Version: 5.8.2-1ubuntu3.6
Priority: optional
Section: universe/net
Source: strongswan
Origin: Ubuntu
Maintainer: Ubuntu Developers <email address hidden>
Original-Maintainer: strongSwan Maintainers <email address hidden>
Bugs: https://bugs.launchpad.net/ubuntu/+filebug
Installed-Size: 525 kB
Depends: libstrongswan (= 5.8.2-1ubuntu3.6), libc6 (>= 2.25)
Breaks: strongswan-starter (<< 5.8.0-1)
Replaces: strongswan-starter (<< 5.8.0-1)
Homepage: http://www.strongswan.org
Download-Size: 109 kB
APT-Sources: http://us-west-2.ec2.ports.ubuntu.com/ubuntu-ports focal-updates/universe arm64 Packages
Description: strongSwan IPsec client, swanctl command
 The strongSwan VPN suite uses the native IPsec stack in the standard
 Linux kernel. It supports both the IKEv1 and IKEv2 protocols.
 .
 This package contains the swanctl interface, used to configure a running
 charon daemon

N: There is 1 additional record. Please use the '-a' switch to see it
ssm-user@ip-192-168-239-108:/var/snap/amazon-ssm-agent/7629$ swanctl
Segmentation fault
ssm-user@ip-192-168-239-108:/var/snap/amazon-ssm-agent/7629$ uname -a
Linux ip-192-168-239-108 5.15.0-1051-aws #56~20.04.1-Ubuntu SMP Tue Nov 28 15:43:06 UTC 2023 aarch64 aarch64 aarch64 GNU/Linux
ssm-user@ip-192-168-239-108:/var/snap/amazon-ssm-agent/7629$ cat /etc/issue
Ubuntu 20.04.6 LTS \n \l

Question information

Language: English
Status: Solved
For: strongSwan
Assignee: No assignee
Solved by: dhananjay
dhananjay (mb-dhananjay) said :
#1

This was an AppArmor execution issue; the swanctl profile was blocking swanctl and we had to add

cat <<EOF | sudo tee /etc/apparmor.d/local/usr.sbin.swanctl >/dev/null
/usr/sbin/swanctl m,
/dev/pts/* rw,
/dev/tty rw,
EOF

to make it work.

Tobias Brunner (tobias-strongswan) said :
#2

I don't see why `m` would be necessary for the swanctl binary, the others might be for `getpass()` calls, but that should not immediately cause a segmentation fault.

dhananjay (mb-dhananjay) said :
#3

This is what AppArmor complains about without 'm':

Jan 08 19:01:36 ip-192-168-239-45 audit[915351]: AVC apparmor="DENIED" operation="file_mmap" class="file" profile="/usr/sbin/swanctl" name="/usr/sbin/swanctl" pid=915351 comm="swanctl" requested_mask="m" denied_mask="m" fsuid=0 ouid=0
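The denial above maps directly onto the rule the poster added in #1: AppArmor logs the object it refused as `name=` and the refused permission as `denied_mask=`, and a file rule in a profile is simply `<path> <mask>,`. The script below, an added example that is not part of this thread and not strongSwan's or Ubuntu's own tooling, turns such audit lines into an override file for one profile. The sample log is constructed: it is the line quoted above plus one made-up denial for a pty (the kind `getpass()` would trigger) and one denial for a different profile that must be left out. It assumes, as the poster's fix does, that the shipped profile sources `/etc/apparmor.d/local/usr.sbin.swanctl`.

```shell
#!/bin/sh
# Added example: build an AppArmor local override from AVC "DENIED" lines.
# Not from the page or from strongSwan/Ubuntu; paths and log lines other
# than the one quoted on the page are constructed for the demonstration.

# Extract name= and denied_mask= from one AVC audit line and print an
# AppArmor file rule such as "/usr/sbin/swanctl m,". Returns 1 for lines
# that are not denials or that carry no file object.
avc_to_rule() {
    case $1 in
        *'apparmor="DENIED"'*) ;;
        *) return 1 ;;
    esac
    name=$(printf '%s\n' "$1" | sed -n 's/.* name="\([^"]*\)".*/\1/p')
    mask=$(printf '%s\n' "$1" | sed -n 's/.* denied_mask="\([^"]*\)".*/\1/p')
    [ -n "$name" ] && [ -n "$mask" ] || return 1
    printf '%s %s,\n' "$name" "$mask"
}

# Read audit lines on stdin, keep only those logged against profile $1, and
# print the de-duplicated rule set. The profile filter is deliberate: a
# denial for charon must never be pasted into swanctl's local file.
build_override() {
    profile=$1
    while IFS= read -r line; do
        case $line in
            *"profile=\"$profile\""*) avc_to_rule "$line" || true ;;
        esac
    done | sort -u
}

# Constructed sample journal output (first line is the one quoted on the
# page; the other two are made up to show filtering and a pty denial).
SAMPLE_LOG='Jan 08 19:01:36 ip-192-168-239-45 audit[915351]: AVC apparmor="DENIED" operation="file_mmap" class="file" profile="/usr/sbin/swanctl" name="/usr/sbin/swanctl" pid=915351 comm="swanctl" requested_mask="m" denied_mask="m" fsuid=0 ouid=0
Jan 08 19:01:36 ip-192-168-239-45 audit[915351]: AVC apparmor="DENIED" operation="open" class="file" profile="/usr/sbin/swanctl" name="/dev/pts/0" pid=915351 comm="swanctl" requested_mask="rw" denied_mask="rw" fsuid=0 ouid=0
Jan 08 19:01:37 ip-192-168-239-45 audit[915352]: AVC apparmor="DENIED" operation="open" class="file" profile="/usr/sbin/charon" name="/etc/hosts" pid=915352 comm="charon" requested_mask="r" denied_mask="r" fsuid=0 ouid=0'

# Render the override for swanctl into a scratch directory so the example
# never touches live policy. On the real host the remaining steps are:
#   journalctl -k | grep 'apparmor="DENIED"' | build_override /usr/sbin/swanctl \
#       | sudo tee /etc/apparmor.d/local/usr.sbin.swanctl
#   sudo apparmor_parser -r /etc/apparmor.d/usr.sbin.swanctl
#   sudo swanctl --version     # re-test, then re-check the journal
demo_override() {
    dir=$(mktemp -d)
    printf '%s\n' "$SAMPLE_LOG" | build_override /usr/sbin/swanctl \
        > "$dir/usr.sbin.swanctl"
    cat "$dir/usr.sbin.swanctl"
    rm -r "$dir"
}

demo_override
```

The generated rules are literal paths. The poster widened `/dev/pts/0` to `/dev/pts/*`, and that widening is the one judgment call in this procedure: grant the narrowest pattern that covers the real objects, and do not make a mmap denial go away with something like `/** m,`, which would let the confined process map anything executable. The `m` grant here is on the swanctl binary only, which is exactly what the fix in #1 does. For the live log, `aa-logprof` from apparmor-utils performs the same mapping interactively.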

Tobias Brunner (tobias-strongswan) said :
#4

Weird. So I guess the execve() call triggers an mmap(... PROT_EXEC ...) that's not visible in strace? If so, I wonder why that wouldn't have been a problem before. Or is this maybe something specific to aarch64?