Bug 1544463
Summary: ipsec service does not work correctly when seccomp filtering is enabled
Product: Red Hat Enterprise Linux 8
Component: libreswan
Version: 8.0
Status: CLOSED ERRATA
Severity: high
Priority: medium
Reporter: Ondrej Moriš <omoris>
Assignee: Paul Wouters <pwouters>
QA Contact: Ondrej Moriš <omoris>
Docs Contact: Mirek Jahoda <mjahoda>
CC: mjahoda, omoris, pasik, pvrabec, pwouters
Target Milestone: rc
Target Release: 8.3
Keywords: TestOnly, Triaged
Hardware: All
OS: Linux
Fixed In Version: 3.32-4
Doc Type: Bug Fix
Doc Text:
.`Libreswan` now works with `seccomp=enabled` on all configurations
Prior to this update, the set of allowed syscalls in the `Libreswan` SECCOMP support implementation did not match new usage of RHEL libraries. Consequently, when SECCOMP was enabled in the `ipsec.conf` file, the syscall filtering rejected even syscalls required for the proper functioning of the `pluto` daemon; the daemon was killed, and the `ipsec` service was restarted. With this update, all newly required syscalls have been allowed, and `Libreswan` now works with the `seccomp=enabled` option correctly.
: 1777474
Last Closed: 2020-11-04 03:18:00 UTC
Type: Bug
Bug Depends On: 1820206
Description
Ondrej Moriš
2018-02-12 14:54:01 UTC
upstream test cases: seccomp-01-enabled seccomp-02-tolerant seccomp-03-updown

*** Bug 1777474 has been marked as a duplicate of this bug. ***

Hi Paul, it looks like the issue is still there. seccomp doesn't work on non-intel architectures. Switching it back to assigned state.

aarch64
-------
type=SECCOMP msg=audit(06/25/2020 09:15:05.092:490) : auid=unset uid=root gid=root ses=unset subj=system_u:system_r:ipsec_t:s0 pid=25883 comm=pluto exe=/usr/libexec/ipsec/pluto sig=SIGSYS arch=aarch64 syscall=ppoll compat=0 ip=0xffff862b866c code=kill

ppc64le
-------
type=SECCOMP msg=audit(06/25/2020 09:38:36.535:513) : auid=unset uid=root gid=root ses=unset subj=system_u:system_r:ipsec_mgmt_t:s0 pid=29865 comm=sh exe=/usr/bin/bash sig=SIGSYS arch=ppc64le syscall=send compat=0 ip=0x7fffa6c321b4 code=kill

Unfortunately, I do not have results from s390x yet.

Hi Paul, s390x is ok and works. Anyway, is it ok, that libreswan crashes and coredump is created when seccomp is set to tolerant or enabled?

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (libreswan bug fix and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2020:4722
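
Added example (not part of the bug report and not Libreswan code): a parser for `type=SECCOMP` audit records like the two quoted in the comments, grouping denials by architecture and syscall to show which allowlist entries are missing and which process and SELinux domain hit them. The sample input is the two records from this report; the function names are hypothetical.

```python
import re
from collections import defaultdict

# The two records quoted in this report (interpreted form: syscall and arch are names).
SAMPLE = """\
type=SECCOMP msg=audit(06/25/2020 09:15:05.092:490) : auid=unset uid=root gid=root ses=unset subj=system_u:system_r:ipsec_t:s0 pid=25883 comm=pluto exe=/usr/libexec/ipsec/pluto sig=SIGSYS arch=aarch64 syscall=ppoll compat=0 ip=0xffff862b866c code=kill
type=SECCOMP msg=audit(06/25/2020 09:38:36.535:513) : auid=unset uid=root gid=root ses=unset subj=system_u:system_r:ipsec_mgmt_t:s0 pid=29865 comm=sh exe=/usr/bin/bash sig=SIGSYS arch=ppc64le syscall=send compat=0 ip=0x7fffa6c321b4 code=kill
"""

# Also matches raw audit.log lines, where the stamp is epoch seconds and
# syscall/arch stay numeric; the values are reported as found.
HEADER = re.compile(r"^type=SECCOMP msg=audit\((?P<stamp>.+?):(?P<serial>\d+)\)\s*:\s*(?P<body>.*)$")
FIELD = re.compile(r"(\w+)=(\S+)")

def parse_seccomp(line):
    """Return the key=value fields of one SECCOMP record, or None for other lines."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD.findall(m.group("body"))}
    rec["stamp"], rec["serial"] = m.group("stamp"), int(m.group("serial"))
    return rec

def denied_syscalls(text):
    """Map (arch, syscall) -> sorted [(comm, exe, SELinux domain)] that triggered it."""
    hits = defaultdict(set)
    for line in text.splitlines():
        rec = parse_seccomp(line)
        if rec is None:
            continue
        # subj is user:role:type:level; the type field is the SELinux domain.
        parts = rec.get("subj", "").split(":")
        domain = parts[2] if len(parts) > 2 else "?"
        key = (rec.get("arch", "?"), rec.get("syscall", "?"))
        hits[key].add((rec.get("comm", "?"), rec.get("exe", "?"), domain))
    return {k: sorted(v) for k, v in hits.items()}

if __name__ == "__main__":
    # seccomp filters are inherited across fork/execve, so helper processes
    # started by the daemon can show up here as well as pluto itself.
    for (arch, syscall), procs in sorted(denied_syscalls(SAMPLE).items()):
        for comm, exe, domain in procs:
            print(f"{arch:8} {syscall:8} comm={comm} exe={exe} domain={domain}")
```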