Bug 1777474

Summary: ipsec service does not work correctly when seccomp filtering is enabled
Product: Red Hat Enterprise Linux 8
Reporter: Ondrej Moriš <omoris>
Component: libreswan
Assignee: Paul Wouters <pwouters>
Status: CLOSED DUPLICATE
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: medium
Docs Contact: Mirek Jahoda <mjahoda>
Priority: medium
Version: 8.2
CC: jaster, mjahoda, omoris, pasik, pvrabec, pwouters, qe-baseos-security
Target Milestone: rc
Keywords: Triaged
Target Release: 8.0
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Known Issue
Doc Text:
.`Libreswan` does not work properly with `seccomp=enabled` on all configurations
The set of allowed syscalls in the `Libreswan` SECCOMP support implementation is currently not complete. Consequently, when SECCOMP is enabled in the `ipsec.conf` file, the syscall filtering rejects even syscalls needed for the proper functioning of the `pluto` daemon; the daemon is killed, and the `ipsec` service is restarted. To work around this problem, set the `seccomp=` option back to the `disabled` state. SECCOMP support must remain disabled to run `ipsec` properly.
Story Points: ---
Clone Of: 1544463
Environment:
Last Closed: 2020-05-26 14:11:30 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1820206
Bug Blocks:

Description Ondrej Moriš 2019-11-27 16:02:28 UTC
Description of problem:

When seccomp filtering is enabled, the pluto daemon won't start because some syscalls are needed but not allowed.

Version-Release number of selected component (if applicable):

libreswan-3.29-6.el8.x86_64

How reproducible:

100%

Steps to Reproduce:

1. Set seccomp=enabled in ipsec.conf
2. Start ipsec service.
3. Check service status and audit log for SECCOMP events.

Actual results:

SECCOMP events found. Service ipsec keeps reloading and pluto is actually never started.

----
type=SECCOMP msg=audit(11/27/2019 10:52:26.004:458) : auid=unset uid=root gid=root ses=unset subj=system_u:system_r:ipsec_t:s0 pid=6608 comm=pluto exe=/usr/libexec/ipsec/pluto sig=SIGSYS arch=x86_64 syscall=getdents64 compat=0 ip=0x7f0b637c882b code=kill 
----
type=SECCOMP msg=audit(11/27/2019 10:52:26.006:459) : auid=unset uid=root gid=root ses=unset subj=system_u:system_r:ipsec_t:s0 pid=6608 comm=pluto exe=/usr/libexec/ipsec/pluto sig=SIGSYS arch=x86_64 syscall=getpid compat=0 ip=0x7f0b637ce12b code=kill 
----
type=SECCOMP msg=audit(11/27/2019 10:53:42.781:469) : auid=unset uid=root gid=root ses=unset subj=system_u:system_r:ipsec_t:s0 pid=6970 comm=pluto exe=/usr/libexec/ipsec/pluto sig=SIGSYS arch=x86_64 syscall=getdents64 compat=0 ip=0x7f4c74ffe82b code=kill 
----
type=SECCOMP msg=audit(11/27/2019 10:53:42.784:470) : auid=unset uid=root gid=root ses=unset subj=system_u:system_r:ipsec_t:s0 pid=6970 comm=pluto exe=/usr/libexec/ipsec/pluto sig=SIGSYS arch=x86_64 syscall=getpid compat=0 ip=0x7f4c7500412b code=kill 
----
type=SECCOMP msg=audit(11/27/2019 10:54:53.812:482) : auid=unset uid=root gid=root ses=unset subj=system_u:system_r:ipsec_t:s0 pid=7489 comm=pluto exe=/usr/libexec/ipsec/pluto sig=SIGSYS arch=x86_64 syscall=getdents64 compat=0 ip=0x7fd719d6682b code=kill 
----
type=SECCOMP msg=audit(11/27/2019 10:56:48.315:492) : auid=unset uid=root gid=root ses=unset subj=system_u:system_r:ipsec_t:s0 pid=7846 comm=pluto exe=/usr/libexec/ipsec/pluto sig=SIGSYS arch=x86_64 syscall=getdents64 compat=0 ip=0x7f3fc5bc182b code=kill 

Expected results:

No SECCOMP events, pluto starts.

Additional info:

N/A
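Step 3 of the reproduction checks the audit log for SECCOMP events. The following parser is an added example (not part of the report or of libreswan) that reads audit records in the format pasted above, keeps only lethal `code=kill` events, and groups the denied syscalls per executable; the number of distinct PIDs per executable exposes the restart loop the report describes. The sample records are constructed for the example: the pluto lines mirror the report, the `otherd` record and the `SERVICE_START` record are hypothetical filler that the parser must ignore.

```python
import re
from collections import defaultdict

# Constructed sample audit records in the format pasted in the report above: three
# kills of pluto across two PIDs (a restart cycle), one non-lethal code=log event from a
# hypothetical other daemon, and one unrelated record type the parser must skip.
SAMPLE_AUDIT_LOG = """\
type=SECCOMP msg=audit(11/27/2019 10:52:26.004:458) : auid=unset uid=root gid=root ses=unset subj=system_u:system_r:ipsec_t:s0 pid=6608 comm=pluto exe=/usr/libexec/ipsec/pluto sig=SIGSYS arch=x86_64 syscall=getdents64 compat=0 ip=0x7f0b637c882b code=kill
----
type=SECCOMP msg=audit(11/27/2019 10:52:26.006:459) : auid=unset uid=root gid=root ses=unset subj=system_u:system_r:ipsec_t:s0 pid=6608 comm=pluto exe=/usr/libexec/ipsec/pluto sig=SIGSYS arch=x86_64 syscall=getpid compat=0 ip=0x7f0b637ce12b code=kill
----
type=SECCOMP msg=audit(11/27/2019 10:53:42.781:469) : auid=unset uid=root gid=root ses=unset subj=system_u:system_r:ipsec_t:s0 pid=6970 comm=pluto exe=/usr/libexec/ipsec/pluto sig=SIGSYS arch=x86_64 syscall=getdents64 compat=0 ip=0x7f4c74ffe82b code=kill
----
type=SECCOMP msg=audit(11/27/2019 10:55:00.000:480) : auid=unset uid=root gid=root ses=unset subj=system_u:system_r:init_t:s0 pid=8001 comm=otherd exe=/usr/bin/otherd sig=0 arch=x86_64 syscall=ioctl compat=0 ip=0x7f00deadbeef code=log
type=SERVICE_START msg=audit(11/27/2019 10:55:01.000:481) : pid=1 uid=root msg='unit=ipsec comm=systemd'
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_seccomp_events(log_text):
    """Return one dict of key=value fields per type=SECCOMP record; other types are skipped."""
    return [dict(FIELD_RE.findall(line))
            for line in log_text.splitlines()
            if line.startswith("type=SECCOMP")]


def summarize_kills(events):
    """Group lethal SECCOMP events (code=kill) by executable.

    Returns {exe: {"syscalls": sorted denied syscalls, "pids": number of distinct PIDs}}.
    Several PIDs for one exe is the restart loop from the report: each freshly started
    pluto is killed again on the same missing syscall.
    """
    by_exe = defaultdict(lambda: {"syscalls": set(), "pids": set()})
    for ev in events:
        if ev.get("code") != "kill":   # code=log / errno / trap are non-lethal
            continue
        entry = by_exe[ev.get("exe", "?")]
        entry["syscalls"].add(ev.get("syscall", "?"))
        entry["pids"].add(ev.get("pid"))
    return {exe: {"syscalls": sorted(e["syscalls"]), "pids": len(e["pids"])}
            for exe, e in by_exe.items()}


if __name__ == "__main__":
    for exe, info in summarize_kills(parse_seccomp_events(SAMPLE_AUDIT_LOG)).items():
        print(f"{exe}: killed {info['pids']} process(es) on {', '.join(info['syscalls'])}")
```

On a real host the same functions can be fed the output of `ausearch -m SECCOMP -i`; the sorted syscall list is exactly what has to be added to the daemon's allow-list before `seccomp=enabled` can be used.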

Comment 1 Paul Wouters 2019-12-16 15:43:18 UTC
will be in 3.30 upstream, come in via rebase

Comment 7 Paul Wouters 2020-05-26 14:11:30 UTC

*** This bug has been marked as a duplicate of bug 544463 ***

Comment 8 Paul Wouters 2020-05-26 14:11:58 UTC

*** This bug has been marked as a duplicate of bug 1544463 ***