Bug 1544463 - ipsec service does not work correctly when seccomp filtering is enabled [NEEDINFO]
Status: NEW
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: libreswan
Version: 7.5
Hardware: All
OS: Linux
Priority: medium
Severity: high
Target Milestone: rc
Assigned To: Paul Wouters
QA Contact: BaseOS QE Security Team
Docs Contact: Mirek Jahoda
Reported: 2018-02-12 09:54 EST by Ondrej Moriš
Modified: 2018-08-10 07:46 EDT
Type: Bug
Flags: mgrepl: needinfo? (pwouters)
Doc Type: Known Issue
Doc Text:
*Libreswan* is not working properly with "seccomp=enabled" on all configurations

The set of allowed syscalls in the *Libreswan* SECCOMP support implementation is currently not complete. Consequently, when SECCOMP is enabled in the `ipsec.conf` file, the syscall filtering rejects even syscalls needed for proper functioning of the *pluto* daemon; the daemon is killed, and the *ipsec* service is restarted. To work around this problem, set the "seccomp=" option back to `disabled`. SECCOMP support must remain disabled to run *ipsec* properly.
Description Ondrej Moriš 2018-02-12 09:54:01 EST
Description of problem:

In RHEL-7.5 libreswan comes with SECCOMP support. By default, it is disabled, but it can be set to the enabled or tolerant setting via the seccomp ipsec.conf option. When seccomp is set to disabled, no syscall filtering is done. However, when seccomp is set to enabled, it filters syscalls that come from the addconn and pluto binaries based on a whitelist (i.e. everything not explicitly allowed is forbidden, [1,2]). Unfortunately, even for basic use cases the whitelist is not complete. We identified at least the following syscalls missing:

x86_64
======
type=SECCOMP msg=audit(02/08/2018 13:32:09.021:136) : auid=unset uid=root gid=root ses=unset subj=system_u:system_r:ipsec_t:s0 pid=13414 comm=pluto sig=SIGSYS arch=x86_64 syscall=clock_gettime compat=0 ip=0x7ffed90416d2 code=kill 

ppc64
=====
type=SECCOMP msg=audit(02/07/2018 16:47:43.668:176) : auid=unset uid=root gid=root ses=unset subj=system_u:system_r:ipsec_t:s0 pid=8167 comm=pluto sig=SIGSYS arch=ppc64 syscall=waitpid compat=0 ip=0x3fffacf49028 code=kill 

ppc64le
=======
type=SECCOMP msg=audit(02/07/2018 23:07:08.176:126) : auid=unset uid=root gid=root ses=unset subj=system_u:system_r:ipsec_t:s0 pid=13042 comm=pluto sig=SIGSYS arch=ppc64le syscall=waitpid compat=0 ip=0x3fff78084e68 code=kill 

s390x
=====
type=SECCOMP msg=audit(02/07/2018 17:00:11.249:274) : auid=unset uid=root gid=root ses=unset subj=system_u:system_r:ipsec_t:s0 pid=2396 comm=pluto sig=SIGSYS arch=s390x syscall=sigreturn compat=0 ip=0x3fffff20830 code=kill 
----
type=SECCOMP msg=audit(02/07/2018 17:04:43.299:284) : auid=unset uid=root gid=root ses=unset subj=system_u:system_r:ipsec_t:s0 pid=2396 comm=pluto sig=SIGSYS arch=s390x syscall=socketcall compat=0 ip=0x3fffd3a4ffe code=kill 

When a SECCOMP event is triggered, pluto is killed and systemd restarts the ipsec service (after ~3 minutes, when a specific timeout is hit). This makes the ipsec service unusable.

Version-Release number of selected component (if applicable):

libreswan-3.23-3.el7

How reproducible:

100%

Steps to Reproduce:

1. Set seccomp to enabled and configure connection between two hosts.
2. Try to establish connection.
3. Check audit log for SECCOMP events.

Actual results:

SECCOMP events found. Service ipsec restarted. Connection is not established.

Expected results:

No SECCOMP events and correctly established connection.

Additional info:

Please note that the set of syscalls called when addconn or pluto are executed might differ between architectures. That is why we see something missing in the whitelist for s390x and not for x86_64, for instance.

[1] programs/pluto/pluto_seccomp.c 
[2] programs/pluto/addconn.c
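As an added example (not part of the bug report and not libreswan code), the check step above can be automated: a small Python script that pulls the SECCOMP records out of `ausearch -i` output, keeps only the ones whose action killed the process, and groups the rejected syscalls per architecture, so the per-platform whitelist gaps the reporter describes fall out directly. The sample log embeds the five records quoted in the report plus two constructed lines (a simplified non-SECCOMP record and a raw-format SECCOMP record as it would appear in audit.log before interpretation); the function names and the raw record's field values are this example's own.

```python
"""Group SECCOMP kill events from an audit log by architecture.

Reads ausearch -i style records (or raw audit.log records) and reports,
per architecture, which syscalls the seccomp whitelist rejected. This is
an added example, not part of the bug report or of libreswan.
"""
import re
import sys
from collections import defaultdict

# Audit arch values as they appear in raw (non-interpreted) records,
# from linux/audit.h: EM_* | __AUDIT_ARCH_64BIT | __AUDIT_ARCH_LE.
AUDIT_ARCH = {
    "c000003e": "x86_64",
    "80000015": "ppc64",
    "c0000015": "ppc64le",
    "80000016": "s390x",
}

# Actions that terminate the process: the ausearch -i name plus the raw
# SECCOMP_RET_KILL_THREAD and SECCOMP_RET_KILL_PROCESS values.
KILL_CODES = {"kill", "0x0", "0x80000000"}

_MSG_RE = re.compile(r"msg=audit\(([^)]*)\)")
_KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_audit_record(line):
    """Return the key=value fields of one audit record as a dict, or None
    for separator lines and other non-record text. The msg=audit(...)
    token is cut out first because the interpreted timestamp contains a
    space, which would break plain key=value splitting."""
    m = _MSG_RE.search(line)
    if not m:
        return None
    fields = {"timestamp": m.group(1)}
    rest = line[:m.start()] + line[m.end():]
    for key, value in _KV_RE.findall(rest):
        fields[key] = value.strip('"')  # raw records quote comm= and exe=
    return fields if "type" in fields else None


def seccomp_kills_by_arch(lines):
    """Map arch -> {syscall: count} for SECCOMP records whose action
    killed the process. Raw arch values are translated via AUDIT_ARCH;
    raw syscall numbers are reported as-is (ausearch -i resolves names)."""
    report = defaultdict(lambda: defaultdict(int))
    for line in lines:
        rec = parse_audit_record(line)
        if rec is None or rec.get("type") != "SECCOMP":
            continue
        if rec.get("code") not in KILL_CODES:
            continue  # trap/log/errno actions do not kill the daemon
        arch = AUDIT_ARCH.get(rec.get("arch", "").lower(), rec.get("arch", "?"))
        report[arch][rec.get("syscall", "?")] += 1
    return {arch: dict(calls) for arch, calls in report.items()}


def arch_specific(report):
    """Map each rejected syscall to the sorted list of architectures it
    was seen on, which shows gaps that only appear on some platforms."""
    archs = sorted(report)
    seen = sorted({sc for calls in report.values() for sc in calls})
    return {sc: [a for a in archs if sc in report[a]] for sc in seen}


# Sample input: the five ausearch -i records quoted in the bug report,
# preceded by a constructed, simplified non-SECCOMP record.
SAMPLE_LOG = """\
type=SERVICE_START msg=audit(02/08/2018 13:32:05.000:135) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 unit=ipsec comm=systemd res=success
type=SECCOMP msg=audit(02/08/2018 13:32:09.021:136) : auid=unset uid=root gid=root ses=unset subj=system_u:system_r:ipsec_t:s0 pid=13414 comm=pluto sig=SIGSYS arch=x86_64 syscall=clock_gettime compat=0 ip=0x7ffed90416d2 code=kill
type=SECCOMP msg=audit(02/07/2018 16:47:43.668:176) : auid=unset uid=root gid=root ses=unset subj=system_u:system_r:ipsec_t:s0 pid=8167 comm=pluto sig=SIGSYS arch=ppc64 syscall=waitpid compat=0 ip=0x3fffacf49028 code=kill
type=SECCOMP msg=audit(02/07/2018 23:07:08.176:126) : auid=unset uid=root gid=root ses=unset subj=system_u:system_r:ipsec_t:s0 pid=13042 comm=pluto sig=SIGSYS arch=ppc64le syscall=waitpid compat=0 ip=0x3fff78084e68 code=kill
type=SECCOMP msg=audit(02/07/2018 17:00:11.249:274) : auid=unset uid=root gid=root ses=unset subj=system_u:system_r:ipsec_t:s0 pid=2396 comm=pluto sig=SIGSYS arch=s390x syscall=sigreturn compat=0 ip=0x3fffff20830 code=kill
type=SECCOMP msg=audit(02/07/2018 17:04:43.299:284) : auid=unset uid=root gid=root ses=unset subj=system_u:system_r:ipsec_t:s0 pid=2396 comm=pluto sig=SIGSYS arch=s390x syscall=socketcall compat=0 ip=0x3fffd3a4ffe code=kill
"""

# Constructed raw form of the first record, as audit.log stores it before
# ausearch -i translates names (field values are illustrative).
RAW_RECORD = ('type=SECCOMP msg=audit(1518114729.021:136): auid=4294967295 uid=0 gid=0 '
              'ses=4294967295 subj=system_u:system_r:ipsec_t:s0 pid=13414 comm="pluto" '
              'exe="/usr/libexec/ipsec/pluto" sig=31 arch=c000003e syscall=228 compat=0 '
              'ip=0x7ffed90416d2 code=0x0')


if __name__ == "__main__":
    # "-" reads piped ausearch output; otherwise the embedded sample is used.
    lines = sys.stdin.read().splitlines() if sys.argv[1:] == ["-"] else SAMPLE_LOG.splitlines()
    report = seccomp_kills_by_arch(lines)
    for arch, calls in sorted(report.items()):
        print(f"{arch}: rejected syscalls -> {', '.join(sorted(calls))}")
    for syscall, archs in arch_specific(report).items():
        print(f"{syscall}: seen on {', '.join(archs)}")
```

On a test host the script is fed with `ausearch -i -m SECCOMP | python3 seccomp_gaps.py -` after reproducing the connection attempt; the report is the per-architecture list that has to be reconciled with the whitelist in pluto_seccomp.c, and the `arch_specific` output is the reminder that a whitelist validated only on x86_64 says nothing about s390x or ppc64.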
