Bug 1777474 - ipsec service does not work correctly when seccomp filtering is enabled
Summary: ipsec service does not work correctly when seccomp filtering is enabled
Keywords:
Status: CLOSED DUPLICATE of bug 1544463
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: libreswan
Version: 8.2
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: 8.0
Assignee: Paul Wouters
QA Contact: BaseOS QE Security Team
Docs Contact: Mirek Jahoda
URL:
Whiteboard:
Depends On: 1820206
Blocks:
Reported: 2019-11-27 16:02 UTC by Ondrej Moriš
Modified: 2020-08-12 14:57 UTC (History)
CC: 7 users

Fixed In Version:
Doc Type: Known Issue
Doc Text:
`Libreswan` does not work properly with `seccomp=enabled` on all configurations
The set of allowed syscalls in the `Libreswan` SECCOMP support implementation is currently not complete. Consequently, when SECCOMP is enabled in the `ipsec.conf` file, the syscall filtering rejects even syscalls needed for the proper functioning of the `pluto` daemon; the daemon is killed, and the `ipsec` service is restarted. To work around this problem, set the `seccomp=` option back to the `disabled` state. SECCOMP support must remain disabled to run `ipsec` properly.
Clone Of: 1544463
Environment:
Last Closed: 2020-05-26 14:11:30 UTC
Type: Bug
Target Upstream Version:



Description Ondrej Moriš 2019-11-27 16:02:28 UTC
Description of problem:

When seccomp filtering is enabled, the pluto daemon won't start because some syscalls are needed but not allowed.

Version-Release number of selected component (if applicable):

libreswan-3.29-6.el8.x86_64

How reproducible:

100%

Steps to Reproduce:

1. Set seccomp=enabled in ipsec.conf
2. Start ipsec service.
3. Check service status and audit log for SECCOMP events.

Actual results:

SECCOMP events found. Service ipsec keeps reloading and pluto is actually never started.

----
type=SECCOMP msg=audit(11/27/2019 10:52:26.004:458) : auid=unset uid=root gid=root ses=unset subj=system_u:system_r:ipsec_t:s0 pid=6608 comm=pluto exe=/usr/libexec/ipsec/pluto sig=SIGSYS arch=x86_64 syscall=getdents64 compat=0 ip=0x7f0b637c882b code=kill 
----
type=SECCOMP msg=audit(11/27/2019 10:52:26.006:459) : auid=unset uid=root gid=root ses=unset subj=system_u:system_r:ipsec_t:s0 pid=6608 comm=pluto exe=/usr/libexec/ipsec/pluto sig=SIGSYS arch=x86_64 syscall=getpid compat=0 ip=0x7f0b637ce12b code=kill 
----
type=SECCOMP msg=audit(11/27/2019 10:53:42.781:469) : auid=unset uid=root gid=root ses=unset subj=system_u:system_r:ipsec_t:s0 pid=6970 comm=pluto exe=/usr/libexec/ipsec/pluto sig=SIGSYS arch=x86_64 syscall=getdents64 compat=0 ip=0x7f4c74ffe82b code=kill 
----
type=SECCOMP msg=audit(11/27/2019 10:53:42.784:470) : auid=unset uid=root gid=root ses=unset subj=system_u:system_r:ipsec_t:s0 pid=6970 comm=pluto exe=/usr/libexec/ipsec/pluto sig=SIGSYS arch=x86_64 syscall=getpid compat=0 ip=0x7f4c7500412b code=kill 
----
type=SECCOMP msg=audit(11/27/2019 10:54:53.812:482) : auid=unset uid=root gid=root ses=unset subj=system_u:system_r:ipsec_t:s0 pid=7489 comm=pluto exe=/usr/libexec/ipsec/pluto sig=SIGSYS arch=x86_64 syscall=getdents64 compat=0 ip=0x7fd719d6682b code=kill 
----
type=SECCOMP msg=audit(11/27/2019 10:56:48.315:492) : auid=unset uid=root gid=root ses=unset subj=system_u:system_r:ipsec_t:s0 pid=7846 comm=pluto exe=/usr/libexec/ipsec/pluto sig=SIGSYS arch=x86_64 syscall=getdents64 compat=0 ip=0x7f3fc5bc182b code=kill 

Expected results:

No SECCOMP events, pluto starts.

Additional info:

N/A
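A small triage helper for the audit records quoted in the report, added here as an example and not part of the bug report or of Libreswan: it parses `type=SECCOMP` records in the interpreted `ausearch -i` field format (assumed), reports which syscalls killed which executable, and lists the distinct pids that were aborted, which is the evidence a maintainer needs to complete the allowlist before re-enabling `seccomp=`. Three records are copied from the report above; the `SERVICE_START` record is constructed to show that non-SECCOMP events are ignored.

```python
import re
from collections import Counter, defaultdict

# Three type=SECCOMP records copied from the audit log in the report above,
# plus one constructed non-SECCOMP record to show that it is ignored.
SAMPLE_AUDIT = """\
type=SERVICE_START msg=audit(11/27/2019 10:52:25.900:457) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='unit=ipsec comm=systemd exe=/usr/lib/systemd/systemd hostname=? addr=? terminal=? res=success'
type=SECCOMP msg=audit(11/27/2019 10:52:26.004:458) : auid=unset uid=root gid=root ses=unset subj=system_u:system_r:ipsec_t:s0 pid=6608 comm=pluto exe=/usr/libexec/ipsec/pluto sig=SIGSYS arch=x86_64 syscall=getdents64 compat=0 ip=0x7f0b637c882b code=kill
type=SECCOMP msg=audit(11/27/2019 10:52:26.006:459) : auid=unset uid=root gid=root ses=unset subj=system_u:system_r:ipsec_t:s0 pid=6608 comm=pluto exe=/usr/libexec/ipsec/pluto sig=SIGSYS arch=x86_64 syscall=getpid compat=0 ip=0x7f0b637ce12b code=kill
type=SECCOMP msg=audit(11/27/2019 10:53:42.781:469) : auid=unset uid=root gid=root ses=unset subj=system_u:system_r:ipsec_t:s0 pid=6970 comm=pluto exe=/usr/libexec/ipsec/pluto sig=SIGSYS arch=x86_64 syscall=getdents64 compat=0 ip=0x7f4c74ffe82b code=kill
"""

# key=value pairs as printed by `ausearch -i`; the fields used below
# (type, pid, exe, syscall, code) never contain spaces.
KV_RE = re.compile(r"(\w+)=(\S+)")

def parse_seccomp_records(text):
    """Return one dict of fields per type=SECCOMP record; other types are skipped."""
    records = []
    for line in text.splitlines():
        fields = dict(KV_RE.findall(line))
        if fields.get("type") == "SECCOMP":
            records.append(fields)
    return records

def blocked_syscalls(records):
    """Map exe -> {syscall: count} for records where the filter killed the
    process (code=kill in interpreted output, i.e. SECCOMP_RET_KILL).
    A code of errno, trap or log means the call was denied or logged but
    the process survived, so such records are not counted here."""
    per_exe = defaultdict(Counter)
    for r in records:
        if r.get("code") == "kill":
            per_exe[r["exe"]][r["syscall"]] += 1
    return {exe: dict(counts) for exe, counts in per_exe.items()}

def aborted_pids(records):
    """Distinct pids killed by the filter: each is one pluto start that was
    aborted, matching the 'service keeps reloading' symptom in the report."""
    return sorted({int(r["pid"]) for r in records if r.get("code") == "kill"})

if __name__ == "__main__":
    recs = parse_seccomp_records(SAMPLE_AUDIT)
    for exe, counts in blocked_syscalls(recs).items():
        print(exe, "killed on:", ", ".join(sorted(counts)))
    print("aborted pids:", aborted_pids(recs))
```

On a live system the same functions can be fed the output of `ausearch -i -m SECCOMP` to see every syscall the current filter still rejects.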

Comment 1 Paul Wouters 2019-12-16 15:43:18 UTC
Will be in 3.30 upstream; will come in via rebase.

Comment 7 Paul Wouters 2020-05-26 14:11:30 UTC

*** This bug has been marked as a duplicate of bug 544463 ***

Comment 8 Paul Wouters 2020-05-26 14:11:58 UTC

*** This bug has been marked as a duplicate of bug 1544463 ***

