From 10c8847e0d321e9969a6eb49e1a93c46c82fe8b4 Mon Sep 17 00:00:00 2001
From: Simon Deziel
Date: Wed, 6 Oct 2021 15:03:56 -0400
Subject: [PATCH] apparmor: allow charon, charon-systemd and swanctl to read ssl keys from common locations

With the popularity of ACME clients providing access to free "official" TLS certs some users want to make use of those with strongSwan. The too restrictive AppArmor policy caused grief to some users which reported about it on the upstream mailing list:
https://lists.strongswan.org/pipermail/users/2017-February/010537.html
https://lists.strongswan.org/pipermail/users/2021-October/015121.html

Signed-off-by: Simon Deziel
---
 debian/usr.lib.ipsec.charon | 1 +
 debian/usr.sbin.charon-systemd | 1 +
 debian/usr.sbin.swanctl | 6 +++++-
 3 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/debian/usr.lib.ipsec.charon b/debian/usr.lib.ipsec.charon
index 7cdec0aeb..0858d5638 100644
--- a/debian/usr.lib.ipsec.charon
+++ b/debian/usr.lib.ipsec.charon
@@ -19,6 +19,7 @@
  #include
  #include
  #include
+ #include
  capability ipc_lock,
  capability net_admin,
diff --git a/debian/usr.sbin.charon-systemd b/debian/usr.sbin.charon-systemd
index a9df80e2f..29aea3aa9 100644
--- a/debian/usr.sbin.charon-systemd
+++ b/debian/usr.sbin.charon-systemd
@@ -19,6 +19,7 @@
  #include
  #include
  #include
+ #include
  capability ipc_lock,
  capability net_admin,
diff --git a/debian/usr.sbin.swanctl b/debian/usr.sbin.swanctl
index 455c7cbf4..86eea636d 100644
--- a/debian/usr.sbin.swanctl
+++ b/debian/usr.sbin.swanctl
@@ -15,9 +15,13 @@
  /etc/strongswan.d/ r,
  /etc/strongswan.d/** r,
- # All reading configuration, certificate, and key files beneath /etc/swanctl/
+ # Allow reading configuration, certificate, and key files beneath /etc/swanctl/
  /etc/swanctl/** r,
+ # Allow reading system certs/keys beneath /etc/ssl and other locations
+ # used by common ACME/Let's Encrypt clients
+ #include
  # Allow communication with VICI plugin UNIX domain socket
  /run/charon.vici rw,
-- 
GitLab
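Review bot: The abstraction named on the added `#include` line in usr.lib.ipsec.charon is not visible in this rendering (the `<...>` argument appears to have been stripped), so the real scope of the grant cannot be audited from the diff; assuming it is the ssl_keys abstraction the subject line implies, it gives the charon daemon read access to every private key beneath that abstraction's paths (all of /etc/ssl/private/ plus whatever ACME client directories the installed apparmor version lists), not only the keys strongSwan is configured to use. That widens what a compromised charon can read and exfiltrate, and the identical line is added to usr.sbin.charon-systemd with no explanation in either profile. A one-line comment above the include would let the next maintainer see the trade-off, e.g. `# TLS keys from /etc/ssl/private and ACME client dirs (grants all keys there, not only strongSwan's)`. Operators needing a narrower grant should be steered to the profile's local/ override if one is included; the include list this line joins begins above the hunk.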
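Review bot: The new comment in usr.sbin.swanctl says "beneath /etc/ssl and other locations used by common ACME/Let's Encrypt clients", but which locations are actually permitted depends entirely on the abstraction file shipped by the installed apparmor version, and the abstraction name itself is not visible here (angle brackets stripped), so the comment overstates what a reader can verify. Two things are worth confirming before relying on this: AppArmor mediates the resolved path, so certbot's /etc/letsencrypt/live/*/privkey.pem symlinks only work if the abstraction also allows the /etc/letsencrypt/archive/ targets, and whether the abstraction on the target Debian release lists the ACME directories at all rather than just /etc/ssl/private/. I would make the comment point at the abstraction so it can be audited: `# Allow reading TLS private keys from the system-wide locations listed in the included abstraction (e.g. /etc/ssl/private and ACME client dirs; symlinked letsencrypt live/ paths need archive/ covered too)`. swanctl's other includes are outside this hunk.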