
Issue #996

allocating SPI failed

Added by Source Builder over 6 years ago. Updated over 6 years ago.

Status:
Closed
Priority:
Normal
Category:
kernel
Affected version:
dr|rc|master
Resolution:
No change required

Description

Thank you for taking the time to read this.
First time posting.
Please accept my apologies if I am posting in the wrong place
(I would welcome direction to the right place if this is the case).

Installed latest version on repl and trying to figure out the best way to run the program.
It works well as root.

But if I run as non-root I get the following errors when trying to bring a connection up,
although ps -ax shows charon running with the appropriate non-root user uid:

allocating SPI failed: Operation not permitted
unable to get SPI for regid
unable to allocate SPI's from kernel

It's not clear from the documentation whether libcap is required or not.
Currently not installed; I'd prefer not to have to use it.

thanks for your help again

SBuilder

History

#1 Updated by Tobias Brunner over 6 years ago

  • Status changed from New to Feedback

Have you read ReducedPrivileges?

But if I run as non-root I get the following errors when trying to bring a connection up,
although ps -ax shows charon running with the appropriate non-root user uid:

allocating SPI failed: Operation not permitted
unable to get SPI for regid
unable to allocate SPI's from kernel

strongSwan requires the CAP_NET_ADMIN capability to do this (i.e. to use the XFRM/Netlink or PF_KEY interface). The user that starts the daemon (or the charon executable, set via setcap(8)) has to have this capability, otherwise it won't work.

It's not clear from the documentation whether libcap is required or not.

strongSwan also supports the Linux-specific native interface (capset(2)), try --with-capabilities=native.
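As an added illustration (not code from this issue or from the strongSwan project), a shell check for the CAP_NET_ADMIN requirement described above: it reads the effective capability mask of a running charon from /proc/PID/status and reports whether SPI allocation through XFRM/Netlink can be expected to fail. The binary path in the setcap/getcap comments is a placeholder.

```shell
#!/bin/sh
# Added example, not strongSwan project code: verify that a non-root charon
# process holds CAP_NET_ADMIN, which it needs to allocate SPIs via XFRM/Netlink.
# Assumes Linux /proc and the setcap(8)/getcap(8) tools from libcap.

CAP_NET_ADMIN_BIT=12   # bit index of CAP_NET_ADMIN in <linux/capability.h>

# cap_bit_set HEXMASK BIT: succeed if bit BIT is set in the hex capability mask
cap_bit_set() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# cap_eff_from_status STATUS_TEXT: print the CapEff mask from /proc/PID/status contents
cap_eff_from_status() {
    printf '%s\n' "$1" | awk '/^CapEff:/ { print $2; exit }'
}

# check_pid_net_admin PID: 0 if the live process has CAP_NET_ADMIN, 1 if not, 2 if unreadable
check_pid_net_admin() {
    _status=$(cat "/proc/$1/status" 2>/dev/null) || return 2
    _eff=$(cap_eff_from_status "$_status")
    [ -n "$_eff" ] || return 2
    cap_bit_set "$_eff" "$CAP_NET_ADMIN_BIT"
}

# Constructed /proc/PID/status excerpts (not captured from a real host):
# an unprivileged process, and one that kept only cap_net_admin after dropping root.
SAMPLE_UNPRIV=$(printf 'Name:\tcharon\nUid:\t1000\t1000\t1000\t1000\nCapEff:\t0000000000000000\n')
SAMPLE_NETADMIN=$(printf 'Name:\tcharon\nUid:\t1000\t1000\t1000\t1000\nCapEff:\t0000000000001000\n')

# Usage: sh this_script.sh PID   (the charon PID shown by "ps -ax")
# To grant the capability on the binary instead of starting charon as root:
#   setcap cap_net_admin+ep /path/to/charon     # /path/to/charon is a placeholder
#   getcap /path/to/charon                      # should list cap_net_admin+ep
if [ -n "${1:-}" ]; then
    if check_pid_net_admin "$1"; then
        echo "PID $1: CAP_NET_ADMIN present, SPI allocation via XFRM should work"
    else
        echo "PID $1: CAP_NET_ADMIN missing, expect 'allocating SPI failed: Operation not permitted'"
    fi
fi
```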

#2 Updated by Source Builder over 6 years ago

Thank you for the fast reply.
Your response led me to exploring XFRM with iproute2,
and then to setting SAD and SPD with setkey.
This has side-tracked me, so I have yet to try with-capabilities=native,
but I had missed that, so thank you for pointing it out.

I had read ReducedPrivileges.
Does strongSwan recommend a preferred way to drop privileges?
Obviously no one wants to make it easier for outsiders to apply rootkits.

As this is my first time posting, is there anything I am supposed to do to close the issue, etc.?
Please let me know; otherwise I'll consider the matter closed.

Thanks again for your help

#3 Updated by Tobias Brunner over 6 years ago

I had read ReducedPrivileges.
Does strongSwan recommend a preferred way to drop privileges?

You mean native or libcap? On Linux that doesn't really matter.

As this is my first time posting, is there anything I am supposed to do to close the issue, etc.?
Please let me know; otherwise I'll consider the matter closed.

No you don't have to do anything. Just let us know and we'll close it.

#4 Updated by Tobias Brunner over 6 years ago

  • Status changed from Feedback to Closed
  • Assignee set to Tobias Brunner
  • Resolution set to No change required
