Subject: Re: [RFC] vpn: Restrict connman-vpnd capabilities
Date: Tue, 9 Feb 2016 09:01:28 +0200
On Mon, 2016-02-08 at 20:19 -0500, Andrew Bibb wrote:
> Pretty much everything is in ~/.local/share. OpenVPN.CACert,
> OpenVPN.Cert, OpenVPN.Key, OpenVPN.ConfigFile and OpenVPN.AuthUserPass
> in the Connman provisioning file all point to files which live in a
> sub-directory inside ~/.local/share. I'm trying to find where it puts
> temporary files, but not having a lot of luck so far. I'm using a
> stock Arch Linux install with no other modifications.
> From your response it sounds as if putting all these in ~/.local/share
> is not correct. I was doing that because the VPN connection is only for
> me, no one else.
Reading stuff from ~/.local/share is ok, and works with the current
systemd .service file. I also have certs stored in ~/ and it works fine.
Writing temporary and other stuff should go somewhere else, as an
unmodified connman-vpnd will behave as if running system-wide. Probably
openvpn tries to write somewhere else than /var, which is prevented
for /home by ProtectHome=read-only and /usr and /etc by
Does the openvpn daemon start (ps axu | grep openvpn)? Does the
OpenVPN.ConfigFile point temporary or other configuration directories
somewhere other than /var?
Somewhere else someone said that between Arch Linux 1.31-1 and 1.31-2
modifications were made and /var/run/connman/resolv.conf stopped
working. So at least something with the Arch packaging has changed.
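An added example, not from the thread or from the connman or OpenVPN projects: a POSIX shell script that scans the file named by OpenVPN.ConfigFile for directives that make openvpn write to disk and reports which of those paths are read-only under the ProtectHome=read-only and ProtectSystem=full directives described above. It assumes those two directives are active in the connman-vpnd unit; the directives it recognises beyond tmp-dir (status, log, log-append, writepid) are standard OpenVPN options rather than anything mentioned in the thread.

```shell
#!/bin/sh
# Added example for this thread, not code from connman or openvpn.
# Scans an OpenVPN config for directives that make the daemon write files
# and reports which of those paths are read-only under the two systemd
# directives discussed above. Assumption: the connman-vpnd unit carries
# ProtectHome=read-only and ProtectSystem=full, as the posts describe.

# Explain why a path is read-only under those directives, or say "writable".
sandbox_verdict() {
    case "$1" in
        /home/*|/root/*|/run/user/*) echo "read-only (ProtectHome=read-only)" ;;
        /usr/*|/boot/*|/etc/*)       echo "read-only (ProtectSystem=full)" ;;
        /*)                          echo "writable" ;;
        *) echo "relative path, depends on the unit's working directory" ;;
    esac
}

# OpenVPN directives whose argument is a file or directory the daemon writes.
# tmp-dir is the one tried in the thread; the rest are standard OpenVPN
# options added here for completeness.
WRITING_DIRECTIVES='tmp-dir|status|log|log-append|writepid'

# Print "directive path -> verdict" for every write path in the config file
# and return 1 if any of them would be read-only inside the sandbox.
check_openvpn_config() {
    rc=0
    while read -r directive path _; do
        directive=${directive#--}          # accept "--tmp-dir" as well as "tmp-dir"
        case "$directive" in
            ''|'#'*|';'*) continue ;;      # blank lines and comments
        esac
        if printf '%s\n' "$directive" | grep -Eqx "$WRITING_DIRECTIVES"; then
            verdict=$(sandbox_verdict "$path")
            echo "$directive $path -> $verdict"
            case "$verdict" in read-only*) rc=1 ;; esac
        fi
    done < "$1"
    return "$rc"
}

# Usage: ./check-vpn-paths.sh /path/to/OpenVPN.ConfigFile
if [ "$#" -gt 0 ]; then
    check_openvpn_config "$1"
fi
```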
Thank you for all the pointers and time.
The file pointed to by OpenVPN.ConfigFile has no entry for --tmp-dir, so I tried adding
that line with it pointing to /var and then /tmp (reboot between) and no luck.
ps axu | grep openvpn returns one line so it appears that the daemon starts.
In connmanctl, immediately after typing "connect", an error is returned:
Error /net/connman/service/SERVICE_NAME: Input/output error
I was thinking it was a permissions error which is what led me to the mailing list
posting. After trying the --tmp-dir option with no luck I removed the single line:
CapabilityBoundingSet=CAP_KILL CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW
The ProtectHome and ProtectSystem lines I left in and that combination of lines works. I
can make a connection just as it used to.
It is very much sounding like it is not a Connman issue, but rather a packaging issue. I
can open a bug report on Arch. I also want to see what they did between 1.31-1 and 1.31-2.
I upgrade on a weekly basis and completely missed the 1.31-1 release. It must not have
been out there for long.