> Subject: Re: [RFC] vpn: Restrict connman-vpnd capabilities
> From: Patrik.Flykt@linux.intel.com
> To: ajbibb@outlook.com
> CC: connman@lists.01.org
> Date: Tue, 9 Feb 2016 09:01:28 +0200
>
>
> Hi,
>
> On Mon, 2016-02-08 at 20:19 -0500, Andrew Bibb wrote:
> > Pretty much everything is in ~/.local/share. OpenVPN.CACert,
> > OpenVPN.Cert, OpenVPN.Key, OpenVPN.ConfigFile and OpenVPN.AuthUserPass
> > in the Connman provisioning file all point to files which live in a
> > sub-directory inside ~/.local/share. I'm trying to find where it puts
> > temporary files, but not having a lot of luck so far. I'm using a
> > stock Arch Linux install with no other modifications.
> >
> > From your response it sounds as if putting all these in ~/.local/share
> > is not correct. I was doing that because the VPN connection is only for
> > me, no one else.
>
> Reading stuff from ~/.local/share is ok. And works with the current
> systemd .service file. I also have certs stored in ~/ and it works fine
> here.
>
> Writing temporary and other stuff should go somewhere else, as an
> unmodified connman-vpnd will behave as running system-wide. Probably
> openvpn tries to write somewhere else than /var, which is prevented
> for /home by ProtectHome=read-only and /usr and /etc by
> ProtectSystem=full.
>
> Does the openvpn daemon start (ps axu | grep openvpn)? Does the
> OpenVPN.ConfigFile point temporary or other configuration directories
> somewhere else than /var?
>
> Somewhere else someone said that between Arch Linux 1.31-1 and 1.31-2
> modifications were made and /var/run/connman/resolv.conf stopped
> working. So at least something with the Arch packaging has changed.
>
> Cheers,
>
> Patrik
>
>

Patrik,

Thank you for all the pointers and time. 

The file pointed to by OpenVPN.ConfigFile has no entry for --tmp-dir, so I tried adding that line with it pointing to /var and then /tmp (reboot between) and no luck.

ps axu | grep openvpn returns one line so it appears that the daemon starts.

In connmanctl immediately after typing "connect" an error is returned:
Error /net/connman/service/SERVICE_NAME: Input/output error

I was thinking it was a permissions error which is what led me to the mailing list posting.  After trying the --tmp-dir option with no luck I removed the single line:

CapabilityBoundingSet=CAP_KILL CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW

The ProtectHome and ProtectSystem lines I left in and that combination of lines works.  I can make a connection just as it used to.

It is very much sounding like it is not a Connman issue, but rather a packaging issue. I can open a bug report on Arch. I also want to see what they did between 1.31-1 and 1.31-2.  I upgrade on a weekly basis and completely missed the 1.31-1 release.  It must not have been out there for long.

Andrew
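A way to check what the CapabilityBoundingSet line in the thread actually leaves to a child process such as openvpn, as an added example that is not part of this thread or of the connman project: it converts the unit's capability list to a bitmask, decodes the CapBnd line of a /proc/PID/status file, and reports which of a caller-supplied list of expected capabilities are missing. The /proc status text below is constructed, and the capability list passed to missing_for is an assumed example, not a statement of what openvpn needs.

```python
"""Decode Linux capability bounding-set masks to see what a hardened
systemd unit leaves to its children (added example, not connman code)."""
import re

# Bit numbers from linux/capability.h (assumption: a 4.x-era kernel).
CAP_BITS = {
    "CAP_CHOWN": 0, "CAP_DAC_OVERRIDE": 1, "CAP_DAC_READ_SEARCH": 2,
    "CAP_FOWNER": 3, "CAP_FSETID": 4, "CAP_KILL": 5, "CAP_SETGID": 6,
    "CAP_SETUID": 7, "CAP_SETPCAP": 8, "CAP_LINUX_IMMUTABLE": 9,
    "CAP_NET_BIND_SERVICE": 10, "CAP_NET_BROADCAST": 11, "CAP_NET_ADMIN": 12,
    "CAP_NET_RAW": 13, "CAP_IPC_LOCK": 14, "CAP_IPC_OWNER": 15,
    "CAP_SYS_MODULE": 16, "CAP_SYS_RAWIO": 17, "CAP_SYS_CHROOT": 18,
    "CAP_SYS_PTRACE": 19, "CAP_SYS_PACCT": 20, "CAP_SYS_ADMIN": 21,
    "CAP_SYS_BOOT": 22, "CAP_SYS_NICE": 23, "CAP_SYS_RESOURCE": 24,
    "CAP_SYS_TIME": 25, "CAP_SYS_TTY_CONFIG": 26, "CAP_MKNOD": 27,
    "CAP_LEASE": 28, "CAP_AUDIT_WRITE": 29, "CAP_AUDIT_CONTROL": 30,
    "CAP_SETFCAP": 31, "CAP_MAC_OVERRIDE": 32, "CAP_MAC_ADMIN": 33,
    "CAP_SYSLOG": 34, "CAP_WAKE_ALARM": 35, "CAP_BLOCK_SUSPEND": 36,
    "CAP_AUDIT_READ": 37,
}

def unit_bounding_mask(line):
    """Turn a 'CapabilityBoundingSet=CAP_A CAP_B ...' unit line into a bitmask."""
    names = line.split("=", 1)[1].split()
    return sum(1 << CAP_BITS[name] for name in names)

def decode_mask(mask):
    """List the capability names set in a bounding-set bitmask."""
    return sorted(name for name, bit in CAP_BITS.items() if mask >> bit & 1)

def capbnd_from_status(status_text):
    """Extract the CapBnd hex value from the text of /proc/<pid>/status."""
    match = re.search(r"^CapBnd:\s*([0-9a-fA-F]+)", status_text, re.M)
    return int(match.group(1), 16)

def missing_for(mask, required):
    """Return the names in `required` that the bounding set does not contain."""
    return [name for name in required if not mask >> CAP_BITS[name] & 1]

# Constructed sample, not captured from a real openvpn process.
SAMPLE_STATUS = "Name:\topenvpn\nCapInh:\t0000000000000000\nCapBnd:\t0000000000003420\n"

if __name__ == "__main__":
    unit_line = "CapabilityBoundingSet=CAP_KILL CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW"
    print("unit allows:", decode_mask(unit_bounding_mask(unit_line)))
    bnd = capbnd_from_status(SAMPLE_STATUS)
    print("child missing:", missing_for(bnd, ["CAP_NET_ADMIN", "CAP_SETUID", "CAP_SETGID"]))
```

On a live system, replace SAMPLE_STATUS with the contents of /proc/$(pidof openvpn)/status to see the bounding set the child actually inherited from connman-vpnd.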