Sign in with
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Snap bind access to privileged/reserved port number range

Snap bind access to privileged/reserved port number range

japikas
Established Member

‎01-15-2024 10:39 PM

Hi,
I'm building a snap which needs to bind a raw inet socket to a known and free IP port number within the priviledged/reserved range <1024. AppArmor is preventing that as a security violation:

audit[70451]: AVC apparmor="DENIED" operation="create" profile="snap.myapp.myapp" pid=70451 comm="myapp" family="packet" sock_type="raw" protocol=768 requested_mask="create" denied_mask="create"

As far as I have understood, that should be enabled with network-control plug defined in snapcraft.yaml, but that plug is not allowed for non-signed snaps (a.k.a unknown source).

wasp[1677]: ||080F0510|PackageManager error|0C64100E|Snap connection not allowed for snaps from unknown sources|||web.packagemanager||||Connection of plug myapp:network-control is not allowed

Is this a dead-end of my project, or is there some other way around? Can I inject my own AppArmor profile somehow, as an example? Changing the port number is not feasible as all other programs expect that specific one by default.

0 Likes
Reply
3 REPLIES 3

CodeShepherd
Community Moderator
Community Moderator

‎01-16-2024 07:47 AM - edited ‎01-16-2024 07:47 AM

Could you tell us a little bit more abut the project or what you want to achieve? You could send me a private message with your contact data to have a direct discussion.

Some system slots are blocked for security reasons so no harmful software can use them to compromise the system. For testing purposes you could use a root user connect the slot by hand or to install the app in debug mode. See post "SSH to the core disabled" for further information.

0 Likes
Reply

japikas
Established Member
In response to CodeShepherd

‎01-19-2024 08:07 PM

Got some help from ctrlX team.

With system user (ssh) assertion in place, it is possible manully connect the application to the network-control slot, and then application can bind to the priviledged port number.

snap connect myapp:network-control

This is not scalable solution, but at least enables test and development in local CORE.

0 Likes
Reply

japikas
Established Member
In response to japikas

‎01-19-2024 08:17 PM

The above command must be repeated each time the application restarts, e.g. new version installed.

0 Likes
Reply

OK
OK
Icon--AD-black-48x48Icon--address-consumer-data-black-48x48Icon--appointment-black-48x48Icon--back-left-black-48x48Icon--calendar-black-48x48Icon--center-alignedIcon--Checkbox-checkIcon--clock-black-48x48Icon--close-black-48x48Icon--compare-black-48x48Icon--confirmation-black-48x48Icon--dealer-details-black-48x48Icon--delete-black-48x48Icon--delivery-black-48x48Icon--down-black-48x48Icon--download-black-48x48Ic-OverlayAlertIcon--externallink-black-48x48Icon-Filledforward-right_adjustedIcon--grid-view-black-48x48IC_gd_Check-Circle170821_Icons_Community170823_Bosch_Icons170823_Bosch_Icons170821_Icons_CommunityIC-logout170821_Icons_Community170825_Bosch_Icons170821_Icons_CommunityIC-shopping-cart2170821_Icons_CommunityIC-upIC_UserIcon--imageIcon--info-i-black-48x48Icon--left-alignedIcon--Less-minimize-black-48x48Icon-FilledIcon--List-Check-grennIcon--List-Check-blackIcon--List-Cross-blackIcon--list-view-mobile-black-48x48Icon--list-view-black-48x48Icon--More-Maximize-black-48x48Icon--my-product-black-48x48Icon--newsletter-black-48x48Icon--payment-black-48x48Icon--print-black-48x48Icon--promotion-black-48x48Icon--registration-black-48x48Icon--Reset-black-48x48Icon--right-alignedshare-circle1Icon--share-black-48x48Icon--shopping-bag-black-48x48Icon-shopping-cartIcon--start-play-black-48x48Icon--store-locator-black-48x48Ic-OverlayAlertIcon--summary-black-48x48tumblrIcon-FilledvineIc-OverlayAlertwhishlist