FORUM CTRLX AUTOMATION
ctrlX World Partner Apps for ctrlX AUTOMATION
01-15-2024 10:39 PM
Hi,
I'm building a snap which needs to bind a raw inet socket to a known and free IP port number within the privileged/reserved range <1024. AppArmor is preventing that as a security violation:
audit[70451]: AVC apparmor="DENIED" operation="create" profile="snap.myapp.myapp" pid=70451 comm="myapp" family="packet" sock_type="raw" protocol=768 requested_mask="create" denied_mask="create"
As far as I have understood, that should be enabled with the network-control plug defined in snapcraft.yaml, but that plug is not allowed for non-signed snaps (a.k.a. unknown source).
wasp[1677]: ||080F0510|PackageManager error|0C64100E|Snap connection not allowed for snaps from unknown sources|||web.packagemanager||||Connection of plug myapp:network-control is not allowed
Is this a dead-end of my project, or is there some other way around? Can I inject my own AppArmor profile somehow, as an example? Changing the port number is not feasible as all other programs expect that specific one by default.
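The denial quoted above is an AppArmor AVC audit record: the fields that matter for triage are profile (which confined app), operation, family/sock_type (here an AF_PACKET raw socket, which is what CAP_NET_RAW and the network-control interface cover) and denied_mask. The following shell snippet is an added example, not code from the thread or from ctrlX; it pulls those fields out of such a line so a denial can be summarised in one glance. The sample line is constructed from the one in the post.

```shell
#!/bin/sh
# Added example: summarise an AppArmor AVC denial line from the kernel log.
# The sample below is constructed to match the record quoted in the post.
SAMPLE_AVC='audit[70451]: AVC apparmor="DENIED" operation="create" profile="snap.myapp.myapp" pid=70451 comm="myapp" family="packet" sock_type="raw" protocol=768 requested_mask="create" denied_mask="create"'

# avc_field LINE NAME: print the value of key NAME (quotes stripped).
# AVC values of interest (profile, family, masks) never contain spaces,
# so splitting on spaces is sufficient here.
avc_field() {
    printf '%s\n' "$1" | tr ' ' '\n' \
        | awk -F= -v k="$2" '$1 == k { v = $2; gsub(/"/, "", v); print v; exit }'
}

# avc_summary LINE: one-line triage note; returns 1 for anything that is not a DENIED record.
avc_summary() {
    line="$1"
    [ "$(avc_field "$line" apparmor)" = "DENIED" ] || return 1
    printf '%s: %s denied on %s/%s socket (denied_mask=%s)\n' \
        "$(avc_field "$line" profile)" "$(avc_field "$line" operation)" \
        "$(avc_field "$line" family)" "$(avc_field "$line" sock_type)" \
        "$(avc_field "$line" denied_mask)"
}

# Stand-alone run: summarise the constructed sample.
# On a live system the same function can be fed from the kernel log, e.g.
#   journalctl -k | grep 'apparmor="DENIED"' | while read -r l; do avc_summary "$l"; done
avc_summary "$SAMPLE_AVC"
```

The summary names the confined profile and the socket family/type, which is what decides which snap interface is being asked for; a plain "DENIED" line without that breakdown is easy to misread as a generic network error.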
01-16-2024 07:47 AM - edited 01-16-2024 07:47 AM
Could you tell us a little bit more about the project or what you want to achieve? You could send me a private message with your contact data to have a direct discussion.
Some system slots are blocked for security reasons so no harmful software can use them to compromise the system. For testing purposes you could use a root user to connect the slot by hand or install the app in debug mode. See post "SSH to the core disabled" for further information.
01-19-2024 08:07 PM
Got some help from ctrlX team.
With the system user (ssh) assertion in place, it is possible to manually connect the application to the network-control slot, and then the application can bind to the privileged port number.
snap connect myapp:network-control
This is not a scalable solution, but at least it enables test and development in a local CORE.
01-19-2024 08:17 PM
The above command must be repeated each time the application restarts, e.g. new version installed.
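Since the manual connection has to be redone after each reinstall, a small check-and-reconnect script is the usual way to keep a test CORE consistent. The following is an added example, not code from the thread or from ctrlX: it reads the table that `snap connections <snap>` prints (Interface, Plug, Slot, Notes; a disconnected plug shows "-" in the Slot column) and runs `snap connect` only when the plug is actually disconnected. The sample table is constructed; the snap name myapp is the one used in the thread.

```shell
#!/bin/sh
# Added example: verify that a snap's plug is connected, and reconnect it if not.
# Constructed sample in the format printed by `snap connections myapp`.
SAMPLE_CONNECTIONS='Interface        Plug                   Slot       Notes
network          myapp:network          :network   -
network-control  myapp:network-control  -          -'

# plug_connected TABLE SNAP INTERFACE: exit 0 if SNAP:INTERFACE is wired to a slot.
plug_connected() {
    printf '%s\n' "$1" | awk -v plug="$2:$3" '
        NR > 1 && $2 == plug { if ($3 != "-") ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# ensure_connected SNAP INTERFACE: reconnect only when needed.
# Needs the privileges the thread describes (root via the ssh system user),
# and is meant to run after every install/refresh of the snap.
ensure_connected() {
    if plug_connected "$(snap connections "$1")" "$1" "$2"; then
        echo "$1:$2 already connected"
    else
        snap connect "$1:$2"
    fi
}

# Stand-alone run against the constructed table (no snapd needed).
if plug_connected "$SAMPLE_CONNECTIONS" myapp network-control; then
    echo "myapp:network-control is connected"
else
    echo "myapp:network-control is NOT connected; run: snap connect myapp:network-control"
fi
```

Running `ensure_connected myapp network-control` from the post-install step is idempotent: it leaves an already-connected plug alone and only issues `snap connect` when the Slot column is empty, so the log shows exactly when the reconnect was needed.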