Sign in with
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Snap bind access to privileged/reserved port number range

Snap bind access to privileged/reserved port number range

japikas
Established Member

‎01-15-2024 10:39 PM

Hi,
I'm building a snap which needs to bind a raw inet socket to a known and free IP port number within the priviledged/reserved range <1024. AppArmor is preventing that as a security violation:

audit[70451]: AVC apparmor="DENIED" operation="create" profile="snap.myapp.myapp" pid=70451 comm="myapp" family="packet" sock_type="raw" protocol=768 requested_mask="create" denied_mask="create"

As far as I have understood, that should be enabled with network-control plug defined in snapcraft.yaml, but that plug is not allowed for non-signed snaps (a.k.a unknown source).

wasp[1677]: ||080F0510|PackageManager error|0C64100E|Snap connection not allowed for snaps from unknown sources|||web.packagemanager||||Connection of plug myapp:network-control is not allowed

Is this a dead-end of my project, or is there some other way around? Can I inject my own AppArmor profile somehow, as an example? Changing the port number is not feasible as all other programs expect that specific one by default.

0 Likes
Reply
4 REPLIES 4

CodeShepherd
Community Moderator
Community Moderator

‎01-16-2024 07:47 AM - edited ‎01-16-2024 07:47 AM

Could you tell us a little bit more abut the project or what you want to achieve? You could send me a private message with your contact data to have a direct discussion.

Some system slots are blocked for security reasons so no harmful software can use them to compromise the system. For testing purposes you could use a root user connect the slot by hand or to install the app in debug mode. See post "SSH to the core disabled" for further information.

0 Likes
Reply

japikas
Established Member
In response to CodeShepherd

‎01-19-2024 08:07 PM

Got some help from ctrlX team.

With system user (ssh) assertion in place, it is possible manully connect the application to the network-control slot, and then application can bind to the priviledged port number.

snap connect myapp:network-control

This is not scalable solution, but at least enables test and development in local CORE.

0 Likes
Reply

japikas
Established Member
In response to japikas

‎01-19-2024 08:17 PM

The above command must be repeated each time the application restarts, e.g. new version installed.

0 Likes
Reply

CodeShepherd
Community Moderator
Community Moderator
In response to japikas

‎09-06-2024 09:20 AM

Are there any news about the status of your app? 

To get access to ports that are not auto connected you need to get an officially signed app, so our device admin will connect your app. Please have a look to the "Service Tickets Licensing with ctrlX AUTOMATION" for further information.

0 Likes
Reply

OK
OK
Icon--AD-black-48x48Icon--address-consumer-data-black-48x48Icon--appointment-black-48x48Icon--back-left-black-48x48Icon--calendar-black-48x48Icon--center-alignedIcon--Checkbox-checkIcon--clock-black-48x48Icon--close-black-48x48Icon--compare-black-48x48Icon--confirmation-black-48x48Icon--dealer-details-black-48x48Icon--delete-black-48x48Icon--delivery-black-48x48Icon--down-black-48x48Icon--download-black-48x48Ic-OverlayAlertIcon--externallink-black-48x48Icon-Filledforward-right_adjustedIcon--grid-view-black-48x48IC_gd_Check-Circle170821_Icons_Community170823_Bosch_Icons170823_Bosch_Icons170821_Icons_CommunityIC-logout170821_Icons_Community170825_Bosch_Icons170821_Icons_CommunityIC-shopping-cart2170821_Icons_CommunityIC-upIC_UserIcon--imageIcon--info-i-black-48x48Icon--left-alignedIcon--Less-minimize-black-48x48Icon-FilledIcon--List-Check-grennIcon--List-Check-blackIcon--List-Cross-blackIcon--list-view-mobile-black-48x48Icon--list-view-black-48x48Icon--More-Maximize-black-48x48Icon--my-product-black-48x48Icon--newsletter-black-48x48Icon--payment-black-48x48Icon--print-black-48x48Icon--promotion-black-48x48Icon--registration-black-48x48Icon--Reset-black-48x48Icon--right-alignedshare-circle1Icon--share-black-48x48Icon--shopping-bag-black-48x48Icon-shopping-cartIcon--start-play-black-48x48Icon--store-locator-black-48x48Ic-OverlayAlertIcon--summary-black-48x48tumblrIcon-FilledvineIc-OverlayAlertwhishlist