FORUM CTRLX AUTOMATION
ctrlX World Partner Apps for ctrlX AUTOMATION
01-15-2024 10:39 PM
Hi,
I'm building a snap which needs to bind a raw inet socket to a known and free IP port number within the privileged/reserved range <1024. AppArmor is preventing that as a security violation:
audit[70451]: AVC apparmor="DENIED" operation="create" profile="snap.myapp.myapp" pid=70451 comm="myapp" family="packet" sock_type="raw" protocol=768 requested_mask="create" denied_mask="create"
As far as I have understood, that should be enabled with the network-control plug defined in snapcraft.yaml, but that plug is not allowed for non-signed snaps (a.k.a. unknown source).
wasp[1677]: ||080F0510|PackageManager error|0C64100E|Snap connection not allowed for snaps from unknown sources|||web.packagemanager||||Connection of plug myapp:network-control is not allowed
Is this a dead-end of my project, or is there some other way around? Can I inject my own AppArmor profile somehow, as an example? Changing the port number is not feasible as all other programs expect that specific one by default.
01-16-2024 07:47 AM - edited 01-16-2024 07:47 AM
Could you tell us a little bit more about the project or what you want to achieve? You could send me a private message with your contact data to have a direct discussion.
Some system slots are blocked for security reasons so no harmful software can use them to compromise the system. For testing purposes you could use a root user to connect the slot by hand or install the app in debug mode. See the post "SSH to the core disabled" for further information.
01-19-2024 08:07 PM
Got some help from ctrlX team.
With the system user (ssh) assertion in place, it is possible to manually connect the application to the network-control slot, and then the application can bind to the privileged port number.
snap connect myapp:network-control
This is not a scalable solution, but at least it enables test and development in a local CORE.
01-19-2024 08:17 PM
The above command must be repeated each time the application restarts, e.g. new version installed.
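Added example (not from any post in this thread, and not ctrlX or snapd code): a small POSIX shell helper for the two checks a device admin does when triaging a case like the one above. It pulls the fields out of an AppArmor AVC denial line such as the one quoted in the first post (profile, socket family, type, requested mask) and maps the profile back to the snap name, and it reads the output of `snap connections <snap>` to tell whether a given plug is currently connected, so the manual `snap connect` from the earlier post only has to be re-run when the connection is actually missing. The sample denial line is the one quoted in the thread; the `snap connections` output is constructed to match snapd's column layout, where a disconnected plug shows `-` in the Slot column. The `ensure_plug` function and the file name `check_snap_plug.sh` are assumptions for illustration.

```shell
#!/bin/sh
# check_snap_plug.sh (added example, not from the thread)
# Parse an AppArmor AVC denial and check a snap plug's connection state.

# Constructed sample: the denial line quoted in the first post of the thread.
SAMPLE_AVC='audit[70451]: AVC apparmor="DENIED" operation="create" profile="snap.myapp.myapp" pid=70451 comm="myapp" family="packet" sock_type="raw" protocol=768 requested_mask="create" denied_mask="create"'

# Constructed sample in the layout `snap connections myapp` prints.
# snapd shows "-" in the Slot column for a plug that is not connected.
SAMPLE_CONNECTIONS='Interface        Plug                   Slot              Notes
network          myapp:network          :network          -
network-bind     myapp:network-bind     :network-bind     -
network-control  myapp:network-control  -                 -'

# avc_field LINE KEY
# Print the value of KEY="value" (or KEY=value) in an AVC line; empty if absent.
avc_field() {
    printf '%s\n' "$1" | awk -v key="$2" '
    {
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == key) {
                val = kv[2]
                gsub(/"/, "", val)   # strip the quotes AppArmor puts around values
                print val
                exit
            }
        }
    }'
}

# avc_snap_name LINE
# A snap's AppArmor profile is named snap.<snap>.<app>; print <snap>,
# return 1 if the profile does not belong to a snap.
avc_snap_name() {
    _prof=$(avc_field "$1" profile)
    case "$_prof" in
        snap.*.*) printf '%s\n' "$_prof" | cut -d. -f2 ;;
        *)        return 1 ;;
    esac
}

# avc_summary LINE
# One-line triage summary: which snap was denied what, on which socket family/type.
avc_summary() {
    printf 'snap=%s op=%s family=%s sock_type=%s denied=%s\n' \
        "$(avc_snap_name "$1")" "$(avc_field "$1" operation)" \
        "$(avc_field "$1" family)" "$(avc_field "$1" sock_type)" \
        "$(avc_field "$1" denied_mask)"
}

# plug_connected CONNECTIONS_OUTPUT SNAP:PLUG
# Return 0 if the plug appears in the table with a slot, 1 otherwise.
plug_connected() {
    printf '%s\n' "$1" | awk -v plug="$2" '
    NR > 1 && $2 == plug { found = 1; if ($3 != "-") ok = 1 }
    END { exit (found && ok) ? 0 : 1 }'
}

# ensure_plug SNAP PLUG  (assumed helper; runs the real snap command)
# Connect the plug only when it is not already connected, so this is safe to
# run after every reinstall without churning the connection.
ensure_plug() {
    if plug_connected "$(snap connections "$1")" "$1:$2"; then
        echo "$1:$2 already connected"
    else
        echo "connecting $1:$2"
        snap connect "$1:$2"
    fi
}

# Stand-alone demo on the constructed samples (no snapd needed).
avc_summary "$SAMPLE_AVC"
if plug_connected "$SAMPLE_CONNECTIONS" myapp:network-control; then
    echo "myapp:network-control is connected"
else
    echo "myapp:network-control is NOT connected"
fi
```

Run `sh check_snap_plug.sh` to see the summary for the quoted denial; on a core with the system user assertion in place, `ensure_plug myapp network-control` replaces the bare `snap connect` from the earlier post and is idempotent.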
09-06-2024 09:20 AM
Are there any news about the status of your app?
To get access to ports that are not auto-connected you need to get an officially signed app, so our device admin will connect your app. Please have a look at "Service Tickets Licensing with ctrlX AUTOMATION" for further information.