Sign in with
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

About japikas

since ‎10-26-2022
‎03-20-2024
japikas
Established Member

Re: Snap bind access to privileged/reserved port number range

by in SDK
‎01-19-2024 08:17 PM
‎01-19-2024 08:17 PM
The above command must be repeated each time the application restarts, e.g. new version installed. ... View more

Re: Snap bind access to privileged/reserved port number range

by in SDK
‎01-19-2024 08:07 PM
‎01-19-2024 08:07 PM
Got some help from ctrlX team. With system user (ssh) assertion in place, it is possible manully connect the application to the network-control slot, and then application can bind to the priviledged port number. snap connect myapp:network-control This is not scalable solution, but at least enables test and development in local CORE. ... View more

Snap bind access to privileged/reserved port number range

by in SDK
‎01-15-2024 10:39 PM
‎01-15-2024 10:39 PM
Hi, I'm building a snap which needs to bind a raw inet socket to a known and free IP port number within the priviledged/reserved range <1024. AppArmor is preventing that as a security violation: audit[70451]: AVC apparmor="DENIED" operation="create" profile="snap.myapp.myapp" pid=70451 comm="myapp" family="packet" sock_type="raw" protocol=768 requested_mask="create" denied_mask="create" As far as I have understood, that should be enabled with network-control plug defined in snapcraft.yaml, but that plug is not allowed for non-signed snaps (a.k.a unknown source). wasp[1677]: ||080F0510|PackageManager error|0C64100E|Snap connection not allowed for snaps from unknown sources|||web.packagemanager||||Connection of plug myapp:network-control is not allowed Is this a dead-end of my project, or is there some other way around? Can I inject my own AppArmor profile somehow, as an example? Changing the port number is not feasible as all other programs expect that specific one by default. ... View more

Re: App access permissions of unprivileged user within snap context

by in SDK
‎12-12-2023 09:24 PM
1 Like
‎12-12-2023 09:24 PM
1 Like
Silly me, it's network-bind, not network_bind. Usually snapcraft is very strict when parsing the snapcraft.yaml file, but for some reason it didn't detected this typo, which is also hard for human to recognize. I investigated the interfaces of the snap with 'snap connections' command, and wondered why network-bind is missing. That's how I found the typo. ... View more

App access permissions of unprivileged user within snap context

by in SDK
‎12-12-2023 04:23 PM
‎12-12-2023 04:23 PM
Hi, I'm creating a snap for a 3rd party application. This application refuses to run as root. If the application detects it's running with root permissions, it will terminate, thus the application must be executed with unpriviledged user permission within the snap context. There is a trick how to switch from the default root user to unpriviledged user called snap_daemon inside the snap context: https://snapcraft.io/docs/system-usernames Now the application accepts to run, but the problem is access to system resource. Snap_daemon does not have permission to bind TCP server socket for listening incoming connections (the port number is outsided of restricted range >1024). Is there a way allow network bind for unpriviledged user? Normal application with normal root user would only need 'plugs: network_bind' definition in snapcraft.yaml. For clarity: the problem is not related to permissions of the snap, but permissions of the application inside the snap. Here are selected relevant parts of my snapcraft.yaml: system-usernames:     snap_daemon: shared apps:     myapp:         command: launcher.sh         plugs: [network, network_bind]   ... View more
Latest Tags
No tags yet
Likes given to
Load More
Likes From
Load More

OK
OK
Icon--AD-black-48x48Icon--address-consumer-data-black-48x48Icon--appointment-black-48x48Icon--back-left-black-48x48Icon--calendar-black-48x48Icon--center-alignedIcon--Checkbox-checkIcon--clock-black-48x48Icon--close-black-48x48Icon--compare-black-48x48Icon--confirmation-black-48x48Icon--dealer-details-black-48x48Icon--delete-black-48x48Icon--delivery-black-48x48Icon--down-black-48x48Icon--download-black-48x48Ic-OverlayAlertIcon--externallink-black-48x48Icon-Filledforward-right_adjustedIcon--grid-view-black-48x48IC_gd_Check-Circle170821_Icons_Community170823_Bosch_Icons170823_Bosch_Icons170821_Icons_CommunityIC-logout170821_Icons_Community170825_Bosch_Icons170821_Icons_CommunityIC-shopping-cart2170821_Icons_CommunityIC-upIC_UserIcon--imageIcon--info-i-black-48x48Icon--left-alignedIcon--Less-minimize-black-48x48Icon-FilledIcon--List-Check-grennIcon--List-Check-blackIcon--List-Cross-blackIcon--list-view-mobile-black-48x48Icon--list-view-black-48x48Icon--More-Maximize-black-48x48Icon--my-product-black-48x48Icon--newsletter-black-48x48Icon--payment-black-48x48Icon--print-black-48x48Icon--promotion-black-48x48Icon--registration-black-48x48Icon--Reset-black-48x48Icon--right-alignedshare-circle1Icon--share-black-48x48Icon--shopping-bag-black-48x48Icon-shopping-cartIcon--start-play-black-48x48Icon--store-locator-black-48x48Ic-OverlayAlertIcon--summary-black-48x48tumblrIcon-FilledvineIc-OverlayAlertwhishlist