Ssh tunnel : permission denied

Kumikomi · April 27, 2020, 2:50pm

Hello everyone,

I’ve an application [myapp] in legacy C comming from another product.
It’s not sandboxed but I’ve a permission issue when I ask it to make an ssh tunnel.

I was able to reproduce only without any software code :

in /home/root : create a test.sh script - with 755 permissions.

#!/bin/sh
cd /home/root; export DROPBEAR_PASSWORD="<mypassword>"; /usr/bin/ssh -N -R 60000:localhost:22 <myUser>@192.168.2.3

then run it in app context :

root@swi-mdm9x28-wp:~# app runProc myapp --exe=/home/root/test.sh

This script creates an ssh tunel to allow an ssh connection from my computer (192.168.2.3) to my board. To use this tunnel (tunnel is created from my computer local port 60000 to my board port 22) :

<myUser>@MyComputer: ~$ ssh -p 60000 root@localhost

On my computer I’ve :

ssh_exchange_identification: read: Connection reset by peer

and on my board:

root@swi-mdm9x28-wp:~# logread -f
Apr 27 16:22:03 swi-mdm9x28-wp user.notice kernel: [  492.749500] audit: type=1400 audit(1587997323.133:5): lsm=SMACK fn=smk_ipv6_check action=denied subject="app.myapp" object="admin" requested=w pid=2541 comm="ssh" daddr=::1 dest=5632
Apr 27 16:22:03 swi-mdm9x28-wp user.notice kernel: [  492.752289] audit: type=1400 audit(1587997323.133:6): lsm=SMACK fn=smack_socket_sock_rcv_skb action=denied subject="app.myapp" object="admin" requested=w pid=2541 comm="ssh" saddr=127.0.0.1 src=41798 daddr=127.0.0.1 dest=22
Apr 27 16:22:04 swi-mdm9x28-wp user.notice kernel: [  493.752639] audit: type=1400 audit(1587997324.133:7): lsm=SMACK fn=smack_socket_sock_rcv_skb action=denied subject="app.myapp" object="admin" requested=w pid=0 comm="swapper" saddr=127.0.0.1 src=41798 daddr=127.0.0.1 dest=2

If I execute the same script (/home/root/test.sh) it works fine.

I su^pose I should add some permissions in my adef or sdef file.

So far I was able to port my legacy C app to my module without rebuilding legato, I’d like to avoid it so is there something to add in def files ?

Thanks to anyone who is able to provide any help on that topic.

jyijyi · April 27, 2020, 3:26pm

How about using system() api to run the test.sh?

Kumikomi · April 27, 2020, 3:57pm

Thank you for your answer:
In fact my software run the same command by “system()” I had this issue. I tried to find the easiest setup to reproduce it so I published the test.sh.
The result is the same. If I run my legacy app as root, it works, if I run it in myapp context it fails.

jyijyi · April 28, 2020, 12:34am

Not sure if this is same issue

Seems related to SMACK issue, you can give a try by adding:
iptables -I INPUT -j ACCEPT
xattr set ‘security.SMACK64’ ‘app.myapp’ /usr/bin/ssh

maybe you also need to change for security.SMACK64EXEC,security.SMACK64IPIN or security.SMACK64IPOUT

Kumikomi · April 28, 2020, 8:40am

Hello, thanks again for your time:

I tried iptables, I was able to add the rule.
I tried to add smack extended attribute but I had this message:

xattr set ‘security.SMACK64’ ‘app.myapp’ /usr/bin/ssh
Could not set extended attribute. Read-only file system

In the mean time, I’m trying to understand how smack is working.
As it is complaining for subject=“app.myapp” object=“admin” requested=w

I tried to have a look on my app permissions :

root@swi-mdm9x28-wp:~# grep "^app.myapp" /legato/smack/load2 
app.myapp dev.18 r
app.myapp dev.19 r
app.myapp dev.15 r
app.myapp dev.13 rw
app.myapp app.modemService rwx
app.myapp _ rwx
app.myapp syslog w
app.myapp framework rwx
app.myapp app.myapprwx rwx
app.myapp app.myapprw rw
app.myapp app.myapprx rx
app.myapp app.myappr r
app.myapp app.myappwx wx
app.myapp app.myappw w
app.myapp app.myappx x

An I expected, I didn’t find any admin w.
I did the opposite: find “admin w” applications:

root@swi-mdm9x28-wp:~# grep "admin w" /legato/smack/load2 
app.secStore admin w
app.powerMgr admin w
app.dataConnectionService admin w
app.avcService admin w

And I tried my script in one of these app context.

app runProc dataConnectionService --exe=/home/root/test.sh

And everything goes well on my computer:

kumikomi@laptop:~/project/myapp$ ssh -p 60000 root@localhost
root@swi-mdm9x28-wp:~#

So my point becomes : how to add “app.myapp admin w” in smack rules without rebuilding everything.

Any clue ?
Thanks

jyijyi · April 28, 2020, 10:15am

Then that is easy, you can create same application as powerMgr.
Or you can use the one attached here:
smacktest.rar (11.7 KB)

I guess it is because the Legato Supervisor and Update Daemon is given the label, “admin” to those application you listed above.
Here says Supervisor is binding to these API:

Kumikomi · April 28, 2020, 5:31pm

Hello,

I tried the smacktest.rar : my board was endlessly rebooting until it reverts to previous state.
I noticed in logs that the reboot was because there were already an app providing same service.
I renamed all services by adding an X and the end e.g. le_pmX etc…:
smacktest.tgz (13.4 KB)

It was starting without rebooting but still the same issue.

I did the simplest sources that reproduces the issue :
stest.tgz (593 Bytes)

no script, one c source, using system().
two #define to change for user name and password
The command sent to system() is logged.

when I start the app (app start stest)
If I use the ssh -p 60000 root@localhost on my computer, I’ve the error
If I stop the app and I use command send to system as root, then it works.

I’ve tried in that app to add framework and kernelModule : I had the same error.

I read a lot on smack but any command I found in the web to add rules are not available on legato. So only adef, sdef and cdef seems to be availabe : I’d like to avoid going to yocto

Thanks a lot for your time.

Kumikomi · April 29, 2020, 7:22pm

Still not working and not able to create my tunnel.
I’m looking for alternate solutions:

Doe’s someone have an idea either to add an /etc/init.d script without building everything ?
having a sudo like to allow an user (apllcation user) to execute some stuff as root ?
totally disable smack ?

better thing would be to give “admin w” permission to my app.

jyijyi · April 29, 2020, 11:48pm

Disable smack:

Init script modification:

Kumikomi · May 1, 2020, 9:40am

Hello,

Finally it works

I investigate in legato build first because it was less invasive that rebuilding kernel.
I followed instruction to build legato and update my board: success.

So add admin right to an application, go to

framework/daemons/linux/supervisor/app.c

find

frameworkAppList

and add your app name in this list.

In the if following if condition add the needed smack rule.

else if (0 == strcmp(frameworkAppList[i], "app.myapp"))
{
    smack_SetRule(frameworkAppList[i], "w", "admin");
 }

By doing that, I had my ssh tunnel.

My next step will be to provide a clean sshTunel.api in my custom framework.

thanks @jyijyi for your time and the help you provided.
It will be a pleasure for me to help anyone who’ll face the same kind of issues.

Kalai · July 16, 2021, 12:12pm

Hi,
For ssh tunneling i have tried the steps as mentioned above i.e, added the smack rule for my project , but still facing the same issue
ssh_exchange_identification: Connection closed by remote host
Jan 1 06:15:46 swi-mdm9x28-wp user.notice kernel: [ 2743.493447] audit: type=1400 audit(2746.709:11): lsm=SMACK fn=smk_ipv6_check action=denied subject=“app.Network1” object=“admin” requested=w pid=8571 comm=“ssh” daddr=::1 dest=5632
Jan 1 06:15:46 swi-mdm9x28-wp user.notice kernel: [ 2743.494277] audit: type=1400 audit(2746.709:12): lsm=SMACK fn=smack_socket_sock_rcv_skb action=denied subject=“app.Network1” object=“admin” requested=w pid=8571 comm=“ssh” saddr=127.0.0.1 src=42944 daddr=127.0.0.1 dest=22 ne
Jan 1 06:15:47 swi-mdm9x28-wp user.notice kernel: [ 2744.491195] audit: type=1400 audit(2747.709:13): lsm=SMACK fn=smack_socket_sock_rcv_skb action=denied subject=“app.Network1” object=“admin” requested=w pid=3 comm=“ksoftirqd/0” saddr=127.0.0.1 src=42944 daddr=127.0.0.1 dest=

jyijyi · July 17, 2021, 11:13am

how do you modify framework/daemons/linux/supervisor/app.c?

You can also add your script in one of these admin application and rebuild the legato.cwe:

root@swi-mdm9x28-wp:~# grep “admin w” /legato/smack/load2
app.secStore admin w
app.powerMgr admin w
app.dataConnectionService admin w
app.avcService admin w

dave-k · August 26, 2021, 6:45pm

We have the same issue of needing to create an SSH tunnel from within our application (in our case a reverse tunnel but I assume the fix is the same). Where do we find framework/daemons/linux/supervisor/app.c? (we’re using Legato framework ver. 19.2.0 on a WP76xx).

dave-k · August 26, 2021, 7:00pm

Found it, please disregard

dave-k · October 6, 2021, 7:20pm

Just getting back into this after getting sidelined for a bit and we’ve found and edited the relevant section in the app.c file, but we’re having an issue now with building Legato after making the change. Build is failing when we issue the command “make” from the $LEGATO_ROOT directory:

make[2]: *** No rule to make target ‘/home/dave-k/.leaf/wp76-legato_19.11.2-202005290654/platformAdaptor/qmi/bin/localhost/components/le_pa_start/libComponent_le_pa_start.so’, needed by ‘/home/dave-k/.leaf/wp76-legato_19.11.2-202005290654/build/localhost/framework/lib/libComponent_le_pa_start.so’. Stop.
make[2]: Leaving directory ‘/home/dave-k/.leaf/wp76-legato_19.11.2-202005290654’
Makefile:535: recipe for target ‘framework’ failed
make[1]: *** [framework] Error 2
make[1]: Leaving directory ‘/home/dave-k/.leaf/wp76-legato_19.11.2-202005290654’
Makefile:459: recipe for target ‘default’ failed
make: *** [default] Error 2

When we use “make wp76xx” it still fails but with a different error:

Makefile.targetTools:107: recipe for target ‘/home/dave-k/.leaf/wp76-legato_19.11.2-202005290654/build/wp76xx/framework/lib/libjansson.so’ failed
make[2]: *** [/home/dave-k/.leaf/wp76-legato_19.11.2-202005290654/build/wp76xx/framework/lib/libjansson.so] Error 127
make[2]: Leaving directory ‘/home/dave-k/.leaf/wp76-legato_19.11.2-202005290654’
Makefile.framework:249: recipe for target ‘targetTools’ failed
make[1]: *** [targetTools] Error 2
make[1]: Leaving directory ‘/home/dave-k/.leaf/wp76-legato_19.11.2-202005290654’
Makefile:535: recipe for target ‘framework’ failed
make: *** [framework] Error 2

We’re using the most recent stable Legato release for the WP76xx. Any idea what the issue could be?

jyijyi · October 6, 2021, 7:25pm

How about do a "make clean"first

dave-k · October 6, 2021, 7:43pm

Makes no difference, fails with the same errors.

jyijyi · October 6, 2021, 8:50pm

Is that you compile in “leaf shell”

dave-k · October 6, 2021, 9:09pm

Yes, I thought that was the correct way:

(lsh:profile1) dave-k@davek-HP-ProBook-640-G1:~/leafSept29/leaf-data/profile1/wp76-legato$ make

(lsh:profile1) dave-k@davek-HP-ProBook-640-G1:~/leafSept29/leaf-data/profile1/wp76-legato$ make wp76xx

(I’m not sure what the difference is between make by itself vs with a target type specified, maybe it builds for multiple targets when none is specified?)

Outside of the shell I get different errors:

dave-k@davek-HP-ProBook-640-G1:~/leafSept29/leaf-data/profile1/wp76-legato$ make

/home/dave-k/.leaf/wp76-legato_19.11.2-202005290654/framework/daemons/linux/common/ima.c:24:10: fatal error: openssl/x509.h: No such file or directory
#include <openssl/x509.h>
^~~~~~~~~~~~~~~~

jyijyi · October 7, 2021, 1:17am

you need to install cmake.


sudo apt-get install cmake
make clean
make wp76xx

Topic		Replies	Views
Permission denied with the httpServer example Legato Application Framework	5	3994	August 9, 2017
HttpGet(sample code) don't work on WP7605. "failed to read /etc/resolv.conf: Permission denied" Legato Application Framework	2	343	September 1, 2022
Resolving DNS Permission Denied [FX30] Legato Application Framework	1	335	November 16, 2020
Sandboxed app can't listen on a high-numbered port	1	674	August 9, 2017
Legato legacy App - Directory permissions Legato Application Framework	5	1228	April 3, 2018

Ssh tunnel : permission denied

Related topics