SSH tunnel: permission denied

Hello everyone,

I have an application [myapp] in legacy C coming from another product.
It is not sandboxed, but I have a permission issue when I ask it to make an SSH tunnel.

I was able to reproduce it without any software code:

In /home/root, create a script with 755 permissions:

cd /home/root; export DROPBEAR_PASSWORD="<mypassword>"; /usr/bin/ssh -N -R 60000:localhost:22 <myUser>@

Then run it in the app context:

root@swi-mdm9x28-wp:~# app runProc myapp --exe=/home/root/ 

This script creates an SSH tunnel to allow an SSH connection from my computer ( to my board. To use this tunnel (the tunnel goes from local port 60000 on my computer to port 22 on my board):

<myUser>@MyComputer: ~$ ssh -p 60000 root@localhost

On my computer I get:

ssh_exchange_identification: read: Connection reset by peer

and on my board:

root@swi-mdm9x28-wp:~# logread -f
Apr 27 16:22:03 swi-mdm9x28-wp user.notice kernel: [  492.749500] audit: type=1400 audit(1587997323.133:5): lsm=SMACK fn=smk_ipv6_check action=denied subject="app.myapp" object="admin" requested=w pid=2541 comm="ssh" daddr=::1 dest=5632
Apr 27 16:22:03 swi-mdm9x28-wp user.notice kernel: [  492.752289] audit: type=1400 audit(1587997323.133:6): lsm=SMACK fn=smack_socket_sock_rcv_skb action=denied subject="app.myapp" object="admin" requested=w pid=2541 comm="ssh" saddr= src=41798 daddr= dest=22
Apr 27 16:22:04 swi-mdm9x28-wp user.notice kernel: [  493.752639] audit: type=1400 audit(1587997324.133:7): lsm=SMACK fn=smack_socket_sock_rcv_skb action=denied subject="app.myapp" object="admin" requested=w pid=0 comm="swapper" saddr= src=41798 daddr= dest=2

If I execute the same script (/home/root/ it works fine.

I suppose I should add some permissions in my adef or sdef file.

So far I have been able to port my legacy C app to my module without rebuilding Legato, and I would like to avoid that, so is there something to add in the def files?

Thanks to anyone who is able to provide any help on that topic.

How about using the system() API to run the

Thank you for your answer:
In fact my software runs the same command via system(), and I had this issue there. I tried to find the easiest setup to reproduce it, so I published the
The result is the same. If I run my legacy app as root, it works; if I run it in the myapp context, it fails.

Not sure if this is the same issue

Seems related to a SMACK issue; you can give it a try by adding:
iptables -I INPUT -j ACCEPT
xattr set 'security.SMACK64' 'app.myapp' /usr/bin/ssh

Maybe you also need to change security.SMACK64EXEC, security.SMACK64IPIN or security.SMACK64IPOUT.

Hello, thanks again for your time:

I tried iptables; I was able to add the rule.
I tried to add the SMACK extended attribute, but I got this message:

xattr set 'security.SMACK64' 'app.myapp' /usr/bin/ssh
Could not set extended attribute. Read-only file system

In the meantime, I am trying to understand how SMACK works,
as it is complaining about subject="app.myapp" object="admin" requested=w.

I tried to have a look at my app's permissions:

root@swi-mdm9x28-wp:~# grep "^app.myapp" /legato/smack/load2 
app.myapp dev.18 r
app.myapp dev.19 r
app.myapp dev.15 r
app.myapp dev.13 rw
app.myapp app.modemService rwx
app.myapp _ rwx
app.myapp syslog w
app.myapp framework rwx
app.myapp app.myapprwx rwx
app.myapp app.myapprw rw
app.myapp app.myapprx rx
app.myapp app.myappr r
app.myapp app.myappwx wx
app.myapp app.myappw w
app.myapp app.myappx x

As I expected, I did not find any "admin w".
I did the opposite: find the applications that have "admin w":

root@swi-mdm9x28-wp:~# grep "admin w" /legato/smack/load2 
app.secStore admin w
app.powerMgr admin w
app.dataConnectionService admin w
app.avcService admin w

And I tried my script in one of these app contexts:

app runProc dataConnectionService --exe=/home/root/

And everything goes well on my computer:

kumikomi@laptop:~/project/myapp$ ssh -p 60000 root@localhost

So my question becomes: how to add "app.myapp admin w" to the SMACK rules without rebuilding everything.

Any clue?
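The two grep results in this post are enough to compute the rule that is missing: a SMACK denial names a subject label, an object label and the access letters requested, and each load2 line grants a subject a set of access letters on an object. The script below is an added example, not code from this thread or from Legato. It embeds the logread denial lines and a subset of the load2 rules shown above as constructed samples, parses both, and prints every rule still needed in the "subject object access" form that load2 uses. The regular expression and the access-letter ordering (r, w, x, a, t, l, b) are my assumptions about the log and rule formats shown here.

```python
import re
from collections import defaultdict

# Constructed sample: the SMACK denials that logread printed in this thread,
# plus one unrelated kernel line that the parser must ignore.
SAMPLE_AUDIT = (
    'Apr 27 16:22:03 swi-mdm9x28-wp user.notice kernel: [  492.749500] audit: type=1400 '
    'audit(1587997323.133:5): lsm=SMACK fn=smk_ipv6_check action=denied subject="app.myapp" '
    'object="admin" requested=w pid=2541 comm="ssh" daddr=::1 dest=5632\n'
    'Apr 27 16:22:03 swi-mdm9x28-wp user.notice kernel: [  492.752289] audit: type=1400 '
    'audit(1587997323.133:6): lsm=SMACK fn=smack_socket_sock_rcv_skb action=denied '
    'subject="app.myapp" object="admin" requested=w pid=2541 comm="ssh" saddr= src=41798 daddr= dest=22\n'
    'Apr 27 16:22:05 swi-mdm9x28-wp user.notice kernel: [  494.000000] dropbear[2600]: child connection\n'
)

# Constructed sample: a subset of /legato/smack/load2 as grepped in this thread.
SAMPLE_LOAD2 = """\
app.myapp app.modemService rwx
app.myapp _ rwx
app.myapp syslog w
app.myapp framework rwx
app.dataConnectionService admin w
"""

# Assumed shape of a SMACK audit denial (matches the lines above).
DENIAL_RE = re.compile(
    r'lsm=SMACK\s.*?action=denied\s+subject="([^"]+)"\s+object="([^"]+)"\s+requested=([rwxatlb]+)'
)

# SMACK access letters in the order load2 conventionally lists them (assumption).
ACCESS_ORDER = "rwxatlb"


def parse_denials(audit_text):
    """Return (subject, object, requested) for every SMACK denial line; other lines are skipped."""
    denials = []
    for line in audit_text.splitlines():
        match = DENIAL_RE.search(line)
        if match:
            denials.append(match.groups())
    return denials


def parse_load2(load2_text):
    """Map (subject, object) -> set of granted access letters.

    A '-' in the access field grants nothing, so it is dropped; malformed lines are ignored.
    """
    rules = defaultdict(set)
    for line in load2_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        subject, obj, access = parts
        rules[(subject, obj)] |= set(access.replace("-", ""))
    return rules


def missing_rules(denials, rules):
    """For each denied (subject, object) pair, return the requested letters that no rule grants,
    as ready-to-load 'subject object access' lines (sorted, duplicates merged)."""
    needed = defaultdict(set)
    for subject, obj, requested in denials:
        needed[(subject, obj)] |= set(requested) - rules.get((subject, obj), set())
    lines = []
    for (subject, obj), letters in needed.items():
        if letters:
            access = "".join(c for c in ACCESS_ORDER if c in letters)
            lines.append(f"{subject} {obj} {access}")
    return sorted(lines)


if __name__ == "__main__":
    for rule in missing_rules(parse_denials(SAMPLE_AUDIT), parse_load2(SAMPLE_LOAD2)):
        print(rule)
```

On the thread's data this prints the single line `app.myapp admin w`, which is exactly the rule the original poster later adds through the Supervisor. Feeding the real `logread -f` output and `/legato/smack/load2` to the two parsers gives the same answer for any other denied label pair. Note that a rule loaded into the live smackfs file by root lives only in kernel memory and is gone after a reboot, which is why the persistent fix in this thread ends up in the Legato build.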

Then that is easy: you can create the same kind of application as powerMgr.
Or you can use the one attached here:
smacktest.rar (11.7 KB)

I guess it is because the Legato Supervisor and Update Daemon give the label "admin" to the applications you listed above.
Here it says the Supervisor is binding to these APIs:


I tried the smacktest.rar: my board was endlessly rebooting until it reverted to the previous state.
I noticed in the logs that the reboot was because there was already an app providing the same service.
I renamed all services by adding an X at the end, e.g. le_pmX etc.:
smacktest.tgz (13.4 KB)

It started without rebooting, but still the same issue.

I made the simplest sources that reproduce the issue:
stest.tgz (593 Bytes)

  • no script, one C source, using system().
  • two #defines to change for the user name and password
  • The command sent to system() is logged.

When I start the app (app start stest)
and use ssh -p 60000 root@localhost on my computer, I get the error.
If I stop the app and run the command sent to system() as root, then it works.

I have tried adding framework and kernelModule to that app: I got the same error.

I read a lot about SMACK, but none of the commands I found on the web to add rules are available on Legato. So only adef, sdef and cdef seem to be available: I would like to avoid going to Yocto :wink:

Thanks a lot for your time.

Still not working and still unable to create my tunnel.
I am looking for alternative solutions:

  • Does someone have an idea how to add an /etc/init.d script without building everything?
  • Is there a sudo-like mechanism to allow a user (the application user) to execute some things as root?
  • Totally disable SMACK?

The best thing would be to give the "admin w" permission to my app.

Disable SMACK:

Init script modification:


Finally it works :slight_smile:

I investigated the Legato build first because it was less invasive than rebuilding the kernel.
I followed the instructions to build Legato and update my board: success.

So, to add admin rights to an application, go to




and add your app name to this list.

In the following if condition, add the needed SMACK rule:

else if (0 == strcmp(frameworkAppList[i], "app.myapp"))
    smack_SetRule(frameworkAppList[i], "w", "admin");

By doing that, I got my SSH tunnel.

My next step will be to provide a clean sshTunnel.api in my custom framework.

thanks @jyijyi for your time and the help you provided.
It will be a pleasure for me to help anyone who’ll face the same kind of issues.