SSH tunnel: permission denied

Hello everyone,

I’ve an application [myapp] in legacy C coming from another product.
It’s not sandboxed but I’ve a permission issue when I ask it to make an ssh tunnel.

I was able to reproduce it without any software code:

In /home/root, create a test.sh script with 755 permissions:

#!/bin/sh
cd /home/root; export DROPBEAR_PASSWORD="<mypassword>"; /usr/bin/ssh -N -R 60000:localhost:22 <myUser>@192.168.2.3

Then run it in the app context:

root@swi-mdm9x28-wp:~# app runProc myapp --exe=/home/root/test.sh 

This script creates an ssh tunnel to allow an ssh connection from my computer (192.168.2.3) to my board. To use this tunnel (the tunnel is created from my computer’s local port 60000 to my board’s port 22):

<myUser>@MyComputer: ~$ ssh -p 60000 root@localhost

On my computer I’ve :

ssh_exchange_identification: read: Connection reset by peer

and on my board:

root@swi-mdm9x28-wp:~# logread -f
Apr 27 16:22:03 swi-mdm9x28-wp user.notice kernel: [  492.749500] audit: type=1400 audit(1587997323.133:5): lsm=SMACK fn=smk_ipv6_check action=denied subject="app.myapp" object="admin" requested=w pid=2541 comm="ssh" daddr=::1 dest=5632
Apr 27 16:22:03 swi-mdm9x28-wp user.notice kernel: [  492.752289] audit: type=1400 audit(1587997323.133:6): lsm=SMACK fn=smack_socket_sock_rcv_skb action=denied subject="app.myapp" object="admin" requested=w pid=2541 comm="ssh" saddr=127.0.0.1 src=41798 daddr=127.0.0.1 dest=22
Apr 27 16:22:04 swi-mdm9x28-wp user.notice kernel: [  493.752639] audit: type=1400 audit(1587997324.133:7): lsm=SMACK fn=smack_socket_sock_rcv_skb action=denied subject="app.myapp" object="admin" requested=w pid=0 comm="swapper" saddr=127.0.0.1 src=41798 daddr=127.0.0.1 dest=2

If I execute the same script (/home/root/test.sh) it works fine.

I suppose I should add some permissions in my adef or sdef file.

So far I was able to port my legacy C app to my module without rebuilding Legato; I’d like to avoid that, so is there something to add in the def files?

Thanks to anyone who is able to provide any help on that topic.

How about using system() api to run the test.sh?

Thank you for your answer:
In fact my software runs the same command via “system()” and I had this issue. I tried to find the easiest setup to reproduce it, so I published the test.sh.
The result is the same. If I run my legacy app as root, it works; if I run it in the myapp context, it fails.

Not sure if this is same issue

Seems related to a SMACK issue; you can give it a try by adding:
iptables -I INPUT -j ACCEPT
xattr set 'security.SMACK64' 'app.myapp' /usr/bin/ssh

https://docs.legato.io/latest/conceptsSecuritySmack.html

Maybe you also need to change security.SMACK64EXEC, security.SMACK64IPIN or security.SMACK64IPOUT.

Hello, thanks again for your time:

I tried iptables; I was able to add the rule.
I tried to add the SMACK extended attribute but I had this message:

xattr set 'security.SMACK64' 'app.myapp' /usr/bin/ssh
Could not set extended attribute. Read-only file system

In the meantime, I’m trying to understand how SMACK is working.
As it is complaining about subject="app.myapp" object="admin" requested=w,
I tried to have a look at my app permissions:

root@swi-mdm9x28-wp:~# grep "^app.myapp" /legato/smack/load2 
app.myapp dev.18 r
app.myapp dev.19 r
app.myapp dev.15 r
app.myapp dev.13 rw
app.myapp app.modemService rwx
app.myapp _ rwx
app.myapp syslog w
app.myapp framework rwx
app.myapp app.myapprwx rwx
app.myapp app.myapprw rw
app.myapp app.myapprx rx
app.myapp app.myappr r
app.myapp app.myappwx wx
app.myapp app.myappw w
app.myapp app.myappx x

As I expected, I didn’t find any admin w.
I did the opposite and looked for applications with “admin w”:

root@swi-mdm9x28-wp:~# grep "admin w" /legato/smack/load2 
app.secStore admin w
app.powerMgr admin w
app.dataConnectionService admin w
app.avcService admin w

And I tried my script in one of these app contexts:

app runProc dataConnectionService --exe=/home/root/test.sh

And everything goes well on my computer:

kumikomi@laptop:~/project/myapp$ ssh -p 60000 root@localhost
root@swi-mdm9x28-wp:~# 

So my point becomes: how to add “app.myapp admin w” to the SMACK rules without rebuilding everything.

Any clue ?
Thanks
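To make the diagnosis above repeatable, here is an added example (not code from the thread or from Legato) that parses the SMACK denial lines from logread and the subject/object/access triples from /legato/smack/load2, then reports which rule is missing. The audit lines and the load2 excerpt are constructed from the ones quoted in this thread; the script only compares explicit rules and does not model SMACK’s built-in label semantics (e.g. the `_` floor label).

```python
import re

# Constructed sample, modelled on the audit lines quoted in the thread
AUDIT_LINES = [
    'audit: type=1400 audit(1587997323.133:5): lsm=SMACK fn=smk_ipv6_check '
    'action=denied subject="app.myapp" object="admin" requested=w pid=2541 comm="ssh"',
    'audit: type=1400 audit(1587997323.133:6): lsm=SMACK fn=smack_socket_sock_rcv_skb '
    'action=denied subject="app.myapp" object="admin" requested=w pid=2541 comm="ssh"',
    'Apr 27 16:22:05 swi-mdm9x28-wp user.notice unrelated: nothing to see here',
]

# Constructed excerpt of /legato/smack/load2: one "subject object access" per line
LOAD2 = """app.myapp _ rwx
app.myapp syslog w
app.myapp framework rwx
app.dataConnectionService admin w
"""

# Only SMACK denials carry subject/object/requested in this form
DENIAL_RE = re.compile(
    r'lsm=SMACK .*?action=denied subject="([^"]+)" object="([^"]+)" requested=(\w+)')


def parse_denials(lines):
    """Return (subject, object, requested) for every SMACK denial line."""
    found = []
    for line in lines:
        m = DENIAL_RE.search(line)
        if m:
            found.append((m.group(1), m.group(2), m.group(3)))
    return found


def parse_load2(text):
    """Map (subject, object) -> set of granted access characters (r, w, x, ...)."""
    rules = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:      # skip blank or malformed lines
            continue
        subject, obj, access = parts
        rules.setdefault((subject, obj), set()).update(access)
    return rules


def missing_rules(denials, rules):
    """Rules, in load2 format, that would satisfy the denials but are not loaded."""
    needed = {}
    for subject, obj, requested in denials:
        lacking = set(requested) - rules.get((subject, obj), set())
        if lacking:
            needed.setdefault((subject, obj), set()).update(lacking)
    return sorted(f"{s} {o} {''.join(sorted(a))}" for (s, o), a in needed.items())
```

Running `missing_rules(parse_denials(AUDIT_LINES), parse_load2(LOAD2))` yields the single rule `app.myapp admin w`, matching what the grep above found by hand.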

Then that is easy, you can create the same application as powerMgr.
Or you can use the one attached here:
smacktest.rar (11.7 KB)

I guess it is because the Legato Supervisor and Update Daemon is given the label “admin” for those applications you listed above.
Here it says the Supervisor is binding to these APIs:
https://docs.legato.io/latest/legatoServicesSupervisor.html

Hello,

I tried the smacktest.rar: my board was endlessly rebooting until it reverted to the previous state.
I noticed in the logs that the reboot was because there was already an app providing the same service.
I renamed all services by adding an X at the end, e.g. le_pmX etc.:
smacktest.tgz (13.4 KB)

It was starting without rebooting but still the same issue.

I made the simplest source that reproduces the issue:
stest.tgz (593 Bytes)

  • no script, one C source, using system().
  • two #defines to change for user name and password.
  • The command sent to system() is logged.

When I start the app (app start stest) and use ssh -p 60000 root@localhost on my computer, I have the error.
If I stop the app and run the command sent to system() as root, then it works.

I’ve tried adding framework and kernelModule in that app: I had the same error.

I read a lot on SMACK, but none of the commands I found on the web to add rules are available on Legato. So only adef, sdef and cdef seem to be available: I’d like to avoid going to Yocto :wink:

Thanks a lot for your time.

Still not working and not able to create my tunnel.
I’m looking for alternate solutions:

  • Does someone have an idea how to add an /etc/init.d script without building everything?
  • Having a sudo-like tool to allow a user (the application user) to execute some stuff as root?
  • Totally disabling SMACK?

The better thing would be to give “admin w” permission to my app.

Disable smack:

Init script modification:

Hello,

Finally it works :slight_smile:

I investigated the Legato build first because it was less invasive than rebuilding the kernel.
I followed the instructions to build Legato and update my board: success.

So to add admin rights to an application, go to

framework/daemons/linux/supervisor/app.c

find

frameworkAppList

and add your app name in this list.

In the following if condition, add the needed SMACK rule.

else if (0 == strcmp(frameworkAppList[i], "app.myapp"))
{
    /* grant app.myapp write access to the "admin" label */
    smack_SetRule(frameworkAppList[i], "w", "admin");
}

By doing that, I had my ssh tunnel.

My next step will be to provide a clean sshTunel.api in my custom framework.

Thanks @jyijyi for your time and the help you provided.
It will be a pleasure for me to help anyone who’ll face the same kind of issues.