Ssh tunnel : permission denied

Not sure if this is the same issue.

Seems related to a SMACK issue; you can give it a try by adding:
iptables -I INPUT -j ACCEPT
xattr set 'security.SMACK64' 'app.myapp' /usr/bin/ssh

Maybe you also need to change security.SMACK64EXEC, security.SMACK64IPIN or security.SMACK64IPOUT.

Hello, thanks again for your time:

I tried iptables; I was able to add the rule.
I tried to add the smack extended attribute but I got this message:

xattr set 'security.SMACK64' 'app.myapp' /usr/bin/ssh
Could not set extended attribute. Read-only file system

In the meantime, I'm trying to understand how smack is working.
It is complaining about subject="app.myapp" object="admin" requested=w.

I tried to have a look at my app permissions:

root@swi-mdm9x28-wp:~# grep "^app.myapp" /legato/smack/load2 
app.myapp dev.18 r
app.myapp dev.19 r
app.myapp dev.15 r
app.myapp dev.13 rw
app.myapp app.modemService rwx
app.myapp _ rwx
app.myapp syslog w
app.myapp framework rwx
app.myapp app.myapprwx rwx
app.myapp app.myapprw rw
app.myapp app.myapprx rx
app.myapp app.myappr r
app.myapp app.myappwx wx
app.myapp app.myappw w
app.myapp app.myappx x

As I expected, I didn't find any admin w.
I did the opposite: find the "admin w" applications:

root@swi-mdm9x28-wp:~# grep "admin w" /legato/smack/load2 
app.secStore admin w
app.powerMgr admin w
app.dataConnectionService admin w
app.avcService admin w

And I tried my script in the context of one of these apps.

app runProc dataConnectionService --exe=/home/root/test.sh

And everything goes well on my computer:

kumikomi@laptop:~/project/myapp$ ssh -p 60000 root@localhost
root@swi-mdm9x28-wp:~# 

So my point becomes: how to add "app.myapp admin w" to the smack rules without rebuilding everything.

Any clue?
Thanks
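As an added example (not code from any post in this thread), a small Python checker for the diagnosis done above: it parses /legato/smack/load2 rule lines and a SMACK audit denial like the one quoted, applies the explicit rule plus SMACK's built-in self/star/floor rules, and reports the rule line that would satisfy the denied request. The rule lines and audit line it embeds are constructed samples in the formats shown in this post, not a dump from a real device.

```python
import re

# Constructed sample in the "subject object access" format of /legato/smack/load2 (not a real dump).
SAMPLE_RULES = """\
app.myapp _ rwx
app.myapp framework rwx
app.myapp syslog w
app.dataConnectionService admin w
"""

# Constructed audit line in the shape of the SMACK denial the post describes.
SAMPLE_DENIAL = ('audit: type=1400 audit(2746.709:11): lsm=SMACK fn=smk_ipv6_check '
                 'action=denied subject="app.myapp" object="admin" requested=w '
                 'pid=8571 comm="ssh"')

DENIAL_RE = re.compile(r'lsm=SMACK\b.*?action=denied\b.*?subject="([^"]+)"\s+'
                       r'object="([^"]+)"\s+requested=([rwxatbl]+)')

def parse_rules(text):
    """Map (subject, object) -> set of access letters from load2-style lines."""
    rules = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        subject, obj, access = parts
        rules.setdefault((subject, obj), set()).update(access.replace('-', ''))
    return rules

def parse_denial(line):
    """Return (subject, object, requested-access set) from an audit denial, or None."""
    m = DENIAL_RE.search(line)
    return (m.group(1), m.group(2), set(m.group(3))) if m else None

def granted_access(rules, subject, obj):
    """Explicit rule plus the SMACK built-in rules relevant to this check."""
    access = set(rules.get((subject, obj), ()))
    if subject == obj or obj == '*':  # self access; star object is open to all
        access |= set('rwxat')
    if obj == '_':                    # floor object: everyone may read/execute
        access |= set('rx')
    return access

def suggested_rule(rules, denial_line):
    """Rule line that would satisfy the denied request, or None if already granted."""
    parsed = parse_denial(denial_line)
    if parsed is None:
        return None
    subject, obj, requested = parsed
    missing = requested - granted_access(rules, subject, obj)
    return f'{subject} {obj} {"".join(sorted(missing))}' if missing else None
```

Feeding it the real load2 contents and a denial copied from the syslog output gives the exact "subject object access" line the policy lacks, which is what the thread ends up adding via smack_SetRule.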

Then that is easy; you can create the same application as powerMgr.
Or you can use the one attached here:
smacktest.rar (11.7 KB)

I guess it is because the Legato Supervisor and Update Daemon give the label "admin" to those applications you listed above.
Here it says the Supervisor is binding to these APIs:

Hello,

I tried the smacktest.rar: my board was endlessly rebooting until it reverted to the previous state.
I noticed in the logs that the reboot was because there was already an app providing the same service.
I renamed all services by adding an X at the end, e.g. le_pmX etc.:
smacktest.tgz (13.4 KB)

It was starting without rebooting but still the same issue.

I did the simplest sources that reproduce the issue:
stest.tgz (593 Bytes)

  • no script, one C source, using system().
  • two #defines to change for user name and password
  • The command sent to system() is logged.

When I start the app (app start stest) and use ssh -p 60000 root@localhost on my computer, I get the error.
If I stop the app and use the command sent to system() as root, then it works.

I've tried adding framework and kernelModule in that app: I had the same error.

I read a lot on smack, but none of the commands I found on the web to add rules are available on Legato. So only adef, sdef and cdef seem to be available: I'd like to avoid going to Yocto :wink:

Thanks a lot for your time.

Still not working and not able to create my tunnel.
I’m looking for alternate solutions:

  • Does someone have an idea of how to add an /etc/init.d script without building everything?
  • having a sudo-like tool to allow a user (application user) to execute some stuff as root?
  • totally disable smack?

The better thing would be to give "admin w" permission to my app.

Disable smack:

Init script modification:

Hello,

Finally it works :slight_smile:

I investigated the Legato build first because it was less invasive than rebuilding the kernel.
I followed the instructions to build Legato and update my board: success.

So, to add admin rights to an application, go to

framework/daemons/linux/supervisor/app.c

find

frameworkAppList

and add your app name in this list.

In the following if condition, add the needed smack rule.

else if (0 == strcmp(frameworkAppList[i], "app.myapp"))
{
    smack_SetRule(frameworkAppList[i], "w", "admin");
}

By doing that, I had my ssh tunnel.

My next step will be to provide a clean sshTunel.api in my custom framework.

thanks @jyijyi for your time and the help you provided.
It will be a pleasure for me to help anyone who’ll face the same kind of issues.

Hi,
For ssh tunneling I have tried the steps as mentioned above, i.e. added the smack rule for my project, but I am still facing the same issue:
ssh_exchange_identification: Connection closed by remote host
Jan 1 06:15:46 swi-mdm9x28-wp user.notice kernel: [ 2743.493447] audit: type=1400 audit(2746.709:11): lsm=SMACK fn=smk_ipv6_check action=denied subject="app.Network1" object="admin" requested=w pid=8571 comm="ssh" daddr=::1 dest=5632
Jan 1 06:15:46 swi-mdm9x28-wp user.notice kernel: [ 2743.494277] audit: type=1400 audit(2746.709:12): lsm=SMACK fn=smack_socket_sock_rcv_skb action=denied subject="app.Network1" object="admin" requested=w pid=8571 comm="ssh" saddr=127.0.0.1 src=42944 daddr=127.0.0.1 dest=22 ne
Jan 1 06:15:47 swi-mdm9x28-wp user.notice kernel: [ 2744.491195] audit: type=1400 audit(2747.709:13): lsm=SMACK fn=smack_socket_sock_rcv_skb action=denied subject="app.Network1" object="admin" requested=w pid=3 comm="ksoftirqd/0" saddr=127.0.0.1 src=42944 daddr=127.0.0.1 dest=

how do you modify framework/daemons/linux/supervisor/app.c?

You can also add your script to one of these admin applications and rebuild the legato.cwe:

root@swi-mdm9x28-wp:~# grep "admin w" /legato/smack/load2
app.secStore admin w
app.powerMgr admin w
app.dataConnectionService admin w
app.avcService admin w

We have the same issue of needing to create an SSH tunnel from within our application (in our case a reverse tunnel but I assume the fix is the same). Where do we find framework/daemons/linux/supervisor/app.c? (we’re using Legato framework ver. 19.2.0 on a WP76xx).

Found it, please disregard

Just getting back into this after getting sidelined for a bit and we’ve found and edited the relevant section in the app.c file, but we’re having an issue now with building Legato after making the change. Build is failing when we issue the command “make” from the $LEGATO_ROOT directory:

make[2]: *** No rule to make target ‘/home/dave-k/.leaf/wp76-legato_19.11.2-202005290654/platformAdaptor/qmi/bin/localhost/components/le_pa_start/libComponent_le_pa_start.so’, needed by ‘/home/dave-k/.leaf/wp76-legato_19.11.2-202005290654/build/localhost/framework/lib/libComponent_le_pa_start.so’. Stop.
make[2]: Leaving directory ‘/home/dave-k/.leaf/wp76-legato_19.11.2-202005290654’
Makefile:535: recipe for target ‘framework’ failed
make[1]: *** [framework] Error 2
make[1]: Leaving directory ‘/home/dave-k/.leaf/wp76-legato_19.11.2-202005290654’
Makefile:459: recipe for target ‘default’ failed
make: *** [default] Error 2

When we use “make wp76xx” it still fails but with a different error:

Makefile.targetTools:107: recipe for target ‘/home/dave-k/.leaf/wp76-legato_19.11.2-202005290654/build/wp76xx/framework/lib/libjansson.so’ failed
make[2]: *** [/home/dave-k/.leaf/wp76-legato_19.11.2-202005290654/build/wp76xx/framework/lib/libjansson.so] Error 127
make[2]: Leaving directory ‘/home/dave-k/.leaf/wp76-legato_19.11.2-202005290654’
Makefile.framework:249: recipe for target ‘targetTools’ failed
make[1]: *** [targetTools] Error 2
make[1]: Leaving directory ‘/home/dave-k/.leaf/wp76-legato_19.11.2-202005290654’
Makefile:535: recipe for target ‘framework’ failed
make: *** [framework] Error 2

We’re using the most recent stable Legato release for the WP76xx. Any idea what the issue could be?

How about doing a "make clean" first?

Makes no difference, fails with the same errors.

Is it that you compile in "leaf shell"?

Yes, I thought that was the correct way:

(lsh:profile1) dave-k@davek-HP-ProBook-640-G1:~/leafSept29/leaf-data/profile1/wp76-legato$ make

(lsh:profile1) dave-k@davek-HP-ProBook-640-G1:~/leafSept29/leaf-data/profile1/wp76-legato$ make wp76xx

(I’m not sure what the difference is between make by itself vs with a target type specified, maybe it builds for multiple targets when none is specified?)

Outside of the shell I get different errors:

dave-k@davek-HP-ProBook-640-G1:~/leafSept29/leaf-data/profile1/wp76-legato$ make

/home/dave-k/.leaf/wp76-legato_19.11.2-202005290654/framework/daemons/linux/common/ima.c:24:10: fatal error: openssl/x509.h: No such file or directory
#include <openssl/x509.h>
^~~~~~~~~~~~~~~~

You need to install cmake.

sudo apt-get install cmake
make clean
make wp76xx

Thanks, that seemed to work other than producing a few warning messages. There’s a lot of output now in ~/.leaf/wp76-legato_20.04.0-202004151904/build/wp76xx including a .update file but I’m not clear what the purpose of all these files is. I’m assuming to update Legato now we just install the .update file but just wanted to confirm that first, that it’s not the legato.cwe file or something else for example?

Also the OP said he “followed instruction to build legato and update my board” - I can’t find this documented anywhere other than in the KConfig section there’s something about configuring Legato but it doesn’t seem to describe the whole process. Is this documented somewhere else? To complete the Legato customizing process now do we just need to install the .update file produced by make wp76xx?

Thanks.

You should install the legato.cwe.

In case you just need the application .update file, you don't need to do "make wp76xx"; you can use VSCode to build your application, and the binary output will be the .update file.

The solution that worked for Kumikomi doesn’t work for us for some reason. So we tried completely disabling SMACK using the menuConfig tool, and with it disabled we lose all internet connectivity. Even pinging doesn’t work. We can establish a cell connection (using cm data connect) so that’s not the issue. Any reason why disabling SMACK would have this effect?