I tried iptables, I was able to add the rule.
I tried to add the smack extended attribute but I got this message:
xattr set 'security.SMACK64' 'app.myapp' /usr/bin/ssh
Could not set extended attribute. Read-only file system
In the meantime, I'm trying to understand how smack is working.
As it is complaining for subject="app.myapp" object="admin" requested=w
I tried to have a look at my app's permissions:
root@swi-mdm9x28-wp:~# grep "^app.myapp" /legato/smack/load2
app.myapp dev.18 r
app.myapp dev.19 r
app.myapp dev.15 r
app.myapp dev.13 rw
app.myapp app.modemService rwx
app.myapp _ rwx
app.myapp syslog w
app.myapp framework rwx
app.myapp app.myapprwx rwx
app.myapp app.myapprw rw
app.myapp app.myapprx rx
app.myapp app.myappr r
app.myapp app.myappwx wx
app.myapp app.myappw w
app.myapp app.myappx x
As I expected, I didn't find any "admin w".
I did the opposite: find the "admin w" applications:
root@swi-mdm9x28-wp:~# grep "admin w" /legato/smack/load2
app.secStore admin w
app.powerMgr admin w
app.dataConnectionService admin w
app.avcService admin w
And I tried my script in the context of one of these apps.
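As an added example (not code from this thread, from Legato, or from the kernel), the following POSIX shell script reproduces the access decision behind the denial logged above, subject="app.myapp" object="admin" requested=w, from a rule dump in the "subject object mode" format of /legato/smack/load2. The RULES text is constructed from the rules quoted in this thread; the function names smack_rule_mode, smack_check and smack_who_can are mine. The built-in label semantics (the "*", "^" and "_" labels and the same-label case) follow the kernel's Smack documentation; everything else comes from the loaded rules, which is why only the four listed apps pass the "admin w" check.

```shell
#!/bin/sh
# Added example, not code from the thread or from Legato: evaluate a Smack
# access request against a rule dump in the "subject object mode" format of
# /legato/smack/load2, mirroring the kernel's decision for the denial
# "subject=app.myapp object=admin requested=w" discussed in the thread.

# Constructed rule set: a subset of the rules quoted in this thread.
RULES='app.myapp dev.13 rw
app.myapp app.modemService rwx
app.myapp _ rwx
app.myapp syslog w
app.myapp framework rwx
app.secStore admin w
app.powerMgr admin w
app.dataConnectionService admin w
app.avcService admin w'

# smack_rule_mode SUBJECT OBJECT: print the mode of the matching loaded rule
# (empty if no rule exists for that subject/object pair).
smack_rule_mode() {
    printf '%s\n' "$RULES" | awk -v s="$1" -v o="$2" '$1 == s && $2 == o { print $3; exit }'
}

# smack_check SUBJECT OBJECT REQUESTED: exit 0 only if every requested access
# letter is granted. Built-in label semantics per Documentation/security/Smack.txt:
#   subject "*": always denied       subject "^": r and x permitted
#   object  "*": always permitted    object  "_": r and x permitted
#   same label:  permitted           otherwise: consult the loaded rules
smack_check() {
    subject=$1 object=$2 requested=$3
    [ "$subject" = '*' ] && return 1
    [ "$object" = '*' ] && return 0
    [ "$subject" = "$object" ] && return 0
    allowed=$(smack_rule_mode "$subject" "$object")
    [ "$subject" = '^' ] && allowed="${allowed}rx"
    [ "$object" = '_' ] && allowed="${allowed}rx"
    rest=$requested
    while [ -n "$rest" ]; do
        c=${rest%"${rest#?}"}   # first character of $rest
        rest=${rest#?}          # drop that character
        case "$allowed" in
            *"$c"*) ;;          # this access letter is granted
            *) return 1 ;;      # one missing letter denies the whole request
        esac
    done
    return 0
}

# smack_who_can OBJECT MODE: list the subjects whose loaded rule grants MODE on
# OBJECT (the shell equivalent of the grep "admin w" /legato/smack/load2 query).
smack_who_can() {
    printf '%s\n' "$RULES" | awk -v o="$1" -v m="$2" '$2 == o && index($3, m) { print $1 }'
}

# Stand-alone demo: the request the supervisor denied, and who would pass it.
for s in app.myapp app.powerMgr; do
    if smack_check "$s" admin w; then
        echo "$s admin w: allowed"
    else
        echo "$s admin w: denied"
    fi
done
echo "subjects with w on admin: $(smack_who_can admin w | tr '\n' ' ')"
```

Note that the script only reads a dump; on the device the kernel consults the rules loaded through smackfs, so a rule that is not in load2 is not in effect either, and an app.myapp process cannot grant itself "admin w" from inside its own label.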
Then that is easy: you can create the same application as powerMgr.
Or you can use the one attached here: smacktest.rar (11.7 KB)
I guess it is because the Legato Supervisor and Update Daemon give the label "admin" to those applications you listed above.
Here it says the Supervisor is binding to these APIs:
I tried the smacktest.rar: my board was endlessly rebooting until it reverted to the previous state.
I noticed in the logs that the reboot was because there was already an app providing the same service.
I renamed all services by adding an X at the end, e.g. le_pmX etc.: smacktest.tgz (13.4 KB)
It was starting without rebooting but still had the same issue.
I made the simplest source that reproduces the issue: stest.tgz (593 Bytes)
no script, one C source, using system().
two #defines to change for user name and password
The command sent to system() is logged.
When I start the app (app start stest)
and use ssh -p 60000 root@localhost on my computer, I get the error.
If I stop the app and I use the command sent to system() as root, then it works.
I've tried adding framework and kernelModule to that app: I had the same error.
I read a lot on smack but none of the commands I found on the web to add rules are available on Legato. So only adef, sdef and cdef seem to be available: I'd like to avoid going to Yocto.
I investigated in the Legato build first because it was less invasive than rebuilding the kernel.
I followed instruction to build legato and update my board: success.
So to add admin rights to an application, go to
framework/daemons/linux/supervisor/app.c
find
frameworkAppList
and add your app name to this list.
In the if condition that follows, add the needed smack rule.
how do you modify framework/daemons/linux/supervisor/app.c?
You can also add your script in one of these admin application and rebuild the legato.cwe:
root@swi-mdm9x28-wp:~# grep "admin w" /legato/smack/load2
app.secStore admin w
app.powerMgr admin w
app.dataConnectionService admin w
app.avcService admin w
We have the same issue of needing to create an SSH tunnel from within our application (in our case a reverse tunnel but I assume the fix is the same). Where do we find framework/daemons/linux/supervisor/app.c? (we’re using Legato framework ver. 19.2.0 on a WP76xx).
Just getting back into this after getting sidelined for a bit. We've found and edited the relevant section in the app.c file, but we're having an issue now with building Legato after making the change. The build is failing when we issue the command "make" from the $LEGATO_ROOT directory:
make[2]: *** No rule to make target '/home/dave-k/.leaf/wp76-legato_19.11.2-202005290654/platformAdaptor/qmi/bin/localhost/components/le_pa_start/libComponent_le_pa_start.so', needed by '/home/dave-k/.leaf/wp76-legato_19.11.2-202005290654/build/localhost/framework/lib/libComponent_le_pa_start.so'. Stop.
make[2]: Leaving directory '/home/dave-k/.leaf/wp76-legato_19.11.2-202005290654'
Makefile:535: recipe for target 'framework' failed
make[1]: *** [framework] Error 2
make[1]: Leaving directory '/home/dave-k/.leaf/wp76-legato_19.11.2-202005290654'
Makefile:459: recipe for target 'default' failed
make: *** [default] Error 2
When we use "make wp76xx" it still fails but with a different error:
(lsh:profile1) dave-k@davek-HP-ProBook-640-G1:~/leafSept29/leaf-data/profile1/wp76-legato$ make
(lsh:profile1) dave-k@davek-HP-ProBook-640-G1:~/leafSept29/leaf-data/profile1/wp76-legato$ make wp76xx
(I’m not sure what the difference is between make by itself vs with a target type specified, maybe it builds for multiple targets when none is specified?)
Outside of the shell I get different errors:
dave-k@davek-HP-ProBook-640-G1:~/leafSept29/leaf-data/profile1/wp76-legato$ make
/home/dave-k/.leaf/wp76-legato_19.11.2-202005290654/framework/daemons/linux/common/ima.c:24:10: fatal error: openssl/x509.h: No such file or directory #include <openssl/x509.h>
^~~~~~~~~~~~~~~~
Thanks, that seemed to work other than producing a few warning messages. There’s a lot of output now in ~/.leaf/wp76-legato_20.04.0-202004151904/build/wp76xx including a .update file but I’m not clear what the purpose of all these files is. I’m assuming to update Legato now we just install the .update file but just wanted to confirm that first, that it’s not the legato.cwe file or something else for example?
Also the OP said he “followed instruction to build legato and update my board” - I can’t find this documented anywhere other than in the KConfig section there’s something about configuring Legato but it doesn’t seem to describe the whole process. Is this documented somewhere else? To complete the Legato customizing process now do we just need to install the .update file produced by make wp76xx?
In case you just need the application .update file, you don't need to do "make wp76xx"; you can use VSCode to build your application, and the binary output will be the .update file.
The solution that worked for Kumikomi doesn’t work for us for some reason. So we tried completely disabling SMACK using the menuConfig tool, and with it disabled we lose all internet connectivity. Even pinging doesn’t work. We can establish a cell connection (using cm data connect) so that’s not the issue. Any reason why disabling SMACK would have this effect?