AppArmor denies bind UNIX socket to address

Hello,

I am trying to build a strictly confined snap for srsRAN, an open-source network, radio and UE (cellphone) simulator. Among other things, this software creates a UNIX process and binds it to an address. Unfortunately, AppArmor denies this bind action. Can you please advise on what I should do with this issue?

Here is the content of the snapcraft.yaml file:

name: srsran
base: core20
version: '22.04.1'
summary: srsRAN is a 4G/5G software radio suite developed by SRS.
description: srsRAN is a 4G/5G software radio suite developed by SRS.

grade: devel
confinement: strict

apps:
  srsepc:
    command: usr/local/bin/srsepc
    plugs:
      - home
      - network
      - network-bind
      - network-control

parts:

  srsran:
    plugin: cmake
    source: https://github.com/srsRAN/srsRAN.git
    source-type: git
    source-tag: release_22_04_1
    build-packages:
      - build-essential
      - cmake
      - libfftw3-dev
      - libmbedtls-dev
      - libboost-program-options-dev
      - libconfig++-dev
      - libsctp-dev
    stage-packages:
      - libboost-program-options1.71.0
      - libconfig++9v5
      - libfftw3-single3
      - libmbedcrypto3
      - libsctp1

Logs taken from syslog:

Oct 18 21:09:33 alert-firebrat kernel: [103995.593067] audit: type=1400 audit(1666127373.616:521): apparmor="DENIED" operation="bind" profile="snap.srsran.srsepc" pid=10838 comm="srsepc" family="unix" sock_type="dgram" protocol=0 requested_mask="bind" denied_mask="bind" addr="@6D6D655F73313100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"

Here is the upstream source code and line where the binding action is called: https://github.com/srsran/srsRAN/blob/master/srsepc/src/mme/mme_gtpc.cc#L77

1 Like