Request auto-connect network-control or network-observe for Security Bear

Security Bear is software that grants an easy way for devices to manage and connect first time to WiFi.

Example: The embedded devices come out of the factory with this software pre-installed. User opens hotspot with the default name and password of the software for first-time connection with the device. After the device is connected to the hotspot the user update both First priority and Second priority WiFi names and password, default name and password are deleted (for security reasons) as they were stored in First priority.

The user is connected to his desired WiFi and has a way to connect to the device in case there is a connection problem (like Second priority WiFi changed the password without updating the software beforehand).

I am using ip route to get the default gateway of the device Example:

$ ip route
default via dev wlx20e6170b190c proto dhcp metric 600 dev mpqemubr0 proto kernel scope link src linkdown dev wlx20e6170b190c scope link metric 1000 dev docker0 proto kernel scope link src linkdown dev wlx20e6170b190c proto kernel scope link src metric 600 

I take the line of the result that contains the word default and take the IP from that line. Then I run another command

hostname -I 

And compare the IPs to the default gateway IP from the last command (without last number).

And this way I find the current device IP.

In this example the correct result is

Snappy debug:

me@me-comp:~$ scanlog
INFO: Following '/var/log/syslog'. If have dropped messages, use:
INFO: $ sudo journalctl --output=short --follow --all | sudo snappy-debug

= AppArmor =
Time: Dec 30 20:30:30
Log: apparmor="DENIED" operation="exec" profile="" name="/usr/bin/ip" pid=20181 comm="DartWorker" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
File: /usr/bin/ip (exec)
* adjust snap to ship 'ip'
* adjust program to use relative paths if the snap already ships 'ip'
* add one of 'network-control, network-observe' to 'plugs'

= AppArmor =
Time: Dec 30 20:30:30
Log: apparmor="DENIED" operation="open" profile="" name="/proc/sys/vm/max_map_count" pid=20185 comm="Security-Bear" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
File: /proc/sys/vm/max_map_count (read)
* adjust program to not access '@{PROC}/sys/vm/max_map_count'

= Seccomp =
Time: Dec 30 19:06:39
Log: auid=4294967295 uid=0 gid=0 ses=4294967295 pid=8667 comm="nmcli" exe="/snap/security-bear/52/usr/bin/nmcli" sig=0 arch=c000003e 314(sched_setattr) compat=0 ip=0x7f0c3636389d code=0x50000
Syscall: sched_setattr
* add 'process-control' to 'plugs'

Error in my code: ProcessException: Permission denied for Command: ip route

2021-12-30T20:13:21+02:00[17443]: Unhandled exception:
2021-12-30T20:13:21+02:00[17443]: ProcessException: Permission denied
2021-12-30T20:13:21+02:00[17443]:   Command: ip route
2021-12-30T20:13:21+02:00[17443]: #0      _ProcessImpl._start (dart:io-patch/process_patch.dart:390)
2021-12-30T20:13:21+02:00[17443]: #1      Process.start (dart:io-patch/process_patch.dart:36)
2021-12-30T20:13:21+02:00[17443]: #2      _runNonInteractiveProcess (dart:io-patch/process_patch.dart:565)
2021-12-30T20:13:21+02:00[17443]: #3 (dart:io-patch/process_patch.dart:47)
2021-12-30T20:13:21+02:00[17443]: #4      NetworkActions.getDefaultGateway (package:security_bear/features/security_bear/application/usecases/network_actions/network_actions.dart:226)
2021-12-30T20:13:21+02:00[17443]: #5      NetworkActions.connectToAdminWhenExist (package:security_bear/features/security_bear/application/usecases/network_actions/network_actions.dart:78)
2021-12-30T20:13:21+02:00[17443]: <asynchronous suspension>
2021-12-30T20:13:21+02:00[17443]: #6      SecurityBearManagerU.manegeNetworkConnection (package:security_bear/features/security_bear/application/usecases/core_u/security_bear_manager.dart:38)
2021-12-30T20:13:21+02:00[17443]: <asynchronous suspension>
2021-12-30T20:13:21+02:00 systemd[1]: Main process exited, code=exited, status=255/EXCEPTION
2021-12-30T20:13:21+02:00 systemd[1]: Failed with result 'exit-code'.
2021-12-30T20:13:21+02:00 systemd[1]: Scheduled restart job, restart counter is at 6.
2021-12-30T20:13:21+02:00 systemd[1]: Stopped Service for snap application
2021-12-30T20:13:21+02:00 systemd[1]: Start request repeated too quickly.
2021-12-30T20:13:21+02:00 systemd[1]: Failed with result 'exit-code'.
2021-12-30T20:13:21+02:00 systemd[1]: Failed to start Service for snap application

In this case, network-observe can achieve the required function but provides less authority to applications than network-control - so as per the principle of least authority, this would be the more appropriate interface to use in this case.

+1 from me for auto-connect of network-observe for security-bear.

1 Like

+1 from me as well to auto-connect network-observe to security-bear since its enough to run the ip command and yet is less privileged than the -control one. +2 votes for, 0 votes against, granting auto-connect of network-observe to security-bear. This is now live.

1 Like