Rfcat : request for classic confinement

phocean · July 7, 2019, 2:56am

Hello,

I request a classic confinement for packaging the rfcat application.

rfcat is basically a modulate/demodulate radio signals, using dedicated USB dongles (like Yard Stick One).

In devmode, it works without issue.

In strict mode, it segfaults. In the trace bellow, you can see when the USB dongle is inserted and then rfcat launched.
There is no DENIED from Apparmor, and libusb crashes.

[203152.631594] usb 1-1: new full-speed USB device number 103 using xhci_hcd
[203152.780731] usb 1-1: config 1 descriptor has 1 excess byte, ignoring
[203152.782293] usb 1-1: New USB device found, idVendor=1d50, idProduct=605b, bcdDevice= 1.00
[203152.782295] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[203152.782296] usb 1-1: Product: YARD Stick One
[203152.782297] usb 1-1: Manufacturer: Great Scott Gadgets
[203152.782298] usb 1-1: SerialNumber: 0000
[203253.626076] audit: type=1400 audit(1562447194.394:3592): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="snap.rfcat.rfcat" pid=5522 comm="apparmor_parser"
[203253.637219] audit: type=1400 audit(1562447194.406:3593): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="snap-update-ns.rfcat" pid=5524 comm="apparmor_parser"
[203253.962553] audit: type=1400 audit(1562447194.734:3594): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="/snap/core/7270/usr/lib/snapd/snap-confine" pid=5526 comm="apparmor_parser"
[203253.962763] audit: type=1400 audit(1562447194.734:3595): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="/snap/core/7270/usr/lib/snapd/snap-confine//mount-namespace-capture-helper" pid=5526 comm="apparmor_parser"
[203253.976057] audit: type=1400 audit(1562447194.746:3596): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="snap-update-ns.core" pid=5529 comm="apparmor_parser"
[203254.033294] audit: type=1400 audit(1562447194.802:3597): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="snap.core.hook.configure" pid=5530 comm="apparmor_parser"
[203258.941898] audit: type=1400 audit(1562447199.710:3598): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="/snap/core/7270/usr/lib/snapd/snap-confine" pid=5615 comm="apparmor_parser"
[203258.942099] audit: type=1400 audit(1562447199.710:3599): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="/snap/core/7270/usr/lib/snapd/snap-confine//mount-namespace-capture-helper" pid=5615 comm="apparmor_parser"
[203258.956139] audit: type=1400 audit(1562447199.726:3600): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="snap-update-ns.core" pid=5617 comm="apparmor_parser"
[203259.012354] audit: type=1400 audit(1562447199.782:3601): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="snap.core.hook.configure" pid=5618 comm="apparmor_parser"
[203259.291726] audit: type=1400 audit(1562447200.062:3602): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="snap.rfcat.rfcat" pid=5632 comm="apparmor_parser"
[203259.302935] audit: type=1400 audit(1562447200.074:3603): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="snap-update-ns.rfcat" pid=5634 comm="apparmor_parser"
[203264.299631] audit: type=1326 audit(1562447205.070:3604): auid=1000 uid=1000 gid=1000 ses=170 pid=5639 comm="python2" exe="/snap/rfcat/x25/usr/bin/python2.7" sig=0 arch=c000003e syscall=41 compat=0 ip=0x7f2a7067cec7 code=0x50000
[203264.299730] python2[5639]: segfault at 208 ip 00007f2a5fdedf76 sp 00007ffcde816760 error 4 in libusb-1.0.so.0.1.0[7f2a5fde8000+17000]
[203264.299734] Code: e8 1f df ff ff 48 3b 1d 10 14 21 00 0f 84 22 01 00 00 48 8d 3d 3b 14 21 00 e8 36 dd ff ff 48 8d 3d cf 13 21 00 e8 fa de ff ff <48> 8b 93 08 02 00 00 48 8b 83 10 02 00 00 48 8d 3d b5 13 21 00 48

Note that I tried, I believe, to add every plug that could make sense for USB or low level access:

raw-usb
hidraw
hardware-observe
system-observe

So I would like to push the application in classic mode.

Source : https://github.com/phocean/rfcat-snapcraft/blob/master/snapcraft.yaml

Thank you for your feedback.

ogra · July 8, 2019, 10:06am

it dies in syscall 41 …

$ scmp_sys_resolver 41
socket

your python script tries to open a socket and dies because it cant do that, just add the network-bind interface to allow the socket syscall …

phocean · July 8, 2019, 10:33am

Thank you, it works for this one. But soon after I get a lot of file system access denied (read-only).

Most are of this kind:

audit: type=1400 audit(1562581342.974:215): apparmor="DENIED" operation="open" profile="snap.rfcat-phocean.rfcat" name="/snap/core18/1049/lib/x86_64-linux-gnu/libtinfo.so.5.9" pid=32693 comm="python2" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

Which, I believe, I can fix with the system-files interface (https://docs.snapcraft.io/system-files-interface).

But, then, there is:

[41713.649307] audit: type=1400 audit(1562581942.365:239): apparmor="DENIED" operation="open" profile="snap.rfcat-phocean.rfcat" name="/proc/2733/mounts" pid=2733 comm="python2" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000

Which is not supported by any interface, unless I missed it.

ogra · July 8, 2019, 11:09am

phocean:

audit: type=1400 audit(1562581342.974:215): apparmor="DENIED" operation="open" profile="snap.rfcat-phocean.rfcat" name="/snap/core18/1049/lib/x86_64-linux-gnu/libtinfo.so.5.9" pid=32693 comm="python2" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

this tries to open the libtinfo.so from the core snap … add libtinfo5 to your stage-packages: so it is contained in your snap instead.

for read access to /proc/mounts there is the mount-observe interface …

phocean · July 8, 2019, 12:36pm

Ok, thanks for libtinfo5, it worked.

However, I had tried mount-observe, and it is still not working:

[49636.620689] audit: type=1326 audit(1562589865.430:264): auid=1000 uid=1000 gid=1000 ses=4 pid=19654 comm="python2" exe="/snap/rfcat-phocean/x3/usr/bin/python2.7" sig=0 arch=c000003e syscall=41 compat=0 ip=0x7f4d9a661ec7 code=0x50000
[49636.620781] python2[19654]: segfault at 208 ip 00007f4d95ea9f76 sp 00007fff5ff54ad0 error 4 in libusb-1.0.so.0.1.0[7f4d95ea4000+17000]
[49636.620786] Code: e8 1f df ff ff 48 3b 1d 10 14 21 00 0f 84 22 01 00 00 48 8d 3d 3b 14 21 00 e8 36 dd ff ff 48 8d 3d cf 13 21 00 e8 fa de ff ff <48> 8b 93 08 02 00 00 48 8b 83 10 02 00 00 48 8d 3d b5 13 21 00 48

% snap connections rfcat-phocean
Interface      Plug                         Slot            Notes
home           rfcat-phocean:home           :home           -
mount-observe  rfcat-phocean:mount-observe  :mount-observe  manual
network-bind   rfcat-phocean:network-bind   :network-bind   -

Sorry for being such a noob.

ijohnson · July 8, 2019, 1:41pm

You will need to re-add the network-bind plug again, I would try adding all of the plugs mentioned thus far at the same time:

mount-observe
network-bind
home
system-observe
raw-usb
hardware-observe
hidraw

and then also add the libtinfo5 package to your snap and try again.

phocean · July 8, 2019, 1:53pm

Based on your, after trial and error with several combinations, these plugs are required:

mount-observe
home
hardware-observe
raw-usb

Thanks a lot @ijohnson and @ogra.

I guess I can now resubmit this app with confinement.