Hello,
I request classic confinement for packaging the rfcat application.
rfcat basically modulates/demodulates radio signals, using dedicated USB dongles (like Yard Stick One).
In devmode, it works without issue.
In strict mode, it segfaults. In the trace below, you can see when the USB dongle is inserted and then rfcat launched.
There is no DENIED from AppArmor, and libusb crashes.
[203152.631594] usb 1-1: new full-speed USB device number 103 using xhci_hcd
[203152.780731] usb 1-1: config 1 descriptor has 1 excess byte, ignoring
[203152.782293] usb 1-1: New USB device found, idVendor=1d50, idProduct=605b, bcdDevice= 1.00
[203152.782295] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[203152.782296] usb 1-1: Product: YARD Stick One
[203152.782297] usb 1-1: Manufacturer: Great Scott Gadgets
[203152.782298] usb 1-1: SerialNumber: 0000
[203253.626076] audit: type=1400 audit(1562447194.394:3592): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="snap.rfcat.rfcat" pid=5522 comm="apparmor_parser"
[203253.637219] audit: type=1400 audit(1562447194.406:3593): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="snap-update-ns.rfcat" pid=5524 comm="apparmor_parser"
[203253.962553] audit: type=1400 audit(1562447194.734:3594): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="/snap/core/7270/usr/lib/snapd/snap-confine" pid=5526 comm="apparmor_parser"
[203253.962763] audit: type=1400 audit(1562447194.734:3595): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="/snap/core/7270/usr/lib/snapd/snap-confine//mount-namespace-capture-helper" pid=5526 comm="apparmor_parser"
[203253.976057] audit: type=1400 audit(1562447194.746:3596): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="snap-update-ns.core" pid=5529 comm="apparmor_parser"
[203254.033294] audit: type=1400 audit(1562447194.802:3597): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="snap.core.hook.configure" pid=5530 comm="apparmor_parser"
[203258.941898] audit: type=1400 audit(1562447199.710:3598): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="/snap/core/7270/usr/lib/snapd/snap-confine" pid=5615 comm="apparmor_parser"
[203258.942099] audit: type=1400 audit(1562447199.710:3599): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="/snap/core/7270/usr/lib/snapd/snap-confine//mount-namespace-capture-helper" pid=5615 comm="apparmor_parser"
[203258.956139] audit: type=1400 audit(1562447199.726:3600): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="snap-update-ns.core" pid=5617 comm="apparmor_parser"
[203259.012354] audit: type=1400 audit(1562447199.782:3601): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="snap.core.hook.configure" pid=5618 comm="apparmor_parser"
[203259.291726] audit: type=1400 audit(1562447200.062:3602): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="snap.rfcat.rfcat" pid=5632 comm="apparmor_parser"
[203259.302935] audit: type=1400 audit(1562447200.074:3603): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="snap-update-ns.rfcat" pid=5634 comm="apparmor_parser"
[203264.299631] audit: type=1326 audit(1562447205.070:3604): auid=1000 uid=1000 gid=1000 ses=170 pid=5639 comm="python2" exe="/snap/rfcat/x25/usr/bin/python2.7" sig=0 arch=c000003e syscall=41 compat=0 ip=0x7f2a7067cec7 code=0x50000
[203264.299730] python2[5639]: segfault at 208 ip 00007f2a5fdedf76 sp 00007ffcde816760 error 4 in libusb-1.0.so.0.1.0[7f2a5fde8000+17000]
[203264.299734] Code: e8 1f df ff ff 48 3b 1d 10 14 21 00 0f 84 22 01 00 00 48 8d 3d 3b 14 21 00 e8 36 dd ff ff 48 8d 3d cf 13 21 00 e8 fa de ff ff <48> 8b 93 08 02 00 00 48 8b 83 10 02 00 00 48 8d 3d b5 13 21 00 48
Note that I tried, I believe, to add every plug that could make sense for USB or low level access:
- raw-usb
- hidraw
- hardware-observe
- system-observe
So I would like to push the application in classic mode.
Source: https://github.com/phocean/rfcat-snapcraft/blob/master/snapcraft.yaml
Thank you for your feedback.
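
Added example (not part of the original post): a small triage of the kernel trace above that separates AppArmor denials (audit type 1400 with `apparmor="DENIED"`) from seccomp records (audit type 1326), which never contain the word DENIED. The sample lines are copied from the trace in the post; the syscall and action tables are a small hand-picked x86_64 subset, and the function name `triage` is an assumption of this example.

```python
import re

# Three lines copied from the kernel trace in the post above.
SAMPLE = """\
[203259.291726] audit: type=1400 audit(1562447200.062:3602): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="snap.rfcat.rfcat" pid=5632 comm="apparmor_parser"
[203264.299631] audit: type=1326 audit(1562447205.070:3604): auid=1000 uid=1000 gid=1000 ses=170 pid=5639 comm="python2" exe="/snap/rfcat/x25/usr/bin/python2.7" sig=0 arch=c000003e syscall=41 compat=0 ip=0x7f2a7067cec7 code=0x50000
[203264.299730] python2[5639]: segfault at 208 ip 00007f2a5fdedf76 sp 00007ffcde816760 error 4 in libusb-1.0.so.0.1.0[7f2a5fde8000+17000]
"""

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value or key="quoted value"
AUDIT_ARCH_X86_64 = "c000003e"
# Subset of the x86_64 syscall table, enough for this trace.
SYSCALLS_X86_64 = {16: "ioctl", 41: "socket", 42: "connect", 49: "bind"}
# Seccomp filter return actions as logged in the code= field.
SECCOMP_ACTIONS = {
    0x00000000: "KILL_THREAD",
    0x80000000: "KILL_PROCESS",
    0x00030000: "TRAP",
    0x00050000: "ERRNO",
    0x7FFC0000: "LOG",
}


def triage(log):
    """Return (source, comm, what, detail) tuples for confinement events."""
    findings = []
    for line in log.splitlines():
        if "audit:" not in line:
            continue  # e.g. the segfault line itself is not an audit record
        f = {k: v.strip('"') for k, v in KV.findall(line)}
        if f.get("type") == "1400" and f.get("apparmor") == "DENIED":
            findings.append(("apparmor", f.get("comm"),
                             f.get("operation"), f.get("name")))
        elif f.get("type") == "1326":  # AUDIT_SECCOMP
            nr = int(f["syscall"])
            known = f.get("arch") == AUDIT_ARCH_X86_64
            name = SYSCALLS_X86_64.get(nr, str(nr)) if known else str(nr)
            action = SECCOMP_ACTIONS.get(int(f["code"], 16), f["code"])
            findings.append(("seccomp", f.get("comm"), name, action))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

On the copied lines this reports no AppArmor denial and one seccomp record for `python2`, logged immediately before the libusb segfault.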