Impossible to use localhost with sandbox


#1

We added a MQTT broker in the user space on WP8548.
An unsandboxed application can access it… good.
But a sandboxed application cannot…
Any idea?

Thank you


#2

Hi jsu,

Could you give more details on how your application is set up? Is the MQTT broker a separate process or app? How is your client app talking to the MQTT broker (what kind of IPC: Legato IPC, Unix domain sockets, mqueues, pipes)?

Thanks,

Alex


#3

Hi jsu,

I think that sandboxed applications do not have access to /etc/hosts. As a consequence, “localhost” cannot be known by sandboxed applications.
Normally you should be able to connect to your MQTT broker using the IP 127.0.0.1.

Hope it will help.


#4

Hello,

We are facing same issue here.

Case 1: Legato MQTT client sandboxed => can’t reach local broker on 127.0.0.1
Case 2: Legato MQTT client non-sandboxed => can’t reach local broker on 127.0.0.1, except if the mosquitto broker is started from the Legato application before the client tries to connect. In this case another Legato application can’t access this broker.

If we run the Legato application from the shell as a standard application (./myapp.wp85), it is able to connect to the local mosquitto broker on 127.0.0.1.

We want mosquitto to be a separate process outside of the Legato environment, but we can manage if it is part of the Legato environment. We just need a Legato sandboxed application to be able to reach a local mosquitto broker.

Thank you all for your support.

Best regards,


#5

Hi,

This is a SMACK permission issue. By default sandboxed apps are not allowed to talk to anything outside the sandbox unless there is a binding between the sandboxed app and the remote app. This is a known issue that we hope to have a solution for soon.

Best regards.


#6

Hi,

If this is a known issue for sandboxed apps, how can you explain that even in an unsandboxed app, where we shouldn’t have SMACK permission limitations (if I understood correctly what sandboxed and unsandboxed apps are), we can’t access the local broker unless we launch the broker from inside the unsandboxed app?

Best regards,


#7

Hi,

The reason this doesn’t work is that all Legato apps are given unique SMACK labels. SMACK uses CIPSO to enforce access control on network communications. Legato apps do not have write permission to the “_” label which is the label that the MQTT broker is likely running as. When the MQTT broker is included in the app it takes on the same label as the app which gives it full permissions.

Allowing Legato apps to write to the “_” label is a major security hole. The solution, I think, is to allow communication access between apps even when there is no specified Legato IPC binding between them. This still requires the MQTT broker to be part of a Legato app. I hope to add this functionality soon.

For now, one workaround is to put the MQTT broker into a Legato app called something like mqttBroker. Create a dummy Legato IPC API (using a .api file) and have the mqttBroker app be the server for this API. Other Legato apps that want to talk to the MQTT broker should be configured as clients of the dummy API (done in the bindings section in the adef).

HTH
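The workaround from the post above written out as Legato definition files, as an added example that is not from this thread or from the Legato project. Every name here (brokerLink.api, mqttBroker, brokerComp, mqttClient, clientComp) is assumed, and the broker component's own code that launches mosquitto is not shown; the point is that the client-to-server binding is what makes the framework add a SMACK rule between the two app labels, so the sandboxed client can then reach the broker on 127.0.0.1.

```text
// brokerLink.api (assumed name): dummy API that carries no real traffic.
// Its only job is to give the framework a client -> server binding that it
// turns into a SMACK rule between the client app label and the broker app label.
FUNCTION Ping();

// mqttBroker/brokerComp/Component.cdef: the broker app is the server of the
// dummy API. The component itself is expected to start mosquitto (not shown),
// so the broker runs under this app's label instead of "_".
provides: { api: { brokerLink = brokerLink.api } }

// mqttBroker.adef: wraps the broker in a Legato app and exports the dummy
// interface under the name "brokerLink" so other apps can bind to it.
sandboxed: true
executables:
{
    broker = ( brokerComp )
}
processes:
{
    run: { ( broker ) }
}
extern:
{
    brokerLink = broker.brokerComp.brokerLink
}

// mqttClient/clientComp/Component.cdef: the MQTT client side only needs to
// declare that it requires the dummy API.
requires: { api: { brokerLink = brokerLink.api } }

// mqttClient.adef: the binding below is the whole workaround. Without it the
// sandboxed client has no write access to the broker app's label and the
// connection to 127.0.0.1 is refused by SMACK/CIPSO.
sandboxed: true
executables:
{
    client = ( clientComp )
}
processes:
{
    run: { ( client ) }
}
bindings:
{
    client.clientComp.brokerLink -> mqttBroker.brokerLink
}
```

The client's generated IPC code connects to brokerLink at startup, so the client process waits until the mqttBroker app is running, which also covers the ordering problem described in #4.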


#8

Hi,

Thanks for your reply, I will try this.

Best regards.