Write to file #agl #koi #permissions


Francesco ARGENTIERI (KINETON)
 

Hi everyone, I developed a custom service, now I want to save the current status as a JSON file.
The code seems to work fine, but the result is a blank file. How is it possible? Can you help me? My code is shown below:

void writeFile(){
  std::ofstream o(f);
  o << std::setw(4) << out << std::endl;
  o.close();
}

The blank file has already been installed together with the service.


Stephane Desneux
 

Hi Francesco,

What's the path of the file? Do you have write permissions (DAC & SMACK) on it?

Try to write in a public dir (for example /tmp), and in the service working dir,
which should be writable for the service only.

HTH
---
Stephane Desneux - CTO - IoT.bzh
stephane.desneux@... - www.iot.bzh

On 05/07/2021 16:33, Francesco ARGENTIERI (KINETON) wrote:
> Hi everyone, I developed a custom service, now I want to save the current status
> as a JSON file.
> The code seems to work fine, but the result is a blank file. How is it possible?
> Can you help me? My code is shown below:
>
> void writeFile(){
>   std::ofstream o(f);
>   o << std::setw(4) << out << std::endl;
>   o.close();
> }
>
> The blank file has already been installed together with the service.


Francesco ARGENTIERI (KINETON)
 

Hi Stephane, Thank you for letting me know.

The file should be written at: /var/local/lib/afm/applications/agl-service-hmi/conf/status.json
and it presents the following smack label:

```sh
chsmack /usr/local/lib/afm/applications/agl-service-hmi/lib/
/usr/local/lib/afm/applications/agl-service-hmi/lib/ access="User::App::agl-service-hmi" transmute="TRUE"
```

Best Regards
FA


Jose Bollo
 

On Tue, 06 Jul 2021 01:26:09 -0700
"Francesco ARGENTIERI (KINETON)" <francesco.argentieri@...>
wrote:

> Hi Stephane,
> Thank you for letting me know.
>
> The file should be written at:
> */var/local/lib/afm/applications/agl-service-hmi/conf/status.json*
> and it presents the following smack label:
> ```sh
> chsmack /usr/local/lib/afm/applications/agl-service-hmi/lib/
> /usr/local/lib/afm/applications/agl-service-hmi/lib/ access="User::App::agl-service-hmi" transmute="TRUE"
> ```
>
> Best Regards
> FA

Hi Francesco,

What is the output of

chsmack -r /var/local/lib/afm/applications/agl-service-hmi/conf

?

Best regards
José


Francesco ARGENTIERI (KINETON)
 

Hi José,

Thank you for letting me know.

I obtain:

```sh
chsmack -r /var/local/lib/afm/applications/agl-service-hmi/conf
/var/local/lib/afm/applications/agl-service-hmi/conf access="User::App::agl-service-hmi" transmute="TRUE"
/var/local/lib/afm/applications/agl-service-hmi/conf/status.json access="User::App::agl-service-hmi"
```

Best Regards
FA


Jose Bollo
 

On Tue, 06 Jul 2021 02:00:06 -0700
"Francesco ARGENTIERI (KINETON)" <francesco.argentieri@...>
wrote:

> Hi José,
>
> Thank you for letting me know.
>
> I obtain:
> ```sh
> chsmack -r /var/local/lib/afm/applications/agl-service-hmi/conf
> /var/local/lib/afm/applications/agl-service-hmi/conf access="User::App::agl-service-hmi" transmute="TRUE"
> /var/local/lib/afm/applications/agl-service-hmi/conf/status.json access="User::App::agl-service-hmi"
> ```

If your application runs with the label User::App::agl-service-hmi then
it is not an issue with the Smack security module.

If your application has another label, it is another story. If you
are not sure, you can check it using 'ps -Z'.

Have you checked DAC permissions?

Launched by AGL framework, your application runs in an appropriate
working directory dedicated to its uses. Have you tried to write in the
current working directory?

Best regards
José


Francesco ARGENTIERI (KINETON)
 

On Tue, Jul 6, 2021 at 11:12 AM, Jose Bollo wrote:

> If your application runs with the label User::App::agl-service-hmi then it is not an issue with the Smack security module.
>
> If your application has another label, it is another story. If you are not sure, you can check it using 'ps -Z'.

```sh
h3ulcb:~# ps -Z
LABEL                               PID TTY          TIME CMD
System                              701 ttySC0   00:00:00 login
System                             1058 ttySC0   00:00:00 sh
System                             1113 ttySC0   00:00:00 ps
```

> Have you checked DAC permissions?

No, can you explain?

> Launched by AGL framework, your application runs in an appropriate working directory dedicated to its use. Have you tried to write in the current working directory?

Can you be more precise? In this passage what are you referring to?

Best Regards
FA


Jose Bollo
 

On Tue, 06 Jul 2021 02:20:02 -0700
"Francesco ARGENTIERI (KINETON)" <francesco.argentieri@...>
wrote:

> On Tue, Jul 6, 2021 at 11:12 AM, Jose Bollo wrote:
>
> > If your application runs with the label User::App::agl-service-hmi
> > then it is not an issue with the Smack security module.
> >
> > If your application has another label, it is another story. If you
> > are not sure, you can check it using 'ps -Z'.
>
> ```sh
> h3ulcb:~# ps -Z
> LABEL PID TTY TIME CMD
> System 701 ttySC0 00:00:00 login
> System 1058 ttySC0 00:00:00 sh
> System 1113 ttySC0 00:00:00 ps
> ```

That is not the process status of your service. You have to add some
argument to get that status. If you try to run your service from
the command line, logged as root, it can explain the issue. Have you
checked audit messages in the journal?

> > Have you checked DAC permissions?
>
> No, can you explain?

user/group/other + read/write/execute from ls -l

> > Launched by AGL framework, your application runs in an appropriate
> > working directory dedicated to its use. Have you tried to write in
> > the current working directory?
>
> Can you be more precise? In this passage what are you referring to?

How is your service installed? Have you created and installed a widget?


Francesco ARGENTIERI (KINETON)
 

> Have you checked audit messages in the journal?

Yes, there are no audit messages regarding my service in the journal.

> user/group/other + read/write/execute from ls -l

```sh
ls -l /usr/local/lib/afm/applications/agl-service-hmi/lib
total 8904
-rw-r--r--. 1 root root 9116016 Jul  6 09:35 libafm-hmi-binding.so

ls -l /usr/local/lib/afm/applications/agl-service-hmi/conf
total 8
-rw-r--r--. 1 root root  27 Jul  6 09:35 status.json
```

> How is your service installed? Have you created and installed a widget?

Yes, I used CMake to compile the project (`make widget`), then I installed it with `afm-util install agl-service-hmi.wgt`.


Jose Bollo
 

On Tue, 06 Jul 2021 02:43:27 -0700
"Francesco ARGENTIERI (KINETON)" <francesco.argentieri@...>
wrote:

> > Have you checked audit messages in the journal?
>
> Yes, there are no audit messages regarding my service in the journal.
>
> > user/group/other + read/write/execute from ls -l
>
> ```sh
> ls -l /usr/local/lib/afm/applications/agl-service-hmi/lib
> total 8904
> -rw-r--r--. 1 root root 9116016 Jul 6 09:35 libafm-hmi-binding.so
>
> ls -l /usr/local/lib/afm/applications/agl-service-hmi/conf
> total 8
> -rw-r--r--. 1 root root 27 Jul 6 09:35 status.json
> ```

the owner is root

> > How is your service installed? Have you created and installed a
> > widget?
>
> Yes, I used CMake to compile the project (`make widget`), then I
> installed it with `afm-util install agl-service-hmi.wgt`.

your widget probably runs as a non-root user.


Jan Simon Moeller
 

Isn't the writeable application home directory like
/home/<userid-number>/app-data/<name-of-app>/

e.g.

/home/0/app-data/agl-service-hmi  ?

/usr/local/lib/.... is the 'installation' directory and should not be writeable by default.


Best regards,
Jan-Simon

------
Jan-Simon Möller
AGL Release Manager
The Linux Foundation

Visit us at:
www.automotivegradelinux.org
lists.automotivelinux.org
www.linuxfoundation.org


On Tue, Jul 6, 2021 at 12:20 PM Jose Bollo <jose.bollo@...> wrote:
On Tue, 06 Jul 2021 02:43:27 -0700
"Francesco ARGENTIERI (KINETON)" <francesco.argentieri@...>
wrote:

> > Have you checked audit messages in the journal?
>
> Yes, there are no audit messages regarding my service in the journal.
>
> > user/group/other + read/write/execute from ls -l
>
> ```sh
> ls -l /usr/local/lib/afm/applications/agl-service-hmi/lib
> total 8904
> -rw-r--r--. 1 root root 9116016 Jul  6 09:35 libafm-hmi-binding.so
>
> ls -l /usr/local/lib/afm/applications/agl-service-hmi/conf
> total 8
> -rw-r--r--. 1 root root  27 Jul  6 09:35 status.json
> ```

the owner is root

> > How is your service installed? Have you created and installed a
> > widget?
>
> Yes, I used CMake to compile the project (`make widget`), then I
> installed it with `afm-util install agl-service-hmi.wgt`.

your widget probably runs as a non-root user.


Jose Bollo
 

On Tue, 6 Jul 2021 13:52:18 +0200
"Jan Simon Moeller" <jsmoeller@...> wrote:

> Isn't the writeable application home directory like
> /home/<userid-number>/app-data/<name-of-app>/
>
> e.g.
>
> /home/0/app-data/agl-service-hmi ?
>
> /usr/local/lib/.... is the 'installation' directory and should not be
> writeable by default.

Yes that is also my idea. The default working directory of the
application

$HOME/app-data/<name-of-app>/

is writable but the installation directory is not necessarily writeable.

It is of importance for multi-user behaviour.

I suggest to set a hierarchy of configuration if possible: use the
configuration file of the working directory, then a system config file
and then the install config file.

Best regards
José



Francesco ARGENTIERI (KINETON)
 

Well, I will try. Thanks for your help, I really appreciate it.

Best Regards
FA


Francesco ARGENTIERI (KINETON)
 

Hi everyone, Currently, I'm not able to write to a file on disk using my service. So, I've understood that to store a file correctly, I need to write a file in a folder such as $HOME/app-data/<name-of-app>/ and similar. Could you provide an example?

Best Regards, FA


Jose Bollo
 

On Tue, 03 Aug 2021 03:52:44 -0700
"Francesco ARGENTIERI (KINETON)" <francesco.argentieri@...>
wrote:

> Hi everyone,
> Currently, I'm not able to write to a file on disk using my service.
> So, I've understood that to store a file correctly, I need to write a
> file in a folder such as `$HOME/app-data/<name-of-app>/` and
> similar. Could you provide an example?

Hi Francesco,

The systemd service that launches your service should have set up the
working directory to that directory ([1] & [2]). So you can assume that
the current working directory is writable.

If it is not the case it implies that something is broken.

Best regards
José Bollo

[1] https://git.automotivelinux.org/src/app-framework-main/tree/conf/unit/service.inc#n108
[2] https://git.automotivelinux.org/src/app-framework-main/tree/conf/unit/macros.inc#n63

> Best Regards,
> FA





Francesco ARGENTIERI (KINETON)
 

Hi everyone, Thank you for your help. I found the mistake and solved the problem.

Best Regards, FA


Nenad Milidrag
 

Hi Francesco,

Can you share what your mistake was?

Thanks,

Nenad


Francesco ARGENTIERI (KINETON)
 

Hi Nenad, Initially, the path where I wanted to store the file was wrong; after Jose's suggestion I changed the path.

Afterwards, when I wrote the path /home/1001/app-data/name-service/file.ext, while copying the path of the writable folder from this web page, the character "-" was not copied as the standard ASCII value but in a different representation. So Smack had correctly denied the permission to write the file.

That is all

Best regards, FA
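
An added example, not code from the thread or from the AGL project: a variant of the `writeFile()` routine that reports why a write failed instead of leaving a blank file, and that rejects a path containing a pasted non-ASCII hyphen before opening it. The names `firstNonAscii` and `writeStatus` are assumptions, as is the policy of refusing any non-ASCII byte in the path.

```cpp
#include <cerrno>
#include <cstring>
#include <fstream>
#include <string>

// Offset of the first non-ASCII byte in path, or -1 if the path is pure ASCII.
// A hyphen pasted from a web page may be U+2011 or U+2013, which UTF-8 encodes
// as three bytes >= 0x80, so the path names a different (nonexistent) directory.
long firstNonAscii(const std::string& path) {
  for (std::size_t i = 0; i < path.size(); ++i)
    if (static_cast<unsigned char>(path[i]) > 0x7F)
      return static_cast<long>(i);
  return -1;
}

// Writes json to path. Returns an empty string on success, otherwise a
// description of the failure. std::ofstream never throws by default, so an
// unchecked open that is denied by DAC or Smack simply writes nothing.
std::string writeStatus(const std::string& path, const std::string& json) {
  long bad = firstNonAscii(path);
  if (bad >= 0)  // policy assumed for this example: app-data paths are ASCII
    return "non-ASCII byte at offset " + std::to_string(bad) + " in path";

  errno = 0;
  std::ofstream o(path, std::ios::trunc);
  if (!o.is_open())  // errno from the underlying open() (set on glibc, not guaranteed by the standard)
    return "open failed: " + std::string(std::strerror(errno));

  o << json << '\n';
  o.close();  // flushes; a failed flush sets failbit/badbit
  if (o.fail())
    return "write failed: " + std::string(std::strerror(errno));
  return "";
}
```

Called with a relative file name such as `status.json`, the function writes into the service's current working directory, which the framework sets to the writable app-data directory as described above.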


Nenad Milidrag
 

Hi Francesco,

Thank you for the details. 

Regards,
Nenad