After upgrade to 11.0.93 firmware, my eap application can no longer access network

[hqm]

I have an eap application which installs a script into systemd, that runs an ssh client to hold open a connection to a server in the cloud. .

When my P3255 camera upgraded to firmware 11.0.93, this app stopped working, and in the logs I see this error

 /usr/local/packages/SSHConnector/dbclient: Connection to axis@192.168.0.166:22 exited: Connect failed: Network is unreachable
2022-10-07T23:36:53.709-04:00 axis-b8a44f45ce28 [ NOTICE  ] systemd[1]: ssh_client.service: Main process exited, code=exited, status=1/FAILURE
2022-10-07T23:36:56.798-04:00 axis-b8a44f45ce28 [ INFO    ] systemd[1]: ssh_client.service: Scheduled restart job, restart counter is at 142.
2022-10-07T23:36:56.798-04:00 axis-b8a44f45ce28 [ INFO    ] systemd[1]: Stopped SSH client reverse proxy to dev server.
2022-10-07T23:36:56.819-04:00 axis-b8a44f45ce28 [ INFO    ] systemd[1]: Started SSH client reverse proxy to dev server.
2022-10-07T23:36:56.842-04:00 axis-b8a44f45ce28 [ INFO    ] dbclient[7503]: /usr/local/packages/SSHConnector/dbclient: Connection to axis@192.168.0.166:22 exited: Connect failed: Network is unreachable

The strange thing is that when I type in the same command by hand to the shell, to open an ssh connection using the 'dbclient' ssh client, it works fine.

It seems like the daemon process being launched by systemd does not have access to the network somehow. Is this a new change in the firmware?
I was told a while ago I should be signing my apps, maybe this is a new security feature? Is access to the network purposely restricted so that processes run under systemd cannot open outgoing connections?

thank you

[hqm]

Did the boot sequence for systemd change the order in which network services come up ?

[mattias-kindborg-at-work]

Hi @hqm! Which version of ACAP are you using?

[hqm]

I have tried these versions

# armv7hf
ARG ARCH=aarch64
ARG VERSION=3.5
ARG UBUNTU_VERSION=20.04
ARG REPO=axisecp
ARG SDK=acap-sdk

and

ARG ARCH=armv7hf
ARG VERSION=1.4
ARG UBUNTU_VERSION=22.04
ARG REPO=axisecp
ARG SDK=acap-native-sdk

I tried also just putting a call to "ping" in my systemd .service file, and it also cannot reach network. I'm wondering if some tightened security on systemd launched processes has been added to prevent them from accesing the network?

[mattias-kindborg-at-work]

I'll see what I can find.

[mattias-kindborg-at-work]

The specific release is describing general performance optimizations. Those can affect process startup sequences, it's hard to know. There has also been changes to the network firewall settings that might affect outcomes of ping. Sorry that I cannot give you a more detailed explanation than this.

[hqm]

Turns out this is expected behavior of the default sandbox settings for apps

/usr/lib/systemd/system/service.d/10-axis-sandbox.conf

[mattias-kindborg-at-work]

As a security measure disabling network access for all services was implemented. If you install a service you can add the service to a whitelist to grant it access to the network.

Create the file /etc/systemd/system/<service>.service.d/50-axis-network.conf, where <service> is the name of your service, with the following content:

[Service]
PrivateNetwork=no
CapabilityBoundingSet=~

If you know exactly what capabilities your service needs, then it will be better to specify only the ones that you need instead of resetting everything by setting it to nothing (meaning your service will have all kinds of capabilities, which is not desired in a security perspective).

[hqm]

ok thank you for explaining!