On 04/27/2015 03:41 AM, Philipp Lorenz wrote:
> Hi,
>
> I've built a snap package which contains a Java installation and some own Java
> classes. Those are used to get a list of connected USB devices and their
> information using the usb4java framework and the snap has been configured to run
> the Java program as a service.
> Java is running fine so far, but the USB library gets blocked by AppArmor:
>
> root@localhost:~# dmesg | tail
> ...
> [ 2011.571481] audit: type=1400 audit(1430121893.543:22): apparmor="DENIED" operation="open" profile="rda-watchdog.sideload_rda-watchdog_0.1" name="/sys/bus/" pid=1648 comm="java" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
> [ 2011.571587] audit: type=1400 audit(1430121893.543:23): apparmor="DENIED" operation="open" profile="rda-watchdog.sideload_rda-watchdog_0.1" name="/sys/class/" pid=1648 comm="java" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
>
> It seems like the library needs access to a lot of sub-directories of /sys/ in
> order to find out which USB devices are connected.
> For granting access to single device nodes, I know there is "snappy hw-assign",
> but is there also a way to "unblock" the /sys/ directory for reading? Changing
> the AppArmor profile by hand and compiling it seems to be a bad option since the
> changes get lost on updates and/or re-installs.
>
> Thanks in advance for any help!
>

Currently hw-assign allows specifying files in /dev and /sys/devices, but not
/sys/bus and /sys/class. Can you add this to
/var/lib/apparmor/profiles/*_rda-watchdog.sideload_rda-watchdog_0.1 (before the
closing '}'):

  /sys/**/ r,

then do:

  $ sudo apparmor_parser -r /var/lib/apparmor/profiles/*_rda-watchdog.sideload_rda-watchdog_0.1

then report back if you got farther or new denials? Note: the above changes
won't be preserved on app reinstall/upgrade/etc.

I'd like to understand all the accesses that usb4java is attempting before
suggesting how to proceed.

Thanks!

PS - please reach out to me in #snappy on Freenode (I'm jdstrand) if you have
questions.

--
Jamie Strandboge                 http://www.ubuntu.com/

--
snappy-devel mailing list
[email protected]
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/snappy-devel
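
Added example, not part of the original thread and not snappy or AppArmor tooling: a small Python script that groups AppArmor denials from `dmesg` output by profile and path, one way to collect the list of accesses the reply above asks for. The function names are hypothetical; the sample input rebuilds the two denials quoted in the thread and adds two constructed lines.

```python
import re
from collections import defaultdict

# key=value or key="value" pairs as they appear in kernel audit records
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Template matching the layout of the denials quoted in the thread.
DENIAL = ('[ {ts}] audit: type=1400 audit({at}): apparmor="DENIED" operation="open" '
          'profile="rda-watchdog.sideload_rda-watchdog_0.1" name="{path}" pid=1648 '
          'comm="java" requested_mask="r" denied_mask="r" fsuid=0 ouid=0')

SAMPLE = "\n".join([
    # the two denials quoted in the thread
    DENIAL.format(ts="2011.571481", at="1430121893.543:22", path="/sys/bus/"),
    DENIAL.format(ts="2011.571587", at="1430121893.543:23", path="/sys/class/"),
    # constructed: an unrelated kernel line and a repeated denial
    "[ 2012.000000] usb 1-1: new high-speed USB device number 2 using ehci-pci",
    DENIAL.format(ts="2013.100000", at="1430121895.000:24", path="/sys/bus/"),
])

def parse_record(line):
    """Return the fields of one AppArmor DENIED record, or None for other lines."""
    fields = {}
    for m in FIELD.finditer(line):
        quoted, bare = m.group(2), m.group(3)
        fields[m.group(1)] = quoted if quoted is not None else bare
    return fields if fields.get("apparmor") == "DENIED" else None

def summarize(log_text):
    """Map profile -> {(path, denied_mask): count} over all denials in log_text."""
    summary = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec and "profile" in rec and "name" in rec:
            key = (rec["name"], rec.get("denied_mask", ""))
            summary[rec["profile"]][key] += 1
    return {profile: dict(paths) for profile, paths in summary.items()}

def report(log_text):
    """Render the summary as text lines, sorted by profile and then by path."""
    lines = []
    for profile, denials in sorted(summarize(log_text).items()):
        lines.append(f"profile {profile}")
        for (path, mask), count in sorted(denials.items()):
            lines.append(f"  {path} {mask}  ({count}x)")
    return lines

if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```

Feeding it the full `dmesg` output after each profile change shows which paths are still being denied and how often.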
