Hi Sergio,
After extracting the meta directory from the docker snap, I figured out
how to add custom AppArmor and seccomp profiles.
Thanks a bunch!
Philipp
On 27.04.2015 at 22:39, Sergio Schvezov wrote:
On Monday, 27 April 2015, 10:41:40 CEST, Philipp Lorenz wrote:
Hi,
I've built a snap package which contains a Java installation and some
own Java classes. Those are used to get a list of connected USB
devices and their information using the usb4java framework and the
snap has been configured to run the Java program as a service.
Java is running fine so far, but the USB library gets blocked by
AppArmor:
root@localhost:~# dmesg | tail
...
[ 2011.571481] audit: type=1400 audit(1430121893.543:22): apparmor="DENIED" operation="open" profile="rda-watchdog.sideload_rda-watchdog_0.1" name="/sys/bus/" pid=1648 comm="java" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 2011.571587] audit: type=1400 audit(1430121893.543:23): apparmor="DENIED" operation="open" profile="rda-watchdog.sideload_rda-watchdog_0.1" name="/sys/class/" pid=1648 comm="java" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
It seems like the library needs access to a lot of sub-directories of
/sys/ in order to find out which USB devices are connected.
For granting access to single device nodes, I know there is "snappy
hw-assign", but is there also a way to "unblock" the /sys/ directory
for reading? Changing the AppArmor profile by hand and compiling it
seems to be a bad option since the changes get lost on updates and/or
re-installs.
Thanks in advance for any help!
You can look at docker on snappy hub or install docker and look at the
package layout under /apps or look at installing webdm and use it for
inspiration.
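
Added example, not part of the original thread: a Python script that turns AppArmor "DENIED" audit records like the ones quoted above into candidate file rules to review before putting them in a custom profile. The function names are hypothetical, and the third sample line (a hex-encoded path with a space) is constructed to show how the audit subsystem encodes such names.

```python
import re
from collections import defaultdict

# Sample input: the two denials quoted in the thread, plus one constructed
# record whose name is hex-encoded ("/tmp/usb list") and unquoted.
SAMPLE_DMESG = '''\
[ 2011.571481] audit: type=1400 audit(1430121893.543:22): apparmor="DENIED" operation="open" profile="rda-watchdog.sideload_rda-watchdog_0.1" name="/sys/bus/" pid=1648 comm="java" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 2011.571587] audit: type=1400 audit(1430121893.543:23): apparmor="DENIED" operation="open" profile="rda-watchdog.sideload_rda-watchdog_0.1" name="/sys/class/" pid=1648 comm="java" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 2011.600000] audit: type=1400 audit(1430121893.572:24): apparmor="DENIED" operation="mknod" profile="rda-watchdog.sideload_rda-watchdog_0.1" name=2F746D702F757362206C697374 pid=1648 comm="java" requested_mask="wc" denied_mask="wc" fsuid=0 ouid=0
'''

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_fields(line):
    """Split one audit record into a key/value dict."""
    fields = {}
    for m in KV.finditer(line):
        key, quoted, bare = m.groups()
        value = quoted if quoted is not None else bare
        if quoted is None and key == "name":
            # Unquoted names are hex-encoded (path held spaces or quotes).
            try:
                value = bytes.fromhex(bare).decode("utf-8", "replace")
            except ValueError:
                pass
        fields[key] = value
    return fields

def candidate_rules(text):
    """Return {profile: [AppArmor file rule, ...]} for DENIED records."""
    seen = defaultdict(lambda: defaultdict(set))
    for line in text.splitlines():
        f = parse_fields(line)
        if f.get("apparmor") != "DENIED" or "name" not in f:
            continue
        # Log masks c (create) and d (delete) are covered by w in a profile.
        perms = {"w" if ch in "cd" else ch for ch in f.get("denied_mask", "")}
        seen[f.get("profile", "?")][f["name"]] |= perms
    rules = {}
    for profile, paths in seen.items():
        rules[profile] = []
        for path, perms in sorted(paths.items()):
            quoted = f'"{path}"' if " " in path else path
            rules[profile].append(f"{quoted} {''.join(sorted(perms))},")
    return rules

if __name__ == "__main__":
    for profile, lines in candidate_rules(SAMPLE_DMESG).items():
        print(profile, *lines, sep="\n  ")
```

The output is a list of candidates: each rule should be checked and narrowed to what the service needs before it goes into the snap's custom profile.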