Receiving a USB device list with libusb4java fails due to AppArmor

Jamie Strandboge jamie at canonical.com
Mon Apr 27 18:04:46 UTC 2015


On 04/27/2015 03:41 AM, Philipp Lorenz wrote:
> Hi,
> 
> I've built a snap package which contains a Java installation and some own Java
> classes. Those are used to get a list of connected USB devices and their
> information using the usb4java framework and the snap has been configured to run
> the Java program as a service.
> Java is running fine so far, but the USB library gets blocked by AppArmor:
> 
> root at localhost:~# dmesg | tail
> ...
> [ 2011.571481] audit: type=1400 audit(1430121893.543:22): apparmor="DENIED"
> operation="open" profile="rda-watchdog.sideload_rda-watchdog_0.1"
> name="/sys/bus/" pid=1648 comm="java" requested_mask="r" denied_mask="r" fsuid=0
> ouid=0
> [ 2011.571587] audit: type=1400 audit(1430121893.543:23): apparmor="DENIED"
> operation="open" profile="rda-watchdog.sideload_rda-watchdog_0.1"
> name="/sys/class/" pid=1648 comm="java" requested_mask="r" denied_mask="r"
> fsuid=0 ouid=0
> 
> It seems like the library needs access to a lot of sub-directories of /sys/ in
> order to find out which USB devices are connected.
> For granting access to single device nodes, I know there is "snappy hw-assign",
> but is there also a way to "unblock" the /sys/ directory for reading? Changing
> the AppArmor profile by hand and compiling it seems to be a bad option since the
> changes get lost on updates and/or re-installs.
> 
> Thanks in advance for any help!
> 

Currently hw-assign allows specifying files in /dev and /sys/devices, but not
/sys/bus and /sys/class. Can you add this to
/var/lib/apparmor/profiles/*_rda-watchdog.sideload_rda-watchdog_0.1 (before the
closing '}'):

 /sys/**/ r,

then do:
$ sudo apparmor_parser -r
/var/lib/apparmor/profiles/*_rda-watchdog.sideload_rda-watchdog_0.1

then report back if you got farther or new denials?

Note: the above changes won't be preserved on app reinstall/upgrade/etc.

I'd like to understand all the accesses that usb4java is attempting before
suggesting how to proceed.

Thanks!

PS - please reach out to me in #snappy on Freenode (I'm jdstrand) if you have
questions.

-- 
Jamie Strandboge                 http://www.ubuntu.com/

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/snappy-devel/attachments/20150427/fc56c09d/attachment.pgp>


More information about the snappy-devel mailing list