Receiving a USB device list with libusb4java fails due to AppArmor
Philipp Lorenz
p.lorenz at mwaysolutions.com
Tue Apr 28 07:24:48 UTC 2015
Hi Jamie,
thank you for responding!
I figured out the following AppArmor rules for usb4java:
/dev/bus/usb/** rw,
/sys/class/** r,
/sys/bus/** r,
/sys/devices/** r,
/run/udev/** r,
For now, I solved my problem by putting this AppArmor profile into the
snap (as suggested by Sergio Schvezov) and it gets installed without any
problems. However, maybe those directories should be assignable by hw-assign?
Additionally, Java (without usb4java) also requests access to these items:
/etc/writable/timezone (timezone information file, opened for reading)
/tmp/hsperfdata_root (directory, will be created for Java performance
data - needs recursive write access - the location is hard coded and
cannot be changed)
The JVM also runs without having access to them, but I guess the
timezone will be needed for working properly with dates and the hsperfdata
directory is needed for performance improvements, so those should maybe
be added to the default AppArmor profile?
Thanks again!
Philipp
On 27.04.2015 at 20:04, Jamie Strandboge wrote:
> On 04/27/2015 03:41 AM, Philipp Lorenz wrote:
>> Hi,
>>
>> I've built a snap package which contains a Java installation and some own Java
>> classes. Those are used to get a list of connected USB devices and their
>> information using the usb4java framework and the snap has been configured to run
>> the Java program as a service.
>> Java is running fine so far, but the USB library gets blocked by AppArmor:
>>
>> root at localhost:~# dmesg | tail
>> ...
>> [ 2011.571481] audit: type=1400 audit(1430121893.543:22): apparmor="DENIED"
>> operation="open" profile="rda-watchdog.sideload_rda-watchdog_0.1"
>> name="/sys/bus/" pid=1648 comm="java" requested_mask="r" denied_mask="r" fsuid=0
>> ouid=0
>> [ 2011.571587] audit: type=1400 audit(1430121893.543:23): apparmor="DENIED"
>> operation="open" profile="rda-watchdog.sideload_rda-watchdog_0.1"
>> name="/sys/class/" pid=1648 comm="java" requested_mask="r" denied_mask="r"
>> fsuid=0 ouid=0
>>
>> It seems like the library needs access to a lot of sub-directories of /sys/ in
>> order to find out which USB devices are connected.
>> For granting access to single device nodes, I know there is "snappy hw-assign",
>> but is there also a way to "unblock" the /sys/ directory for reading? Changing
>> the AppArmor profile by hand and compiling it seems to be a bad option since the
>> changes get lost on updates and/or re-installs.
>>
>> Thanks in advance for any help!
>>
> Currently hw-assign allows specifying files in /dev and /sys/devices, but not
> /sys/bus and /sys/class. Can you add this to
> /var/lib/apparmor/profiles/*_rda-watchdog.sideload_rda-watchdog_0.1 (before the
> closing '}'):
>
> /sys/**/ r,
>
> then do:
> $ sudo apparmor_parser -r
> /var/lib/apparmor/profiles/*_rda-watchdog.sideload_rda-watchdog_0.1
>
> then report back if you got farther or new denials?
>
> Note: the above changes won't be preserved on app reinstall/upgrade/etc.
>
> I'd like to understand all the accesses that usb4java is attempting before
> suggesting how to proceed.
>
> Thanks!
>
> PS - please reach out to me in #snappy on Freenode (I'm jdstrand) if you have
> questions.
>
>
>
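As an added example (not part of this email thread, of usb4java, or of snappy), the following Python script does the triage step both messages describe by hand: it parses AppArmor `DENIED` audit lines of the kind quoted from dmesg above, groups them by profile, and emits candidate file rules with the union of the permissions the program asked for, so a packager can see what a snap actually needs before widening the profile. The sample input is constructed: the first two lines are the ones quoted in the thread, the `/dev/bus/usb/...` and `/tmp/hsperfdata_root/` lines are assumed denials of the kind usb4java and the JVM would produce, and the `ALLOWED` line is there to show that non-denials are skipped. The mapping of the log's `c`/`d` masks onto a `w` file permission is also an assumption made for the example.

```python
import re
from collections import defaultdict

# Constructed sample dmesg output. The first two lines are the denials quoted
# in the thread; the remaining lines are assumed examples, not real captures.
SAMPLE_DMESG = """\
[ 2011.571481] audit: type=1400 audit(1430121893.543:22): apparmor="DENIED" operation="open" profile="rda-watchdog.sideload_rda-watchdog_0.1" name="/sys/bus/" pid=1648 comm="java" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 2011.571587] audit: type=1400 audit(1430121893.543:23): apparmor="DENIED" operation="open" profile="rda-watchdog.sideload_rda-watchdog_0.1" name="/sys/class/" pid=1648 comm="java" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 2011.580000] audit: type=1400 audit(1430121893.550:24): apparmor="DENIED" operation="open" profile="rda-watchdog.sideload_rda-watchdog_0.1" name="/dev/bus/usb/001/003" pid=1648 comm="java" requested_mask="rw" denied_mask="w" fsuid=0 ouid=0
[ 2011.590000] audit: type=1400 audit(1430121893.560:25): apparmor="DENIED" operation="mkdir" profile="rda-watchdog.sideload_rda-watchdog_0.1" name="/tmp/hsperfdata_root/" pid=1648 comm="java" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
[ 2011.600000] audit: type=1400 audit(1430121893.570:26): apparmor="ALLOWED" operation="open" profile="other" name="/etc/hosts" pid=99 comm="x" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

# key=value pairs; values are either double-quoted or a bare token.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Canonical order for permission letters in the emitted rule. Assumption for
# this example: the log's "c" (create) and "d" (delete) are covered by "w".
MASK_ORDER = "rwalmkx"
MASK_ALIASES = {"c": "w", "d": "w"}


def parse_audit_line(line):
    """Return the key/value fields of one AppArmor audit line, or None."""
    if 'apparmor="' not in line:
        return None
    return {key: raw.strip('"') for key, raw in KV_RE.findall(line)}


def parse_denials(text):
    """Keep only DENIED events that name a filesystem path."""
    denials = []
    for line in text.splitlines():
        fields = parse_audit_line(line)
        if fields and fields.get("apparmor") == "DENIED" and fields.get("name"):
            denials.append(fields)
    return denials


def normalise_mask(mask):
    """Apply the aliases and order the letters consistently (e.g. 'cr' -> 'rw')."""
    letters = {MASK_ALIASES.get(ch, ch) for ch in mask}
    ordered = [ch for ch in MASK_ORDER if ch in letters]
    ordered += sorted(letters - set(MASK_ORDER))  # keep unexpected letters visible
    return "".join(ordered)


def suggest_rules(denials, broaden=False):
    """Map profile name -> sorted list of candidate AppArmor file rules.

    Each path gets the union of the permissions the program requested for it
    (requested_mask, falling back to denied_mask). With broaden=True a denied
    directory additionally gets a '**' rule for its contents, which is the
    shape of the rules the thread's author ended up writing by hand; the
    literal directory rule is kept as well so the directory open itself is
    covered independently of the glob.
    """
    wanted = defaultdict(lambda: defaultdict(set))
    for fields in denials:
        mask = fields.get("requested_mask") or fields.get("denied_mask", "")
        wanted[fields["profile"]][fields["name"]].update(mask)
    rules = {}
    for profile, paths in wanted.items():
        out = []
        for path, letters in paths.items():
            mask = normalise_mask("".join(letters))
            out.append(f"{path} {mask},")
            if broaden and path.endswith("/"):
                out.append(f"{path}** {mask},")
        rules[profile] = sorted(out)
    return rules


if __name__ == "__main__":
    for profile, rules in suggest_rules(parse_denials(SAMPLE_DMESG), broaden=True).items():
        print(f"# candidate rules for profile {profile}")
        for rule in rules:
            print("  " + rule)
```

The output is a starting point for review, not a profile to paste in: a path like `/dev/bus/usb/001/003` is one concrete device and is the kind of access the thread says `hw-assign` is meant for, while `/sys/bus/` and `/sys/class/` are the reads that `hw-assign` could not grant at the time and that the final profile above widened to `/sys/bus/** r,` and `/sys/class/** r,`.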