Receiving a USB device list with libusb4java fails due to AppArmor

Philipp Lorenz p.lorenz at mwaysolutions.com
Tue Apr 28 07:24:48 UTC 2015


Hi Jamie,

thank you for responding!
I figured out the following AppArmor rules for usb4java:

   /dev/bus/usb/** rw,
   /sys/class/** r,
   /sys/bus/** r,
   /sys/devices/** r,
   /run/udev/** r,

For now, I solved my problem by putting this AppArmor profile into the 
snap (as suggested by Sergio Schvezov) and it gets installed without any 
problems. However maybe those directories should be assignable by hw-assign?

Additionally, Java (without usb4java) also requests access to these items:

   /etc/writable/timezone (timezone information file, opened for reading)
   /tmp/hsperfdata_root (directory, will be created for Java performance 
data - needs recursive write access - the location is hard coded and 
cannot be changed)

The JVM also runs without having access to them, but I guess the 
timezone will be needed for proper working with dates and the hsperfdata 
directory is needed for performance improvements, so those should maybe 
be added to the default AppArmor profile?

Thanks again!
Philipp

On 27.04.2015 at 20:04, Jamie Strandboge wrote:
> On 04/27/2015 03:41 AM, Philipp Lorenz wrote:
>> Hi,
>>
>> I've built a snap package which contains a Java installation and some Java
>> classes of my own. Those are used to get a list of connected USB devices and their
>> information using the usb4java framework and the snap has been configured to run
>> the Java program as a service.
>> Java is running fine so far, but the USB library gets blocked by AppArmor:
>>
>> root at localhost:~# dmesg | tail
>> ...
>> [ 2011.571481] audit: type=1400 audit(1430121893.543:22): apparmor="DENIED" operation="open" profile="rda-watchdog.sideload_rda-watchdog_0.1" name="/sys/bus/" pid=1648 comm="java" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
>> [ 2011.571587] audit: type=1400 audit(1430121893.543:23): apparmor="DENIED" operation="open" profile="rda-watchdog.sideload_rda-watchdog_0.1" name="/sys/class/" pid=1648 comm="java" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
>>
>> It seems like the library needs access to a lot of sub-directories of /sys/ in
>> order to find out which USB devices are connected.
>> For granting access to single device nodes, I know there is "snappy hw-assign",
>> but is there also a way to "unblock" the /sys/ directory for reading? Changing
>> the AppArmor profile by hand and compiling it seems to be a bad option since the
>> changes get lost on updates and/or re-installs.
>>
>> Thanks in advance for any help!
>>
> Currently hw-assign allows specifying files in /dev and /sys/devices, but not
> /sys/bus and /sys/class. Can you add this to
> /var/lib/apparmor/profiles/*_rda-watchdog.sideload_rda-watchdog_0.1 (before the
> closing '}'):
>
>   /sys/**/ r,
>
> then do:
> $ sudo apparmor_parser -r
> /var/lib/apparmor/profiles/*_rda-watchdog.sideload_rda-watchdog_0.1
>
> then report back if you got farther or new denials?
>
> Note: the above changes won't be preserved on app reinstall/upgrade/etc.
>
> I'd like to understand all the accesses that usb4java is attempting before
> suggesting how to proceed.
>
> Thanks!
>
> PS - please reach out to me in #snappy on Freenode (I'm jdstrand) if you have
> questions.
>
>
>

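The workflow in this thread is the usual AppArmor one: run the confined program, collect the apparmor="DENIED" audit records from dmesg, turn each one into a file rule, paste the rules before the closing '}' of the profile, reload with apparmor_parser -r and repeat until the denials stop. The script below automates the first step. It is an added example and not code from the thread, from snappy or from usb4java: it parses audit records of the form quoted above into candidate rules for the reported profile, merges the permission masks for each path, and maps the audit-only mask letters "c" (create) and "d" (delete) to "w", which is what the rule needs. The sample input is constructed: the first two records are the two denials quoted in the thread, the other two (the USB device node and the /tmp/hsperfdata_root directory) are hypothetical records written in the same format, and the generalisation of numeric path components to "*" is my own heuristic, not something AppArmor does.

```python
"""Turn AppArmor "DENIED" audit records into candidate profile rules.

Added example, not code from the thread, snappy or usb4java. The sample
below is constructed: two records copied from the thread plus two
hypothetical ones (device node, hsperfdata directory) in the same format.
"""
import re
from collections import defaultdict

# Constructed sample dmesg output, one audit record per line. The last
# record is not a denial and must be ignored by the parser.
SAMPLE_DMESG = """\
[ 2011.571481] audit: type=1400 audit(1430121893.543:22): apparmor="DENIED" operation="open" profile="rda-watchdog.sideload_rda-watchdog_0.1" name="/sys/bus/" pid=1648 comm="java" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 2011.571587] audit: type=1400 audit(1430121893.543:23): apparmor="DENIED" operation="open" profile="rda-watchdog.sideload_rda-watchdog_0.1" name="/sys/class/" pid=1648 comm="java" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 2012.000001] audit: type=1400 audit(1430121894.000:24): apparmor="DENIED" operation="open" profile="rda-watchdog.sideload_rda-watchdog_0.1" name="/dev/bus/usb/001/002" pid=1648 comm="java" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
[ 2012.000002] audit: type=1400 audit(1430121894.001:25): apparmor="DENIED" operation="mkdir" profile="rda-watchdog.sideload_rda-watchdog_0.1" name="/tmp/hsperfdata_root/" pid=1648 comm="java" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
[ 2012.000003] audit: type=1400 audit(1430121894.002:26): apparmor="ALLOWED" operation="open" profile="other" name="/etc/hosts" pid=1 comm="x" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

# key="quoted value" or key=bareword, as printed by the audit subsystem
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# canonical order for AppArmor file permission letters
_MASK_ORDER = "rwalkm"


def parse_denials(text):
    """Return one dict of audit fields per apparmor="DENIED" record with a name."""
    records = []
    for line in text.splitlines():
        fields = {key: quoted or bare for key, quoted, bare in _KV.findall(line)}
        if fields.get("apparmor") == "DENIED" and "name" in fields:
            records.append(fields)
    return records


def normalize_mask(mask):
    """Map an audit denied_mask to rule permissions.

    "c" (create) and "d" (delete) only appear in audit records; a rule has
    to grant "w" for them. Unknown letters (e.g. "x") are dropped so that
    an exec rule is never emitted without its ix/px/ux qualifier.
    """
    letters = set()
    for ch in mask:
        if ch in "cd":
            letters.add("w")
        elif ch in _MASK_ORDER:
            letters.add(ch)
    return "".join(ch for ch in _MASK_ORDER if ch in letters)


def generalize(path):
    """Heuristic: replace purely numeric components (bus/device numbers) with '*'."""
    return "/".join("*" if part.isdigit() else part for part in path.split("/"))


def suggest_rules(denials, widen=True):
    """Group denials by profile and merge masks per path. Returns {profile: [rule, ...]}."""
    perms = defaultdict(lambda: defaultdict(set))
    for record in denials:
        path = generalize(record["name"]) if widen else record["name"]
        perms[record["profile"]][path].update(normalize_mask(record["denied_mask"]))
    return {
        profile: [
            f"{path} {''.join(ch for ch in _MASK_ORDER if ch in letters)},"
            for path, letters in sorted(paths.items())
        ]
        for profile, paths in perms.items()
    }


def render_fragment(profile, rules):
    """Text to paste before the closing '}' of the profile file under /var/lib/apparmor/profiles."""
    header = f"  # rules derived from AppArmor denials for {profile}\n"
    return header + "".join(f"  {rule}\n" for rule in rules)


if __name__ == "__main__":
    for profile, rules in suggest_rules(parse_denials(SAMPLE_DMESG)).items():
        print(render_fragment(profile, rules))
```

For the constructed sample this prints the four rules /dev/bus/usb/*/* rw, /sys/bus/ r, /sys/class/ r, and /tmp/hsperfdata_root/ w, for the rda-watchdog profile; with widen=False the device rule keeps the exact node path. Treat the output as a starting point, not a finished profile: review every widened path against least privilege before pasting it in, and reload with `sudo apparmor_parser -r` on the profile file as described in the thread. One caveat that is not from the thread but is a fixed HotSpot behaviour: the JVM writes /tmp/hsperfdata_<user> only for its jstat/jps performance counters, and starting it with -XX:-UsePerfData avoids the directory entirely, which is the smaller-privilege alternative to granting write access under /tmp.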