<html> <head> <meta content="text/html; charset=windows-1252" http-equiv="Content-Type"> </head> <body bgcolor="#FFFFFF" text="#000000"> Hi Jamie, thank you for responding! I figured out the following AppArmor rules for usb4java: /dev/bus/usb/** rw, /sys/class/** r, /sys/bus/** r, /sys/devices/** r, /run/udev/** r, For now, I solved my problem by putting this AppArmor profile into the snap (as suggested by Sergio Schvezov) and it gets installed without any problems. However maybe those directories should be assignable by hw-assign? Additionally, Java (without usb4java) also requests access to these items: /etc/writable/timezone (timezone information file, opened for reading) /tmp/hsperfdata_root (directory, will be created for Java performance data - needs recursive write access - the location is hard coded and cannot be changed) The JVM also runs without having access to them, but I guess the timezone will be needed for proper working with dates and the hsperfdata directory is needed for performance improvements, so those should maybe be added to the default AppArmor profile? Thanks again! Philipp <div class="moz-cite-prefix">Am 27.04.2015 um 20:04 schrieb Jamie Strandboge: </div> <blockquote cite="mid:553E7A3E.2020206@canonical.com" type="cite"> <pre wrap="">On 04/27/2015 03:41 AM, Philipp Lorenz wrote: </pre> <blockquote type="cite"> <pre wrap="">Hi, I've built a snap package which contains a Java installation and some own Java classes. Those are used to get a list of connected USB devices and their information using the usb4java framework and the snap has been configured to run the Java program as a service. Java is running fine so far, but the USB library gets blocked by AppArmor: root@localhost:~# dmesg | tail ... [ 2011.571481] audit: type=1400 audit(1430121893.543:22): apparmor="DENIED" operation="open" profile="rda-watchdog.sideload_rda-watchdog_0.1" name="/sys/bus/" pid=1648 comm="java" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 [ 2011.571587] audit: type=1400 audit(1430121893.543:23): apparmor="DENIED" operation="open" profile="rda-watchdog.sideload_rda-watchdog_0.1" name="/sys/class/" pid=1648 comm="java" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 It seems like the library needs access to a lot of sub-directories of /sys/ in order to find out which USB devices are connected. For granting access to single device nodes, I know there is "snappy hw-assign", but is there also a way to "unblock" the /sys/ directory for reading? Changing the AppArmor profile by hand and compiling it seems to be a bad option since the changes get lost on updates and/or re-installs. Thanks in advance for any help! </pre> </blockquote> <pre wrap=""> Currently hw-assign allows specifying files in /dev and /sys/devices, but not /sys/bus and /sys/class. Can you add this to /var/lib/apparmor/profiles/*_rda-watchdog.sideload_rda-watchdog_0.1 (before the closing '}'): /sys/**/ r, then do: $ sudo apparmor_parser -r /var/lib/apparmor/profiles/*_rda-watchdog.sideload_rda-watchdog_0.1 then report back if you got farther or new denials? Note: the above changes won't be preserved on app reinstall/upgrade/etc. I'd like to understand all the accesses that usb4java is attempting before suggesting how to proceed. Thanks! PS - please reach out to me in #snappy on Freenode (I'm jdstrand) if you have questions. </pre> <fieldset class="mimeAttachmentHeader"></fieldset> </blockquote> </body> </html>