<div dir="ltr"><div>" Then install it and use 'snappy hw-assign' to give access to the device to your snap." </div>Is that "snappy hw-assign" necessary after every installation? </div><div class="gmail_extra"> <div class="gmail_quote">On Fri, Oct 30, 2015 at 6:58 PM, Jamie Strandboge <<a href="mailto:jamie@canonical.com" target="_blank">jamie@canonical.com</a>> wrote: <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On 10/30/2015 12:08 PM, Gábor Paller wrote: > "This is an old yaml format and the policy vendor and version you are using > indicate this is from tools from before the 15.04 release (and there was a lot > of snappy activity prior to release)." > > I ran the new packaging tool and it generated an apparmor file like this: > { > "template": "default", > "policy_groups": [ > "networking" > ], > "policy_vendor": "ubuntu-core", > "policy_version": 15.04 > } > > It would be tempting to insert my read_path and write_path statements like > previously except that the packaging tool always overwrites this file whenever I > generate the package. Right, you aren't specifying the security policy correctly. The json file you are using is not how security policy is defined and you should be using the meta/package.yaml file instead and remove the .apparmor files you currently have (also, this intermediate json file is present for historical reasons and is currently in the process of being removed). Eg: <a href="http://bazaar.launchpad.net/~snappy-dev/snappy-hub/snappy-examples/view/head:/python-xkcd-webserver/meta/package.yaml" rel="noreferrer" target="_blank">http://bazaar.launchpad.net/~snappy-dev/snappy-hub/snappy-examples/view/head:/python-xkcd-webserver/meta/package.yaml</a> For your particular case, simply remove any reference to security-* or caps in your binaries and services section and rebuild the snap. This will give you the default policy. Then install it and use 'snappy hw-assign' to give access to the device to your snap. > It may be the limitation of my mental capabilities but a > file like this: > <a href="https://github.com/ubuntu-core/snappy-testdata/blob/master/hello-dbus/package-dir-fwk/meta/svc.apparmor" rel="noreferrer" target="_blank">https://github.com/ubuntu-core/snappy-testdata/blob/master/hello-dbus/package-dir-fwk/meta/svc.apparmor</a> > or this: > <a href="https://github.com/ubuntu-core/snappy-testdata/blob/master/hello-dbus/package-dir-fwk/meta/svc.seccomp" rel="noreferrer" target="_blank">https://github.com/ubuntu-core/snappy-testdata/blob/master/hello-dbus/package-dir-fwk/meta/svc.seccomp</a> > exceeds what I am capable of. > > Is there any way to modify somehow the apparmor file that is generated into my > meta directory and make sure that the packaging tool does not overwrite my changes? > That isn't how it works for the typical cases (see above) and the URLs you gave are for framework snaps with hand-crafted policy. It seems perhaps you are familiar with the out of date tools and instructions; I recommend reading up on the latest documentation here: <a href="http://developer.ubuntu.com/snappy" rel="noreferrer" target="_blank">http://developer.ubuntu.com/snappy</a> That should clear a lot of things up. Also, more documentation updates are pending and should hit the site in the coming weeks. <div class="HOEnZb"><div class="h5"> -- Jamie Strandboge <a href="http://www.ubuntu.com/" rel="noreferrer" target="_blank">http://www.ubuntu.com/</a> </div></div></blockquote></div> </div>