Access camera with OpenCV over /dev/video0

Gocarlos · July 27, 2017, 6:05pm

I’m trying to change the confinement of my app to strict.
However, I haven’t found a Interface so far, which allows me to access the /dev/video0 which is used by OpenCV to acess the camera.

My app crashes after start due to this I think.

Jul 27 19:47:52 gocarlos-h760 kernel: [ 6135.010058] audit: type=1400 audit(1501177672.218:818): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="snap.openmapper-desktop.openmapper" pid=12265 comm="apparmor_parser"
Jul 27 19:47:52 gocarlos-h760 kernel: [ 6135.133607] audit: type=1400 audit(1501177672.342:819): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/snap/core/2462/usr/lib/snapd/snap-confine" pid=12271 comm="apparmor_parser"
Jul 27 19:47:52 gocarlos-h760 kernel: [ 6135.161081] audit: type=1400 audit(1501177672.370:820): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/snap/core/2462/usr/lib/snapd/snap-confine//mount-namespace-capture-helper" pid=12271 comm="apparmor_parser"
Jul 27 19:47:52 gocarlos-h760 kernel: [ 6135.165166] audit: type=1400 audit(1501177672.374:821): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="snap.core.hook.configure" pid=12273 comm="apparmor_parser"
Jul 27 19:49:36 gocarlos-h760 kernel: [ 6239.349303] audit: type=1400 audit(1501177776.458:822): apparmor="DENIED" operation="capable" profile="/snap/core/2462/usr/lib/snapd/snap-confine" pid=12697 comm="snap-confine" capability=4  capname="fsetid"
Jul 27 19:49:41 gocarlos-h760 kernel: [ 6244.011609] audit: type=1400 audit(1501177781.117:823): apparmor="DENIED" operation="create" profile="snap.openmapper-desktop.openmapper" pid=12697 comm="OpenMapperDeskt" family="netlink" sock_type="raw" protocol=15 requested_mask="create" denied_mask="create"
Jul 27 19:49:44 gocarlos-h760 kernel: [ 6247.649293] audit: type=1400 audit(1501177784.752:824): apparmor="DENIED" operation="open" profile="snap.openmapper-desktop.openmapper" name="/dev/video0" pid=12697 comm="OpenMapperDeskt" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

Is there a solution for that or will it only work with the confinement classic?

PS: I’m already using the interface ‘camera’, my snapcraft for reference

ogra · July 27, 2017, 7:05pm

did you actually connect the camera interface after installing your strict snap (not sure if it is autoconnected, “snap interfaces” should tell you)

also, the netlink stuff is supported by the network-control interface i think … and fsetid should be usable via account-control

jdstrand · July 27, 2017, 7:47pm

You can ignore the fsetid-- it is coming from snap-confine, not the snap (it is also something I am looking into).

Gocarlos · July 28, 2017, 9:25am

I did not know, that I have to connect to the camera.

I was surprised that the only way to connect to the camera is by running some terminal commands:

sudo snap connect openmapper-desktop:camera core:camera

this is not user friendly at all, (use case: user installs App over software center and then has to connect the camera via terminal?!?)

Nevertheless I tried to connect the camera, but it seems like there are some more bugs in the snapcraft, before connecting the camera, Apparmor tells me that I cannot access

 /dev/video0

now it after connecing to the camera, it says that I cannot access

 /sys/devices/pci0000:00/0000:00:14.0/usb1/1-10/1-10:1.0/video4linux/video0/dev

Is there a solution in the future which is more user friendly than using terminal commands.

jdstrand · July 28, 2017, 1:51pm

In terms of user-friendliness, this is being worked on: Connecting plugs and slots in a GUI

In terms of the denied access, that is a bug in the interface. I’ll send up a PR for that.

Gocarlos · July 28, 2017, 9:47pm

@jdstrand Should i open an issue for that?

jdstrand · July 31, 2017, 1:59pm

Typically yes, but I’ve already submitted a PR for it: https://github.com/snapcore/snapd/pull/3634 so no need this time.

Gocarlos · July 31, 2017, 4:59pm

@jdstrand thanks for the quick fix for this problem.

Do you know roughly when this is be out to the users? Or in other words, will this be release soon to the snapd stable version?

jdstrand · July 31, 2017, 5:30pm

I’m not on the snapd release team. As of right now, that PR is not merged. I was hoping it would be available in 2.27, which is the next version. @mvo, can you comment on when 2.27 will be released?

jdstrand · August 8, 2017, 12:17pm

FYI, this apparmor fix will be in 2.27.

niemeyer · August 8, 2017, 6:13pm

We’re aiming to have 2.27 out next week.

@Gocarlos In addition to what @jdstrand pointed out above, note that you can connect the camera more easily from the terminal by just running:

snap connect yoursnap:camera

Gocarlos · August 8, 2017, 6:35pm

Thanks for solving this issue that quick.

Do you have any plans to provide a gui foe users or api for developers (trigger popup like when sudo rights are needed), to change this? As far as I understood, there are plans to integrate the connection to the software store, but I’ve nod heard so far about a terminal free solution for after the installation.

niemeyer · August 8, 2017, 6:45pm

Both of those things are planned. The GUI will be in gnome-software itself, so any user will be able to tune without the terminal. This work is already in progress. In addition to that, there are also plans to have the snap itself being able to tell the user that the interface is disconnected and needs connecting. That will be done inside the snap by calling some subcommand in snapctl. This part is unscheduled right now.