AppArmor not obeying interface rules

Hello!

I am on Ubuntu Core22 on RPI3B+. My snap is accessing a camera with libcamera. I have created a custom interface. With the following in my gadget snap:

  camera-media:
    interface: custom-device
    custom-device: camera-media-device
    devices:
      - /dev/media[0-9]*
      - /dev/video[0-9]*
      - /dev/v4l-subdev[0-9]*
    files:
      read:
        - /sys/subsystem/media/devices
        - /sys/bus/media/devices
        - /sys/class/media/devices
        - /sys/bus/usb/devices
        - /run/udev/data/c505:[0-4]*
        - /run/udev/data/c81:[0-9][0-5]*
        - /sys/class/video4linux
        - /dev/media[0-9]*

I have also connected hardware-observe and media-control (although redundant, per the snappy-debug recommendations); however, I still get AppArmor denials:

= AppArmor =
Time: Nov 06 04:22:57
Log: apparmor="ALLOWED" operation="open" profile="snap.ramin-image-stream-copy.ramin-image-stream-copy" name="/run/udev/data/c81:0" pid=1796 comm="ramin-image-str" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
File: /run/udev/data/c81:0 (read)
Suggestions:
* adjust program to use $SNAP_DATA
* adjust program to use /run/shm/snap.$SNAP_NAME.*
* adjust program to use /run/snap.$SNAP_NAME.*
* adjust snap to use snap layouts (https://forum.snapcraft.io/t/snap-layouts/7207)
* add 'hardware-observe' to 'plugs'

= AppArmor =
Time: Nov 06 04:22:57
Log: apparmor="ALLOWED" operation="file_lock" profile="snap.ramin-image-stream-copy.ramin-image-stream-copy" name="/dev/media3" pid=1796 comm="ramin-image-str" requested_mask="k" denied_mask="k" fsuid=0 ouid=0
File: /dev/media3 (write)
Suggestion:
* add 'media-control' to 'plugs'

My snap’s AppArmor profile includes the following:

# some apps also insist on consulting utab
/run/mount/utab r,

"/dev/media[0-9]*" rw,
"/dev/video[0-9]*" rw,
"/dev/v4l-subdev[0-9]*" rw,
"/sys/subsystem/media/devices" r,
"/sys/bus/media/devices" r,
"/sys/class/media/devices" r,
"/sys/bus/usb/devices" r,
"/run/udev/data/c505:[0-4]*" r,
"/run/udev/data/c81:[0-9][0-5]*" r,
"/sys/class/video4linux" r,
"/dev/media[0-9]*" r,
"/sys/kernel/debug/sleep_time" r,

# Allow each snap to access its own folder on the
# ubuntu-save partition, with write permissions.
/var/lib/snapd/save/snap/@{SNAP_INSTANCE_NAME}/ rw,
/var/lib/snapd/save/snap/@{SNAP_INSTANCE_NAME}/** mrwklix,

The only fix so far has been to run my snap in --devmode as AppArmor keeps denying me access to the files. Any help is appreciated.

~Ramin

You need to connect to that plug first.

I have connected to the custom-interface plug using:

snap connect <name-of-snap>:camera-media pi:camera-media

and also made sure to connect to the other plugs such as media-control with:

snap connect <name-of-snap>:media-control

Why exactly is the existing camera interface not enough? AFAIK we test the Ubuntu Core images with libcamera too, so this is surprising (and looking at the source of the current camera interface it seems like the majority of your paths above are already covered by it …

@ogra,

As you said, having the hardware-observe + media-control + camera plugs is sufficient. camera alone brings some udev issues regarding the /dev/media files. However, these plugs, as with my custom interface, only solve the udev side of things for the most part, and AppArmor still denies access. Hence, I created the custom interface, hoping it might solve the issue, which it did not.

With this plug config:

Interface         Plug                                 Slot               Notes
camera            ramin-image-stream:camera            :camera            manual
custom-device     ramin-image-stream:camera-media      -                  -
hardware-observe  ramin-image-stream:hardware-observe  :hardware-observe  manual
media-control     ramin-image-stream:media-control     :media-control     manual
mount-observe     ramin-image-stream:mount-observe     :mount-observe     manual
mount-observe     ramin-image-stream:mount-observe     :mount-observe     manual
...
...
...

I still get the following denials when inspected with snappy-debug running in --devmode:

= AppArmor =
Time: Nov 06 17:09:04
Log: apparmor="ALLOWED" operation="file_lock" profile="snap.ramin-image-stream.ramin-image-stream" name="/dev/media3" pid=1183 comm="python3" requested_mask="k" denied_mask="k" fsuid=0 ouid=0
File: /dev/media3 (write)
Suggestion:
* add 'media-control' to 'plugs'

= AppArmor =
Time: Nov 06 17:09:04
Log: apparmor="ALLOWED" operation="file_lock" profile="snap.ramin-image-stream.ramin-image-stream" name="/dev/media0" pid=1183 comm="python3" requested_mask="k" denied_mask="k" fsuid=0 ouid=0
File: /dev/media0 (write)
Suggestion:
* add 'media-control' to 'plugs'

= AppArmor =
Time: Nov 06 17:09:04
Log: apparmor="ALLOWED" operation="file_lock" profile="snap.ramin-image-stream.ramin-image-stream" name="/dev/media3" pid=1183 comm="python3" requested_mask="k" denied_mask="k" fsuid=0 ouid=0
File: /dev/media3 (write)
Suggestion:
* add 'media-control' to 'plugs'

= AppArmor =
Time: Nov 06 17:09:04
Log: apparmor="ALLOWED" operation="file_lock" profile="snap.ramin-image-stream.ramin-image-stream" name="/dev/media0" pid=1183 comm="python3" requested_mask="k" denied_mask="k" fsuid=0 ouid=0
File: /dev/media0 (write)
Suggestion:
* add 'media-control' to 'plugs'

EDIT: It seems like libcamera is trying to lock the files, but media-control does not allow that.

~Ramin

@ogra,

I was able to get everything resolved using hardware-observe, media-control, camera, and opengl. However, libcamera requires locking at some point on /dev/media[0-9]*.

Commit (#d3d978d) takes care of that as the camera-media definition now has rwk permissions for AppArmor.

Thanks for your help!

~Ramin
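To see why a generated rule set does not cover a logged denial, here is an added example (not code from the thread or from snapd) that parses the snappy-debug log lines above, translates the profile's path globs into regexes, and reports per denial whether any rule matches the path at all and which permission letters it lacks. It assumes AppArmor glob semantics (`**` crosses `/`, `*` and `?` do not, `[..]` is exactly one character) and ignores `{a,b}` alternation and profile includes.

```python
import re

# Constructed samples: two denials and three rules copied from the thread above.
LOG_LINES = [
    'apparmor="ALLOWED" operation="file_lock" profile="snap.ramin-image-stream.ramin-image-stream" '
    'name="/dev/media3" pid=1183 comm="python3" requested_mask="k" denied_mask="k" fsuid=0 ouid=0',
    'apparmor="ALLOWED" operation="open" profile="snap.ramin-image-stream-copy.ramin-image-stream-copy" '
    'name="/run/udev/data/c81:0" pid=1796 comm="ramin-image-str" requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
]
PROFILE_RULES = ['"/dev/media[0-9]*" rw,', '"/run/udev/data/c81:[0-9][0-5]*" r,', '"/sys/class/video4linux" r,']

def glob_to_regex(glob):
    """AppArmor path glob -> anchored regex: ** spans '/', * and ? do not, [..] is one char."""
    out, i = [], 0
    while i < len(glob):
        if glob.startswith("**", i):
            out.append(".*"); i += 2
        elif glob[i] == "*":
            out.append("[^/]*"); i += 1
        elif glob[i] == "?":
            out.append("[^/]"); i += 1
        elif glob[i] == "[":
            j = glob.index("]", i); out.append(glob[i:j + 1]); i = j + 1
        else:
            out.append(re.escape(glob[i])); i += 1
    return re.compile("^" + "".join(out) + "$")

def parse_rule(rule):
    """'"/dev/media[0-9]*" rw,' -> (regex, {'r', 'w'}); {a,b} alternation is not handled."""
    m = re.match(r'\s*"?([^"\s]+)"?\s+([a-zA-Z]+)\s*,', rule)
    return glob_to_regex(m.group(1)), set(m.group(2))

def parse_log(line):
    """Extract key=value and key="value" fields from one AppArmor audit line."""
    return {k: v for k, _, v in re.findall(r'(\w+)=("?)([^"\s]*)\2', line)}

def explain_denials(log_lines, rules):
    """For each denial: does any rule match the path, and which denied perms does the union lack?"""
    parsed = [parse_rule(r) for r in rules]
    report = []
    for line in log_lines:
        f = parse_log(line)
        granted = set().union(*[perms for rx, perms in parsed if rx.match(f["name"])])
        missing = set(f["denied_mask"]) - granted
        status = ("covered" if not missing else "no rule matches path" if not granted
                  else "missing " + "".join(sorted(missing)))
        report.append((f["name"], f["operation"], status))
    return report
```

On these samples the file_lock denial on /dev/media3 comes out as "missing k" (the rule grants only rw), while /run/udev/data/c81:0 matches no rule at all, because `[0-9][0-5]*` requires at least two characters after the colon.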