AppArmor not obeying interface rules

ramindehghan · November 6, 2023, 4:52am

Hello!

I am on Ubuntu Core22 on RPI3B+. My snap is accessing a camera with libcamera. I have created a custom interface. With the following in my gadget snap:

  camera-media:
    interface: custom-device
    custom-device: camera-media-device
    devices:
      - /dev/media[0-9]*
      - /dev/video[0-9]*
      - /dev/v4l-subdev[0-9]*
    files:
      read:
        - /sys/subsystem/media/devices
        - /sys/bus/media/devices
        - /sys/class/media/devices
        - /sys/bus/usb/devices
        - /run/udev/data/c505:[0-4]*
        - /run/udev/data/c81:[0-9][0-5]*
        - /sys/class/video4linux
        - /dev/media[0-9]*

I have also connected hardware-observe and media-control although redundant per snappy-debug recommendations; however, I still get AppArmor denials:

= AppArmor =
Time: Nov 06 04:22:57
Log: apparmor="ALLOWED" operation="open" profile="snap.ramin-image-stream-copy.ramin-image-stream-copy" name="/run/udev/data/c81:0" pid=1796 comm="ramin-image-str" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
File: /run/udev/data/c81:0 (read)
Suggestions:
* adjust program to use $SNAP_DATA
* adjust program to use /run/shm/snap.$SNAP_NAME.*
* adjust program to use /run/snap.$SNAP_NAME.*
* adjust snap to use snap layouts (https://forum.snapcraft.io/t/snap-layouts/7207)
* add 'hardware-observe' to 'plugs'

= AppArmor =
Time: Nov 06 04:22:57
Log: apparmor="ALLOWED" operation="file_lock" profile="snap.ramin-image-stream-copy.ramin-image-stream-copy" name="/dev/media3" pid=1796 comm="ramin-image-str" requested_mask="k" denied_mask="k" fsuid=0 ouid=0
File: /dev/media3 (write)
Suggestion:
* add 'media-control' to 'plugs'

My snap’s AppArmor profile includes the following:

# some apps also insist on consulting utab
/run/mount/utab r,

"/dev/media[0-9]*" rw,
"/dev/video[0-9]*" rw,
"/dev/v4l-subdev[0-9]*" rw,
"/sys/subsystem/media/devices" r,
"/sys/bus/media/devices" r,
"/sys/class/media/devices" r,
"/sys/bus/usb/devices" r,
"/run/udev/data/c505:[0-4]*" r,
"/run/udev/data/c81:[0-9][0-5]*" r,
"/sys/class/video4linux" r,
"/dev/media[0-9]*" r,
"/sys/kernel/debug/sleep_time" r,

# Allow each snaps to access each their own folder on the
# ubuntu-save partition, with write permissions.
/var/lib/snapd/save/snap/@{SNAP_INSTANCE_NAME}/ rw,
/var/lib/snapd/save/snap/@{SNAP_INSTANCE_NAME}/** mrwklix,

The only fix so far has been to run my snap in --devmode as AppArmor keeps denying me access to the files. Any help is appreciated.

~Ramin

soumyaDghosh · November 6, 2023, 8:24am

You need to connect to that plug first.

ramindehghan · November 6, 2023, 9:20am

You need to connect to that plug first.

I have connected to the custom-interface plug using:

snap connect <name-of-snap>:camera-media pi:camera-media

and also made sure to connect to the other plugs such as media-control with:

snap connect <name-of-snap>:media-control

ogra · November 6, 2023, 3:32pm

why exactly is the existing camera interface not enough ? AFAIK we test the ubuntu core images with libcamera too, so this is surprising (and looking at the source of the current camera interface it seems like the majority of your paths above is already covered by it …

ramindehghan · November 6, 2023, 5:16pm

@ogra,

As you said, having the hardware-observe + media-control + camera plugs is sufficient. camera alone brings some udev issues regarding the /dev/media files. However, these plugs, as with my custom interface, only solve the udev side of things for the most part, and AppArmor still denies access. Hence, I created the custom interface, hoping it might solve the issue, which it did not.

With this plug config:

Interface         Plug                                 Slot               Notes
camera            ramin-image-stream:camera            :camera            manual
custom-device     ramin-image-stream:camera-media      -                  -
hardware-observe  ramin-image-stream:hardware-observe  :hardware-observe  manual
media-control     ramin-image-stream:media-control     :media-control     manual
mount-observe     ramin-image-stream:mount-observe     :mount-observe     manual
mount-observe     ramin-image-stream:mount-observe     :mount-observe     manual
...
...
...

I still get the following denials when inspected with snappy-debug running in --devmode:

= AppArmor =
Time: Nov 06 17:09:04
Log: apparmor="ALLOWED" operation="file_lock" profile="snap.ramin-image-stream.ramin-image-stream" name="/dev/media3" pid=1183 comm="python3" requested_mask="k" denied_mask="k" fsuid=0 ouid=0
File: /dev/media3 (write)
Suggestion:
* add 'media-control' to 'plugs'

= AppArmor =
Time: Nov 06 17:09:04
Log: apparmor="ALLOWED" operation="file_lock" profile="snap.ramin-image-stream.ramin-image-stream" name="/dev/media0" pid=1183 comm="python3" requested_mask="k" denied_mask="k" fsuid=0 ouid=0
File: /dev/media0 (write)
Suggestion:
* add 'media-control' to 'plugs'

= AppArmor =
Time: Nov 06 17:09:04
Log: apparmor="ALLOWED" operation="file_lock" profile="snap.ramin-image-stream.ramin-image-stream" name="/dev/media3" pid=1183 comm="python3" requested_mask="k" denied_mask="k" fsuid=0 ouid=0
File: /dev/media3 (write)
Suggestion:
* add 'media-control' to 'plugs'

= AppArmor =
Time: Nov 06 17:09:04
Log: apparmor="ALLOWED" operation="file_lock" profile="snap.ramin-image-stream.ramin-image-stream" name="/dev/media0" pid=1183 comm="python3" requested_mask="k" denied_mask="k" fsuid=0 ouid=0
File: /dev/media0 (write)
Suggestion:
* add 'media-control' to 'plugs'

EDIT: It seems like libcamera is trying to lock the files, but media-control does not allow that.

~Ramin

ramindehghan · November 10, 2023, 3:21am

@ogra,

I was able to get everything resolved using hardware-observe, media-control, camera, and opengl. However, libcamera requires locking at some point on /dev/media[0-9]*.

Commit (#d3d978d) takes care of that as the camera-media definition now has rwk permissions for AppArmor.

Thanks for your help!

~Ramin