Auto-connect Request for the guvcview-brlin Snap

Lin-Buo-Ren · June 20, 2018, 10:48pm

Dear @reviewers, I would like to request interface auto-connection for https://snapcraft.io/guvcview-brlin .

Interface Name	Reasoning
`hardware-observe`	Avoid crash on launch, seems to be due to the ungraceful error handling when certain sysfs attribute can’t be accessed. (strace)
`camera`	Because the snapped application is a camera viewer/controller, this snap is essentially useless without it

jdstrand · June 29, 2018, 6:37pm

With the camera interface connected and the hardware-observe interface not connected, are there any security policy denials in journalctl at the time of the crash?

Lin-Buo-Ren · June 29, 2018, 6:39pm

Yes:

Jun 30 02:38:47 Lin-Buo-Ren-SSD480 kernel: [12994.744946] audit: type=1400 audit(1530297527.093:23065): apparmor="DENIED" operation="open" profile="snap.guvcview-brlin.guvcview" name="/sys/devices/pci0000:00/0000:00:1a.0/usb1/1-1/1-1.2/1-1.2:1.0/modalias" pid=26171 comm="guvcview" requested_mask="r" denied_mask="r" fsuid=12345 ouid=0
Jun 30 02:38:47 Lin-Buo-Ren-SSD480 kernel: [12994.751274] guvcview[26171]: segfault at 0 ip 00007f5a68350924 sp 00007ffda382b980 error 4 in libc-2.23.so[7f5a68315000+1c0000]
Jun 30 02:38:47 Lin-Buo-Ren-SSD480 kernel: [12994.751305] audit: type=1400 audit(1530297527.099:23066): apparmor="DENIED" operation="open" profile="snap.guvcview-brlin.guvcview" name="/sys/devices/pci0000:00/0000:00:1a.0/usb1/1-1/1-1.2/busnum" pid=26171 comm="guvcview" requested_mask="r" denied_mask="r" fsuid=12345 ouid=0

jdstrand · July 5, 2018, 4:01pm

With the camera interface connected and the hardware-observe interface not connected, can you then modify … to have before the final ‘}’:

/sys/devices/pci[0-9a-f]*/usb*/**/modalias r,
/sys/devices/pci[0-9a-f]*/usb*/**/busnum r,

The run: sudo apparmor_parser -r /var/lib/snapd/apparmor/profiles/snap.guvcview-brlin.guvcview and report back if you see any security policy denials in journalctl at the time of the crash?

Lin-Buo-Ren · July 6, 2018, 6:37am

The apparmor rules doesn’t work and I changed it with:

/sys/devices/pci[0-9a-f:]*/[0-9a-f.:]*/usb*/**/modalias r,
/sys/devices/pci[0-9a-f:]*/[0-9a-f.:]*/usb*/**/busnum r,

There’s still security policy denials before the crash:

Jul  6 14:34:33 _hostname_ kernel: [11715.404616] audit: type=1400 audit(1530858873.807:4577): apparmor="DENIED" operation="open" profile="snap.guvcview-brlin.guvcview" name="/sys/devices/pci0000:00/0000:00:1d.7/usb1/1-7/speed" pid=4310 comm="guvcview" requested_mask="r" denied_mask="r" fsuid=1001 ouid=0
Jul  6 14:34:33 _hostname_ kernel: [11715.407395] audit: type=1400 audit(1530858873.807:4578): apparmor="DENIED" operation="open" profile="snap.guvcview-brlin.guvcview" name="/sys/devices/pci0000:00/0000:00:1d.7/usb1/1-7/devnum" pid=4310 comm="guvcview" requested_mask="r" denied_mask="r" fsuid=1001 ouid=0

Lin-Buo-Ren · July 6, 2018, 7:24am

I appended the rules to allow access of speed and devnum, now the application launches without crashing but with the following security denials:

Jul  6 15:21:59 _host_name_ kernel: [14561.364461] audit: type=1400 audit(1530861719.766:4580): apparmor="DENIED" operation="open" profile="snap.guvcview-brlin.guvcview" name="/sys/devices/virtual/dmi/id/sys_vendor" pid=5353 comm="guvcview" requested_mask="r" denied_mask="r" fsuid=1001 ouid=0
Jul  6 15:21:59 _host_name_ kernel: [14561.364483] audit: type=1400 audit(1530861719.766:4581): apparmor="DENIED" operation="open" profile="snap.guvcview-brlin.guvcview" name="/sys/devices/virtual/dmi/id/sys_vendor" pid=5353 comm="guvcview" requested_mask="r" denied_mask="r" fsuid=1001 ouid=0
Jul  6 15:21:59 _host_name_ kernel: [14561.364504] audit: type=1400 audit(1530861719.766:4582): apparmor="DENIED" operation="open" profile="snap.guvcview-brlin.guvcview" name="/sys/devices/virtual/dmi/id/product_name" pid=5353 comm="guvcview" requested_mask="r" denied_mask="r" fsuid=1001 ouid=0
Jul  6 15:21:59 _host_name_ kernel: [14561.364521] audit: type=1400 audit(1530861719.766:4583): apparmor="DENIED" operation="open" profile="snap.guvcview-brlin.guvcview" name="/sys/devices/virtual/dmi/id/product_name" pid=5353 comm="guvcview" requested_mask="r" denied_mask="r" fsuid=1001 ouid=0
Jul  6 15:21:59 _host_name_ kernel: [14561.364545] audit: type=1400 audit(1530861719.766:4584): apparmor="DENIED" operation="open" profile="snap.guvcview-brlin.guvcview" name="/sys/devices/virtual/dmi/id/product_version" pid=5353 comm="guvcview" requested_mask="r" denied_mask="r" fsuid=1001 ouid=0
Jul  6 15:21:59 _host_name_ kernel: [14561.364564] audit: type=1400 audit(1530861719.766:4585): apparmor="DENIED" operation="open" profile="snap.guvcview-brlin.guvcview" name="/sys/devices/virtual/dmi/id/product_version" pid=5353 comm="guvcview" requested_mask="r" denied_mask="r" fsuid=1001 ouid=0
Jul  6 15:21:59 _host_name_ kernel: [14561.364584] audit: type=1400 audit(1530861719.766:4586): apparmor="DENIED" operation="open" profile="snap.guvcview-brlin.guvcview" name="/sys/devices/virtual/dmi/id/board_vendor" pid=5353 comm="guvcview" requested_mask="r" denied_mask="r" fsuid=1001 ouid=0
Jul  6 15:21:59 _host_name_ kernel: [14561.364601] audit: type=1400 audit(1530861719.766:4587): apparmor="DENIED" operation="open" profile="snap.guvcview-brlin.guvcview" name="/sys/devices/virtual/dmi/id/board_vendor" pid=5353 comm="guvcview" requested_mask="r" denied_mask="r" fsuid=1001 ouid=0
Jul  6 15:21:59 _host_name_ kernel: [14561.364624] audit: type=1400 audit(1530861719.766:4588): apparmor="DENIED" operation="open" profile="snap.guvcview-brlin.guvcview" name="/sys/devices/virtual/dmi/id/board_name" pid=5353 comm="guvcview" requested_mask="r" denied_mask="r" fsuid=1001 ouid=0

jdstrand · July 6, 2018, 12:51pm

Thanks for looking into this and sorry the rule was wrong, these are what I would recommend:

/sys/devices/pci[0-9a-f]**/usb*/**/modalias r,
/sys/devices/pci[0-9a-f]**/usb*/**/busnum r,
/sys/devices/pci[0-9a-f]**/usb*/**/devnum r,
/sys/devices/pci[0-9a-f]**/usb*/**/speed r,

I’ve taken a TODO to look into adding the above to the camera interface (as it happens, I have a uvc camera and the source seems to be available at http://guvcview.sourceforge.net/).

jdstrand · July 6, 2018, 12:55pm

+1 to auto-connect the camera interface since this is a UVC camera application.

For now, -1 on auto-connecting hardware-observe. Perhaps the aforementioned investigation will allow the application to not crash, but in the meantime, I suggest you update your snap to check if you have the necessary access and tell the user to connect the hardware-observe interface if you don’t.

jdstrand · July 6, 2018, 12:56pm

@reviewers - can one/some/all of you vote on the auto-connection request?

popey · July 6, 2018, 12:57pm

+1 to auto-connecting the camera interface for a webcam app.

Wimpress · July 6, 2018, 12:58pm

+1 for auto-connecting the camera interface.

jdstrand · July 6, 2018, 1:18pm

Since 16 days have passed, tallying votes.

3 votes for connecting the camera interface, 0 against. Granting auto-connection of the camera interface. This is now live…

0 votes for connecting hardware-observe, 1 against. Not granting auto-connection of hardware-observe.

jdstrand · August 14, 2018, 1:21pm

These rules have been added to the upcoming 2.35 release.

Lin-Buo-Ren · December 23, 2018, 9:33am

@jdstrand Hello, it seems that guvcview disables the H.264 controls widget after failing access to /run/udev/data/+usb*(allowed by the hardware-observe interface but not the camera interface).

Would you mind to evaluate whether the access can be added to the camera interface?

jdstrand · January 7, 2019, 7:37pm

I’ve added this to look at for the next round of policy updates. Can you paste a representative denial?