Auto-connection request for network-sports-icarus

+1 from me too, for auto-connection of serial-port, as this is required for data input into the network-sports-icarus snap.

+2 votes for, 0 votes against, granting auto-connect of serial-port with greedy plugs - note for this to work best you may want to enable hotplug as well (or if you are using a custom gadget snap which provides the serial-port slot then instead we can look at granting a store declaration for this gadget snap to specify auto-connect for serial-port of network-sports-icarus on the slot side as that would be more specific).

I notice the snap now declares its own serial port slot - this doesn’t make sense as serial-ports can only be provided by gadget snaps (or the system when using hotplug as detailed above). So please remove this serial-port slot and any reference to it (but keep the serial-port plug entry) and it should then pass automated review.

Good day,

Following instructions, I modified the .yaml file and left plugs: [serial-port].

When trying to run the application it crashed, and in the system logs I could see several apparmor DENIED logs. Reading through the forums I was able to clear some apparmor DENIED logs by adding desktop, desktop-legacy, network, network-control plugs etc, etc.

One issue I have is apparmor DENIED for ‘/run/systemd/resolve/resolv.conf’. A suggestion on “How to modify name resolution parameters from a snap?” is to add the plug for system-files, and this requires manual review.

Can I get system-files permissions to pass automatically? @alexmurray

Can you please provide details as to why access to this file is needed and also whether you are requesting permission just to read it or to read/write to it? Thanks.

Also I took a quick look at your latest uploaded snap - to use the system-files interface you can’t just declare plugs: system-files - please take a closer look at the documentation for this interface at The system-files interface.

Instead you need to define a system-files plug for your own snap which declares what file paths are being accessed and what permissions are being used and you need to give that interface a nice user-understandable name - for instance you could use something like the following if you need just read access to this file:

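# Top-level plug definition: the name is free-form, the interface is system-files
plugs:
  run-systemd-resolve-resolve-conf:
    interface: system-files
    read:
      - /run/systemd/resolve/resolv.conf

# The app refers to the plug by name; plugs: is nested under the app entry
apps:
  network-sports-icarus:
    plugs:
      - run-systemd-resolve-resolve-conf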
...

If however you wish to have read+write access then change the read: to write:.

But can you please elaborate on why your snap requires access to this file and for what purpose so we can properly understand this request? Thanks.

Hello @alexmurray,

Thanks for the reply and the example, I appreciate it much. I’m new to snapcraft and learning in the way.

The application needs to access system files because the game is developed in React and mounted in Electron. I believe the services required are used by Chromium; in the link you sent me the example says that “The Firefox, Chromium and Thunderbird snaps use this interface to enable access to system-installed policies to customise each respective application.”

I am using electron-builder; its top-level snap key contains a set of options to build the snap.

I can’t seem to find a way to use the apps: option like your example, but I managed to upload a new snap build configured this way:

plugs:
    - serial-port
    - desktop
    - desktop-legacy
    - home
    - browser-support
    - unity7
    - network
    - network-control
    - chromium:
        interface: system-files
        read:
          - /run/systemd/resolve/stub-resolve.conf
          - /etc/hosts
          - /etc/host.confs
          - /home/darts/.config/dconf/user

Bumping this thread, waiting for a reply.

Ok, so it looks like you are defining your system-files plug correctly now, which is good.

However, I am wondering if you actually need this system-files plug at all:

  1. read access to /run/systemd/resolve/stub-resolv.conf is already provided when plugging network
  2. /etc/hosts and /etc/hosts.conf are not normally required by snaps - can you please show any errors which occur when running your snap for this file?
  3. Finally if you plug the gsettings interface your snap should gain the access for /home/darts/.config/dconf/user.

So in summary: since your snap already plugs network you can remove the /run/systemd/resolve/stub-resolve.conf - and if you plug gsettings you can remove /home/darts/.config/dconf/user - and I suspect /etc/hosts should not actually be required either so please can you provide more info regarding that.
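
A way to triage the AppArmor DENIED lines discussed in this thread, as an added example that is not part of any post: it groups the denials logged for one snap by path and maps the paths named above to the interface the replies say covers them. The log lines are constructed, and the path-to-interface table reflects only what this thread states.

```python
import re
from collections import defaultdict

# Constructed sample in the kernel audit format AppArmor logs denials in.
# Paths come from this thread; pids, timestamps and comm values are made up.
P = 'profile="snap.network-sports-icarus.network-sports-icarus"'
SAMPLE_LOG = "\n".join([
    f'audit: type=1400 audit(1653400000.101:210): apparmor="DENIED" operation="open" {P} name="/run/systemd/resolve/stub-resolv.conf" pid=4242 comm="icarus" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0',
    f'audit: type=1400 audit(1653400000.207:211): apparmor="DENIED" operation="open" {P} name="/home/darts/.config/dconf/user" pid=4242 comm="icarus" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000',
    f'audit: type=1400 audit(1653400001.010:212): apparmor="DENIED" operation="open" {P} name="/dev/ttyS0" pid=4242 comm="icarus" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0',
    f'audit: type=1400 audit(1653400001.015:213): apparmor="DENIED" operation="open" {P} name="/dev/ttyS0" pid=4242 comm="icarus" requested_mask="w" denied_mask="w" fsuid=1000 ouid=0',
    'audit: type=1400 audit(1653400002.000:214): apparmor="DENIED" operation="open" profile="snap.other-snap.app" name="/dev/ttyS0" pid=5000 comm="other" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0',
])

FIELD = re.compile(r'(\w+)=("([^"]*)"|\S+)')  # key=value or key="value"

# Path pattern -> interface this thread names as covering that access.
HINTS = [
    (re.compile(r"^/run/systemd/resolve/stub-resolv\.conf$"), "network"),
    (re.compile(r"^/home/[^/]+/\.config/dconf/user$"), "gsettings"),
    (re.compile(r"^/dev/tty"), "serial-port"),
]

def parse_denials(log, snap):
    """Return {path: set of denied permission chars} for one snap's profiles."""
    out = defaultdict(set)
    for line in log.splitlines():
        f = {m.group(1): m.group(3) if m.group(3) is not None else m.group(2)
             for m in FIELD.finditer(line)}
        if f.get("apparmor") != "DENIED":
            continue
        if not f.get("profile", "").startswith(f"snap.{snap}."):
            continue  # denial belongs to a different snap or profile
        if "name" in f:
            out[f["name"]].update(f.get("denied_mask", ""))
    return dict(out)

def suggest(path):
    """Interface named in the thread for this path, or None if unmapped."""
    return next((iface for pat, iface in HINTS if pat.search(path)), None)

def report(log, snap):
    """Sorted (path, denied mask, suggested interface or None) tuples."""
    return [(p, "".join(sorted(m)), suggest(p))
            for p, m in sorted(parse_denials(log, snap).items())]

if __name__ == "__main__":
    for row in report(SAMPLE_LOG, "network-sports-icarus"):
        print(row)
```

A path that maps to None is one to raise with the reviewers, together with the log line, rather than to add to a system-files plug by default.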

Hey @dguerrero5, could you analyze @alexmurray’s suggestions?

Hello @emitorino, I will check this today, test and reply to the post! :grinning:

Hello @alexmurray and @emitorino,

I changed my snap configuration as suggested. The snap application is not crashing anymore and I was able to run the application on the beta channel.

When I tested, I was not able to register any kind of input using the serial port. When I check the logs, this is the permission denied I am getting. Can you please assist me with what I could be missing? Thanks in advance!

@dguerrero5 have you enabled hotplug support?

Hi @alexmurray

I enabled hotplugs using command $ sudo snap set system experimental.hotplug=true

I still get the same error Permission denied, cannot open /dev/ttyS0

Do I need to do additional configuration like adding slots to the .yaml?

does your app have serial-port defined in plugs: and did you use snap connect ... to connect your app to the hotpluggable slot as described in the hotplug doc?

(also, is your user in the “dialout” group? snap interfaces do not change permissions so if your user cannot write to the interface outside of the snap env, it won’t be able to do that inside either)

Hello @ogra

Thanks for jumping in!

  • I enabled hotplug and rebooted.
  • serial-port is listed in plugs (I’m pasting an image of my .yaml configuration).
  • My user is in the dialout group (I previously did this in order to make it work in devmode).
  • I ran snap interface serial-port and no slots are listed, see image (I assume the slot listed here is the one I would need to snap connect ...).
  • By the way, the device I’m connecting is NOT via USB.


oh, then hotplug won’t help I fear, it currently only works for usb-serial devices I think…

Hello,

I’m still having this issue: running the app from beta in strict confinement gives me a permission denied on the serial port I’m trying to connect to.

If running from the edge channel in --devmode, the serial port works well. Any thoughts on what I could be missing or why I keep getting serial port permission denied?

In devmode, the snap sandbox is effectively disabled so this gives the snap access to the system. In general, the snap system expects a serial port slot to be provided by an appropriate gadget snap - and these are only applicable on Ubuntu Core systems. For classic Ubuntu / other distros there is no standard way for an application level snap to be provided access to a non-hotplugged serial port - whilst you could perhaps use system-files to specify access to the device node on the file-system, the snap would still likely not be able to access it since the device node would not be present in the snap’s device-cgroup.

So since you are not using a hotpluggable serial port, your use-case sounds more like a kiosk-type device on known hardware - in which case I think using Ubuntu Core would be more appropriate and hence then a custom gadget snap which can declare the serial-port slot for this device node would be the best approach.

Hi all, I work with @dguerrero5. All of these suggestions have been great.

Couple of questions:

  • Is there a reason why we can’t be granted classic permissions for our snap? This app isn’t for public consumption. It runs on "off the shelf" desktop motherboards and a custom i/o board from the year one that we didn’t build or know much about.
  • Anyone have contractor hours available to help sort this out?