Classic confinement for Charta app (smartcard reader)

Hi,
I developed Charta, a cross-platform (Electron) app which lets smartcard developers like me send APDUs to a smartcard with a PCSC/CCID USB reader.

I can confirm this app works in debug mode and with the binary executable, but when using a snap package it cannot access USB smartcard readers.

I ask the admins of this section to enable classic confinement for my app
https://snapcraft.io/charta

Let me know if you need more info.
Thank you.

Lewix

Hi! Thanks for the request. What exactly fails when strictly confined? You can use snappy-debug as detailed in the “Identifying missing interfaces” section of the debugging documentation.
If you use devmode rather than classic what errors occur in snappy-debug?

Hi!
Thank you for your fast reply

snappy-debug shows me this output

= AppArmor =
Time: Dec 19 17:03:00
Log: apparmor="DENIED" operation="dbus_method_call" bus="system" path="/" interface="org.freedesktop.DBus.ObjectManager" member="GetManagedObjects" mask="send" name="org.bluez" pid=4120 label="snap.charta.charta"
DBus access

= AppArmor =
Time: Dec 19 17:03:02
Log: apparmor="DENIED" operation="connect" profile="snap.charta.charta" name="/run/pcscd/pcscd.comm" pid=4242 comm="charta" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=0
File: /run/pcscd/pcscd.comm (write)
Suggestions:

  • adjust program to use $SNAP_DATA
  • adjust program to use /run/shm/snap.$SNAP_NAME.*
  • adjust program to use /run/snap.$SNAP_NAME.*
  • adjust snap to use snap layouts (Snap layouts)

Could you help me understand what I’m missing or doing wrong?
It seems related to the system pcscd daemon, needed by Charta to communicate via USB with smartcards.
Thank you again.

Lewix
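
An added example, not part of the original posts: a small Python script that parses AppArmor denial lines like the two snappy-debug printed above and groups them per snap, separating the org.bluez D-Bus call from the connect to the pcscd socket. The log sample is constructed from the lines in the post (the ALLOWED line is invented for contrast), and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: the two denials from the post plus one invented ALLOWED line.
SAMPLE_LOG = '''\
apparmor="DENIED" operation="dbus_method_call" bus="system" path="/" interface="org.freedesktop.DBus.ObjectManager" member="GetManagedObjects" mask="send" name="org.bluez" pid=4120 label="snap.charta.charta"
apparmor="DENIED" operation="connect" profile="snap.charta.charta" name="/run/pcscd/pcscd.comm" pid=4242 comm="charta" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=0
apparmor="ALLOWED" operation="open" profile="snap.charta.charta" name="/etc/hosts" pid=4242 comm="charta" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
'''

# key="quoted value" or key=bare. Curly quotes are accepted as well because
# forum software often rewrites the straight quotes of pasted logs.
FIELD_RE = re.compile(r'(\w+)=(?:["“”]([^"“”]*)["“”]|(\S+))')


def parse_fields(line):
    """Return the key/value pairs of one AppArmor audit line as a dict."""
    return {key: quoted or bare for key, quoted, bare in FIELD_RE.findall(line)}


def summarize_denials(log_text, snap_name):
    """Group DENIED entries for one snap into D-Bus calls and path accesses."""
    prefix = f"snap.{snap_name}."
    summary = defaultdict(set)
    for line in log_text.splitlines():
        f = parse_fields(line)
        if f.get("apparmor") != "DENIED":
            continue
        # In the lines above, the path denial names the snap in profile=
        # and the D-Bus denial names it in label=.
        if not (f.get("profile") or f.get("label", "")).startswith(prefix):
            continue
        if f.get("operation", "").startswith("dbus_"):
            summary["dbus"].add((f.get("bus", ""), f.get("name", ""),
                                 f.get("interface", ""), f.get("member", "")))
        else:
            summary["path"].add((f.get("operation", ""), f.get("name", ""),
                                 f.get("denied_mask", "")))
    return {kind: sorted(items) for kind, items in summary.items()}


if __name__ == "__main__":
    for kind, items in summarize_denials(SAMPLE_LOG, "charta").items():
        for item in items:
            print(kind, *item)
```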

looks like this is very similar to

Thank you @ogra,
so do you confirm that, for apps using the pcscd daemon, classic mode is required?
Did you successfully publish your app in classic mode, approved by snapcraft staff?

Lewix

no, the opposite … see the other discussion … there are also other threads about pcscd in this forum, the search function is really helpful :wink:

Mmm yes, I know the search function in forums :grin: I was too optimistic, I hoped you had found a way to use pcscd in a snap. Sorry, I wrote while I was following my little daughter, I will check what @glasen77 did.

Thanks!

I’ve packaged my application together with the PC/SC-daemon. It’s a workaround because there is no interface for the card-daemon yet.

I think we have two options here:

  1. pursue new interface for working with smart cards - I claim ignorance here and would need someone with hardware and some know-how to tell me how those are exposed in Linux first
  2. pursue classic confinement

Traditionally we would lean towards 1) because interfaces are typically not that hard to add and using an interface over classic confinement is really beneficial for the application developer. Making classic snaps is very difficult in practice.

Can you tell me what PC/SC-daemon needs to access to operate? I already noticed a socket in /run but is there something else? How would the presence of the daemon inside your snap affect someone who already has that daemon running as a part of their IT setup / distribution (I assume that would be common for users of smart cards)?

Well, per the other post, it is possible to ship the PC/SC-daemon as the other snap does. Classic is not required. An interface could help people, but there is no guarantee that the PC/SC-daemon will be running on the classic distro system, so it makes some sense to ship it in the snap.

Yes but it’s a kind of thing where I would expect the workstation to handle the daemon side since you are already probably using it for authentication. Smart cards smell of enterprise Fortune 500 companies and I think it would make sense to click into that rather than trying to ship it in a snap.

I don’t oppose being able to ship the daemon there but I think that’s a separate and lower priority project.

@lewix - from what I can see above charta will ship its own pc/sc daemon so there is no need for classic confinement for this snap - so I am removing this request for classic confinement for charta from our internal queue.