Configuring Smartcard-Access for snapcraft app

Hello, we have an app that uses pcsc to connect to smartcard readers. This works as long as we don’t try to install via the snap store. If we go through the store the connection attempt fails with errors.

our snap connections look like this:

Interface                 Plug                      Slot                             Notes
audio-playback            our-app:audio-playback    :audio-playback                  -
browser-support           our-app:browser-support   :browser-support                 -
content[gnome-3-28-1804]  our-app:gnome-3-28-1804   gnome-3-28-1804:gnome-3-28-1804  -
content[gtk-3-themes]     our-app:gtk-3-themes      gtk-common-themes:gtk-3-themes   -
content[icon-themes]      our-app:icon-themes       gtk-common-themes:icon-themes    -
content[sound-themes]     our-app:sound-themes      gtk-common-themes:sound-themes   -
desktop                   our-app:desktop           :desktop                         -
desktop-legacy            our-app:desktop-legacy    :desktop-legacy                  -
gsettings                 our-app:gsettings         :gsettings                       -
hardware-observe          our-app:hardware-observe  :hardware-observe                manual
home                      our-app:home              :home                            -
network                   our-app:network           :network                         -
opengl                    our-app:opengl            :opengl                          -
pulseaudio                our-app:pulseaudio        -                                -
raw-usb                   our-app:raw-usb           :raw-usb                         manual
unity7                    our-app:unity7            :unity7                          -
wayland                   our-app:wayland           :wayland                         -
x11                       our-app:x11               :x11                             -

But the access still doesn’t work.

I would very much appreciate learning what we must do to make it work.

you can either include pcscd in your snap or you can use my pcsc-daemon snap, which provides a content interface that can be utilized by your snap:

here is an example consumer snap:

(sources for both are:

and https://github.com/ogra1/gscriptor-snap/ )

Oh wow, thanks for building this… we will try it out. But one thing I notice immediately is that there is no license defined. Can we… just use it?

whoops, sorry, fixed …

Wish it was MIT … hehe but yeah this will give us good pointers so we can learn from it anyway.

well, pcscd is GPL3+ … acsccid (the drivers shipped in the snap) are LGPL2.1+ … not much I can do here …

So I set your snap as a dependency in our app like this:

 pcscd:
     interface: content
     content: pcscd-socket
     target: $SNAP_COMMON/pcscd
     default-provider: pcsc-daemon

This leads to pcsc-daemon being installed along with our app.

I then continued to connect our app to the socket like this:

 sudo snap connect our-app:pcscd pcsc-daemon:socket

But it doesn’t work, and I see this in my logs (as soon as our app tries to access pcsc):

Dec 20 14:27:02 ubuntu-i7 kernel: [ 1919.101019] audit: type=1400 audit(1640006822.278:198): apparmor="DENIED" operation="connect" profile="snap.our-app.our-app" name="/run/pcscd/pcscd.comm" pid=7207 comm="our-app-cli" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=0

How can I resolve this issue?

I don’t know why pcsc-gscriptor works with an almost identical setup … I suppose autoconnecting the interfaces also does something to the permissions.

By the way, there are other threads on this forum addressing similar issues, but they are not solved in a way that is feasible for us. We don’t want to ship pcsc-daemon or any drivers for licensing reasons.

I think my problem is that the app is trying to access the pcscd socket at /run/pcscd/pcscd.comm instead of /var/snap/pcsc-daemon/common/pcscd (aka $SNAP_COMMON/pcscd.comm).

I am now trying to find out why this is. Any help is greatly appreciated…

Ok I finally understand how the others do it. They compile their own versions of the libraries but change the socket path.

For example @ogra does it here: https://github.com/ogra1/pcsc-daemon-snap/blob/43fc170bfdf35105eb3a9f3dcba9c238963c0682/snap/snapcraft.yaml#L86

That’s the beauty of OSS… if you can use it.

Sorry if this gets boring as I document my learning journey here, but if I include the content interface of another snap, does it mean that when I run my snap, LD_LIBRARY_PATH gets replaced inside my app’s sandbox so that the application loader will automatically find the library you have compiled for your snap?

In other words: Will my app loader load your snap’s dynamic lib instead of the default one that Linux/Ubuntu has installed?

Because if not, then I cannot use your socket, can I? Because I still load the default lib and then it wants to access /run/pcscd/pcscd.comm.

Content interfaces do not automatically change the LD_LIBRARY_PATH, you need to set that in your snap manually

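Added example (not part of the original thread, and not code from any of the snaps discussed): a small Python helper that reads an AppArmor denial like the one quoted above and checks whether the denied path lies inside the snap's content plug target. It assumes $SNAP_COMMON expands to /var/snap/<snap>/common for the consuming snap and that the socket keeps its file name inside the shared directory; the function names are illustrative.

```python
import re
from pathlib import PurePosixPath

# Constructed sample: the denial line quoted earlier in this thread.
SAMPLE = ('Dec 20 14:27:02 ubuntu-i7 kernel: [ 1919.101019] audit: type=1400 '
          'audit(1640006822.278:198): apparmor="DENIED" operation="connect" '
          'profile="snap.our-app.our-app" name="/run/pcscd/pcscd.comm" pid=7207 '
          'comm="our-app-cli" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=0')

# key=value pairs; values are either double-quoted or bare tokens.
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_denial(line):
    """Return the fields of an AppArmor DENIED audit record, or None."""
    fields = {key: quoted or bare for key, quoted, bare in FIELD.findall(line)}
    return fields if fields.get("apparmor") == "DENIED" else None

def snap_of(profile):
    """'snap.<snap>.<app>' -> snap name; None for non-snap profiles."""
    parts = profile.split(".")
    return parts[1] if len(parts) >= 3 and parts[0] == "snap" else None

def diagnose(line, plug_targets):
    """Compare the denied path with the snap's content plug targets."""
    d = parse_denial(line)
    snap = snap_of(d.get("profile", "")) if d else None
    if snap is None or "name" not in d:
        return None
    # Assumption: $SNAP_COMMON is /var/snap/<snap>/common for the consumer.
    shared = [PurePosixPath(t.replace("$SNAP_COMMON", f"/var/snap/{snap}/common"))
              for t in plug_targets]
    denied = PurePosixPath(d["name"])
    covered = any(s == denied or s in denied.parents for s in shared)
    return {"snap": snap, "path": str(denied),
            "operation": d.get("operation"), "mask": d.get("denied_mask"),
            "inside_content_target": covered,
            # Where the client library would have to look instead (assumed name).
            "candidates_in_target": [str(s / denied.name) for s in shared]}

if __name__ == "__main__":
    print(diagnose(SAMPLE, ["$SNAP_COMMON/pcscd"]))
```

For the denial in this thread the result has inside_content_target set to False: the client library is still dialing /run/pcscd/pcscd.comm, which the content plug does not cover.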