How to access some files in "/sys" and "/run"?


#1

I’m trying to build a confined snap for the application “AusweisApp2”. This app can read the RFID tag on the German “Personalausweis” with the help of “pcscd”. Without confinement the snap works perfectly, but with confinement the card reader on the USB port can’t be accessed. I fiddled a bit with my snap’s apparmor profile and the following rules work for the snap:

/run/pcscd/pcscd.comm rw,
/run/udev/data/** r,
/sys/bus/usb/devices/** r,
/sys/devices/** r,

Which interfaces do I have to apply so that the snap can run in a confined context?


#2

The exact apparmor rules applied for each interface can be examined at https://github.com/snapcore/snapd/tree/master/interfaces/builtin

Check out the hardware-observe interface

I doubt this is granted for any interfaces as of now, you may want to request/contribute a pcsc interface or something.


#3

Thank you for the quick answer.

“hardware-observe” does the job. The only problem is now “pcscd”.

I will now write a request for auto-connect to “hardware-observe” and try to get a plug for pcscd into snapd. If this is not possible the snap must be installed in classic-mode.


#4

or you could build pcscd from source in your snap and patch it to use snap compliant dirs by default …
(as an interim solution til that interface exists)


#5

This could be a solution. Is there a snap which I can use as a template?


#6

just add a new part … like:

  pcscd:
    source: https://salsa.debian.org/rousseau/PCSC.git
    plugin: autotools
    override-build: |
      # git apply ../../../pcscd.patch
      snapcraftctl build
    build-packages:
      - libsystemd-dev

do a full snapcraft build with the above so that you get a parts/pcscd/build directory with the original upstream source.

now cd into parts/pcscd/build, make your changes and call git diff >../../../pcscd.patch to create the patch file …

uncomment the git apply ... in snapcraft.yaml and build again, but now with the patch applied …

to update the patch you can now always just repeat doing changes in the parts/pcscd/build dir and use the git diff command to make it take effect in the next build.

(indeed you might probably also want to create an “apps” entry for pcscd to be started as a daemon when your snap is installed, I’ll leave that part to the reader to figure out :wink: )


#7

Thanks. I will try it :slight_smile:


#8

That is asking for trouble! While the idea of patching is fine, it is bad to rely on files existing in a specific location relative to a part’s build directory. Never assume a location unless it is something you directly control. The correct method of patching a part’s source is to add another part to copy the patches into the snap build and then reference them with a known path that you can rely upon:

parts:
  patches:
    source: patches # path relative to the snap’s source (where the snap folder containing snapcraft.yaml lives)
    plugin: dump
    prime: [-*] # we don’t need the patch in the final snap, so remove it

  my-app:
    source: ....
    plugin: ....
    after: [patches]
    override-pull: |
      snapcraftctl pull # run the default pull step first, otherwise there is no source to patch
      git apply $SNAPCRAFT_STAGE/some-patch.diff
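
Putting posts #6 and #8 together, here is an added example of what a complete strictly confined snapcraft.yaml could look like (my own illustration, not code from the thread or from the AusweisApp2 or PCSC projects): the patches part from #8 supplies the patch under a known staged path, the pcscd part from #6 applies it during pull, and an apps entry starts pcscd as a daemon with the hardware-observe plug from #3. The snap name, base, patch file name, install prefix and the claim about what the patch changes are all assumptions to adapt.

```yaml
# Added example, not from the thread. Assumptions: base core18, a patch named
# pcscd-snap-dirs.patch in a "patches" directory next to snapcraft.yaml, and an
# autotools install prefix of /usr (adjust the command path if yours differs).
name: ausweisapp2-example   # hypothetical snap name
base: core18
version: '0.1'
summary: Example of patching a part and running pcscd as a daemon
description: |
  Illustrative only. Shows the patches/dump part pattern and a pcscd part
  that is patched during pull and started as a daemon inside the snap.
grade: devel
confinement: strict

parts:
  # Part 1: copy the patch files into the stage area under a known path.
  patches:
    source: patches          # directory next to snap/snapcraft.yaml
    plugin: dump
    prime: [-*]              # build-time only; keep the patches out of the final snap

  # Part 2: pcscd built from upstream, with the patch applied right after pull.
  pcscd:
    source: https://salsa.debian.org/rousseau/PCSC.git
    plugin: autotools
    after: [patches]         # guarantees $SNAPCRAFT_STAGE holds the patch first
    override-pull: |
      snapcraftctl pull
      # --check first so a patch that no longer applies fails the build early
      # instead of leaving a half-patched tree behind
      git apply --check $SNAPCRAFT_STAGE/pcscd-snap-dirs.patch
      git apply $SNAPCRAFT_STAGE/pcscd-snap-dirs.patch
    build-packages:
      - libsystemd-dev

apps:
  # pcscd runs as a daemon inside the snap. The patch above is assumed to move
  # its socket away from /run/pcscd/pcscd.comm to a snap-writable directory,
  # which is the "snap compliant dirs" change post #4 suggests.
  pcscd:
    command: usr/sbin/pcscd --foreground   # assumption: /usr install prefix
    daemon: simple
    plugs:
      - hardware-observe     # post #3 confirmed this covers reader discovery
```

The `git apply --check` line is the one safety net worth keeping: when upstream moves on and the patch stops applying cleanly, the pull step fails loudly rather than building an unpatched pcscd that silently falls back to the unconfined socket path.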

#9

@daniel:
Thanks. Your example helped me a lot. I already made a patch for the source of AusweisApp2 which prevents multiple qDebug messages from flooding the log. Before your post I had no good idea how to apply this patch. Working with relative paths worked for me but didn’t look very good.