Joystick access for SDL2 apps?

Hi all,

I’m currently struggling with allowing SDL2-based snapped apps to use joysticks. It works in devmode but not in confined mode. The problem seems to be that the SDL2 joystick enumeration routine queries /sys/devices/…/input***/capabilities/ev, which is apparently denied even if the joystick and raw-usb interfaces are enabled.

Is there something I’m missing? Could someone please point me to a working example?

Many thanks in advance
Jacob


There’s also an interface called hid-raw which might help, though IIRC that interface requires a manual approval in the store when it’s first uploaded.

I’ve not yet managed to snap anything and have the joystick work either. Most of these were also SDL2 apps. So I’d welcome a sample working snap too!

It sounds like there is something missing from snapd. With your devmode snap, can you run in a terminal sudo snap install snappy-debug && sudo snappy-debug.security scanlog, then exercise your snap and post the output from snappy-debug? We can then use that to adjust snapd.

Here is the log:

sudo /snap/bin/snappy-debug.security scanlog hatari-emulator
INFO: following '/var/log/syslog'. If have dropped messages, use:
INFO: $ sudo journalctl --output=short --follow --all | sudo snappy-debug.security scanlog
kernel.printk_ratelimit = 0
= AppArmor =
Time: Dec 5 09:21:58
Log: apparmor="DENIED" operation="open" profile="snap.hatari-emulator.hatari" name="/sys/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0C0D:00/input/input1/capabilities/ev" pid=9118 comm="hatari" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /sys/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0C0D:00/input/input1/capabilities/ev (read)
Suggestions:

  • adjust program to not access '/sys/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0C0D:00/input/input1/capabilities/ev'
  • adjust program to not access '/sys/devices/LNXSYSTM:[0-9]/LNXSYBUS:[0-9]/PNP[0-9]C[0-9]D:[0-9]/input/input[0-9]/capabilities/ev'

[…]

= AppArmor =
Time: Dec 5 09:21:58
Log: apparmor="DENIED" operation="open" profile="snap.hatari-emulator.hatari" name="/sys/devices/platform/i8042/serio3/input/input10/capabilities/ev" pid=9118 comm="hatari" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /sys/devices/platform/i8042/serio3/input/input10/capabilities/ev (read)
Suggestions:

  • adjust program to not access '/sys/devices/platform/i8042/serio3/input/input10/capabilities/ev'
  • adjust program to not access '/sys/devices/platform/i[0-9]/serio[0-9]/input/input[0-9]*/capabilities/ev'

= AppArmor =
Time: Dec 5 09:21:58
Log: apparmor="DENIED" operation="open" profile="snap.hatari-emulator.hatari" name="/sys/devices/platform/lis3lv02d/input/input28/capabilities/ev" pid=9118 comm="hatari" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /sys/devices/platform/lis3lv02d/input/input28/capabilities/ev (read)
Suggestions:

  • adjust program to not access '/sys/devices/platform/lis3lv02d/input/input28/capabilities/ev'
  • adjust program to not access '/sys/devices/platform/lis[0-9]*lv[0-9]d/input/input[0-9]/capabilities/ev'

= AppArmor =
Time: Dec 5 09:21:58
Log: apparmor="DENIED" operation="open" profile="snap.hatari-emulator.hatari" name="/sys/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0C0D:00/input/input1/capabilities/ev" pid=9118 comm="hatari" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /sys/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0C0D:00/input/input1/capabilities/ev (read)
Suggestions:

  • adjust program to not access '/sys/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0C0D:00/input/input1/capabilities/ev'
  • adjust program to not access '/sys/devices/LNXSYSTM:[0-9]/LNXSYBUS:[0-9]/PNP[0-9]C[0-9]D:[0-9]/input/input[0-9]/capabilities/ev'

etc…

@jzimm - can you (or anyone who is seeing similar denials) test the following:

  1. add to /var/lib/snapd/apparmor/profiles/snap.hatari-emulator.hatari before the trailing '}':

    /sys/devices/**/input/input[0-9]*/capabilities/ev r,
    
  2. load the updated apparmor policy into the kernel with:

    $ sudo apparmor_parser -r /var/lib/snapd/apparmor/profiles/snap.hatari-emulator.hatari
    
  3. try to use the joystick in your application and report back

Note that if this works, a refresh, remove/install, reboot, etc will regenerate the policy and remove the above rule from the policy.

Thanks!

I tested this without a joystick. This should be the rule:

    /sys/devices/**/input[0-9]*/capabilities/* r,

@jzimm (or anyone else who sees the same issue), can you test with this rule instead?

https://github.com/snapcore/snapd/pull/4359 has the needed changes I identified. I’ll adjust as necessary depending on feedback here.

I confirm that it works with the apparmor rule manually added.

Thanks! This is now merged into master and finding its way to 2.30.
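
To check a candidate rule against collected denials before editing a profile, the following added example (not from the thread or from snapd) parses "Log:" lines in the format shown above and lists the denied paths that each of the two proposed rules would still leave uncovered. The glob translation is a simplified approximation of AppArmor path matching, and the abs and uevent sample lines are constructed for contrast.

```python
import re

# "Log:" line format as printed in the thread; only the path varies.
LINE_FMT = ('Log: apparmor="DENIED" operation="open" '
            'profile="snap.hatari-emulator.hatari" name="{}" pid=9118 '
            'comm="hatari" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0')
SAMPLE_LOG = "\n".join(LINE_FMT.format(p) for p in [
    # Paths posted in the thread:
    "/sys/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0C0D:00/input/input1/capabilities/ev",
    "/sys/devices/platform/i8042/serio3/input/input10/capabilities/ev",
    "/sys/devices/platform/lis3lv02d/input/input28/capabilities/ev",
    # Constructed for contrast (not from the thread):
    "/sys/devices/platform/i8042/serio3/input/input10/capabilities/abs",
    "/sys/devices/platform/i8042/serio3/input/input10/uevent",
])
RULE_EV_ONLY = "/sys/devices/**/input/input[0-9]*/capabilities/ev"   # first proposal
RULE_ALL_CAPS = "/sys/devices/**/input[0-9]*/capabilities/*"         # second proposal
DENIAL_RE = re.compile(r'apparmor="DENIED".*?profile="(?P<profile>[^"]+)"'
                       r'.*?name="(?P<name>[^"]+)".*?denied_mask="(?P<mask>[^"]+)"')

def glob_to_regex(glob):
    """Simplified AppArmor glob: '**' crosses '/', while '*' and '?' do not."""
    out, i = [], 0
    while i < len(glob):
        if glob.startswith("**", i):
            out.append(".*"); i += 2
        elif glob[i] == "*":
            out.append("[^/]*"); i += 1
        elif glob[i] == "?":
            out.append("[^/]"); i += 1
        elif glob[i] == "[":                      # character class, copied as-is
            j = glob.index("]", i)
            out.append(glob[i:j + 1]); i = j + 1
        else:
            out.append(re.escape(glob[i])); i += 1
    return re.compile("".join(out) + r"\Z")

def parse_denials(text):
    """Return one dict (profile, name, mask) per DENIED line."""
    return [m.groupdict() for m in map(DENIAL_RE.search, text.splitlines()) if m]

def uncovered(denials, rule_glob, perms):
    """Denied paths the rule would NOT allow with the given permission letters."""
    rx = glob_to_regex(rule_glob)
    return [d["name"] for d in denials
            if not (rx.match(d["name"]) and set(d["mask"]) <= set(perms))]

if __name__ == "__main__":
    found = parse_denials(SAMPLE_LOG)
    for rule in (RULE_EV_ONLY, RULE_ALL_CAPS):
        print(rule, "->", uncovered(found, rule, "r"))
```

A path that stays in the uncovered list for every candidate rule is one the rule does not grant, which is also a quick way to confirm a rule is no broader than intended.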