jzimm
December 4, 2017, 12:13am
1
Hi all,
I’m currently struggling with allowing SDL2-based snapped apps to use joysticks. It works in devmode but not in confined mode. The problem seems to be that the SDL2 joystick enumeration routine queries /sys/devices/…/input***/capabilities/ev, which is apparently denied even if the joystick and raw-usb interfaces are enabled.
Is there something I’m missing? Could someone please point me to a working example?
Many thanks in advance
Jacob
there’s also an interface called hid-raw which might help, though IIRC that interface requires a manual approval in the store when it’s first uploaded.
popey
December 4, 2017, 10:00am
3
I’ve not yet managed to snap anything and have the joystick work either. Most of these were also SDL2 apps. So I’d welcome a sample working snap too!
It sounds like there is something missing from snapd. With your devmode snap, can you run in a terminal sudo snap install snappy-debug && sudo snappy-debug.security scanlog, then exercise your snap and post the output from snappy-debug? We can then use that to adjust snapd.
jzimm
December 4, 2017, 10:29pm
5
Here is the log:
sudo /snap/bin/snappy-debug.security scanlog hatari-emulator
INFO: following '/var/log/syslog'. If have dropped messages, use:
INFO: $ sudo journalctl --output=short --follow --all | sudo snappy-debug.security scanlog
kernel.printk_ratelimit = 0
= AppArmor =
Time: Dec 5 09:21:58
Log: apparmor="DENIED" operation="open" profile="snap.hatari-emulator.hatari" name="/sys/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0C0D:00/input/input1/capabilities/ev" pid=9118 comm="hatari" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /sys/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0C0D:00/input/input1/capabilities/ev (read)
Suggestions:
adjust program to not access '/sys/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0C0D:00/input/input1/capabilities/ev'
adjust program to not access '/sys/devices/LNXSYSTM:[0-9]*/LNXSYBUS:[0-9]*/PNP[0-9]*C[0-9]*D:[0-9]*/input/input[0-9]*/capabilities/ev'
[…]
= AppArmor =
Time: Dec 5 09:21:58
Log: apparmor="DENIED" operation="open" profile="snap.hatari-emulator.hatari" name="/sys/devices/platform/i8042/serio3/input/input10/capabilities/ev" pid=9118 comm="hatari" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /sys/devices/platform/i8042/serio3/input/input10/capabilities/ev (read)
Suggestions:
adjust program to not access '/sys/devices/platform/i8042/serio3/input/input10/capabilities/ev'
adjust program to not access '/sys/devices/platform/i[0-9]*/serio[0-9]*/input/input[0-9]*/capabilities/ev'
= AppArmor =
Time: Dec 5 09:21:58
Log: apparmor="DENIED" operation="open" profile="snap.hatari-emulator.hatari" name="/sys/devices/platform/lis3lv02d/input/input28/capabilities/ev" pid=9118 comm="hatari" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /sys/devices/platform/lis3lv02d/input/input28/capabilities/ev (read)
Suggestions:
adjust program to not access '/sys/devices/platform/lis3lv02d/input/input28/capabilities/ev'
adjust program to not access '/sys/devices/platform/lis[0-9]*lv[0-9]*d/input/input[0-9]*/capabilities/ev'
= AppArmor =
Time: Dec 5 09:21:58
Log: apparmor="DENIED" operation="open" profile="snap.hatari-emulator.hatari" name="/sys/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0C0D:00/input/input1/capabilities/ev" pid=9118 comm="hatari" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /sys/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0C0D:00/input/input1/capabilities/ev (read)
Suggestions:
adjust program to not access '/sys/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0C0D:00/input/input1/capabilities/ev'
adjust program to not access '/sys/devices/LNXSYSTM:[0-9]*/LNXSYBUS:[0-9]*/PNP[0-9]*C[0-9]*D:[0-9]*/input/input[0-9]*/capabilities/ev'
etc…
@jzimm - can you (or anyone who is seeing similar denials) test the following:
add to /var/lib/snapd/apparmor/profiles/snap.hatari-emulator.hatari before the trailing '}':
/sys/devices/**/input/input[0-9]*/capabilities/ev r,
load the updated apparmor policy into the kernel with:
$ sudo apparmor_parser -r /var/lib/snapd/apparmor/profiles/snap.hatari-emulator.hatari
try to use the joystick in your application and report back
Note that if this works, a refresh, remove/install, reboot, etc will regenerate the policy and remove the above rule from the policy.
Thanks!
I tested this without a joystick. This should be the rule:
/sys/devices/**/input[0-9]*/capabilities/* r,
@jzimm (or anyone else who sees the same issue), can you test with this rule instead?
https://github.com/snapcore/snapd/pull/4359 has the needed changes I identified. I’ll adjust as necessary depending on feedback here.
jzimm
December 6, 2017, 8:25am
9
I confirm that it works with the apparmor rule manually added.
Thanks! This is now merged into master and finding its way to 2.30.
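Added example (not part of the thread, and not snapd or AppArmor code): a Python sketch that pulls the denied paths out of the scanlog lines posted above and checks which of the two proposed rules would cover them. The glob translation is a simplified model of AppArmor path matching, and the two `EXTRA` paths are constructed to show how the rules differ in scope.

```python
import re

# Denial lines as posted in the thread (typographic quotes straightened).
_TAIL = ' pid=9118 comm="hatari" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0'
_HEAD = 'apparmor="DENIED" operation="open" profile="snap.hatari-emulator.hatari" name="'
DENIALS = [_HEAD + p + '"' + _TAIL for p in (
    "/sys/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0C0D:00/input/input1/capabilities/ev",
    "/sys/devices/platform/i8042/serio3/input/input10/capabilities/ev",
    "/sys/devices/platform/lis3lv02d/input/input28/capabilities/ev",
)]
# Constructed paths (not from the thread), used only to compare rule scope.
EXTRA = [
    "/sys/devices/platform/i8042/serio3/input/input10/capabilities/key",
    "/sys/devices/platform/i8042/serio3/input/input10/uevent",
]
# The two candidate rules from the thread, without the trailing " r,".
RULES = [
    "/sys/devices/**/input/input[0-9]*/capabilities/ev",
    "/sys/devices/**/input[0-9]*/capabilities/*",
]

def glob_to_regex(glob):
    """Simplified AppArmor glob (assumption): ** crosses '/', * and ? do not."""
    out, i = [], 0
    while i < len(glob):
        if glob.startswith("**", i):
            out.append(".*"); i += 2
        elif glob[i] == "*":
            out.append("[^/]*"); i += 1
        elif glob[i] == "?":
            out.append("[^/]"); i += 1
        elif glob[i] == "[":                    # character class, copied as-is
            j = glob.index("]", i)
            out.append(glob[i:j + 1]); i = j + 1
        else:
            out.append(re.escape(glob[i])); i += 1
    return re.compile("".join(out))

def denied_reads(lines):
    """Return the path named in each AppArmor read denial."""
    found = []
    for line in lines:
        f = dict(re.findall(r'(\w+)="([^"]*)"', line))
        if f.get("apparmor") == "DENIED" and "r" in f.get("denied_mask", ""):
            found.append(f["name"])
    return found

def coverage(rule, paths):
    """Paths a rule would allow; the whole path must match the glob."""
    rx = glob_to_regex(rule)
    return [p for p in paths if rx.fullmatch(p)]

if __name__ == "__main__":
    paths = denied_reads(DENIALS)
    for rule in RULES:
        print(rule, "->", len(coverage(rule, paths)), "of", len(paths),
              "denials; also allows:", coverage(rule, EXTRA))
```

Both rules cover all three logged denials; the second also allows reads of the other files under `capabilities/`, while neither reaches `uevent`.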