Not able to start/configure custom built ubuntu core

@ogra One more question, I was able to connect my snap to interface provided by this gadget. As you saw it was a serial interface, but I get denied by apparmor.

[ 16.277054] audit: type=1400 audit(1573746595.092:31): apparmor="DENIED" operation="capable" profile="snap.terminal-app.terminal-kiosk" pid=1893 comm="terminal" capability=23 capname="sys_nice"
[ 16.611495] audit: type=1400 audit(1573746595.433:32): apparmor="DENIED" operation="file_lock" profile="snap.terminal-app.terminal-kiosk" name="/dev/ttyACM0" pid=1831 comm="terminal" requested_mask="k" denied_mask="k" fsuid=0 ouid=0
[ 16.934880] audit: type=1400 audit(1573746595.761:33): apparmor="DENIED" operation="capable" profile="snap.terminal-app.terminal-kiosk" pid=1831 comm="ThreadPoolForeg" capability=23 capname="sys_nice"

Should it be like this if I access this device via the gadget?

@pstolowski @jdstrand here’s another case of file locking on a serial port device node being denied :thinking:


are you root when running the app? (device permissions are not overridden by adding an interface, it is likely the /dev/ttyACM0 device node is only accessible by root …)

@ogra IIUC this means it’s being run as root and the object being accessed is also owned by root

oh, i’m blind ! :sunglasses:

Thanks for spotting, that at least confirms that problem is not unique to hotplug and we may be simply missing this permission for some use cases.

Yeah I’m leaning towards thinking we should just add that permission to the rules

I assume that is a bug? So is there a workaround for this? Can I just add an additional apparmor rule manually?

Or maybe building the app with classic or devmode enabled will help?

no need to build it with --devmode, but installing it manually with the --devmode flag should work … classic snaps are not an option on ubuntu core (they are refused installation)


@ogra Oh, thanks it works.
One more thing: so I guess this is a bug, because it should work with a standard installation, without devmode, right?

yes, that is right and @pstolowski and @ijohnson are the right guys to fix it, so all is in good hands :wink:


There was a bug in the kernel where ‘k’ was not properly mediated in all cases. I suspect the current policy works on kernels with that bug but not on kernels where this bug is fixed (ie, ‘k’ is always properly mediated). We should add ‘k’ to the policy.


Great, where can I check if the fix for it was merged to ubuntu core? Or where can I find a ticket for this issue to follow?

Apart from this, I have a question regarding the workaround with the devmode flag you mentioned. Can I somehow provide this flag while I am creating a custom core image with my snap attached?

Like in this example:

sudo ubuntu-image snap --channel stable -O ubuntu-core-18-terminal-amd64 --snap ubuntu-core/pc-amd64-gadget-terminal/terminal-device_0.1.0_amd64.snap --snap terminal-app_0.1.3_amd64.snap --snap ubuntu-core/mir-kiosk_2593.snap ubuntu-core/terminal-device.model

I provide my gadget.snap, mir-kiosk and my terminal app. Is there a way to set the devmode flag here?
Also, is there a way to provide some additional config here? E.g. I want to set the default orientation for mir-kiosk from a different layout. Is there a way to provide it during the custom image build? Or maybe the only way here is to rebuild mir-kiosk with custom hooks?

@jdstrand has submitted the PR fixing this here: https://github.com/snapcore/snapd/pull/7779

After that is merged, the fix will be available in the snapd/core snap edge channels and will likely be released with 2.43, which I think should be out in the next couple of weeks. See The snapd roadmap for more details.


Thanks. I will check them in the next weeks.

FYI, I found the How to preconfigure custom image? topic, so I guess I have all the answers I need regarding a preconfigured custom image.

Hi,
Today I tried to switch back to strict confinement to check if the fix was already in place (it is not in stable yet, I found out), but I found another issue, maybe related to this.

My app writes to a file; this file is in the /var/snap dir, so it should be writable by it, but I get the following apparmor error:

[ 8.715146] audit: type=1400 audit(1577789331.199:173): apparmor="DENIED" operation="open" profile="snap.terminal-app.terminal-kiosk" name="/var/snap/terminal-app/x1/config/html/qr.html" pid=12648 comm="terminal" requested_mask="wc" denied_mask="wc" fsuid=0 ouid=0

Is it related to the same thing? Or am I just missing something again?
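A small triage helper for the apparmor denial records quoted in this thread (the serial-port lock and capability denials earlier, and the /var/snap open denial in this post). This is an added example, not code from the thread or from snapd: the sample log is constructed from the quoted lines, and the explanations simply echo the diagnoses given in the thread as heuristics, not snapd's own policy logic.

```python
import re
from typing import Dict, List

# Constructed sample, modelled on the dmesg lines quoted in this thread (straight
# quotes as the kernel emits them); the last line is an ALLOWED entry added to
# show that only DENIED records are collected.
SAMPLE_LOG = """\
[   16.611495] audit: type=1400 audit(1573746595.433:32): apparmor="DENIED" operation="file_lock" profile="snap.terminal-app.terminal-kiosk" name="/dev/ttyACM0" pid=1831 comm="terminal" requested_mask="k" denied_mask="k" fsuid=0 ouid=0
[   16.934880] audit: type=1400 audit(1573746595.761:33): apparmor="DENIED" operation="capable" profile="snap.terminal-app.terminal-kiosk" pid=1831 comm="ThreadPoolForeg" capability=23 capname="sys_nice"
[    8.715146] audit: type=1400 audit(1577789331.199:173): apparmor="DENIED" operation="open" profile="snap.terminal-app.terminal-kiosk" name="/var/snap/terminal-app/x1/config/html/qr.html" pid=12648 comm="terminal" requested_mask="wc" denied_mask="wc" fsuid=0 ouid=0
[   17.000000] audit: type=1400 audit(1573746596.000:34): apparmor="ALLOWED" operation="open" profile="snap.terminal-app.terminal-kiosk" name="/tmp/scratch" pid=1831 comm="terminal" requested_mask="r" denied_mask="r"
"""

# key="quoted value" or key=bareword, the two field shapes in apparmor audit records
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_denials(text: str) -> List[Dict[str, str]]:
    """Return one field dict per apparmor="DENIED" audit record found in text."""
    records = []
    for line in text.splitlines():
        if 'apparmor="DENIED"' not in line:
            continue
        fields = {}
        for m in KV_RE.finditer(line):
            key, quoted, bare = m.groups()
            fields[key] = quoted if quoted is not None else bare
        records.append(fields)
    return records

def explain(rec: Dict[str, str]) -> str:
    """Map a denial to the explanation given in this thread (heuristic, not snapd logic)."""
    op = rec.get("operation")
    name = rec.get("name", "")
    mask = rec.get("denied_mask", "")
    if op == "file_lock" and name.startswith("/dev/tty") and "k" in mask:
        return "lock ('k') on a serial device node not granted by the interface policy"
    if op == "capable":
        return f"capability {rec.get('capname')} not permitted by profile {rec.get('profile')}"
    if op == "open" and "w" in mask and name.startswith("/var/snap/"):
        return "write under /var/snap denied; thread suggests $SNAP_USER_DATA for per-user data"
    return "unclassified denial"

def triage(text: str) -> List[str]:
    """One line per denial: '<comm> <operation> <name or capname>: <explanation>'."""
    out = []
    for rec in parse_denials(text):
        target = rec.get("name") or rec.get("capname", "")
        out.append(f"{rec.get('comm')} {rec.get('operation')} {target}: {explain(rec)}")
    return out
```

Run `triage(SAMPLE_LOG)` to get the three denial summaries; the same functions work on output of `journalctl -k` or `dmesg` captured from a device.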

writing underneath /var typically needs root permissions, this is not snap specific though …

if you want to write stuff as a user, make your app use $SNAP_USER_DATA (~/snap/<package>/current/) and not $SNAP_DATA (/var/snap/<package>/current/)…


hmm, what do you mean as a user, a system one? In my case the application running in a snap wants RW access to this file; a system user is not going to write it, only the app itself, and it is running as root. Shouldn’t it have rw access then?

@ogra Thanks, your suggestion helped.