Request auto-connection for hardware-observe for capturegrid4 [Was: Problem with runtime permissions for snap service process]

My snap contains a single executable, which can either be run manually from the command line, or via a snap service. So actually when the snap is first installed, the app service is automatically started.

The executable uses libusb, and during startup it will call libusb_open().
When running manually from the command line, this works as expected.

However when running as a snap service, this function call always fails!

Here is the error from journalctl:

May 24 12:13:05 odroid audit[20267]: SECCOMP auid=4294967295 uid=0 gid=0 ses=4294967295 pid=20267 comm="CaptureGRID4" exe="/snap/capturegrid4/8/CaptureGRID4" sig=0 arch=40000028 syscall=281 compat=0 ip=0xb57fb898 code=0x50000
May 24 12:13:05 odroid kernel: audit: type=1326 audit(1558699985.433:57): auid=4294967295 uid=0 gid=0 ses=4294967295 pid=20267 comm="CaptureGRID4" exe="/snap/capturegrid4/8/CaptureGRID4" sig=0 arch=40000028 syscall=281 compat=0 ip=0xb57fb898 code=0x50000
May 24 12:13:05 odroid capturegrid4.node[20267]: [12:13:05.441   Camera    Error:  1] failed to open USB: -99 LIBUSB_ERROR_OTHER (Other error)

Does this give some indication of what is going wrong?
(I’m not sure how to debug this issue)

Is there some permission missing from my snap service definition?

Here is what it currently looks like:

apps:
  capturegrid4:
    command: desktop-launch $SNAP/CaptureGRID4
    plugs:
      - camera
      - home
      - network
      - network-bind
      - raw-usb
      - removable-media
      - desktop
      - opengl
      - x11
    environment:
      LANG: "C"
      LC_ALL: "C"
  node:
    command: CaptureGRID4 --cli --grid --api
    daemon: simple
    restart-condition: always
    plugs:
      - camera
      - home
      - network
      - network-bind
      - raw-usb
      - removable-media
    environment:
      LANG: "C"
      LC_ALL: "C"

This snap is running on armhf ubuntu18 odroid-xu4.
I’ve tried it on a pi3 ubuntu18 armhf image, and the same problem occurs.
If I build the same snap for arm64 and run it on a pi3 ubuntu18 arm64 image, it works ok.

Note that snappy-debug would help slightly here, but since you said it is arm:

$ scmp_sys_resolver -a arm 281
socket

This sounds similar to Different seccomp behaviors on amd64 and pi2/armhf.

Unfortunately the kernel doesn’t give us the arguments used in the logged denial so the best we can do is: sudo snap run --strace="-e socket" -- <snap name>.<command> and look for the failed permission denied call. With that you should see the arguments to socket which will help you to better understand what is happening.

I have a hunch that you need NETLINK_KOBJECT_UEVENT and so you should add ‘hardware-observe’ to your plugs. If that works, I’ll look into adding this to raw-usb.
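The two steps described in the reply above (read the SECCOMP audit record, then map `arch` and `syscall` to a name with scmp_sys_resolver) can be scripted so a denial in journalctl is readable at a glance. The following is an added example, not code from the thread or from snapd: it parses audit lines of the shape shown earlier in the thread, decodes the `arch` id, resolves the syscall number through a deliberately small table (only the socket-family calls for arm, aarch64 and x86_64; anything else is reported with the scmp_sys_resolver command to run), and decodes the seccomp action from `code`. The sample log is the thread's own audit line plus the libusb error line.

```python
import re
from typing import Optional

# Sample input: the audit line and the libusb error line from the thread.
SAMPLE_LOG = """\
May 24 12:13:05 odroid audit[20267]: SECCOMP auid=4294967295 uid=0 gid=0 ses=4294967295 pid=20267 comm="CaptureGRID4" exe="/snap/capturegrid4/8/CaptureGRID4" sig=0 arch=40000028 syscall=281 compat=0 ip=0xb57fb898 code=0x50000
May 24 12:13:05 odroid capturegrid4.node[20267]: [12:13:05.441   Camera    Error:  1] failed to open USB: -99 LIBUSB_ERROR_OTHER (Other error)
"""

# Audit architecture ids (AUDIT_ARCH_* constants from the kernel's audit.h).
AUDIT_ARCH = {
    0x40000028: "arm",      # AUDIT_ARCH_ARM: armhf, the arch in the thread
    0xC00000B7: "aarch64",  # AUDIT_ARCH_AARCH64
    0xC000003E: "x86_64",   # AUDIT_ARCH_X86_64
}

# Small subset of syscall numbers per arch (socket-family calls only).
# libseccomp's scmp_sys_resolver is the authoritative source for the rest.
SYSCALL_NAMES = {
    "arm":     {281: "socket", 282: "bind", 283: "connect"},
    "aarch64": {198: "socket", 200: "bind", 203: "connect"},
    "x86_64":  {41: "socket", 42: "connect", 49: "bind"},
}

# Action part of the seccomp return value (masked with SECCOMP_RET_ACTION_FULL).
SECCOMP_ACTIONS = {
    0x80000000: "SECCOMP_RET_KILL_PROCESS",
    0x00000000: "SECCOMP_RET_KILL_THREAD",
    0x00030000: "SECCOMP_RET_TRAP",
    0x00050000: "SECCOMP_RET_ERRNO",
    0x7FFC0000: "SECCOMP_RET_LOG",
    0x7FFF0000: "SECCOMP_RET_ALLOW",
}

# key=value pairs; values may be double-quoted (comm="..." / exe="...").
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def resolve_syscall(arch: str, nr: int) -> str:
    """Map a syscall number to its name for the given arch, or say how to."""
    name = SYSCALL_NAMES.get(arch, {}).get(nr)
    if name is None:
        return f"syscall {nr} (resolve with: scmp_sys_resolver -a {arch} {nr})"
    return name


def parse_seccomp_line(line: str) -> Optional[dict]:
    """Return a decoded record for a SECCOMP audit line, or None for other lines."""
    if "SECCOMP" not in line and "type=1326" not in line:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    if "arch" not in fields or "syscall" not in fields:
        return None
    arch_id = int(fields["arch"], 16)          # logged as bare hex, e.g. 40000028
    arch = AUDIT_ARCH.get(arch_id, f"unknown(0x{arch_id:x})")
    nr = int(fields["syscall"])
    action = "unknown"
    if "code" in fields:                       # logged as 0x-prefixed hex
        action = SECCOMP_ACTIONS.get(int(fields["code"], 16) & 0xFFFF0000, "unknown")
    return {
        "pid": int(fields.get("pid", "0")),
        "comm": fields.get("comm", ""),
        "exe": fields.get("exe", ""),
        "arch": arch,
        "syscall_nr": nr,
        "syscall": resolve_syscall(arch, nr),
        "action": action,
    }


def summarize(log_text: str) -> list:
    """Decode every SECCOMP audit line in a journalctl dump."""
    events = []
    for line in log_text.splitlines():
        event = parse_seccomp_line(line)
        if event is not None:
            events.append(event)
    return events


if __name__ == "__main__":
    for ev in summarize(SAMPLE_LOG):
        print(f"pid {ev['pid']} {ev['comm']} ({ev['exe']}): "
              f"{ev['arch']} {ev['syscall']} -> {ev['action']}")
```

Feed it `journalctl -k` output (or the `audit` unit's lines) after reproducing the failure; the arm row of the table gives the same answer as the `scmp_sys_resolver -a arm 281` call in the reply, and `code=0x50000` decodes to SECCOMP_RET_ERRNO, which is why libusb sees a failed call rather than a killed process.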

Yes I think you were right!

I ran with strace enabled, this is the output when libusb_open() gets called:

[pid 23205] socket(AF_NETLINK, SOCK_RAW|SOCK_CLOEXEC|SOCK_NONBLOCK, NETLINK_KOBJECT_UEVENT) = -1307579796
[13:57:10.364   Camera    Error:  1] failed to open USB: -99 LIBUSB_ERROR_OTHER (Other error)

(the second line is an error print coming from my app)

Adding and connecting the hardware-observe interface fixes it.
And here is the same point of execution, when it's working:

[pid 23860] socket(AF_NETLINK, SOCK_RAW|SOCK_CLOEXEC|SOCK_NONBLOCK, NETLINK_KOBJECT_UEVENT) = 16

@jdstrand what's the quickest way to resolve this?
Should I request auto-connect permissions for hardware-observe?
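The strace lines in the post above show exactly one call deciding the outcome: `socket(AF_NETLINK, SOCK_RAW|SOCK_CLOEXEC|SOCK_NONBLOCK, NETLINK_KOBJECT_UEVENT)`. A small probe that makes the same call is a quicker check than a full strace when verifying an interface connection on a device. This is an added example, not code from the thread or from libusb; it assumes it is run inside the snap's confinement (for instance from a `snap run --shell` session) with a Python interpreter reachable there, and it reports the errno rather than guessing why the call failed.

```python
import errno
import os
import socket


def classify_failure(err: int) -> str:
    """Turn the errno from a failed socket() into a short diagnosis."""
    if err in (errno.EPERM, errno.EACCES):
        return ("denied by sandbox policy (seccomp or AppArmor): check that the "
                "interface granting netlink uevent access is connected")
    if err in (errno.EAFNOSUPPORT, errno.EPROTONOSUPPORT):
        return "kernel does not provide NETLINK_KOBJECT_UEVENT sockets"
    return f"unexpected failure: {os.strerror(err)}"


def probe_uevent_socket() -> dict:
    """Make the socket() call libusb makes during libusb_open() and report."""
    af_netlink = getattr(socket, "AF_NETLINK", None)
    proto = getattr(socket, "NETLINK_KOBJECT_UEVENT", None)
    if af_netlink is None or proto is None:
        # Non-Linux Python builds have no netlink constants at all.
        return {"ok": False, "errno": None,
                "verdict": "AF_NETLINK not available on this platform"}
    # Same flags as the strace line in the thread.
    sock_type = (socket.SOCK_RAW
                 | getattr(socket, "SOCK_CLOEXEC", 0)
                 | getattr(socket, "SOCK_NONBLOCK", 0))
    try:
        s = socket.socket(af_netlink, sock_type, proto)
    except OSError as exc:
        return {"ok": False, "errno": exc.errno,
                "verdict": classify_failure(exc.errno)}
    s.close()
    return {"ok": True, "errno": None,
            "verdict": "socket(AF_NETLINK, SOCK_RAW, NETLINK_KOBJECT_UEVENT) allowed"}


if __name__ == "__main__":
    result = probe_uevent_socket()
    print("ok" if result["ok"] else "FAIL", "-", result["verdict"])
```

Run it once before and once after connecting the hardware-observe interface: the first run should fail with a permission error and the second should report the socket as allowed, mirroring the two strace captures above without having to trace the whole daemon.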

Yes. I converted this topic to that request.

+1 to auto-connect hardware-observe. @reviewers - this is ready to vote on

I am :+1: on auto-connection of the hardware-observe interface.

I +1 as well on hardware-observe.

@jdstrand polite ping, hopefully this is ready :slight_smile:

While numerous people have voted, there is a 7 day voting period that must expire before the votes are tallied (see Process for aliases, auto-connections and tracks).

3 votes for, 0 against. Granting auto-connection for hardware-observe. This is now live.

FYI, https://github.com/snapcore/snapd/pull/7019 adds the new rule to raw-usb so hardware-observe is not required.