Request classic confinement for "ausweisapp2-ce"


#1

I’m currently trying to get the application “AusweisApp2” to work in confined mode. The app needs access to the “PC/SC”-Daemon (pcscd) and some files in the “/sys”-directory to get access to the USB-card-readers.

“hardware-observe” does the job for “/sys” but there is no plug for pcscd. When someone implements a plug for “pcscd” then I can confine the snap. But at the moment there is no possibility other than using “classic”-mode to get it working properly.

apparmor-log for denied “pcscd”:

audit: type=1400 audit(1546515724.106:2048): apparmor="DENIED" operation="connect" profile="snap.ausweisapp2-ce.ausweisapp2-ce" name="/run/pcscd/pcscd.comm" pid=25860 comm="ReaderManagerTh" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=0
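Added example (not part of the original post): a small Python parser that turns AppArmor denial lines like the one above into a per-snap list of denied resources, which is the evidence a reviewer needs when deciding whether an interface or classic confinement is justified. The first sample line is the denial quoted in the post; the second line and the function names are constructed for illustration.

```python
import re
import shlex
from collections import defaultdict

# Sample input: line 1 is the denial quoted in the post, line 2 is a
# constructed /sys denial (what would appear without hardware-observe).
SAMPLE_LOG = '''\
audit: type=1400 audit(1546515724.106:2048): apparmor="DENIED" operation="connect" profile="snap.ausweisapp2-ce.ausweisapp2-ce" name="/run/pcscd/pcscd.comm" pid=25860 comm="ReaderManagerTh" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=0
audit: type=1400 audit(1546515724.200:2049): apparmor="DENIED" operation="open" profile="snap.ausweisapp2-ce.ausweisapp2-ce" name="/sys/bus/usb/devices/" pid=25860 comm="ReaderManagerTh" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
'''

# Matches the "audit(<epoch>:<serial>):" header and captures the key=value body.
AUDIT_RE = re.compile(r'audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<body>.*)$')


def parse_denial(line):
    """Return the fields of one AppArmor DENIED record, or None for other lines."""
    match = AUDIT_RE.search(line)
    if not match:
        return None
    fields = {}
    # shlex handles the quoted values (key="value with spaces").
    for token in shlex.split(match.group('body')):
        key, sep, value = token.partition('=')
        if sep:
            fields[key] = value
    if fields.get('apparmor') != 'DENIED':
        return None
    fields['timestamp'] = float(match.group('ts'))
    return fields


def summarize(log_text):
    """Group denials by snap name: {snap: [(operation, path, denied_mask), ...]}."""
    summary = defaultdict(set)
    for line in log_text.splitlines():
        denial = parse_denial(line)
        if denial is None:
            continue
        # Snap profiles are named snap.<snap>.<app>; fall back to the raw name.
        parts = denial.get('profile', '').split('.')
        snap = parts[1] if len(parts) >= 3 and parts[0] == 'snap' else denial.get('profile', '')
        summary[snap].add((denial.get('operation'), denial.get('name'), denial.get('denied_mask')))
    return {snap: sorted(entries) for snap, entries in summary.items()}


if __name__ == '__main__':
    for snap, entries in summarize(SAMPLE_LOG).items():
        for operation, path, mask in entries:
            print(f'{snap}: {operation} {path} (denied: {mask})')
```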


#2

In the other thread there was talk of shipping pcscd yourself? What happened with this? This technique will make your snap more robust on systems without a running pcscd anyway…


#3

I’m trying to figure out how to integrate “pcscd” into the snap but I don’t know what will happen when two daemons try to access the same hardware if the system has already installed “pcscd”.

I’m also trying to build the version 1.6.1 of the application. It’s a bit more complicated because this version needs Qt 5.10 or above. The source code of the application contains a cmake-file which can build a tool-chain based on OpenSSL 1.1 and Qt 5.11.3. I singled out the Qt part and deliver it with the snap.