Request classic confinement for "ausweisapp2-ce"


#1

I’m currently trying to get the application “AusweisApp2” work in confined mode. The app needs access to the “PC/SC”-Daemon (pcscd) and some files in the “/sys”-directory to get access to the USB-card-readers.

“hardware-observe” does the job for “/sys” but there is no plug for pcscd. When someone implements a plug for “pcscd” than i can confine the snap. But in the moment there is no possibility other then using “classic”-mode to get it working properly.

apparmor-log for denied “pcscd”:

audit: type=1400 audit(1546515724.106:2048): apparmor="DENIED" operation="connect" profile="snap.ausweisapp2-ce.ausweisapp2-ce" name="/run/pcscd/pcscd.comm" pid=25860 comm="ReaderManagerTh" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=0


#2

In the other thread there was talk of shipping pcscd yourself? What happened with this? This technique will make your snap more robust on systems without a running pcscd anyway…


#3

I’m trying to figure out how to integrate “pcscd” into the snap but i don’t know what will happen when two daemons try to access the same hardware if the system has already installed “pcscd”.

I’m also trying to build the version 1.6.1 of the application. It’s a bit more complicated because this version needs Qt 5.10 or above. The source code of the application contains a cmake-file which can build a tool-chain based on OpenSSL 1.1 and Qt 5.11.3 I singled out the Qt part and deliver it with the snap.


#4

@glasen77 - any news on this?


#5

Nothing new on my site. I’m currently busy with my Master-thesis. The last thing i tried was to integrate “pcscd” into the snap-package. Snapcraft builds the package but i can’t be installed because some dependency fails.


#6

Update:

Today i’ve worked on my snap-package and i’m stuck at packaging the PCSC-daemon into the snap. The daemon needs files which are provided by the package “libccid” in the classic Debian-package. Packaging a pcscd-snap with “libccid” works flawlessly but after installation the daemon can’t find the files from the package even though they are existing in the snap-directory.

The next thing i stumpled are the interfaces needed for the “AusweisApp2”:

  - desktop
  - home
  - unity7
  - network
  - network-bind
  - network-observe
  - network-manager
  - hardware-observe
  - system-observe

All these interfaces are needed to allow the application to run without any “DENIED”-message.

Because of all these problems i give up packaging the program as a snap. I thought creating a snap is much easier but working with the sandbox is a pain in the a** especially when a program needs access to daemons where no interface exists.


#7

It sounds like you got the snap to work and there is a process for requesting the interfaces be auto-connected: Process for aliases, auto-connections and tracks. If you reconsider, please feel free to use that process.


#8

My problem is solved. I’m closing this thread because classic confinement is not needed anymore.

Thanks for the help.