Request: confinement interface auto-connect for capturegrid4 [Was: smartshooter4]

Please add auto-connect permissions to my snap package, which is currently under development.
These are the interfaces that are needed:

:camera
:network-control
:raw-usb
:removable-media

Auto connect is needed as eventually this package will be part of a custom Ubuntu Core image, for use on headless Raspberry Pi devices; the end user will not be present to manually connect these interfaces.

This is the link for the snap package. It is currently set as private, while it is being developed:
https://dashboard.snapcraft.io/snaps/smartshooter4/

Is there some other process for requesting this help?

If you are doing a custom image with a custom gadget, you can easily use the connect statement in the gadget.yaml:

Current plan is to distribute the app in two ways.

  1. Custom image for raspberry pi 3
    Here I can use the custom gadget snap, as suggested

  2. Generic snap package, users can install on their own device
    Here I can’t use a custom gadget snap. The user can install it on a compatible device. I would provide arm and intel builds of the snap. (Providing custom images for all possible devices would be just too much work to maintain!) I prefer not to mandate that the users have to explicitly connect those interfaces after install. The app is useless without the connected interfaces, so doing it automatically will be a much better user experience!

Can you describe what smartshooter4 does and why these interfaces are needed? I looked in the store and much of the information is boilerplate.

It's an application for photography and camera control. When a camera device is connected via USB to the computer, the software will communicate with the camera, and allow the user to:

  1. Change settings on the camera, trigger camera
  2. Download photos from the camera

For the snap package to work, the app needs permissions for the following interfaces:

  • network-control
    Seems that “libusb_open()” requires that the app has this interface connected.

  • camera

  • raw-usb
    This is needed for the low-level camera communication

  • removable-media
    This is so the user can control whether the photos are downloaded to removable storage, instead of the app’s data directory.

Can you give the exact security policy violations from journalctl that caused you to want to add this?

Ping. This request can’t move forward without the requested information.

@jdstrand apologies for going quiet on this thread!

Here are the logs from journalctl, from when the snap tries to call libusb_open()

May 06 18:53:07 ubuntu audit[3959]: SECCOMP auid=4294967295 uid=1001 gid=1001 ses=4294967295 pid=3959 comm="CaptureGRID4" exe="/snap/capturegrid4/1/CaptureGRID4" sig=0 arch=c00000b7 syscall=198 compat=0 ip=0xffffb415a808 code=0x50000
May 06 18:53:07 ubuntu kernel: audit: type=1326 audit(1557168787.467:91): auid=4294967295 uid=1001 gid=1001 ses=4294967295 pid=3959 comm="CaptureGRID4" exe="/snap/capturegrid4/1/CaptureGRID4" sig=0 arch=c00000b7 syscall=198 compat=0 ip=0xffffb415a808 code=0x50000

Also note, since the start of this thread, my development switched to a different snap. So instead of this being a request for “smartshooter4” snap, it should be for the “capturegrid4” snap instead. Maybe I should start a new thread for it?

FYI, you can use the snappy-debug command to help with this. Not needed now:

$ scmp_sys_resolver -a aarch64 198
socket

Can you disconnect the network-control interface and then run:

$ sudo snap run --strace="-e socket" -- capturegrid4.<your command>

and paste the results? I’m most interested in the ones that fail with permission denied.
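The triage step discussed above, as an added example that is not part of the original posts: it parses the two journal records quoted in the thread, collapses the duplicated audit/kernel pair into one denial, and decodes the `arch` and `code` fields into the `scmp_sys_resolver` command to run. The function names and the third sample line are constructed for illustration; the constants are the `AUDIT_ARCH_*` and `SECCOMP_RET_*` values from the kernel headers.

```python
import re

# AUDIT_ARCH_* values (linux/audit.h) mapped to scmp_sys_resolver arch names.
AUDIT_ARCH = {0xC00000B7: "aarch64", 0xC000003E: "x86_64",
              0x40000028: "arm", 0x40000003: "x86"}
# SECCOMP_RET_* action values (linux/seccomp.h).
SECCOMP_ACTION = {0x00000000: "kill_thread", 0x00030000: "trap",
                  0x00050000: "errno", 0x7FFC0000: "log",
                  0x80000000: "kill_process"}
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_seccomp(line):
    """Return a dict for a seccomp audit record (type 1326), else None."""
    if "SECCOMP" not in line and "type=1326" not in line:
        return None
    f = {k: v.strip('"') for k, v in FIELD.findall(line)}
    try:
        arch, code = int(f["arch"], 16), int(f["code"], 16)
        rec = {"pid": int(f["pid"]), "comm": f["comm"], "exe": f["exe"],
               "syscall": int(f["syscall"]), "ip": f["ip"]}
    except (KeyError, ValueError):
        return None  # truncated or malformed record
    rec["arch_name"] = AUDIT_ARCH.get(arch, "unknown(%#x)" % arch)
    rec["action"] = SECCOMP_ACTION.get(code & 0xFFFF0000, "other")
    rec["resolver"] = "scmp_sys_resolver -a %s %d" % (rec["arch_name"], rec["syscall"])
    return rec

def summarize(lines):
    """Unique denials; the journal shows each event twice (audit[] and kernel)."""
    seen, out = set(), []
    for line in lines:
        rec = parse_seccomp(line)
        if rec is None:
            continue
        key = (rec["pid"], rec["comm"], rec["arch_name"], rec["syscall"], rec["ip"])
        if key not in seen:
            seen.add(key)
            out.append(rec)
    return out

# First two lines are the records quoted in the thread; the third is constructed.
SAMPLE = [
    'May 06 18:53:07 ubuntu audit[3959]: SECCOMP auid=4294967295 uid=1001 gid=1001 ses=4294967295 pid=3959 comm="CaptureGRID4" exe="/snap/capturegrid4/1/CaptureGRID4" sig=0 arch=c00000b7 syscall=198 compat=0 ip=0xffffb415a808 code=0x50000',
    'May 06 18:53:07 ubuntu kernel: audit: type=1326 audit(1557168787.467:91): auid=4294967295 uid=1001 gid=1001 ses=4294967295 pid=3959 comm="CaptureGRID4" exe="/snap/capturegrid4/1/CaptureGRID4" sig=0 arch=c00000b7 syscall=198 compat=0 ip=0xffffb415a808 code=0x50000',
    'May 06 18:53:08 ubuntu systemd[1]: Started Session 4 of user demo.',
]

if __name__ == "__main__":
    for d in summarize(SAMPLE):
        print(d["comm"], d["action"], d["resolver"])
```
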

This is weird now; I had already removed the snap, so I just installed it again, and tried to run the app before manually connecting the plug/slots. I expected libusb_open() to fail again, but now it works ok.

Now the app runs correctly even when network-control is not connected; it's enough that the raw-usb plug/slot is connected and then the app can successfully communicate over USB to a camera.

One more data point about this.
When I first installed the capturegrid4 snap (after which it failed to run due to the libusb_open() failure), I then got the journalctl logs, and then tried to connect its network-control plug.

The interface connect failed, because there were no slots available (i.e. “snap interface” returned no slots). Apparently there is an issue with the core18 snap right now, and that it does not provide any of these standard slots. So I installed the “core” snap, and then was able to do “snap connect capturegrid4:network-control”.

This second time round, the core snap is already installed, so maybe that explains the weird difference I see in behaviour after I removed and re-installed my snap.

The original request said “Auto connect is needed as eventually this package will be part of a custom ubuntu core image, for use on headless raspberry pi devices” - would not gadget auto-connections be sufficient for your use case?

There are a few reasons why auto-connect for this snaps plugs would be beneficial:

  1. Don’t have to maintain a custom gadget snap, I can just use the standard ones with the “ubuntu-image” tool to create the image.
  2. Easier to create new images for different platforms (without creating/maintaining another custom gadget snap), some users have pi3 boards and some have Up boards.
  3. Some users want to install via snap command on their own systems.

The app runs on different classes of machines, from headless raspberry pi (which would use an ubuntu core image on sd card), to desktop intel machines running standard ubuntu (where user will install via snap command).

Ok, it sounds like it is useful on more than just your custom image.

+1 to auto-connect camera and raw-usb. +1 to auto-connect removable-media on non-classic (i.e. Ubuntu Core) since there isn’t a UI for this on the headless devices.

What's the next step to get approval active in the store?

@reviewers - can some of you vote on this request?

I agree with @jdstrand as quoted above ^^^ so +1 for those from me as well.

Does the snap still require network-control and is this still being requested?

No, network-control is not needed/requested anymore.

Is there any other info I need to supply?
I’d like to get this request completed.