Requesting auto-connect for gphoto2


#1

Requesting auto-connecting interfaces for https://snapcraft.io/gphoto2-eberkund

Also if I could take over the “gphoto2” namespace since it doesn’t appear to be used that would be nice also.

    plugs: 
      - camera
      - raw-usb 
      - network-control
      - removable-media
      - home

#2

home already autoconnects.

I find it surprising that a photo application requires being able to configure the network via network-control. Why is this needed?

Can you provide more details why the others are required to auto-connect?


#3

That was because of an error where libusb was throwing “unable to initialize libusb: -99”. There was a bug on launchpad somewhere which suggested adding the network-control interface and after I did that the error went away. Unable to find that link now…


#4

Can you snap disconnect that interface and try to reproduce, then add any policy violations from journalctl/syslog? I suspect you only need network and not network-control.


#5

I can confirm it works when network-control is connected and does not work when network-control is disconnected.

Output from grep audit /var/log/syslog:

Mar 26 20:02:10 ubuntu kernel: [17572.048184] kauditd_printk_skb: 5 callbacks suppressed
Mar 26 20:02:10 ubuntu kernel: [17572.048287] audit: type=1400 audit(1553655730.183:306): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="snap-update-ns.gphoto2-eberkund" pid=48505 comm="apparmor_parser"
Mar 26 20:02:10 ubuntu kernel: [17572.111469] audit: type=1400 audit(1553655730.247:307): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="snap.gphoto2-eberkund.gphoto2" pid=48506 comm="apparmor_parser"
Mar 26 20:02:10 ubuntu kernel: [17572.119303] audit: type=1400 audit(1553655730.255:308): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="/snap/core/6531/usr/lib/snapd/snap-confine" pid=48508 comm="apparmor_parser"
Mar 26 20:02:10 ubuntu kernel: [17572.119317] audit: type=1400 audit(1553655730.255:309): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="/snap/core/6531/usr/lib/snapd/snap-confine//mount-namespace-capture-helper" pid=48508 comm="apparmor_parser"
Mar 26 20:02:10 ubuntu kernel: [17572.127153] audit: type=1400 audit(1553655730.263:310): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="snap-update-ns.core" pid=48510 comm="apparmor_parser"
Mar 26 20:02:10 ubuntu kernel: [17572.127958] audit: type=1400 audit(1553655730.263:311): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="snap.core.hook.configure" pid=48511 comm="apparmor_parser"
Mar 26 20:02:16 ubuntu kernel: [17577.850936] audit: type=1400 audit(1553655735.995:312): apparmor="DENIED" operation="open" profile="snap.gphoto2-eberkund.gphoto2" name="/etc/fstab" pid=48544 comm="gphoto2" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Mar 26 20:02:16 ubuntu kernel: [17577.850945] audit: type=1400 audit(1553655735.995:313): apparmor="DENIED" operation="open" profile="snap.gphoto2-eberkund.gphoto2" name="/proc/48544/mounts" pid=48544 comm="gphoto2" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Mar 26 20:02:16 ubuntu kernel: [17577.863291] audit: type=1326 audit(1553655736.007:314): auid=1000 uid=1000 gid=1000 ses=4 subj==snap.gphoto2-eberkund.gphoto2 (enforce) pid=48544 comm="gphoto2" exe="/snap/gphoto2-eberkund/x6/usr/bin/gphoto2" sig=0 arch=c000003e syscall=41 compat=0 ip=0x7f700f2fbec7 code=0x50000
Mar 26 20:02:16 ubuntu kernel: [17577.864188] audit: type=1400 audit(1553655736.007:315): apparmor="DENIED" operation="open" profile="snap.gphoto2-eberkund.gphoto2" name="/sys/block/" pid=48544 comm="gphoto2" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Mar 26 20:02:16 ubuntu kernel: [17577.864940] audit: type=1400 audit(1553655736.007:316): apparmor="DENIED" operation="open" profile="snap.gphoto2-eberkund.gphoto2" name="/sys/devices/pci0000:00/0000:00:10.0/modalias" pid=48544 comm="gphoto2" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Mar 26 20:02:28 ubuntu kernel: [17590.073952] audit: type=1400 audit(1553655748.226:317): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="/snap/core/6531/usr/lib/snapd/snap-confine" pid=48618 comm="apparmor_parser"
Mar 26 20:02:28 ubuntu kernel: [17590.073956] audit: type=1400 audit(1553655748.226:318): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="/snap/core/6531/usr/lib/snapd/snap-confine//mount-namespace-capture-helper" pid=48618 comm="apparmor_parser"
Mar 26 20:02:28 ubuntu kernel: [17590.079387] audit: type=1400 audit(1553655748.234:319): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="snap-update-ns.core" pid=48620 comm="apparmor_parser"
Mar 26 20:02:28 ubuntu kernel: [17590.079971] audit: type=1400 audit(1553655748.234:320): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="snap.core.hook.configure" pid=48621 comm="apparmor_parser"
Mar 26 20:02:30 ubuntu kernel: [17592.217798] audit: type=1400 audit(1553655750.393:321): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="snap.gphoto2-eberkund.gphoto2" pid=48732 comm="apparmor_parser"
Mar 26 20:02:30 ubuntu kernel: [17592.227465] audit: type=1400 audit(1553655750.401:322): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="snap-update-ns.gphoto2-eberkund" pid=48734 comm="apparmor_parser"
Mar 26 20:02:32 ubuntu kernel: [17594.128590] audit: type=1400 audit(1553655752.318:323): apparmor="DENIED" operation="open" profile="snap.gphoto2-eberkund.gphoto2" name="/etc/fstab" pid=48735 comm="gphoto2" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Mar 26 20:02:32 ubuntu kernel: [17594.133305] audit: type=1400 audit(1553655752.322:324): apparmor="DENIED" operation="open" profile="snap.gphoto2-eberkund.gphoto2" name="/sys/block/" pid=48735 comm="gphoto2" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Mar 26 20:02:32 ubuntu kernel: [17594.133486] audit: type=1400 audit(1553655752.322:325): apparmor="DENIED" operation="open" profile="snap.gphoto2-eberkund.gphoto2" name="/sys/devices/pci0000:00/0000:00:10.0/modalias" pid=48735 comm="gphoto2" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Mar 26 20:02:33 ubuntu kernel: [17595.696496] audit: type=1400 audit(1553655753.894:326): apparmor="DENIED" operation="open" profile="snap.gphoto2-eberkund.gphoto2" name="/etc/fstab" pid=48780 comm="gphoto2" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Mar 26 20:02:33 ubuntu kernel: [17595.700792] audit: type=1400 audit(1553655753.898:327): apparmor="DENIED" operation="open" profile="snap.gphoto2-eberkund.gphoto2" name="/sys/block/" pid=48780 comm="gphoto2" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Mar 26 20:02:33 ubuntu kernel: [17595.700975] audit: type=1400 audit(1553655753.898:328): apparmor="DENIED" operation="open" profile="snap.gphoto2-eberkund.gphoto2" name="/sys/devices/pci0000:00/0000:00:10.0/modalias" pid=48780 comm="gphoto2" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Mar 26 20:03:10 ubuntu kernel: [17631.997365] audit: type=1400 audit(1553655790.296:329): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="snap.gphoto2-eberkund.gphoto2" pid=48948 comm="apparmor_parser"
Mar 26 20:03:10 ubuntu kernel: [17632.005506] audit: type=1400 audit(1553655790.304:330): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="snap-update-ns.gphoto2-eberkund" pid=48950 comm="apparmor_parser"
Mar 26 20:03:10 ubuntu kernel: [17632.040357] audit: type=1400 audit(1553655790.336:331): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="/snap/core/6531/usr/lib/snapd/snap-confine" pid=48958 comm="apparmor_parser"
Mar 26 20:03:10 ubuntu kernel: [17632.040367] audit: type=1400 audit(1553655790.336:332): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="/snap/core/6531/usr/lib/snapd/snap-confine//mount-namespace-capture-helper" pid=48958 comm="apparmor_parser"
Mar 26 20:03:10 ubuntu kernel: [17632.049451] audit: type=1400 audit(1553655790.348:333): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="snap-update-ns.core" pid=48960 comm="apparmor_parser"
Mar 26 20:03:10 ubuntu kernel: [17632.050818] audit: type=1400 audit(1553655790.348:334): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="snap.core.hook.configure" pid=48961 comm="apparmor_parser"
Mar 26 20:03:12 ubuntu kernel: [17634.196237] audit: type=1400 audit(1553655792.502:335): apparmor="DENIED" operation="open" profile="snap.gphoto2-eberkund.gphoto2" name="/etc/fstab" pid=48962 comm="gphoto2" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Mar 26 20:03:12 ubuntu kernel: [17634.196241] audit: type=1400 audit(1553655792.502:336): apparmor="DENIED" operation="open" profile="snap.gphoto2-eberkund.gphoto2" name="/proc/48962/mounts" pid=48962 comm="gphoto2" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Mar 26 20:03:12 ubuntu kernel: [17634.196962] audit: type=1326 audit(1553655792.502:337): auid=1000 uid=1000 gid=1000 ses=4 subj==snap.gphoto2-eberkund.gphoto2 (enforce) pid=48962 comm="gphoto2" exe="/snap/gphoto2-eberkund/x6/usr/bin/gphoto2" sig=0 arch=c000003e syscall=41 compat=0 ip=0x7ff1809ceec7 code=0x50000
Mar 26 20:03:12 ubuntu kernel: [17634.197131] audit: type=1400 audit(1553655792.502:338): apparmor="DENIED" operation="open" profile="snap.gphoto2-eberkund.gphoto2" name="/sys/block/" pid=48962 comm="gphoto2" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

#6

You can plug the mount-observe interface for some of these. hardware-observe would cover many of the others. I suspect what network-control is giving you is access to some AF_NETLINK sockets. I suggest removing network-control and trying network and if that doesn’t work, network-observe might (but I would still ask why gphoto2 needs to observe the network).

If network doesn’t work, can you install your snap in devmode (snap install --dangerous --devmode /path/to/your/snap), then do snap run --strace gphoto2-eberkund... and exercise your snap, then put the output of this command somewhere so I can review what it is doing?
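Added example, not part of the thread or of snapd: a small Python triage script that collapses an audit excerpt like the one in post #5 into its unique AppArmor denials and seccomp-blocked syscalls, which is the list a reviewer matches against interfaces. The function names and the short x86_64 syscall table are this example's own; the sample lines are abridged from post #5 (syslog prefix trimmed).

```python
import re
from collections import Counter

# Partial x86_64 syscall table (arch=c000003e is AUDIT_ARCH_X86_64).
# Extend it from the kernel's syscall table for other numbers.
X86_64_SYSCALLS = {41: "socket", 42: "connect", 49: "bind"}

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Sample input: lines abridged from the syslog excerpt in post #5.
SAMPLE = """\
audit: type=1400 audit(1553655730.247:307): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="snap.gphoto2-eberkund.gphoto2" pid=48506 comm="apparmor_parser"
audit: type=1400 audit(1553655735.995:312): apparmor="DENIED" operation="open" profile="snap.gphoto2-eberkund.gphoto2" name="/etc/fstab" pid=48544 comm="gphoto2" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
audit: type=1400 audit(1553655735.995:313): apparmor="DENIED" operation="open" profile="snap.gphoto2-eberkund.gphoto2" name="/proc/48544/mounts" pid=48544 comm="gphoto2" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
audit: type=1326 audit(1553655736.007:314): auid=1000 uid=1000 gid=1000 ses=4 subj==snap.gphoto2-eberkund.gphoto2 (enforce) pid=48544 comm="gphoto2" exe="/snap/gphoto2-eberkund/x6/usr/bin/gphoto2" sig=0 arch=c000003e syscall=41 compat=0 ip=0x7f700f2fbec7 code=0x50000
audit: type=1400 audit(1553655792.502:335): apparmor="DENIED" operation="open" profile="snap.gphoto2-eberkund.gphoto2" name="/etc/fstab" pid=48962 comm="gphoto2" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
audit: type=1400 audit(1553655792.502:336): apparmor="DENIED" operation="open" profile="snap.gphoto2-eberkund.gphoto2" name="/proc/48962/mounts" pid=48962 comm="gphoto2" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
"""

def fields(line):
    """Split one audit record into a key -> value dict, unquoting values."""
    return {k: v.strip('"') for k, v in KV.findall(line)}

def summarize(log_text, profile_prefix="snap."):
    """Return (apparmor, seccomp) Counters of unique denials for snap profiles."""
    apparmor, seccomp = Counter(), Counter()
    for line in log_text.splitlines():
        f = fields(line)
        if f.get("type") == "1400" and f.get("apparmor") == "DENIED":
            profile = f.get("profile", "")
            if not profile.startswith(profile_prefix):
                continue
            # /proc/48544/mounts and /proc/48962/mounts need the same rule.
            path = re.sub(r"^/proc/\d+/", "/proc/<pid>/", f.get("name", ""))
            apparmor[(profile, f.get("operation"), path, f.get("denied_mask"))] += 1
        elif f.get("type") == "1326" and f.get("arch") == "c000003e":
            # The kernel logs the label as 'subj==<profile> (enforce)'.
            profile = f.get("subj", "").lstrip("=")
            if not profile.startswith(profile_prefix):
                continue
            num = int(f["syscall"])
            seccomp[(profile, X86_64_SYSCALLS.get(num, f"syscall_{num}"))] += 1
    return apparmor, seccomp

if __name__ == "__main__":
    aa, sc = summarize(SAMPLE)
    for key, count in list(aa.items()) + list(sc.items()):
        print(count, *key)
```

The type=1326 records carry only the syscall number; here 41 resolves to socket on x86_64, and the record does not say which address family was requested.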


#7

This request cannot proceed without the above.


#8

Hi, your suggestion worked. This is the new set of plugs:

    plugs:
      - camera
      - raw-usb 
      - mount-observe
      - hardware-observe
      - removable-media
      - home

#9

@jdstrand can this be approved now with those changes?


#10

+1 to auto-connect camera, raw-usb, mount-observe, hardware-observe and home.

-1 to auto-connect removable-media.

UPDATE: based on @popey’s comments, I’m changing this to +1

@reviewers - can some of you vote?


#11

I’m +1 to auto-connect camera, raw-usb, mount-observe, hardware-observe (and home, but that does already, surely)

I don’t understand why -1 on removable-media. If I put an SD card from my DSLR in my PC, can gphoto2 see that without jumping through hoops to connect it? I’d expect that to work.


#12

I tend to not vote to auto-connect removable-media unless it is core functionality. I’m happy to hear others on this point. I was thinking about the SD card scenario and that is very valid. I’ll adjust my vote.


#13

2 votes for, 0 against. Granting auto-connect. This is now live.


#14

How about the namespace also? Or are there additional requirements for that?


#15

I think this was missed by the store team since the topic title was for auto-connect. @store (cc @advocacy) - could someone take a look at this?


#16

We don’t have the ability to rename snaps in the store (AIUI) so you’d need to upload a new snap as gphoto2 rather than the current name with the suffix. Unless you’re requesting gphoto2 as an alias in your current snap? I’d certainly prefer the former to the latter. I’m not a fan of namespaced snaps where no existing snap exists for the non-namespaced name.


#17

Sorry for missing the request for the gphoto2 name(space). Registering the gphoto2 snap name and then republishing your snap there is the way to go - we don’t typically service registration requests for reserved names via the forum.

You’ll need to find a way to tell users of gphoto2-eberkund to switch to the other snap (which might involve data loss - you need to research this and provide a procedure for them to migrate the data), unless you plan to keep publishing updates to gphoto2-eberkund (not recommended).

Try to register it normally, you’re likely to get a “Request reserved name XXX in the Global store” page which looks a bit scary - just document your rationale for claiming the name in the comment box and the store reviewers will evaluate the request.

Once registered, you can simply publish your snap there and close all channels for gphoto2-eberkund.

  • Daniel

#18

Last time I tried that it said the namespace was taken, but as far as I can see it’s not actually in use (but still reserved). If that namespace could be deleted then I would be able to upload a new snap with the correct name.


#19

How long ago was this? I just tried registering gphoto2 and got:

The name ‘gphoto2’ is reserved.
Here’s what you can do:

  • Choose an alternative name that people can associate with you, for example ‘roadmr-gphoto2’.
  • Request this name to be manually reviewed: please enter a rationale in the ‘Comment’ box and click the ‘Request reserved name’ button below.

I don’t see mention of it being taken - “reserved” is something else (it means it can’t just be registered by anyone, since it’s a well-known application name we want to ensure the registrant has a good claim and rationale to the name).

Let me know if you see something different. If you do not, the thing to do would indeed be: “enter a rationale in the ‘Comment’ box and click the ‘Request reserved name’ button below.”

  • Daniel

#20

I do not see a comment box like you describe, perhaps your account has some extra permissions that I do not?

But yes, I would like to request that name which is why I made this thread. I am just packaging the official deb package from the repos so I think it should be okay.