Snapcraft Basler USB camera /sys/bus/usb/ access denied in strict mode

Hi,

I am experimenting with delivering our software via snapcraft, the purpose of software is to grab image frames from USB industrial camera device Basler. It is genicam compliant, and I am using genicam protocol implementation in python named “harvesters” to access frames. I am using raw-usb, camera, home, network plugs. Unfortunately, my app is working in devmode while in strict mode, the read access to /sys/bus/usb/ is getting denied. These are logs of dmesg in devmode

. While going through the raw-usb implementation, i can see that there is read access available to /sys/bus/usb, but unfortunately I am unable to access it; I also tried to run shell inside my snap environment and tried going ls /sys/bus/usb, and it’s permission denied in strict mode. My snapcraft file is

name: test
version: '0.0.1' 
summary: test
description: test
grade: stable 
confinement: strict 
base: core22

apps:
  qaapp: 
    command: main/main
    plugs:
      - raw-usb
      - home
      - network
      - network-bind
parts:
  36zerovision:
    plugin: dump
    source: dist
  basler-camera-driver:
    plugin: nil
    override-build: |
      wget https://example.blob.core.windows.net/publicdatasets/pylon_7.2.1.25747_x86_64.tar.gz
      mkdir $SNAPCRAFT_PART_INSTALL/pylon
      tar -C $SNAPCRAFT_PART_INSTALL/pylon -xzf ./pylon_*.tar.gz
      chmod 755 $SNAPCRAFT_PART_INSTALL/pylon

build-packages:
  - dpkg
  - wget

. Just for information, I am using basler-camera-driver part of snapcraft to install the GenTL producer for basler camera. Any hints, ideas, or answers are highly appreciated!

Try with adding camera plug. Also replace $SNAPCRAFT with $CRAFT

Thanks, added camera and CRAFT, but still no luck.

That is log I am facing in strict mode

[196797.398057] audit: type=1326 audit(1693770070.754:22949180): auid=1000 uid=0 gid=0 ses=3 subj=snap.test.qaapp pid=79864 comm="main" exe="/snap/test/x1/main/main" sig=0 arch=c000003e syscall=41 compat=0 ip=0x7f9fa0532ceb code=0x50000

while in devmode, it’s giving these warnings

[197020.066207] audit: type=1326 audit(1693770293.419:22949208): auid=1000 uid=0 gid=0 ses=3 subj=snap.test.qaapp pid=80440 comm="main" exe="/snap/test/x1/main/main" sig=0 arch=c000003e syscall=41 compat=0 ip=0x7fe6a0078ceb code=0x7ffc0000
[197020.066276] audit: type=1400 audit(1693770293.419:22949209): apparmor="ALLOWED" operation="open" class="file" profile="snap.test.qaapp" name="/sys/bus/usb/devices/" pid=80440 comm="main" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[197020.066280] audit: type=1400 audit(1693770293.419:22949210): apparmor="ALLOWED" operation="open" class="file" profile="snap.test.qaapp" name="/sys/devices/pci0000:00/0000:00:14.0/usb2/2-3/busnum" pid=80440 comm="main" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[197020.066330] audit: type=1400 audit(1693770293.419:22949211): apparmor="ALLOWED" operation="open" class="file" profile="snap.test.qaapp" name="/sys/devices/pci0000:00/0000:00:14.0/usb2/2-3/devnum" pid=80440 comm="main" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[197020.066334] audit: type=1400 audit(1693770293.419:22949212): apparmor="ALLOWED" operation="open" class="file" profile="snap.test.qaapp" name="/sys/devices/pci0000:00/0000:00:14.0/usb2/2-3/speed" pid=80440 comm="main" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[197020.066337] audit: type=1400 audit(1693770293.419:22949213): apparmor="ALLOWED" operation="open" class="file" profile="snap.test.qaapp" name="/sys/devices/pci0000:00/0000:00:14.0/usb2/2-3/descriptors" pid=80440 comm="main" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[197020.066351] audit: type=1400 audit(1693770293.419:22949214): apparmor="ALLOWED" operation="open" class="file" profile="snap.test.qaapp" name="/sys/devices/pci0000:00/0000:00:14.0/usb2/busnum" pid=80440 comm="main" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[197020.066402] audit: type=1400 audit(1693770293.419:22949215): apparmor="ALLOWED" operation="open" class="file" profile="snap.test.qaapp" name="/sys/devices/pci0000:00/0000:00:14.0/usb2/devnum" pid=80440 comm="main" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[197020.066406] audit: type=1400 audit(1693770293.419:22949216): apparmor="ALLOWED" operation="open" class="file" profile="snap.test.qaapp" name="/sys/devices/pci0000:00/0000:00:14.0/usb2/speed" pid=80440 comm="main" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[197020.066408] audit: type=1400 audit(1693770293.419:22949217): apparmor="ALLOWED" operation="open" class="file" profile="snap.test.qaapp" name="/sys/devices/pci0000:00/0000:00:14.0/usb2/descriptors" pid=80440 comm="main" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[197020.066463] audit: type=1400 audit(1693770293.419:22949218): apparmor="ALLOWED" operation="open" class="file" profile="snap.test.qaapp" name="/sys/devices/pci0000:00/0000:00:14.0/usb1/1-7/busnum" pid=80440 comm="main" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[197020.066468] audit: type=1400 audit(1693770293.419:22949219): apparmor="ALLOWED" operation="open" class="file" profile="snap.test.qaapp" name="/sys/devices/pci0000:00/0000:00:14.0/usb1/1-7/devnum" pid=80440 comm="main" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[197020.066470] audit: type=1400 audit(1693770293.419:22949220): apparmor="ALLOWED" operation="open" class="file" profile="snap.test.qaapp" name="/sys/devices/pci0000:00/0000:00:14.0/usb1/1-7/speed" pid=80440 comm="main" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[197020.066527] audit: type=1400 audit(1693770293.419:22949221): apparmor="ALLOWED" operation="open" class="file" profile="snap.test.qaapp" name="/sys/devices/pci0000:00/0000:00:14.0/usb1/1-7/descriptors" pid=80440 comm="main" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[197020.066532] audit: type=1400 audit(1693770293.419:22949222): apparmor="ALLOWED" operation="open" class="file" profile="snap.test.qaapp" name="/sys/devices/pci0000:00/0000:00:14.0/usb1/busnum" pid=80440 comm="main" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[197020.066534] audit: type=1400 audit(1693770293.419:22949223): apparmor="ALLOWED" operation="open" class="file" profile="snap.test.qaapp" name="/sys/devices/pci0000:00/0000:00:14.0/usb1/devnum" pid=80440 comm="main" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[197020.066536] audit: type=1400 audit(1693770293.419:22949224): apparmor="ALLOWED" operation="open" class="file" profile="snap.test.qaapp" name="/sys/devices/pci0000:00/0000:00:14.0/usb1/speed" pid=80440 comm="main" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[197020.066548] audit: type=1400 audit(1693770293.419:22949225): apparmor="ALLOWED" operation="open" class="file" profile="snap.test.qaapp" name="/sys/devices/pci0000:00/0000:00:14.0/usb1/descriptors" pid=80440 comm="main" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[197020.066599] audit: type=1400 audit(1693770293.419:22949226): apparmor="ALLOWED" operation="open" class="file" profile="snap.test.qaapp" name="/sys/devices/pci0000:00/0000:00:14.0/usb1/busnum" pid=80440 comm="main" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[197020.066604] audit: type=1400 audit(1693770293.419:22949227): apparmor="ALLOWED" operation="open" class="file" profile="snap.test.qaapp" name="/sys/devices/pci0000:00/0000:00:14.0/usb1/devnum" pid=80440 comm="main" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[197020.066606] audit: type=1400 audit(1693770293.419:22949228): apparmor="ALLOWED" operation="open" class="file" profile="snap.test.qaapp" name="/sys/devices/pci0000:00/0000:00:14.0/usb1/1-1/busnum" pid=80440 comm="main" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[197020.066661] audit: type=1400 audit(1693770293.419:22949229): apparmor="ALLOWED" operation="open" class="file" profile="snap.test.qaapp" name="/sys/devices/pci0000:00/0000:00:14.0/usb1/1-1/devnum" pid=80440 comm="main" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[197020.066665] audit: type=1400 audit(1693770293.419:22949230): apparmor="ALLOWED" operation="open" class="file" profile="snap.test.qaapp" name="/sys/devices/pci0000:00/0000:00:14.0/usb1/1-1/speed" pid=80440 comm="main" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[197020.066668] audit: type=1400 audit(1693770293.419:22949231): apparmor="ALLOWED" operation="open" class="file" profile="snap.test.qaapp" name="/sys/devices/pci0000:00/0000:00:14.0/usb1/1-1/descriptors" pid=80440 comm="main" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[197020.066683] audit: type=1400 audit(1693770293.419:22949232): apparmor="ALLOWED" operation="open" class="file" profile="snap.test.qaapp" name="/sys/devices/pci0000:00/0000:00:14.0/usb2/busnum" pid=80440 comm="main" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[197020.066739] audit: type=1400 audit(1693770293.419:22949233): apparmor="ALLOWED" operation="open" class="file" profile="snap.test.qaapp" name="/sys/devices/pci0000:00/0000:00:14.0/usb2/devnum" pid=80440 comm="main" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[197020.066843] audit: type=1400 audit(1693770293.419:22949234): apparmor="ALLOWED" operation="capable" class="cap" profile="snap.test.qaapp" pid=80440 comm="main" capability=23  capname="sys_nice"
[197020.070875] audit: type=1400 audit(1693770293.423:22949235): apparmor="ALLOWED" operation="open" class="file" profile="snap.test.qaapp" name="/sys/devices/pci0000:00/0000:00:14.0/usb2/2-3/bConfigurationValue" pid=80440 comm="main" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[197020.070883] audit: type=1400 audit(1693770293.423:22949236): apparmor="ALLOWED" operation="open" class="file" profile="snap.test.qaapp" name="/sys/devices/pci0000:00/0000:00:14.0/usb2/2-3/bConfigurationValue" pid=80440 comm="main" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[197020.070927] audit: type=1400 audit(1693770293.423:22949237): apparmor="ALLOWED" operation="open" class="file" profile="snap.test.qaapp" name="/dev/bus/usb/002/003" pid=80440 comm="main" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
[197020.077631] audit: type=1400 audit(1693770293.431:22949238): apparmor="ALLOWED" operation="open" class="file" profile="snap.test.qaapp" name="/dev/bus/usb/002/003" pid=80440 comm="main" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
[197020.631554] audit: type=1400 audit(1693770293.987:22949239): apparmor="ALLOWED" operation="capable" class="cap" profile="snap.test.qaapp" pid=80440 comm="CUxStream::Xfer" capability=23  capname="sys_nice"

and the strange thing is that, in snappy-debug, it’s printing these warnings,

= AppArmor =
Time: Sep  3 21:44:53
Log: apparmor="ALLOWED" operation="open" class="file" profile="snap.test.qaapp" name="/sys/bus/usb/devices/" pid=80440 comm="main" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
File: /sys/bus/usb/devices/ (read)
Suggestions:
* adjust program to not access '/sys/bus/usb/devices/'
* add one of 'camera, raw-usb' to 'plugs'

= AppArmor =
Time: Sep  3 21:44:53
Log: apparmor="ALLOWED" operation="open" class="file" profile="snap.test.qaapp" name="/sys/devices/pci0000:00/0000:00:14.0/usb2/2-3/busnum" pid=80440 comm="main" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
File: /sys/devices/pci0000:00/0000:00:14.0/usb2/2-3/busnum (read)
Suggestions:
* adjust program to not access '/sys/devices/pci0000:00/0000:00:14.0/usb2/2-3/busnum'
* adjust program to not access '/sys/devices/pci[0-9]*:[0-9]*/[0-9]*:[0-9]*:[0-9]*.[0-9]*/usb[0-9]*/[0-9]*-[0-9]*/busnum'

= AppArmor =
Time: Sep  3 21:44:53
Log: apparmor="ALLOWED" operation="open" class="file" profile="snap.test.qaapp" name="/sys/devices/pci0000:00/0000:00:14.0/usb2/2-3/devnum" pid=80440 comm="main" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
File: /sys/devices/pci0000:00/0000:00:14.0/usb2/2-3/devnum (read)
Suggestions:
* adjust program to not access '/sys/devices/pci0000:00/0000:00:14.0/usb2/2-3/devnum'
* adjust program to not access '/sys/devices/pci[0-9]*:[0-9]*/[0-9]*:[0-9]*:[0-9]*.[0-9]*/usb[0-9]*/[0-9]*-[0-9]*/devnum'

although I added camera, and raw-usb into plugs

plugs:
  - raw-usb
  - home
  - network
  - network-bind
  - camera
  - system-backup
  - process-control

Neither of these interfaces will automatically connect… you will need to use the snap connect... command after installing the snap

Thanks, yes it’s working. My error was; I think related to caching, I built many snaps before with different plugs under same snap name. Although I was using connecting the plug manually, but still no success. I changed a different name, then it’s working. I also tried with snapcraft clean, but no luck with clearing the cache.