Unable to claim USB Interface via electron kiosk snap

dwitz · May 7, 2024, 6:37am

I have been running a electron kiosk snap based off @ogra GitHub - ogra1/electron-kiosk-uc20

connecting to WebSerial devices works well. Im now trying to connect a thermal printer via WebUSB. If I run the electron app outside of snap it works fine, devices connects and prints successfully. However when I run on ubuntuCore as a snap I get the following error after WebUSB API > device.claimInterface(0);

Error: Failed to execute 'claimInterface' on 'USBDevice': Unable to claim interface

I have hardware-observe & raw-usb plugs enabled and connected I can access then snap shell and run echo $ZPL_CODE > /dev/usb/lp1 and successfully print a label

I have some AppArmor errors however nothing after I try to claimInterface

AVC apparmor="DENIED" operation="open" profile="snap.serial-kiosk.serial-kiosk.serial-kiosk" name="/proc/1598/mem" pid=1598 comm="electron-quick-" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
May 07 17:24:39 floorscale-dev audit[1727]: AVC apparmor="DENIED" operation="capable" profile="snap.serial-kiosk.serial-kiosk" pid=1727 comm="desktop-launch" capability=1  capname="dac_override"
May 07 17:24:39 floorscale-dev audit[1730]: AVC apparmor="DENIED" operation="capable" profile="snap.serial-kiosk.serial-kiosk" pid=1730 comm="desktop-launch" capability=2  capname="dac_read_search"

Just wondering do I need to grant some special permission or connect some slot to be able to claim a usb interface?

any advice would be greatly appreciated, thanks!

alan_g · May 7, 2024, 10:34am

Hi, first thing to try is " Debugging policy violation logs" on

dwitz · May 7, 2024, 10:26pm

thank you for the advise @alan_g

output of snappy-debug is bellow however running with --devmode makes no difference. Am I safe to asume it is not a policy violation issue?

kernel.printk_ratelimit = 0
= AppArmor =
Time: May 08 09:16:13
Log: apparmor="ALLOWED" operation="dbus_signal"  bus="system" path="/org/freedesktop/login1" interface="org.freedesktop.login1.Manager" member="SessionNew" name=":1.1" mask="receive" pid=1517 label="snap.serial-kiosk.serial-kiosk" peer_pid=1083 peer_label="unconfined"
DBus access
Suggestion:
* try adding 'shutdown' to 'plugs'

= Seccomp =
Time: May 08 09:16:20
Log: auid=4294967295 uid=0 gid=0 ses=4294967295 subj=snap.serial-kiosk.serial-kiosk pid=2024 comm="dbus-daemon" exe="/snap/serial-kiosk/x1/usr/bin/dbus-daemon" sig=0 arch=c000003e 41(socket) compat=0 ip=0x7fc0a82177ab code=0x7ffc0000
Syscall: socket
Suggestions:
* add account-control (if using NETLINK_AUDIT)
* add audio-playback (if using NETLINK_KOBJECT_UEVENT)
* add bluetooth-control (if using AF_{ALG,BLUETOOTH})
* add firewall-control (if using NETLINK_{FIREWALL,IP6_FW,NETFILTER,NF_LOG,ROUTE})
* add hardware-observe (if using NETLINK_{GENERIC,KOBJECT_UEVENT})
* add netlink-audit (if using NETLINK_AUDIT)
* add netlink-connector (if using NETLINK_CONNECTOR)
* add network (if using AF_INET{,6}, AF_CONN, NETLINK_ROUTE)
* add network-bind (if using AF_INET{,6}, NETLINK_ROUTE)
* add network-control (if using AF_{APPLETALK,BRIDGE,INET,INET6,IPX,PACKET,PPPOX,SNA}, NETLINK_{DNRTMSG,FIB_LOOKUP,GENERIC,INET_DIAG,ISCSI,KOBJECT_UEVENT,RDMA,ROUTE,XFRM})
* add network-observe (if using SOCK_RAW, AF_INET{,6}), NETLINK_{GENERIC,INET_DIAG,KOBJECT_UEVENT,ROUTE})
* add raw-usb (if using NETLINK_KOBJECT_UEVENT)
* add time-control (if using NETLINK_AUDIT)
* add upower-observe (if using NETLINK_KOBJECT_UEVENT)
* add x11 (if using NETLINK_KOBJECT_UEVENT)

= Seccomp =
Time: May 08 09:16:20
Log: auid=4294967295 uid=0 gid=0 ses=4294967295 subj=snap.serial-kiosk.serial-kiosk pid=2037 comm="electron-quick-" exe="/snap/serial-kiosk/x1/electron-helloworld/electron-quick-start" sig=0 arch=c000003e 330(pkey_alloc) compat=0 ip=0x7f25e868700b code=0x7ffc0000
Syscall: pkey_alloc

= Seccomp =
Time: May 08 09:16:20
Log: auid=4294967295 uid=0 gid=0 ses=4294967295 subj=snap.serial-kiosk.serial-kiosk pid=2036 comm="electron-quick-" exe="/snap/serial-kiosk/x1/electron-helloworld/electron-quick-start" sig=0 arch=c000003e 330(pkey_alloc) compat=0 ip=0x7f99b8df800b code=0x7ffc0000
Syscall: pkey_alloc

= Seccomp =
Time: May 08 09:16:20
Log: auid=4294967295 uid=0 gid=0 ses=4294967295 subj=snap.serial-kiosk.serial-kiosk pid=2025 comm="electron-quick-" exe="/snap/serial-kiosk/x1/electron-helloworld/electron-quick-start" sig=0 arch=c000003e 203(sched_setaffinity) compat=0 ip=0x7f8d22c22741 code=0x7ffc0000
Syscall: sched_setaffinity
Suggestion:
* ignore the denial if the program otherwise works correctly (unconditional sched_setaffinity is often just noise)

= Seccomp =
Time: May 08 09:16:20
Log: auid=4294967295 uid=0 gid=0 ses=4294967295 subj=snap.serial-kiosk.serial-kiosk pid=2025 comm="electron-quick-" exe="/snap/serial-kiosk/x1/electron-helloworld/electron-quick-start" sig=0 arch=c000003e 314(sched_setattr) compat=0 ip=0x7f8d2151073d code=0x7ffc0000
Syscall: sched_setattr
Suggestion:
* add 'process-control' to 'plugs'

= AppArmor =
Time: May 08 09:16:20
Log: apparmor="ALLOWED" operation="open" profile="snap.serial-kiosk.serial-kiosk" name="/proc/2061/mem" pid=2061 comm="electron-quick-" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
File: /proc/2061/mem (read)
Suggestion:
* adjust program to not access '@{PROC}/@{pid}/mem'

= AppArmor =
Time: May 08 09:16:21
Log: apparmor="ALLOWED" operation="capable" info="optional: no audit" error=-1 profile="snap.serial-kiosk.serial-kiosk" pid=2025 comm="ThreadPoolSingl" capability=24  capname="sys_resource"
Capability: sys_resource
Suggestions:
* adjust program to not require 'CAP_SYS_RESOURCE' (see 'man 7 capabilities')
* add one of 'process-control, system-trace' to 'plugs'
* do nothing if program otherwise works properly

= Seccomp =
Time: May 08 09:16:21
Log: auid=4294967295 uid=0 gid=0 ses=4294967295 subj=snap.serial-kiosk.serial-kiosk pid=2073 comm="electron-quick-" exe="/snap/serial-kiosk/x1/electron-helloworld/electron-quick-start" sig=0 arch=c000003e 203(sched_setaffinity) compat=0 ip=0x7f99ba502741 code=0x7ffc0000
Syscall: sched_setaffinity
Suggestion:
* ignore the denial if the program otherwise works correctly (unconditional sched_setaffinity is often just noise)

= Seccomp =
Time: May 08 09:16:21
Log: auid=4294967295 uid=0 gid=0 ses=4294967295 subj=snap.serial-kiosk.serial-kiosk pid=2098 comm="electron-quick-" exe="/snap/serial-kiosk/x1/electron-helloworld/electron-quick-start" sig=0 arch=c000003e 330(pkey_alloc) compat=0 ip=0x7f8042b8800b code=0x7ffc0000
Syscall: pkey_alloc

= AppArmor =
Time: May 08 09:16:21
Log: apparmor="ALLOWED" operation="capable" profile="snap.serial-kiosk.serial-kiosk" pid=2025 comm="ThreadPoolSingl" capability=23  capname="sys_nice"
Capability: sys_nice
Suggestions:
* adjust program to not require 'CAP_SYS_NICE' (see 'man 7 capabilities')
* add one of 'process-control' to 'plugs'
* do nothing if program otherwise works properly

= AppArmor =
Time: May 08 09:17:14
Log: apparmor="ALLOWED" operation="capable" info="optional: no audit" error=-1 profile="snap.serial-kiosk.serial-kiosk" pid=2025 comm="ThreadPoolSingl" capability=24  capname="sys_resource"
Capability: sys_resource
Suggestions:
* adjust program to not require 'CAP_SYS_RESOURCE' (see 'man 7 capabilities')
* add one of 'process-control, system-trace' to 'plugs'
* do nothing if program otherwise works properly

dwitz · May 8, 2024, 4:53am

UPDATE: turned out to be an issue with WebUSB on linux, not snap related. The device was automatically binding when plugged in. Unbinding the device allow it to be claimed via WebUSB.

for anyone else with similar issue it was fixed by creating a udev rule to unbind USB Device when detected (idVendor & idProduct need to be replaced with device specific values )

SUBSYSTEM=="usb", ATTRS{idVendor}=="0a5f", ATTRS{idProduct}=="0164", MODE="0664", GROUP="wheel", RUN+="/bin/sh -c 'echo -n $id:1.0 > /sys/bus/usb/drivers/usblp/unbind && echo -n $id:1.0 > /sys/bus/usb/drivers/usbfs/unbind'"

Ref https://stackoverflow.com/questions/60790994/webusb-unable-to-claim-interface-error