Webusb vs Chromium (and snaps in general)

nteodosio · August 23, 2023, 11:30am

WebUSB is a JavaScript application programming interface (API) specification for securely providing access to USB devices from web pages (…) and is supported by Google Chrome [and Chromium], Microsoft Edge (…)

— https://en.wikipedia.org/wiki/WebUSB

Bug 1905458 describes how Apparmor denies access to the Chromium snap to /run/udev/data/*.

Since allowing access by default to all those endpoints would be a no-go from the point of view of security, is there an existing canonical approach to give users the option to allow that within snap confinement?

ogra · August 23, 2023, 11:44am

github.com

snapcore/snapd/blob/master/interfaces/builtin/raw_usb.go#L53


# Allow detection of usb devices. Leaks plugged in USB device info
/sys/bus/usb/devices/ r,
/sys/devices/pci**/usb[0-9]** r,
/sys/devices/platform/soc/*.usb/usb[0-9]** r,
/sys/devices/platform/scb/*.pcie/pci**/usb[0-9]** r,
/run/udev/data/c16[67]:[0-9] r, # ACM USB modems
/run/udev/data/b180:*    r, # various USB block devices
/run/udev/data/c18[089]:* r, # various USB character devices: USB serial converters, etc.
/run/udev/data/+usb:* r,
`
const rawusbConnectedPlugSecComp = `
# Description: Allow raw access to all connected USB devices.
# This gives privileged access to the system.
# kernel uevents
socket AF_NETLINK - NETLINK_KOBJECT_UEVENT
`

The raw-usb interface should grant that access for USB devices… perhaps we might need to enhance it for additional devices but the bug above looks more like a general permission issue (device nodes owned by root, while for I.e. webcams they should be root:video)