This just bit me as well. Refreshing core to beta seems to have solved it.
Still not resolved for me. My snap requires the raw-usb interface. Tested on core stable and beta:
stable: 16-2.28.5
beta: 16-2.29~rc1
This was not an issue before. Whenever I disconnect the raw-usb interface, the error disappears. I have refreshed core several times now. Removed and installed my custom app several times. To no effect.
raw-usb works for me:
$ snap interfaces | grep raw-usb
:raw-usb test-policy-app
$ grep raw /var/lib/snapd/apparmor/profiles/snap.test-policy-app.raw-usb
...
profile "snap.test-policy-app.raw-usb" (attach_disconnected) {
# Description: Allow raw access to all connected USB devices.
$ test-policy-app.raw-usb -c 'cat /run/udev/data/+usb:2-0:1.0'
I:1416103
E:ID_USB_CLASS_FROM_DATABASE=Hub
E:ID_VENDOR_FROM_DATABASE=Linux Foundation
E:ID_MODEL_FROM_DATABASE=3.0 root hub
G:snap_test-policy-app_raw-usb
Can you open a new topic with more details? Please include:
- output of snap version
- output of journalctl |grep audit (just for entries corresponding to your last failing run)
- the OS and kernel you are using
- exact steps to reproduce
Same here, I’m on 2.29~rc2 and with raw-usb I get the same problem once the interface is connected.
System is Ubuntu Core 16.
I just tried on Ubuntu Core 16 in a vm with the core from the beta channel (2.29), and it works fine:
$ snap version
snap 2.29
snapd 2.29
series 16
kernel 4.4.0-96-generic
$ snap interfaces | grep raw-usb
:raw-usb test-policy-app
$ grep raw /var/lib/snapd/apparmor/profiles/snap.test-policy-app.raw-usb
...
profile "snap.test-policy-app.raw-usb" (attach_disconnected) {
# Description: Allow raw access to all connected USB devices.
$ test-policy-app.raw-usb -c 'cat /run/udev/data/+usb:2-0:1.0'
I:2041395
E:ID_USB_CLASS_FROM_DATABASE=Hub
E:ID_USB_PROTOCOL_FROM_DATABASE=Full speed (or root) hub
E:ID_VENDOR_FROM_DATABASE=Linux Foundation
E:ID_MODEL_FROM_DATABASE=1.1 root hub
E:net.ifnames=0
G:snap_test-policy-app_raw-usb
Can you provide more steps on how to reproduce in a VM?
Is there a USB device with a proprietary driver plugged in? (proprietary drivers aren’t allowed to use sysfs. This came up recently with the nvidia driver)
I have not managed to reproduce this in a VM so far; I did reproduce it on actual Intel HW running UC16 using this snap:
https://launchpad.net/~ondrak/+snap/openhab-master/+build/100066/+files/openhab_2.2.0-SNAPSHOT_amd64.snap
The snap runs without problem, but once you connect raw-usb it will fail.
It does not happen on classic.
There is no USB device plugged in, though I did plug in a device before, which I was testing.
Rebooting, reinstalling snap makes no difference. (No USB device plugged in)
$ grep raw /var/lib/snapd/apparmor/profiles/snap.openhab.openhab
# Description: Allow raw access to all connected USB devices.
All I can see on syslog is this:
localhost systemd-udevd[536]: Network interface NamePolicy= disabled on kernel command line, ignoring.
localhost udisks2.udisksd[2089]: (udisksd:2089): udisks-CRITICAL **: [2089]: Error creating directory /etc/udisks2: Read-only file system [udiskslinuxdrive.c:244, configuration_get_path()]
localhost kernel: [ 493.552905] intel_soc_dts_thermal: request_threaded_irq ret -22
localhost systemd-udevd[28344]: Process '/sbin/crda' failed with exit code 234.
localhost udisks2.udisksd[2089]: (udisksd:2089): udisks-CRITICAL **: [2089]: Error creating directory /etc/udisks2: Read-only file system [udiskslinuxdrive.c:244, configuration_get_path()]
localhost kernel: [ 524.027079] audit_printk_skb: 6 callbacks suppressed
localhost kernel: [ 524.027086] audit: type=1400 audit(1509475083.271:864): apparmor="DENIED" operation="create" profile="/usr/lib/snapd/snap-confine" pid=28407 comm="snap-confine" family="inet" sock_type="dgram" protocol=0 requested_mask="create" denied_mask="create"
I have now tested a different VM with USB connected, and that seems to work. So the problem is not always there; it seems to be related to the underlying system.
Does the system use proprietary drivers?
nope, running stock pc-kernel snap.
FYI, https://github.com/snapcore/snapd/pull/4164 and https://github.com/snapcore/snapd/pull/4165 (2.29)
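An added example, not part of the original thread: a small parser for the kind of `journalctl | grep audit` output requested above, which pulls out AppArmor DENIED records and groups them by profile, operation and target. It assumes the kernel-log line format shown in the syslog excerpt in this thread; the function names and the sample input are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample: the two kernel lines quoted in the thread's syslog excerpt.
SAMPLE_LOG = '''\
localhost kernel: [ 524.027079] audit_printk_skb: 6 callbacks suppressed
localhost kernel: [ 524.027086] audit: type=1400 audit(1509475083.271:864): apparmor="DENIED" operation="create" profile="/usr/lib/snapd/snap-confine" pid=28407 comm="snap-confine" family="inet" sock_type="dgram" protocol=0 requested_mask="create" denied_mask="create"
'''

# type=1400 is the audit record type used for the AppArmor message on this page.
AUDIT_RE = re.compile(
    r'audit: type=1400 audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): (?P<body>.*)$')
# key="quoted value" or key=bare_value
FIELD_RE = re.compile(r'(\w+)=(?:"((?:[^"\\]|\\.)*)"|(\S+))')


def parse_denial(line):
    """Return the fields of an AppArmor DENIED record as a dict, else None."""
    m = AUDIT_RE.search(line)
    if not m:
        return None
    fields = {k: q or b for k, q, b in FIELD_RE.findall(m.group("body"))}
    if fields.get("apparmor") != "DENIED":
        return None
    fields["timestamp"] = float(m.group("ts"))
    fields["serial"] = int(m.group("serial"))
    return fields


def summarize(lines):
    """Count denials per (profile, operation, target)."""
    counts = Counter()
    for line in lines:
        d = parse_denial(line)
        if d is None:
            continue
        # File denials carry name=; socket denials carry family=/sock_type=.
        target = d.get("name") or "{}/{}".format(
            d.get("family", "?"), d.get("sock_type", "?"))
        counts[(d["profile"], d["operation"], target)] += 1
    return counts


if __name__ == "__main__":
    for (profile, op, target), n in summarize(SAMPLE_LOG.splitlines()).items():
        print(f"{n}x profile={profile} operation={op} target={target}")
```

The grouping key makes it easy to see which profile a denial belongs to: in the sample, the denied socket creation is attributed to the snap-confine profile rather than to the snap's own profile.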