What interface provides access to /dev/input?

Hi, I have eglfs Qt app snapped. What interface should I use to make mouse/keyboard available?

I20210209 22:13:27.703675  2137 main.cpp:27] evdevkeyboard: Using device discovery
I20210209 22:13:27.703855  2137 main.cpp:27] static device discovery for type QFlags<QDeviceDiscovery::QDeviceType>(Device_Keyboard)
W20210209 22:13:27.704229  2137 main.cpp:30] Device discovery cannot open device "/dev/input/mice"
I20210209 22:13:27.704282  2137 main.cpp:27] Found matching devices ()
I20210209 22:13:27.704370  2137 main.cpp:27] evdevmouse: Using device discovery
I20210209 22:13:27.704438  2137 main.cpp:27] static device discovery for type QFlags<QDeviceDiscovery::QDeviceType>(Device_Mouse|Device_Touchpad)
W20210209 22:13:27.704628  2137 main.cpp:30] Device discovery cannot open device "/dev/input/mice"
I20210209 22:13:27.704674  2137 main.cpp:27] Found matching devices ()
I20210209 22:13:27.704739  2137 main.cpp:27] evdevtouch: Using device discovery
I20210209 22:13:27.704794  2137 main.cpp:27] static device discovery for type QFlags<QDeviceDiscovery::QDeviceType>(Device_Touchpad|Device_Touchscreen)
W20210209 22:13:27.704952  2137 main.cpp:30] Device discovery cannot open device "/dev/input/mice"
I20210209 22:13:27.704994  2137 main.cpp:27] Found matching devices ()

I see that mir/wayland give access to that, but I am a bit confused about how to use them (and that seems to be an overkill anyhow, it gives a lot of other access as well).

I added mir to plugs, but I am not sure how to actually connect it since mir is not a part of the core snap.

Thanks in advance.

sadly there is no interface providing that access standalone, x11, wayland and mir all include /dev/input though (i have a similar problem with https://snapcraft.io/kodi-pi-standalone where i run kodi as GBM app directly on the hardware). Effectively we will need a new devinput interface (i talked to @ijohnson about this before sadly it needs some tinkering to even collect the right denial messages, since /dev/input access is completely quietened in apparmor)

i guess for now your short term solution might be to add a mir slot to your snap (which is the least permissive of x11, wayland and mir) and make a request in the store-requests category to get this slot granted … (just having the slot seems to be enough, no need to have a plug)

So I would have to do something like this?

slots:
  mir-slot:
    interface: mir

my-app:
  slots: [mir-slot]

Since I am running inside the branded store I guess I have to turn to support instead.

AFAICT it’s not apparmor which is denying this, it’s the devices cgroup not allowing access to that, which is not logged anywhere unfortunately. Are you able to just try in devmode where we turn off the devices cgroup entirely (and thus AppArmor would still be in the picture, but just with ALLOW messages)?

i think when i tried i did not even need this:

IIRC just the toplevel slot definition allowed the app to get input events (i think the slot definition simply grants the whole set of permissions to all of the snap (which is most likely also the reason you have to ask for having the slot granted))

sure, if you can give me the secret handshake instructions i will capture them :wink:
(though i guess just cloning the mir interface and ripping out all wayland/graphics bits would also work (i just didnt find the time yet to prepare a PR else i would have gone that route already))

Unfortunately, I can’t run in devmode, after some change it stopped working because it actually fails to access vchiq node while in devmode unlike the confined.

And keyboard detection seems to happen after so I don’t see any logs with the following command:
sudo sysctl -w kernel.printk_ratelimit=0 ; journalctl --follow |grep audit|grep apparmor|grep snap.screenly-client|grep /dev/input

If the snap can’t work in devmode, one can try the following:

  • Install the snap version with the mir slot and no devmode
  • Edit the the profile for the main command(s) /var/lib/snapd/apparmor/profiles/snap.<snap-name>.<command>
  • If it’s using the mir slot there should be a line: /dev/input/* rw, replace it with audit allow /dev/input/* rw,
  • reload the profile with:
    sudo apparmor_parser -r /var/lib/snapd/apparmor/profiles/snap.<snap-name>.<command>
  • now run the relevant commands, things should still run now because it’s not devmode, but because of the audit accesses to any /dev/input/* should hopefully appear in the log under the patterns described before
1 Like
audit[2472]: AVC apparmor="AUDIT" operation="open" profile="snap.screenly-client.viewer" name="/dev/input/mice" pid=2472 comm="screenly-client" requested_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1613667954.676:85): apparmor="AUDIT" operation="open" profile="snap.screenly-client.viewer" name="/dev/input/event1" pid=2472 comm="screenly-client" requested_mask="r" fsuid=0 ouid=0
audit[2472]: AVC apparmor="AUDIT" operation="open" profile="snap.screenly-client.viewer" name="/dev/input/event1" pid=2472 comm="screenly-client" requested_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1613667954.664:84): apparmor="AUDIT" operation="open" profile="snap.screenly-client.viewer" name="/dev/input/event0" pid=2472 comm="screenly-client" requested_mask="r" fsuid=0 ouid=0
audit[2472]: AVC apparmor="AUDIT" operation="open" profile="snap.screenly-client.viewer" name="/dev/input/event0" pid=2472 comm="screenly-client" requested_mask="r" fsuid=0 ouid=0
: audit: type=1400 audit(1613667954.652:83): apparmor="AUDIT" operation="open" profile="snap.screenly-client.viewer" name="/dev/input/mice" pid=2472 comm="screenly-client" requested_mask="r" fsuid=0 ouid=0
audit[2472]: AVC apparmor="AUDIT" operation="open" profile="snap.screenly-client.viewer" name="/dev/input/mice" pid=2472 comm="screenly-client" requested_mask="r" fsuid=0 ouid=0
: audit: type=1400 audit(1613667954.628:82): apparmor="AUDIT" operation="open" profile="snap.screenly-client.viewer" name="/dev/input/event1" pid=2472 comm="screenly-client" requested_mask="r" fsuid=0 ouid=0
audit[2472]: AVC apparmor="AUDIT" operation="open" profile="snap.screenly-client.viewer" name="/dev/input/event1" pid=2472 comm="screenly-client" requested_mask="r" fsuid=0 ouid=0
: audit: type=1400 audit(1613667954.616:81): apparmor="AUDIT" operation="open" profile="snap.screenly-client.viewer" name="/dev/input/event0" pid=2472 comm="screenly-client" requested_mask="r" fsuid=0 ouid=0
: audit: type=1400 audit(1613667954.616:80): apparmor="AUDIT" operation="open" profile="snap.screenly-client.viewer" name="/dev/input/event0" pid=2472 comm="screenly-client" requested_mask="r" fsuid=0 ouid=0
audit[2472]: AVC apparmor="AUDIT" operation="open" profile="snap.screenly-client.viewer" name="/dev/input/event0" pid=2472 comm="screenly-client" requested_mask="r" fsuid=0 ouid=0
audit[2472]: AVC apparmor="AUDIT" operation="open" profile="snap.screenly-client.viewer" name="/dev/input/event0" pid=2472 comm="screenly-client" requested_mask="r" fsuid=0 ouid=0
: audit: type=1400 audit(1613667954.604:79): apparmor="AUDIT" operation="open" profile="snap.screenly-client.viewer" name="/dev/input/mice" pid=2472 comm="screenly-client" requested_mask="r" fsuid=0 ouid=0
audit[2472]: AVC apparmor="AUDIT" operation="open" profile="snap.screenly-client.viewer" name="/dev/input/mice" pid=2472 comm="screenly-client" requested_mask="r" fsuid=0 ouid=0
: audit: type=1400 audit(1613667954.580:78): apparmor="AUDIT" operation="open" profile="snap.screenly-client.viewer" name="/dev/input/event1" pid=2472 comm="screenly-client" requested_mask="r" fsuid=0 ouid=0
audit[2472]: AVC apparmor="AUDIT" operation="open" profile="snap.screenly-client.viewer" name="/dev/input/event1" pid=2472 comm="screenly-client" requested_mask="r" fsuid=0 ouid=0
: audit: type=1400 audit(1613667954.552:77): apparmor="AUDIT" operation="open" profile="snap.screenly-client.viewer" name="/dev/input/event0" pid=2472 comm="screenly-client" requested_mask="r" fsuid=0 ouid=0
audit[2472]: AVC apparmor="AUDIT" operation="open" profile="snap.screenly-client.viewer" name="/dev/input/event0" pid=2472 comm="screenly-client" requested_mask="r" fsuid=0 ouid=0
1 Like

What’s the output of udevadm info on the device for:

udevadm info /dev/input/mice
udevadm info /dev/input/event0
udevadm info /dev/input/event1
root@srly-8izqeqw70vfyjtc:/# udevadm info /dev/input/mice
P: /devices/virtual/input/mice
N: input/mice
E: DEVNAME=/dev/input/mice
E: DEVPATH=/devices/virtual/input/mice
E: MAJOR=13
E: MINOR=63
E: SUBSYSTEM=input
E: TAGS=:snap_screenly-client_submit-report:snap_screenly-client_logger:snap_screenly-client_netconfig:snap_screenly-client_viewer:snap_screenly-client_websocket:snap_screenly-client_command-executor:snap_screenly-client_playlist:snap_screenly-client_ping:
E: USEC_INITIALIZED=2225594
E: net.ifnames=0

root@srly-8izqeqw70vfyjtc:/# udevadm info /dev/input/event0
P: /devices/platform/soc/3f980000.usb/usb1/1-1/1-1.3/1-1.3:1.0/0003:1A2C:2C27.0001/input/input0/event0
N: input/event0
S: input/by-id/usb-USB_USB_Keyboard-event-kbd
S: input/by-path/platform-3f980000.usb-usb-0:1.3:1.0-event-kbd
E: DEVLINKS=/dev/input/by-path/platform-3f980000.usb-usb-0:1.3:1.0-event-kbd /dev/input/by-id/usb-USB_USB_Keyboard-event-kbd
E: DEVNAME=/dev/input/event0
E: DEVPATH=/devices/platform/soc/3f980000.usb/usb1/1-1/1-1.3/1-1.3:1.0/0003:1A2C:2C27.0001/input/input0/event0
E: ID_BUS=usb
E: ID_INPUT=1
E: ID_INPUT_KEY=1
E: ID_INPUT_KEYBOARD=1
E: ID_MODEL=USB_Keyboard
E: ID_MODEL_ENC=USB\x20Keyboard
E: ID_MODEL_ID=2c27
E: ID_PATH=platform-3f980000.usb-usb-0:1.3:1.0
E: ID_PATH_TAG=platform-3f980000_usb-usb-0_1_3_1_0
E: ID_REVISION=0110
E: ID_SERIAL=USB_USB_Keyboard
E: ID_TYPE=hid
E: ID_USB_DRIVER=usbhid
E: ID_USB_INTERFACES=:030101:030000:
E: ID_USB_INTERFACE_NUM=00
E: ID_VENDOR=USB
E: ID_VENDOR_ENC=USB
E: ID_VENDOR_ID=1a2c
E: MAJOR=13
E: MINOR=64
E: SUBSYSTEM=input
E: TAGS=:snap_screenly-client_submit-report:snap_screenly-client_netconfig:snap_screenly-client_ping:snap_screenly-client_playlist:snap_screenly-client_websocket:snap_screenly-client_viewer:snap_screenly-client_logger:snap_screenly-client_command-executor:
E: USEC_INITIALIZED=7980549
E: net.ifnames=0
root@srly-8izqeqw70vfyjtc:/# udevadm info /dev/input/event1
P: /devices/platform/soc/3f980000.usb/usb1/1-1/1-1.3/1-1.3:1.1/0003:1A2C:2C27.0002/input/input1/event1
N: input/event1
S: input/by-id/usb-USB_USB_Keyboard-event-if01
S: input/by-path/platform-3f980000.usb-usb-0:1.3:1.1-event
E: DEVLINKS=/dev/input/by-path/platform-3f980000.usb-usb-0:1.3:1.1-event /dev/input/by-id/usb-USB_USB_Keyboard-event-if01
E: DEVNAME=/dev/input/event1
E: DEVPATH=/devices/platform/soc/3f980000.usb/usb1/1-1/1-1.3/1-1.3:1.1/0003:1A2C:2C27.0002/input/input1/event1
E: ID_BUS=usb
E: ID_INPUT=1
E: ID_INPUT_KEY=1
E: ID_MODEL=USB_Keyboard
E: ID_MODEL_ENC=USB\x20Keyboard
E: ID_MODEL_ID=2c27
E: ID_PATH=platform-3f980000.usb-usb-0:1.3:1.1
E: ID_PATH_TAG=platform-3f980000_usb-usb-0_1_3_1_1
E: ID_REVISION=0110
E: ID_SERIAL=USB_USB_Keyboard
E: ID_TYPE=hid
E: ID_USB_DRIVER=usbhid
E: ID_USB_INTERFACES=:030101:030000:
E: ID_USB_INTERFACE_NUM=01
E: ID_VENDOR=USB
E: ID_VENDOR_ENC=USB
E: ID_VENDOR_ID=1a2c
E: MAJOR=13
E: MINOR=65
E: SUBSYSTEM=input
E: TAGS=:snap_screenly-client_netconfig:snap_screenly-client_logger:snap_screenly-client_ping:snap_screenly-client_websocket:snap_screenly-client_command-executor:snap_screenly-client_playlist:snap_screenly-client_viewer:snap_screenly-client_submit-report:
E: USEC_INITIALIZED=8056215
E: net.ifnames=0
root@srly-8izqeqw70vfyjtc:/# udevadm info /dev/input/mice
P: /devices/virtual/input/mice
N: input/mice
E: DEVNAME=/dev/input/mice
E: DEVPATH=/devices/virtual/input/mice
E: MAJOR=13
E: MINOR=63
E: SUBSYSTEM=input
E: TAGS=:snap_screenly-client_submit-report:snap_screenly-client_logger:snap_screenly-client_netconfig:snap_screenly-client_viewer:snap_screenly-client_websocket:snap_screenly-client_command-executor:snap_screenly-client_playlist:snap_screenly-client_ping:
E: USEC_INITIALIZED=2225594
E: net.ifnames=0

Thanks for providing the information. It seems that either a new privileged raw-input (similar to raw-usb) interface that grants access to /dev/input/* and also udev events, or something like a privileged new device-input (similar to device-buttons) interface, would cover this use case.

1 Like