Wifi and bluetooth on snappy ubuntu on a dragonboard?

Hi,
still facing same issue
/snap/toggle-rf-states/x2/toggle.sh: 17: /snap/toggle-rf-states/x2/toggle.sh: cannot create /sys/class/rfkill/rfkill1/state: Permission denied
/snap/toggle-rf-states/x2/toggle.sh: 18: /snap/toggle-rf-states/x2/toggle.sh: cannot create /sys/class/rfkill/rfkill0/state: Permission denied

I guess this should be /sys/class/…

@laxman456 - you added the rule to your profile and loaded it into the kernel à la "Wifi and bluetooth on snappy ubuntu on a dragonboard?"? If so, can you paste the most recent denial from /var/log/syslog for this access?

/sys/class/rfkill/* are typically symlinks out to /sys/devices. Eg:

$ ls -l /sys/class/rfkill/
total 0
lrwxrwxrwx 1 root root 0 Jul 31 12:37 rfkill0 -> ../../devices/pci0000:00/0000:00:14.0/usb1/1-3/1-3:1.0/bluetooth/hci0/rfkill0
lrwxrwxrwx 1 root root 0 Jul 31 12:37 rfkill2 -> ../../devices/pci0000:00/0000:00:1c.4/0000:3a:00.0/ieee80211/phy0/rfkill2

Aug 1 13:10:34 localhost /usr/lib/snapd/snapd[1247]: taskrunner.go:367: DEBUG: Running task 510 on Do: Mount snap "toggle-rf-states" (unset)
Aug 1 13:10:34 localhost systemd[1]: Reloading.
Aug 1 13:10:35 localhost systemd[1]: Reloading.
Aug 1 13:10:35 localhost systemd[1]: Mounting Mount unit for toggle-rf-states…
Aug 1 13:10:35 localhost systemd-udevd[616]: Network interface NamePolicy= disabled on kernel command line, ignoring.
Aug 1 13:10:35 localhost systemd[1]: Mounted Mount unit for toggle-rf-states.
Aug 1 13:10:35 localhost /usr/lib/snapd/snapd[1247]: taskrunner.go:367: DEBUG: Running task 511 on Do: Copy snap "toggle-rf-states" data
Aug 1 13:10:35 localhost /usr/lib/snapd/snapd[1247]: taskrunner.go:367: DEBUG: Running task 512 on Do: Setup snap "toggle-rf-states" (unset) security profiles
Aug 1 13:10:36 localhost kernel: [27139.086826] audit: type=1400 audit(1501593036.804:108): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="snap.toggle-rf-states.toggle" pid=6030 comm="apparmor_parser"
Aug 1 13:10:36 localhost kernel: [27139.181732] audit: type=1400 audit(1501593036.896:109): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="snap.core.hook.configure" pid=6037 comm="apparmor_parser"
Aug 1 13:10:37 localhost /usr/lib/snapd/snapd[1247]: taskrunner.go:367: DEBUG: Running task 513 on Do: Make snap "toggle-rf-states" (unset) available to the system
Aug 1 13:10:37 localhost /usr/lib/snapd/snapd[1247]: taskrunner.go:367: DEBUG: Running task 514 on Do: Setup snap "toggle-rf-states" (unset) security profiles (phase 2)
Aug 1 13:10:37 localhost /usr/lib/snapd/snapd[1247]: taskrunner.go:367: DEBUG: Running task 515 on Do: Set automatic aliases for snap "toggle-rf-states"
Aug 1 13:10:37 localhost /usr/lib/snapd/snapd[1247]: taskrunner.go:367: DEBUG: Running task 516 on Do: Setup snap "toggle-rf-states" aliases
Aug 1 13:10:37 localhost /usr/lib/snapd/snapd[1247]: taskrunner.go:367: DEBUG: Running task 517 on Do: Start snap "toggle-rf-states" (unset) services
Aug 1 13:10:38 localhost /usr/lib/snapd/snapd[1247]: taskrunner.go:367: DEBUG: Running task 518 on Do: Run configure hook of "toggle-rf-states" snap if present
Aug 1 13:10:38 localhost /usr/lib/snapd/snapd[1247]: daemon.go:176: DEBUG: uid=0;@ GET /v2/snaps?snaps=toggle-rf-states 4.883ms 200
Aug 1 13:11:37 localhost kernel: [27200.121192] audit: type=1400 audit(1501593097.836:110): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="snap.toggle-rf-states.toggle" pid=6078 comm="apparmor_parser"
Aug 1 13:12:00 localhost rsyslogd-2007: action 'action 10' suspended, next retry is Tue Aug 1 13:13:30 2017 [v8.16.0 try http://www.rsyslog.com/e/2007 ]

There is no apparmor denial in that paste. Are you running the command as non-root?

Aug 1 13:18:19 localhost /usr/lib/snapd/snapd[1247]: taskrunner.go:367: DEBUG: Running task 533 on Do: Setup snap "toggle-rf-states" aliases
Aug 1 13:18:19 localhost /usr/lib/snapd/snapd[1247]: taskrunner.go:367: DEBUG: Running task 534 on Do: Start snap "toggle-rf-states" (unset) services
Aug 1 13:18:20 localhost /usr/lib/snapd/snapd[1247]: taskrunner.go:367: DEBUG: Running task 535 on Do: Run configure hook of "toggle-rf-states" snap if present
Aug 1 13:18:20 localhost /usr/lib/snapd/snapd[1247]: daemon.go:176: DEBUG: uid=0;@ GET /v2/snaps?snaps=toggle-rf-states 3.509ms 200
Aug 1 13:18:36 localhost rsyslogd-2007: action 'action 10' suspended, next retry is Tue Aug 1 13:20:06 2017 [v8.16.0 try http://www.rsyslog.com/e/2007 ]
Aug 1 13:19:08 localhost kernel: [27651.027914] audit: type=1400 audit(1501593548.744:114): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="snap.toggle-rf-states.toggle" pid=6354 comm="apparmor_parser"
Aug 1 13:20:15 localhost rsyslogd-2007: action 'action 10' suspended, next retry is Tue Aug 1 13:21:45 2017 [v8.16.0 try http://www.rsyslog.com/e/2007 ]
Aug 1 13:20:15 localhost kernel: [27718.208073] audit: type=1400 audit(1501593615.924:115): apparmor="DENIED" operation="capable" profile="snap.toggle-rf-states.toggle" pid=6391 comm="toggle.sh" capability=12 capname="net_admin"

If I run with sudo then
/snap/toggle-rf-states/x1/toggle.sh: 11: /snap/toggle-rf-states/x1/toggle.sh: 1: not found
sh: echo: I/O error
sh: echo: I/O error

and syslog
Aug 1 13:18:20 localhost /usr/lib/snapd/snapd[1247]: taskrunner.go:367: DEBUG: Running task 535 on Do: Run configure hook of "toggle-rf-states" snap if present
Aug 1 13:18:20 localhost /usr/lib/snapd/snapd[1247]: daemon.go:176: DEBUG: uid=0;@ GET /v2/snaps?snaps=toggle-rf-states 3.509ms 200
Aug 1 13:18:36 localhost rsyslogd-2007: action 'action 10' suspended, next retry is Tue Aug 1 13:20:06 2017 [v8.16.0 try http://www.rsyslog.com/e/2007 ]
Aug 1 13:19:08 localhost kernel: [27651.027914] audit: type=1400 audit(1501593548.744:114): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="snap.toggle-rf-states.toggle" pid=6354 comm="apparmor_parser"
Aug 1 13:20:15 localhost rsyslogd-2007: action 'action 10' suspended, next retry is Tue Aug 1 13:21:45 2017 [v8.16.0 try http://www.rsyslog.com/e/2007 ]
Aug 1 13:20:15 localhost kernel: [27718.208073] audit: type=1400 audit(1501593615.924:115): apparmor="DENIED" operation="capable" profile="snap.toggle-rf-states.toggle" pid=6391 comm="toggle.sh" capability=12 capname="net_admin"
Aug 1 13:22:14 localhost rsyslogd-2007: action 'action 10' suspended, next retry is Tue Aug 1 13:23:44 2017 [v8.16.0 try http://www.rsyslog.com/e/2007 ]

This indicates that the network-control interface is not connected. Can you connect the interface? Doing that will remove your newly added rfkill rules, so after connecting the interface, can you add back the rfkill rules and try again?
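The triage described in the reply above, as an added example that is not part of the original post: it pulls the `apparmor="DENIED"` records for one profile out of syslog text and turns a capability denial into the interface to check. The function names and the `CAP_TO_INTERFACE` table are assumptions made for this sketch; the third sample line is constructed.

```python
import re

# The forum rendered log quotes as curly ones; normalise them before parsing.
CURLY = str.maketrans({"\u201c": '"', "\u201d": '"'})
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Mapping taken from the diagnosis in this thread (assumption: extend as needed).
CAP_TO_INTERFACE = {"net_admin": "network-control"}

# Lines 1-2 are from the thread; line 3 is a constructed file-access denial.
SAMPLE_SYSLOG = '''\
Aug 1 13:19:08 localhost kernel: [27651.027914] audit: type=1400 audit(1501593548.744:114): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="snap.toggle-rf-states.toggle" pid=6354 comm="apparmor_parser"
Aug 1 13:20:15 localhost kernel: [27718.208073] audit: type=1400 audit(1501593615.924:115): apparmor="DENIED" operation="capable" profile="snap.toggle-rf-states.toggle" pid=6391 comm="toggle.sh" capability=12 capname="net_admin"
Aug 1 13:20:16 localhost kernel: [27719.000000] audit: type=1400 audit(1501593616.000:116): apparmor="DENIED" operation="open" profile="snap.toggle-rf-states.toggle" name="/sys/devices/platform/example/rfkill/rfkill0/state" pid=6391 comm="toggle.sh" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
'''


def parse_audit(line):
    """Return the key=value fields of an AppArmor audit line, or None."""
    line = line.translate(CURLY)
    if "apparmor=" not in line:
        return None
    # strip('"') also copes with a value whose closing quote was cut off.
    return {key: value.strip('"') for key, value in FIELD.findall(line)}


def denials(log_text, profile):
    """All DENIED records for one profile; STATUS records are skipped."""
    found = []
    for line in log_text.splitlines():
        rec = parse_audit(line)
        if rec and rec.get("apparmor") == "DENIED" and rec.get("profile") == profile:
            found.append(rec)
    return found


def explain(rec):
    """One-line summary of a denial, with an interface hint for capabilities."""
    if rec.get("operation") == "capable":
        cap = rec.get("capname", "?")
        iface = CAP_TO_INTERFACE.get(cap)
        hint = f"; check that the {iface} interface is connected" if iface else ""
        return f"capability {cap} denied{hint}"
    return (f"{rec.get('operation')} on {rec.get('name')} denied "
            f"(mask {rec.get('denied_mask')})")


if __name__ == "__main__":
    for record in denials(SAMPLE_SYSLOG, "snap.toggle-rf-states.toggle"):
        print(explain(record))
```
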

Ya, I connected and applied rules again,
still facing the same issue
/snap/toggle-rf-states/x1/toggle.sh: 11: /snap/toggle-rf-states/x1/toggle.sh: 1: not found
sh: echo: I/O error
sh: echo: I/O error

and syslog
Aug 1 13:37:14 localhost /usr/lib/snapd/snapd[1252]: daemon.go:176: DEBUG: uid=1000;@ GET /v2/snaps?snaps=toggle-rf-states 3.006ms 200
Aug 1 13:37:34 localhost kernel: [ 440.192894] audit: type=1400 audit(1501594654.290:40): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="snap.toggle-rf-states.toggle" pid=2166 comm="apparmor_parser"
Aug 1 13:37:34 localhost rsyslogd-2007: action 'action 10' suspended, next retry is Tue Aug 1 13:38:04 2017 [v8.16.0 try http://www.rsyslog.com/e/2007 ]
Aug 1 13:37:44 localhost kernel: [ 450.224931] audit: type=1400 audit(1501594664.322:41): apparmor="DENIED" operation="capable" profile="snap.toggle-rf-states.toggle" pid=2187 comm="toggle.sh" capability=12 capname="net_admin

Can you paste ‘/var/lib/snapd/apparmor/profiles/snap.toggle-rf-states.toggle’?

 # Do the same with /sys/devices and /sys/class to help people using hw-assign
  /sys/devices/ r,
  /sys/devices/**/ r,
  /sys/class/ r,
  /sys/class/**/ r,

  # Allow all snaps to chroot
  capability sys_chroot,
  /{,usr/}sbin/chroot ixr,


# Description: Can access the network as a client.
#include <abstractions/nameservice>
#include <abstractions/ssl_certs>

@{PROC}/sys/net/core/somaxconn r,
@{PROC}/sys/net/ipv4/tcp_fastopen r,
/sys/class/rfkill/ r,
/sys/devices/{pci[0-9]*,platform,virtual}/**/rfkill[0-9]*/{,*} r,
/sys/devices/{pci[0-9]*,platform,virtual}/**/rfkill[0-9]*/state w,
}

Could you try to format your pastes a bit better?

just mark the pasted block with the cursor and click the “<<>>” formatting icon in the input field (or hit shift+ctrl+c), that will make it a lot more readable for us …

Please paste the full contents of the file in the manner ogra described. What you pasted does not indicate that the network-control interface is connected.

# Description: Allows access to app-specific directories and basic runtime
# Usage: common

# vim:syntax=apparmor

#include <tunables/global>

@{SNAP_NAME}="toggle-rf-states"
@{SNAP_REVISION}="x1"
@{PROFILE_DBUS}="snap_2etoggle_2drf_2dstates_2etoggle"
@{INSTALL_DIR}="/snap"

profile "snap.toggle-rf-states.toggle" (attach_disconnected) {
  #include <abstractions/base>
  #include <abstractions/consoles>
  #include <abstractions/openssl>

  # While in later versions of the base abstraction, include this explicitly
  # for series 16 and cross-distro
  /etc/ld.so.preload r,

  # for python apps/services
  #include <abstractions/python>
  /usr/bin/python{,2,2.[0-9]*,3,3.[0-9]*} ixr,

  # explicitly deny noisy denials to read-only filesystems (see LP: #1496895
  # for details)
  deny /usr/lib/python3*/{,**/}__pycache__/ w,
  deny /usr/lib/python3*/{,**/}__pycache__/**.pyc.[0-9]* w,
  deny @{INSTALL_DIR}/@{SNAP_NAME}/**/__pycache__/             w,
  deny @{INSTALL_DIR}/@{SNAP_NAME}/**/__pycache__/*.pyc.[0-9]* w,

  # for perl apps/services
  #include <abstractions/perl>
  /usr/bin/perl{,5*} ixr,

  # Note: the following dangerous accesses should not be allowed in most
  # policy, but we cannot explicitly deny since other trusted interfaces might
  # add them.
  # Explicitly deny ptrace for now since it can be abused to break out of the
  # seccomp sandbox. https://lkml.org/lkml/2015/3/18/823
  #audit deny ptrace (trace),

  # Explicitly deny capability mknod so apps can't create devices
  #audit deny capability mknod,

  # Explicitly deny mount, remount and umount so apps can't modify things in
  # their namespace
  #audit deny mount,
  #audit deny remount,
  #audit deny umount,

  # End dangerous accesses

  # Note: this potentially allows snaps to DoS other snaps via resource
  # exhaustion but we can't sensibly mediate this today. In the future we may
  # employ cgroup limits, AppArmor rlimit mlock rules or something else.
  capability ipc_lock,

  # for bash 'binaries' (do *not* use abstractions/bash)
  # user-specific bash files
  /bin/bash ixr,
  /bin/dash ixr,
  /etc/bash.bashrc r,
  /etc/{passwd,group,nsswitch.conf} r,  # very common
  /etc/libnl-3/{classid,pktloc} r,      # apps that use libnl
  /var/lib/extrausers/{passwd,group} r,
  /etc/profile r,
  /etc/environment r,
  /usr/share/terminfo/** r,
  /etc/inputrc r,
  # Common utilities for shell scripts
  /{,usr/}bin/arch ixr,
  /{,usr/}bin/{,g,m}awk ixr,
  /{,usr/}bin/basename ixr,
  /{,usr/}bin/bunzip2 ixr,
  /{,usr/}bin/bzcat ixr,
  /{,usr/}bin/bzdiff ixr,
  /{,usr/}bin/bzgrep ixr,
  /{,usr/}bin/bzip2 ixr,
  /{,usr/}bin/cat ixr,
  /{,usr/}bin/chmod ixr,
  /{,usr/}bin/clear ixr,
  /{,usr/}bin/cmp ixr,
  /{,usr/}bin/cp ixr,
  /{,usr/}bin/cpio ixr,
  /{,usr/}bin/cut ixr,
  /{,usr/}bin/date ixr,
  /{,usr/}bin/dd ixr,
  /{,usr/}bin/diff{,3} ixr,
  /{,usr/}bin/dir ixr,
  /{,usr/}bin/dirname ixr,
  /{,usr/}bin/echo ixr,
  /{,usr/}bin/{,e,f,r}grep ixr,
  /{,usr/}bin/env ixr,
  /{,usr/}bin/expr ixr,
  /{,usr/}bin/false ixr,
  /{,usr/}bin/find ixr,
  /{,usr/}bin/flock ixr,
  /{,usr/}bin/fmt ixr,
  /{,usr/}bin/getent ixr,
  /{,usr/}bin/getopt ixr,
  /{,usr/}bin/groups ixr,
  /{,usr/}bin/gzip ixr,
  /{,usr/}bin/head ixr,
  /{,usr/}bin/hostname ixr,
  /{,usr/}bin/id ixr,
  /{,usr/}bin/igawk ixr,
  /{,usr/}bin/infocmp ixr,
  /{,usr/}bin/kill ixr,
  /{,usr/}bin/ldd ixr,
  /{usr/,}lib{,32,64}/ld{,32,64}-*.so ix,
  /{usr/,}lib/@{multiarch}/ld{,32,64}-*.so ix,
  /{,usr/}bin/less{,file,pipe} ixr,
  /{,usr/}bin/ln ixr,
  /{,usr/}bin/line ixr,
  /{,usr/}bin/link ixr,
  /{,usr/}bin/locale ixr,
  /{,usr/}bin/logger ixr,
  /{,usr/}bin/ls ixr,
  /{,usr/}bin/md5sum ixr,
  /{,usr/}bin/mkdir ixr,
  /{,usr/}bin/mkfifo ixr,
  /{,usr/}bin/mknod ixr,
  /{,usr/}bin/mktemp ixr,
  /{,usr/}bin/more ixr,
  /{,usr/}bin/mv ixr,
  /{,usr/}bin/nice ixr,
  /{,usr/}bin/openssl ixr, # may cause harmless capability block_suspend denial
  /{,usr/}bin/pgrep ixr,
  /{,usr/}bin/printenv ixr,
  /{,usr/}bin/printf ixr,
  /{,usr/}bin/ps ixr,
  /{,usr/}bin/pwd ixr,
  /{,usr/}bin/readlink ixr,
  /{,usr/}bin/realpath ixr,
  /{,usr/}bin/rev ixr,
  /{,usr/}bin/rm ixr,
  /{,usr/}bin/rmdir ixr,
  /{,usr/}bin/run-parts ixr,
  /{,usr/}bin/sed ixr,
  /{,usr/}bin/seq ixr,
  /{,usr/}bin/sha{1,224,256,384,512}sum ixr,
  /{,usr/}bin/shuf ixr,
  /{,usr/}bin/sleep ixr,
  /{,usr/}bin/sort ixr,
  /{,usr/}bin/stat ixr,
  /{,usr/}bin/stdbuf ixr,
  /{,usr/}bin/stty ixr,
  /{,usr/}bin/systemd-cat ixr,
  /{,usr/}bin/tac ixr,
  /{,usr/}bin/tail ixr,
  /{,usr/}bin/tar ixr,
  /{,usr/}bin/tee ixr,
  /{,usr/}bin/test ixr,
  /{,usr/}bin/tempfile ixr,
  /{,usr/}bin/tset ixr,
  /{,usr/}bin/touch ixr,
  /{,usr/}bin/tput ixr,
  /{,usr/}bin/tr ixr,
  /{,usr/}bin/true ixr,
  /{,usr/}bin/tty ixr,
  /{,usr/}bin/uname ixr,
  /{,usr/}bin/uniq ixr,
  /{,usr/}bin/unlink ixr,
  /{,usr/}bin/unxz ixr,
  /{,usr/}bin/unzip ixr,
  /{,usr/}bin/vdir ixr,
  /{,usr/}bin/wc ixr,
  /{,usr/}bin/which ixr,
  /{,usr/}bin/xargs ixr,
  /{,usr/}bin/xz ixr,
  /{,usr/}bin/yes ixr,
  /{,usr/}bin/zcat ixr,
  /{,usr/}bin/z{,e,f}grep ixr,
  /{,usr/}bin/zip ixr,
  /{,usr/}bin/zipgrep ixr,

  # For snappy reexec on 4.8+ kernels
  /usr/lib/snapd/snap-exec m,

  # For in-snap tab completion
  /etc/bash_completion.d/{,*} r,
  /usr/lib/snapd/etelpmoc.sh ixr,               # marshaller (see complete.sh for out-of-snap unmarshal)
  /usr/share/bash-completion/bash_completion r, # user-provided completions (run in-snap) may use functions from here

  # For printing the cache (we don't allow updating the cache)
  /{,usr/}sbin/ldconfig{,.real} ixr,

  # uptime
  /{,usr/}bin/uptime ixr,
  @{PROC}/uptime r,
  @{PROC}/loadavg r,

  # lsb-release
  /usr/bin/lsb_release ixr,
  /usr/bin/ r,
  /usr/share/distro-info/*.csv r,

  # Allow reading /etc/os-release. On Ubuntu 16.04+ it is a symlink to /usr/lib
  # but on 14.04 it is an actual file so it doens't fall under other rules.
  /etc/os-release r,

  # systemd native journal API (see sd_journal_print(4)). This should be in
  # AppArmor's base abstraction, but until it is, include here.
  /run/systemd/journal/socket w,
  /run/systemd/journal/stdout rw, # 'r' shouldn't be needed, but journald
                                  # doesn't leak anything so allow

  # snapctl and its requirements
  /usr/bin/snapctl ixr,
  @{PROC}/sys/net/core/somaxconn r,
  /run/snapd-snap.socket rw,

  # Note: for now, don't explicitly deny this noisy denial so --devmode isn't
  # broken but eventually we may conditionally deny this since it is an
  # information leak.
  #deny /{,var/}run/utmp r,

  # java
  @{PROC}/@{pid}/ r,
  @{PROC}/@{pid}/fd/ r,
  owner @{PROC}/@{pid}/auxv r,
  @{PROC}/sys/vm/zone_reclaim_mode r,
  /etc/lsb-release r,
  /sys/devices/**/read_ahead_kb r,
  /sys/devices/system/cpu/** r,
  /sys/devices/system/node/node[0-9]*/* r,
  /sys/kernel/mm/transparent_hugepage/enabled r,
  /sys/kernel/mm/transparent_hugepage/defrag r,
  # NOTE: this leaks running process but java seems to want it (even though it
  # seems to operate ok without it) and SDL apps crash without it. Allow owner
  # match until AppArmor kernel var is available to solve this properly (see
  # LP: #1546825 for details)
  owner @{PROC}/@{pid}/cmdline r,
  owner @{PROC}/@{pid}/comm r,

  # Per man(5) proc, the kernel enforces that a thread may only modify its comm
  # value or those in its thread group.
  owner @{PROC}/@{pid}/task/@{tid}/comm rw,

  # Miscellaneous accesses
  /dev/{,u}random w,
  /etc/machine-id r,
  /etc/mime.types r,
  @{PROC}/ r,
  @{PROC}/version r,
  @{PROC}/version_signature r,
  /etc/{,writable/}hostname r,
  /etc/{,writable/}localtime r,
  /etc/{,writable/}mailname r,
  /etc/{,writable/}timezone r,
  @{PROC}/@{pid}/io r,
  owner @{PROC}/@{pid}/limits r,
  @{PROC}/@{pid}/smaps r,
  @{PROC}/@{pid}/stat r,
  @{PROC}/@{pid}/statm r,
  @{PROC}/@{pid}/status r,
  @{PROC}/@{pid}/task/ r,
  @{PROC}/@{pid}/task/[0-9]*/smaps r,
  @{PROC}/@{pid}/task/[0-9]*/stat r,
  @{PROC}/@{pid}/task/[0-9]*/statm r,
  @{PROC}/@{pid}/task/[0-9]*/status r,
  @{PROC}/sys/kernel/hostname r,
  @{PROC}/sys/kernel/osrelease r,
  @{PROC}/sys/kernel/yama/ptrace_scope r,
  @{PROC}/sys/kernel/shmmax r,
  @{PROC}/sys/fs/file-max r,
  @{PROC}/sys/kernel/pid_max r,
  @{PROC}/sys/kernel/random/uuid r,
  @{PROC}/sys/kernel/random/boot_id r,
  /sys/devices/virtual/tty/{console,tty*}/active r,
  /{,usr/}lib/ r,

  # Reads of oom_adj and oom_score_adj are safe
  owner @{PROC}/@{pid}/oom_{,score_}adj r,

  # Note: for now, don't explicitly deny write access so --devmode isn't broken
  # but eventually we may conditionally deny this since it allows the process
  # to increase the oom heuristic of other processes (make them more likely to
  # be killed). Once AppArmor kernel var is available to solve this properly,
  # this can safely be allowed since non-root processes won't be able to
  # decrease the value and root processes will only be able to with
  # 'capability sys_resource,' which we deny be default.
  # deny owner @{PROC}/@{pid}/oom_{,score_}adj w,

  # Eases hardware assignment (doesn't give anything away)
  /etc/udev/udev.conf r,
  /sys/       r,
  /sys/bus/   r,
  /sys/class/ r,

  # this leaks interface names and stats, but not in a way that is traceable
  # to the user/device
  @{PROC}/net/dev r,
  @{PROC}/@{pid}/net/dev r,

  # Read-only for the install directory
  @{INSTALL_DIR}/@{SNAP_NAME}/                   r,
  @{INSTALL_DIR}/@{SNAP_NAME}/@{SNAP_REVISION}/    r,
  @{INSTALL_DIR}/@{SNAP_NAME}/@{SNAP_REVISION}/**  mrklix,

  # Read-only install directory for other revisions to help with bugs like
  # LP: #1616650 and LP: #1655992
  @{INSTALL_DIR}/@{SNAP_NAME}/**  mrkix,

  # Read-only home area for other versions
  owner @{HOME}/snap/@{SNAP_NAME}/                  r,
  owner @{HOME}/snap/@{SNAP_NAME}/**                mrkix,

  # Writable home area for this version.
  owner @{HOME}/snap/@{SNAP_NAME}/@{SNAP_REVISION}/** wl,
  owner @{HOME}/snap/@{SNAP_NAME}/common/** wl,

  # Read-only system area for other versions
  /var/snap/@{SNAP_NAME}/   r,
  /var/snap/@{SNAP_NAME}/** mrkix,

  # Writable system area only for this version
  /var/snap/@{SNAP_NAME}/@{SNAP_REVISION}/** wl,
  /var/snap/@{SNAP_NAME}/common/** wl,

  # The ubuntu-core-launcher creates an app-specific private restricted /tmp
  # and will fail to launch the app if something goes wrong. As such, we can
  # simply allow full access to /tmp.
  /tmp/   r,
  /tmp/** mrwlkix,

  # App-specific access to files and directories in /dev/shm. We allow file
  # access in /dev/shm for shm_open() and files in subdirectories for open()
  /{dev,run}/shm/snap.@{SNAP_NAME}.** mrwlkix,
  # Also allow app-specific access for sem_open()
  /{dev,run}/shm/sem.snap.@{SNAP_NAME}.* mrwk,

  # Snap-specific XDG_RUNTIME_DIR that is based on the UID of the user
  owner /run/user/[0-9]*/snap.@{SNAP_NAME}/   rw,
  owner /run/user/[0-9]*/snap.@{SNAP_NAME}/** mrwklix,

  # Allow apps from the same package to communicate with each other via an
  # abstract or anonymous socket
  unix peer=(label=snap.@{SNAP_NAME}.*),

  # Allow apps from the same package to communicate with each other via DBus.
  # Note: this does not grant access to the DBus sockets of well known buses
  # (will still need to use an appropriate interface for that).
  dbus (receive, send) peer=(label=snap.@{SNAP_NAME}.*),

  # Allow apps from the same package to signal each other via signals
  signal peer=snap.@{SNAP_NAME}.*,

  # for 'udevadm trigger --verbose --dry-run --tag-match=snappy-assign'
  /{,s}bin/udevadm ixr,
  /etc/udev/udev.conf r,
  /{,var/}run/udev/tags/snappy-assign/ r,
  @{PROC}/cmdline r,
  /sys/devices/**/uevent r,

  # LP: #1447237: adding '--property-match=SNAPPY_APP=<pkgname>' to the above
  # requires:
  #   /run/udev/data/* r,
  # but that reveals too much about the system and cannot be granted to apps
  # by default at this time.

  # For convenience, allow apps to see what is in /dev even though cgroups
  # will block most access
  /dev/ r,
  /dev/**/ r,

  # Allow setting up pseudoterminal via /dev/pts system. This is safe because
  # the launcher uses a per-app devpts newinstance.
  /dev/ptmx rw,

  # Do the same with /sys/devices and /sys/class to help people using hw-assign
  /sys/devices/ r,
  /sys/devices/**/ r,
  /sys/class/ r,
  /sys/class/**/ r,

  # Allow all snaps to chroot
  capability sys_chroot,
  /{,usr/}sbin/chroot ixr,


# Description: Can access the network as a client.
#include <abstractions/nameservice>
#include <abstractions/ssl_certs>

@{PROC}/sys/net/core/somaxconn r,
@{PROC}/sys/net/ipv4/tcp_fastopen r,
/sys/class/rfkill/ r,
/sys/devices/{pci[0-9]*,platform,virtual}/**/rfkill[0-9]*/{,*} r,
/sys/devices/{pci[0-9]*,platform,virtual}/**/rfkill[0-9]*/state w,
}

Right, this indicates that the network-control interface is not connected. Please make sure that the toggle command plugs: [ network, network-control ] (at least), then reinstall the snap. Then do:

$ sudo snap connect toggle-rf-states:network-control

This will regenerate the apparmor profile, so you’ll need to update /var/lib/snapd/apparmor/profiles/snap.toggle-rf-states.toggle to add back these rfkill rules (now committed to trunk):

/sys/class/rfkill/ r,
/sys/devices/{pci[0-9]*,platform,virtual}/**/rfkill[0-9]*/{,**} r,
/sys/devices/{pci[0-9]*,platform,virtual}/**/rfkill[0-9]*/state w,

then run sudo apparmor_parser -r /var/lib/snapd/apparmor/profiles/snap.toggle-rf-states.toggle to load your rfkill changes into the kernel.
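An added illustration, not part of the post above or of snapd's code: a simplified translation of AppArmor path globs into regular expressions, run over the three rfkill rules to show that they match the resolved /sys/devices path and not the /sys/class/rfkill symlink path the script writes to. The helper names are made up here, the matcher covers only the glob syntax these rules use, and the `soc` path in the demo is constructed.

```python
import posixpath
import re

# The three rfkill rules quoted in the post above.
RFKILL_RULES = """\
/sys/class/rfkill/ r,
/sys/devices/{pci[0-9]*,platform,virtual}/**/rfkill[0-9]*/{,**} r,
/sys/devices/{pci[0-9]*,platform,virtual}/**/rfkill[0-9]*/state w,
"""

# Symlink target copied from the `ls -l /sys/class/rfkill/` listing in this thread.
RFKILL0_TARGET = "../../devices/pci0000:00/0000:00:14.0/usb1/1-3/1-3:1.0/bluetooth/hci0/rfkill0"


def aa_glob_to_regex(glob):
    """Simplified AppArmor glob: ** crosses '/', * and ? do not, {a,b} alternates."""
    out, i, depth = [], 0, 0
    while i < len(glob):
        c = glob[i]
        if glob.startswith("**", i):
            out.append(".*")
            i += 2
            continue
        if c == "[":                      # character class passes through as-is
            j = glob.index("]", i + 1)
            out.append(glob[i:j + 1])
            i = j + 1
            continue
        if c == "*":
            out.append("[^/]*")
        elif c == "?":
            out.append("[^/]")
        elif c == "{":
            out.append("(?:")
            depth += 1
        elif c == "}":
            out.append(")")
            depth -= 1
        elif c == "," and depth:
            out.append("|")
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("".join(out))


def parse_rules(text):
    """Split each 'path perms,' line into (compiled path regex, perms)."""
    rules = []
    for line in text.splitlines():
        line = line.strip().rstrip(",")
        if line and not line.startswith("#"):
            path, perms = line.rsplit(None, 1)
            rules.append((aa_glob_to_regex(path), perms))
    return rules


def allowed(path, perm, rules):
    return any(rx.fullmatch(path) and perm in perms for rx, perms in rules)


def resolve(link_dir, target):
    """Path a relative symlink in link_dir points at (file rules see this path)."""
    return posixpath.normpath(posixpath.join(link_dir, target))


if __name__ == "__main__":
    rules = parse_rules(RFKILL_RULES)
    real = resolve("/sys/class/rfkill", RFKILL0_TARGET) + "/state"
    for p in ("/sys/class/rfkill/rfkill0/state", real,
              "/sys/devices/soc/example/rfkill/rfkill0/state"):  # constructed path
        print("w allowed" if allowed(p, "w", rules) else "w denied ", p)
```
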

Hi jdstrand,
Now I’m not facing the issue. Thanks a lot for the support.

Great! FYI, I requested that the rfkill changes be included in the upcoming 2.27 release.

The rfkill changes will be included in 2.27.