[snap] Web Serial fails to access local device

This is most likely the snap strict confinement that prevents communication with the serial device.
Can you please run the following command in a terminal, then run chromium and reproduce the problem, and share the output of the terminal here?

    journalctl -f | grep chromium

The output is shown. Please note that no additional lines show up when I load the page that has that javascript code, or on clicking the button that causes the connect attempt. All of that output is already there.

$ journalctl -f | grep chromium
Aug 05 15:21:33 slon dbus-daemon[1410]: apparmor="DENIED" operation="dbus_method_call" bus="session" path="/org/freedesktop/PowerManagement/Inhibit" interface="org.freedesktop.PowerManagement.Inhibit" member="Inhibit" mask="send" name="org.freedesktop.PowerManagement" pid=2802 label="snap.chromium.chromium" peer_pid=2397 peer_label="unconfined"
Aug 05 15:21:34 slon dbus-daemon[1410]: apparmor="DENIED" operation="dbus_method_call" bus="session" path="/org/freedesktop/PowerManagement/Inhibit" interface="org.freedesktop.PowerManagement.Inhibit" member="Inhibit" mask="send" name="org.freedesktop.PowerManagement" pid=2802 label="snap.chromium.chromium" peer_pid=2397 peer_label="unconfined"
Aug 05 15:21:38 slon dbus-daemon[1410]: apparmor="DENIED" operation="dbus_method_call" bus="session" path="/org/freedesktop/PowerManagement/Inhibit" interface="org.freedesktop.PowerManagement.Inhibit" member="Inhibit" mask="send" name="org.freedesktop.PowerManagement" pid=2802 label="snap.chromium.chromium" peer_pid=2397 peer_label="unconfined"
Aug 05 15:21:43 slon dbus-daemon[1410]: apparmor="DENIED" operation="dbus_method_call" bus="session" path="/org/freedesktop/PowerManagement/Inhibit" interface="org.freedesktop.PowerManagement.Inhibit" member="Inhibit" mask="send" name="org.freedesktop.PowerManagement" pid=2802 label="snap.chromium.chromium" peer_pid=2397 peer_label="unconfined"
Aug 05 15:21:44 slon dbus-daemon[1410]: apparmor="DENIED" operation="dbus_method_call" bus="session" path="/org/freedesktop/PowerManagement/Inhibit" interface="org.freedesktop.PowerManagement.Inhibit" member="Inhibit" mask="send" name="org.freedesktop.PowerManagement" pid=2802 label="snap.chromium.chromium" peer_pid=2397 peer_label="unconfined"
Aug 05 15:21:44 slon dbus-daemon[1410]: apparmor="DENIED" operation="dbus_method_call" bus="session" path="/org/freedesktop/PowerManagement/Inhibit" interface="org.freedesktop.PowerManagement.Inhibit" member="Inhibit" mask="send" name="org.freedesktop.PowerManagement" pid=2802 label="snap.chromium.chromium" peer_pid=2397 peer_label="unconfined"
Aug 05 15:21:44 slon dbus-daemon[1410]: apparmor="DENIED" operation="dbus_method_call" bus="session" path="/org/freedesktop/PowerManagement/Inhibit" interface="org.freedesktop.PowerManagement.Inhibit" member="Inhibit" mask="send" name="org.freedesktop.PowerManagement" pid=2802 label="snap.chromium.chromium" peer_pid=2397 peer_label="unconfined"
Aug 05 15:21:46 slon dbus-daemon[1410]: apparmor="DENIED" operation="dbus_method_call" bus="session" path="/org/freedesktop/PowerManagement/Inhibit" interface="org.freedesktop.PowerManagement.Inhibit" member="Inhibit" mask="send" name="org.freedesktop.PowerManagement" pid=2802 label="snap.chromium.chromium" peer_pid=2397 peer_label="unconfined"
Aug 05 15:21:46 slon dbus-daemon[1410]: apparmor="DENIED" operation="dbus_method_call" bus="session" path="/org/freedesktop/PowerManagement/Inhibit" interface="org.fr...

Also: it is chroME that is installed as a snap package, chroMIUM is installed through apt-get, and it works just fine:

$ journalctl -f | grep chrome
Aug 05 15:26:57 slon dbus-daemon[782]: [system] Activating via systemd: service name='org.bluez' unit='dbus-org.bluez.service' requested by ':1.80' (uid=1000 pid=3623 comm="/home/opt/google/chrome/chrome " label="unconfined")

and no additional messages as the "connect" button is clicked and the serial device accessed.

Disabling apparmor for chromium

$ sudo ln -s /etc/apparmor.d/usr.bin.chromium-browser /etc/apparmor.d/disable/
$ sudo apparmor_parser -R /etc/apparmor.d/disable/usr.bin.chromium-browser

had no effect.

Adding "/dev/tty* rw" right below the line for "/dev/null rw" in /etc/apparmor.d/disable/usr.bin.chromium-browser and removing/re-adding the profile had no effect.

[Expired for chromium-browser (Ubuntu) because there has been no activity for 60 days.]

Does the following help?

    sudo snap connect chromium:raw-usb

Made no difference.  Tried before or after launching the browser.

By the way, this bug is not there in edge.  Only Chromium.

On 10/30/20 12:27 PM, Olivier Tilloy wrote:
> Does the following help?
>
> sudo snap connect chromium:raw-usb
>
> ** Changed in: chromium-browser (Ubuntu)
> Status: Expired => New
>
--
-----------------------------------------------------------------------------
Edward Sternin, Physics Department, Brock U, St.Catharines, Ontario, L2S 3A1
       http://www.physics.brocku.ca/People/Faculty/Sternin/
voice: (905)688-5550x3414 FAX:(905)984-4857 email: <email address hidden>

A relevant denial from comment #2 is:

    AVC apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/run/udev/data/c166:0" pid=2802 requested_mask="r" denied_mask="r"

That should be allowed by connecting the raw-usb interface though.

Could you please ensure that said interface is connected, and repeat the steps in comment #1 to collect more data? Thanks!

Note that edge isn't affected, because it's not packaged as a snap, and therefore isn't subject to strict confinement as chromium is.

I do not understand your comment, perhaps because I do not understand snap.

/etc/udev/rules.d for this device configure it to be 666, and it works
fine under other browsers, so you are not talking about actual device
access, you are talking about the mapping of this real device onto some
virtual "raw-usb" device of the snap's sandbox ?

I did what you suggested, tried from the command line before and after
launching chromium.  I had previously also turned off apparmor for
chromium altogether (comment #4). None of these affected the outcome.

So, please explain how I "ensure that said interface is connected" for
the purposes of the snap sandbox.

I can use chromium successfully for accessing the device under RedHat,
so this is specifically a Ubuntu/Chromium bug/misfeature.

That's right, snaps run sandboxed, so what matters is not device access on the host, but what the snapd sandbox allows. Strictly speaking this is not an Ubuntu-specific bug, because snaps run on other linux distributions. This is definitely a snap-specific issue, which won't affect the version of the RedHat chromium package.

What is the output of `snap connections chromium | grep raw-usb` ? The third column should be ":raw-usb".

If it isn't, then run `snap connect chromium:raw-usb`.
When it is connected, then please run the steps in comment #1 to collect updated output from the system journal?

'''
$ snap connections chromium | grep usb
raw-usb chromium:raw-usb :raw-usb manual
$ journalctl -f | grep chromium
Nov 05 18:41:42 XXXXXX audit[80101]: AVC apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/proc/tty/drivers" pid=80101 comm="ThreadPoolForeg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

... repeated several times ....

Nov 05 18:42:05 XXXXXX polkitd(authority=local)[1133]: Operator of unix-session:c2 successfully authenticated as unix-user:XXXXX to gain TEMPORARY authorization for action io.snapcraft.snapd.manage-interfaces for unix-process:80462:133089573 [snap connect chromium:raw-usb] (owned by unix-user:XXXXX)
'''

The alert dialog reports "No compatible devices found"

The denial on /proc/tty/drivers looks relevant.

Can you try the following?

    - close chromium

    - edit (with sudo) /var/lib/snapd/apparmor/profiles/snap.chromium.chromium, add the following line to the profile:

        @{PROC}/tty/drivers r,

    - reload the apparmor profile with: "sudo apparmor_parser -r /var/lib/snapd/apparmor/profiles/snap.chromium.chromium"

    - run "journalctl -f | grep chromium" in a terminal, start chromium, and try to access your device

    - share the updated journalctl output

Thanks!

Adding
  @{PROC}/tty/drivers r,
to /var/lib/snapd/apparmor/profiles/snap.chromium.chromium did the trick.

The file actually had rwk permissions set to TTY*, and ACM* (mine is one of those), according to the comments in the file.

There was no output in journalctl.

This can be considered a fix, and a return to normal operation for chromium. It should probably be changed for the distribution, not sure who can do that.

Thanks.

I'm glad that this solved the issue!

Please note that the next time the chromium snap is refreshed, the apparmor profile will be re-generated, so you will lose this modification, and will have to re-apply it. So that's not a good long-term workaround.

I will work with the snapd team to have this included in the raw_usb interface.

I submitted https://github.com/snapcore/snapd/pull/9627 to add this to the raw_usb interface.

The above PR was merged and should be part of the snapd 2.48 release.

Confirm resolved, after a system update, under snapd 2.49.1, the default acees is "rwk" and WebUSB device access works.

Thanks, Olivier!