snap/apparmor default confinement rejects socket(PF_NETLINK, SOCK_RAW|SOCK_CLOEXEC|SOCK_NONBLOCK, NETLINK_KOBJECT_UEVENT);

Bug #1663221 reported by Albert Astals Cid
Affects: snapd. Status: Fix Released. Importance: High. Assigned to: Jamie Strandboge.

Bug Description

This call is used by udev in
udev_monitor_new_from_netlink/udev_monitor_new_from_netlink_fd

udev_monitor_new_from_netlink is used by QInputInfoManagerUdev in QtSystems

QInputInfoManagerUdev is used by QuickUtils in UbuntuToolkit to provide different interaction paradigms whether a mouse/keyboard are attached or not

tags: added: snap-interface
tags: added: snapd-interface
removed: snap-interface
description: updated
Jamie Strandboge (jdstrand) wrote:

Based on the bug description, it sounds like you want this rule:

network netlink raw,

To be sure, can you paste the denial from /var/log/syslog? I spoke to mterry about a similar issue and AIUI, this only happens on X and not mir, is that correct?

Changed in snapd:
status: New → Incomplete
Albert Astals Cid (aacid) wrote:

The denial is

Feb 9 14:22:08 tsdgeos-ThinkPad-Yoga-460 kernel: [17683.935917] audit: type=1400 audit(1486646528.842:73): apparmor="DENIED" operation="create" profile="snap.red-rectangle-uitk.red-rectangle-uitk" pid=27306 comm="qmlscene" family="netlink" sock_type="raw" protocol=15 requested_mask="create" denied_mask="create"

Yes, this particular case only happens on X, since when using Mir, QtSystems uses QInputInfoManagerMir instead of QInputInfoManagerUdev, which doesn't need udev since it talks directly to Mir.

Changed in snapd:
status: Incomplete → New
Jamie Strandboge (jdstrand) wrote:

Unfortunately 'network netlink raw' isn't finely mediated, but since this only happens on X, adding this rule to the transitional unity7 and x11 interfaces should be fine. Justification: DAC offers some protections for netlink raw on the system, most applications using X/unity7 run as non-root, X is insecure so blocking this particular rule needed by Qt on X is arguably specious, and breaking out 'netlink raw' into an interface isn't very interesting because it is entirely too general.

Changed in snapd:
assignee: nobody → Jamie Strandboge (jdstrand)
importance: Undecided → High
status: New → Triaged
Changed in snapd:
status: Triaged → In Progress
Jamie Strandboge (jdstrand) wrote:

@Albert, can you provide a snap or snapcraft.yaml that can be used to demonstrate the problem?

Albert Astals Cid (aacid) wrote:

Here it comes.

Currently it crashes because the code was not prepared for the socket to be denied; that part is fixed in https://codereview.qt-project.org/#/c/185071/

If you had that fix you'd see that it says you don't have a mouse even if you actually do.

Timo Jyrinki (timo-jyrinki) wrote:

As a sidenote the fixed qtsystems is now in zesty and xenial overlay PPA, so the latter part of Albert's message applies now.

Jamie Strandboge (jdstrand) wrote:

In discussing this more we decided that 'netlink raw' was too broad of a stroke. We can however adjust our seccomp policy for socket() for something like this:

socket PF_NETLINK SOCK_RAW NETLINK_KOBJECT_UEVENT

and then apparmor with:

# apparmor
# needed by QtSystems on X to detect mouse and keyboard. Note, the 'netlink raw'
# rule is not finely mediated by apparmor so we mediate with seccomp arg filtering.
network netlink raw,
/run/udev/data/c13:[0-9]* r,
/run/udev/data/+input:* r,

The above should be fine for non-root, but there is some more investigating to be had here. Allowing NETLINK_KOBJECT_UEVENT for a root process is undesirable.

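An added example (not part of the thread and not snapd's own seccomp backend) showing the 'socket PF_NETLINK SOCK_RAW NETLINK_KOBJECT_UEVENT' argument filter sketched above as a classic-BPF seccomp program, next to an equivalent C predicate; the function names netlink_uevent_socket_allowed and build_netlink_uevent_filter are assumed, the architecture check is skipped, and every other syscall is allowed. The point it shows is that the call in the bug title passes SOCK_RAW|SOCK_CLOEXEC|SOCK_NONBLOCK as the type, so the filter has to mask those flags off rather than compare the argument to SOCK_RAW exactly.

```c
/* Added example, not snapd code: the seccomp argument filter proposed above,
 * "socket PF_NETLINK SOCK_RAW NETLINK_KOBJECT_UEVENT", as classic BPF plus an
 * equivalent C predicate. The call in the bug title passes
 * SOCK_RAW|SOCK_CLOEXEC|SOCK_NONBLOCK, so the type argument must be compared
 * with those flags masked off. Assumed simplifications: no arch check, all
 * other syscalls allowed, only the low 32 bits of each argument inspected. */
#define _GNU_SOURCE
#include <errno.h>
#include <linux/filter.h>
#include <linux/netlink.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <sys/socket.h>
#include <sys/syscall.h>

/* Offset of the low 32 bits of syscall argument n (little-endian layout). */
#define ARG_LO(n) (offsetof(struct seccomp_data, args) + (n) * sizeof(__u64))
#define TYPE_FLAGS (SOCK_CLOEXEC | SOCK_NONBLOCK)

/* Plain-C statement of the rule; mirrors the BPF program below. */
int netlink_uevent_socket_allowed(int domain, int type, int protocol)
{
    return domain == PF_NETLINK
        && (type & ~TYPE_FLAGS) == SOCK_RAW
        && protocol == NETLINK_KOBJECT_UEVENT;  /* protocol=15 in the denial above */
}

/* Writes the filter into f (if cap allows) and returns its instruction count.
 * Jump offsets are relative to the next instruction: index 9 allows, 10 denies. */
size_t build_netlink_uevent_filter(struct sock_filter *f, size_t cap)
{
    const struct sock_filter prog[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_socket, 0, 7),  /* other syscalls: allow */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, ARG_LO(0)),           /* domain */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, PF_NETLINK, 0, 6),
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, ARG_LO(1)),           /* type */
        BPF_STMT(BPF_ALU | BPF_AND | BPF_K, (__u32)~TYPE_FLAGS), /* drop CLOEXEC/NONBLOCK */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SOCK_RAW, 0, 3),
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, ARG_LO(2)),           /* protocol */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, NETLINK_KOBJECT_UEVENT, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
    };
    size_t n = sizeof(prog) / sizeof(prog[0]);
    if (cap >= n)
        for (size_t i = 0; i < n; i++) f[i] = prog[i];
    return n;
}
```

The filter is only built here, not installed; installing it in a process takes prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) followed by seccomp(SECCOMP_SET_MODE_FILTER, ...) with the sock_fprog wrapping this array.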
Albert Astals Cid (aacid) wrote:

I guess if what we care about is user applications running under X that need udev, rejecting the root case is ok.

Jamie Strandboge (jdstrand) wrote:

This is fixed in 2.26.

Changed in snapd:
status: In Progress → Fix Released
Jamie Strandboge (jdstrand) wrote:

Fine grained netlink mediation was added in 2.26 but rules weren't added to unity7 and x11. I'll fix that.

Changed in snapd:
status: Fix Released → In Progress
Zygmunt Krynicki (zyga) wrote:

I believe this was fixed and released as snapd 2.27.2

Changed in snapd:
status: In Progress → Fix Committed
status: Fix Committed → Fix Released