Comment 0 for bug 1960259

Bruno Silva (brsilva) wrote :

We aim to use gpiod, which provides libgpiod2 + CLI tools (like gpiodetect, gpioinfo, etc.), in one of our snap applications.
https://git.kernel.org/pub/scm/libs/libgpiod/libgpiod.git/

During some experiments, we realized that none of the supported interfaces allows access to /dev/gpiochip* for our snap application.
https://snapcraft.io/docs/supported-interfaces

Here is the snappy-debug example when we generated our snap configured with gpio + gpio-control + gpio-memory-control plugs and installed with --dangerous:
= AppArmor =
Time: Jan 27 21:22:47
Log: apparmor="DENIED" operation="open" profile="snap.SNAPNAME.APPNAME" name="/dev/gpiochip0" pid=19145 comm="APPNAME" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
File: /dev/gpiochip0 (write)

However, if we install the same snap with --devmode, AppArmor allows access.
= AppArmor =
Time: Jan 27 21:40:14
Log: apparmor="ALLOWED" operation="open" profile="snap.SNAPNAME.APPNAME" name="/dev/gpiochip0" pid=29560 comm="APPNAME" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
File: /dev/gpiochip0 (write)

We already tried adding "/dev/gpiochip0 rw," to the AppArmor rule (/var/lib/snapd/apparmor/profiles/snap.SNAPNAME.APPNAME), but it didn't work either.
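
Added example, not part of the bug report above and not snapd or snappy-debug code: a small parser that reads AppArmor audit lines like the two quoted in the report and summarizes, per profile and path, which file permissions were requested and whether the access was blocked (DENIED) or only logged (ALLOWED, as seen with --devmode). The function names are hypothetical, the sample input is reconstructed from the two log lines in the report, and the output only restates what the log requests.

```python
import re
from collections import defaultdict

# Constructed sample: the two "Log:" lines from the report, placeholders unchanged.
SAMPLE = '''\
Log: apparmor="DENIED" operation="open" profile="snap.SNAPNAME.APPNAME" name="/dev/gpiochip0" pid=19145 comm="APPNAME" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
Log: apparmor="ALLOWED" operation="open" profile="snap.SNAPNAME.APPNAME" name="/dev/gpiochip0" pid=29560 comm="APPNAME" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
'''

# key="quoted value" or key=bare_value
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_event(line):
    """Return the key=value fields of one AppArmor audit line, or None."""
    if 'apparmor=' not in line:
        return None
    return {key: quoted if quoted else bare for key, quoted, bare in KV.findall(line)}

def rule_perms(mask_chars):
    """Turn audit mask letters into file-rule order; create/delete (c, d) fall under w."""
    chars = {'w' if c in 'cd' else c for c in mask_chars}
    return ''.join(c for c in 'rwaklmx' if c in chars)

def summarize(text):
    """Group file events by (profile, path), collecting mask letters and verdicts."""
    out = defaultdict(lambda: {'perms': set(), 'verdicts': set()})
    for line in text.splitlines():
        ev = parse_event(line)
        if not ev or 'name' not in ev or 'profile' not in ev:
            continue
        entry = out[(ev['profile'], ev['name'])]
        entry['perms'].update(ev.get('denied_mask', ''))
        entry['verdicts'].add(ev['apparmor'])
    return dict(out)

def requested_access(text):
    """List (profile, rule-style line, verdicts) for every path seen in the log."""
    rows = []
    for (profile, path), e in sorted(summarize(text).items()):
        # ALLOWED means the profile was not enforcing (complain mode), so the
        # access was logged but not blocked; under strict confinement it is DENIED.
        rows.append((profile, f"{path} {rule_perms(e['perms'])},", sorted(e['verdicts'])))
    return rows

if __name__ == '__main__':
    for row in requested_access(SAMPLE):
        print(row)
```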