SocketCAN device on Ubuntu Core
I'm currently trying to use a SocketCAN-enabled device (Kvaser USBcan Light 2xHS) on a Dell Edge Gateway 3002 running Ubuntu Core 16.
This CAN interface has been tested on Ubuntu Desktop successfully.
The CAN kernel modules are not loaded by default on Ubuntu Core 16, so my first step was to load them:
$ lsmod | grep can
can_gw 20480 0
can_raw 20480 0
can_dev 24576 1 kvaser_usb
can 45056 2 can_gw,can_raw
Connecting the CAN interface at this point should result in the creation of two new can interfaces (can0 and can1 by default). The problem is that those interfaces are nowhere to be found:
$ ip link show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
link/ether d8:9e:f3:9c:5f:9f brd ff:ff:ff:ff:ff:ff
3: eth1: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN mode DEFAULT group default qlen 1000
link/ether d8:9e:f3:9c:5f:a1 brd ff:ff:ff:ff:ff:ff
4: wwan0: <BROADCAST,MULTICAST,NOARP> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
link/ether aa:c6:53:a2:73:a0 brd ff:ff:ff:ff:ff:ff
5: wlan0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN mode DORMANT group default qlen 1000
link/ether 00:23:a7:fa:99:68 brd ff:ff:ff:ff:ff:ff
6: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default
link/ether 02:42:57:84:86:f6 brd ff:ff:ff:ff:ff:ff
The output of dmesg shows that there was some kind of security issue. I'm not familiar with AppArmor so I'm not exactly sure if this has any relevance:
$ dmesg | tail -n15
[ 515.224025] usb 1-1: new high-speed USB device number 6 using xhci_hcd
[ 515.353111] usb 1-1: New USB device found, idVendor=0bfd, idProduct=0123
[ 515.353122] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[ 515.353129] usb 1-1: Product: Kvaser USBcan Light
[ 515.353134] usb 1-1: Manufacturer: Kvaser AB
[ 515.368908] audit: type=1400 audit(1539088148.830:340): apparmor="DENIED" operation="open" profile="snap.uefi-fw-tools.fwupd" name="/sys/devices/pci0000:00/0000:00:14.0/usb1/1-1/busnum" pid=2327 comm="fwupd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Is there anyone with previous experience with SocketCAN devices on Ubuntu Core? Any directions on how to debug this?
Thanks!
EDIT 01
We've tried to stop the apparmor service:
# systemctl stop apparmor.service
# systemctl status apparmor.service
● apparmor.service - LSB: AppArmor initialization
Loaded: loaded (/etc/init.d/apparmor; bad; vendor preset: enabled)
Active: inactive (dead) since Tue 2018-10-09 15:40:17 UTC; 1s ago
Docs: man:systemd-sysv-generator(8)
Process: 4442 ExecStop=/etc/init.d/apparmor stop (code=exited, status=0/SUCCESS)
Process: 2345 ExecStart=/etc/init.d/apparmor start (code=exited, status=0/SUCCESS)
Oct 09 15:40:17 ******* systemd[1]: Stopping LSB: AppArmor initialization...
Oct 09 15:40:17 ******* apparmor[4442]: * Clearing AppArmor profiles cache
Oct 09 15:40:17 ******* apparmor[4442]: ...done.
Oct 09 15:40:17 ******* apparmor[4442]: All profile caches have been cleared, but no profiles have been unloaded.
Oct 09 15:40:17 ******* apparmor[4442]: Unloading profiles will leave already running processes permanently
Oct 09 15:40:17 ******* apparmor[4442]: unconfined, which can lead to unexpected situations.
Oct 09 15:40:17 ******* apparmor[4442]: To set a process to complain mode, use the command line tool
Oct 09 15:40:17 ******* apparmor[4442]: 'aa-complain'. To really tear down all profiles, run the init script
Oct 09 15:40:17 ******* apparmor[4442]: with the 'teardown' option."
Oct 09 15:40:17 ******* systemd[1]: Stopped LSB: AppArmor initialization.
Curiously enough, the apparmor denial message is still appearing after connecting the USBcan device:
# dmesg | tail -n6
[ 1704.616028] usb 1-1: new high-speed USB device number 8 using xhci_hcd
[ 1704.744895] usb 1-1: New USB device found, idVendor=0bfd, idProduct=0123
[ 1704.744907] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[ 1704.744913] usb 1-1: Product: Kvaser USBcan Light
[ 1704.744919] usb 1-1: Manufacturer: Kvaser AB
[ 1704.770397] audit: type=1400 audit(1539099996.288:134): apparmor="DENIED" operation="open" profile="snap.uefi-fw-tools.fwupd" name="/sys/devices/pci0000:00/0000:00:14.0/usb1/1-1/busnum" pid=4013 comm="fwupd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
I guess this has something to do with the inherent restrictions of Ubuntu Core.
EDIT 02
I'm afraid I can't use apt on Ubuntu Core and that there are no snaps for apparmor-utils. The aa-enforce and aa-complain commands are not recognized.
I did try to run systemctl disable apparmor.service and rebooting. After this, SSH access to the gateway was lost (it's a headless machine with no GPU) and I had to flash the OS image again. I wonder if this has something to do with Ubuntu Core requiring the apparmor service in order to work properly.
The uefi-fw-tools snap was installed by default on the Ubuntu Core image that came with the gateway.
I'll try to install the uefi-fw-tools snap in devmode to try to avoid any apparmor issues and post the results.
EDIT 03
After installing the uefi-fw-tools snap in devmode the AppArmor DENIED messages disappeared, although the SocketCAN interface still didn't appear when connecting the USBcan device.
I contacted Kvaser support and it seems that the USBcan Light is only supported on kernel >= 4.7, while the gateway is running 4.4. The minimum kernel as mentioned in the docs should be 3.2, but this specific model is not supported.
Thanks a lot anyway for your help in debugging AppArmor.
dell ubuntu-core
Please post cat /etc/apparmor.d/snap.uefi-fw-tools.fwupd
– abu_bua
Oct 9 '18 at 16:39
Why did you install the snap uefi-fw-tools?
– abu_bua
Oct 9 '18 at 16:54
edited Oct 10 '18 at 10:21
Andrés García Mangas
asked Oct 9 '18 at 12:37
1 Answer
Don't forget to reboot after loading the kernels.
The standard command to configure a CAN bus interface is:
ip link set can0 type can bitrate 500000 listen-only on
This will set the bitrate of the can0 interface to 500 Kbps.
Now bring up the interface and start dumping frames:
ip link set can0 up
candump -cae can0,0:0,#FFFFFFFF
or do a
ip l sh
Regarding the apparmor message, I'm not sure - but you can try:
First I recommend to install apparmor-utils
sudo apt install apparmor-utils
In your case
profile="snap.uefi-fw-tools.fwupd"
denies to operation="open"
name="/sys/devices/pci0000:00/0000:00:14.0/usb1/1-1/busnum"
with pid=2327
In your
/etc/apparmor.d/snap.uefi-fw-tools.fwupd
add the following line (insert 2 spaces before /sys/.... !)
  /sys/devices/pci*/*/usb*/*/busnum rw,
Reload all apparmor profiles:
sudo systemctl reload apparmor.service
or if not started/enabled
sudo systemctl enable apparmor.service
sudo systemctl start apparmor.service
You can prove the status with
sudo systemctl status apparmor.service
or
sudo aa-status
I recommend to use
sudo aa-complain /etc/apparmor.d/snap.uefi-fw-tools.fwupd
This will make profile violations permitted and logged. Useful for testing and developing new profiles.
Later you can set it to enforce with
sudo aa-enforce /etc/apparmor.d/snap.uefi-fw-tools.fwupd
Thanks :) I've edited my initial question after trying out your suggestion.
– Andrés García Mangas
Oct 9 '18 at 15:50
What is the output of sudo aa-status?
– abu_bua
Oct 9 '18 at 15:55
Did you install sw from Kvaser?
– abu_bua
Oct 9 '18 at 15:56
The output of aa-status is in this gist.
– Andrés García Mangas
Oct 9 '18 at 15:59
No, I didn't install the CANlib proprietary drivers from Kvaser (I'm aware that those drivers blacklist socketcan). The built-in CAN drivers in the Linux Kernel should suffice.
– Andrés García Mangas
Oct 9 '18 at 16:00
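An added example, not code from the question or the answer: this Python script parses the AppArmor audit records quoted in the question (run against a saved copy of the dmesg output) to show which confined process was denied, and derives a file rule limited to the logged path and denied_mask. The function names are hypothetical; the sample lines are copied from the question, and AppArmor profiles apply to userspace processes such as fwupd, not to the kvaser_usb kernel driver.

```python
import re

# Lines copied from the two dmesg captures quoted in the question.
SAMPLE_DMESG = """\
[  515.353111] usb 1-1: New USB device found, idVendor=0bfd, idProduct=0123
[  515.353129] usb 1-1: Product: Kvaser USBcan Light
[  515.368908] audit: type=1400 audit(1539088148.830:340): apparmor="DENIED" operation="open" profile="snap.uefi-fw-tools.fwupd" name="/sys/devices/pci0000:00/0000:00:14.0/usb1/1-1/busnum" pid=2327 comm="fwupd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 1704.744913] usb 1-1: Product: Kvaser USBcan Light
[ 1704.770397] audit: type=1400 audit(1539099996.288:134): apparmor="DENIED" operation="open" profile="snap.uefi-fw-tools.fwupd" name="/sys/devices/pci0000:00/0000:00:14.0/usb1/1-1/busnum" pid=4013 comm="fwupd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

# key="quoted value" or key=bare_value
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# String fields that the audit subsystem writes as bare hex when they
# contain spaces, quotes or control characters.
_MAYBE_HEX = {"name", "comm", "profile"}
_HEX = re.compile(r"(?:[0-9A-Fa-f]{2})+")
# Log masks that map one-to-one onto file-rule permissions.
_DIRECT_PERMS = set("rwaklm")


def parse_denials(text):
    """Return one dict per AppArmor DENIED audit record found in text."""
    denials = []
    for line in text.splitlines():
        if 'apparmor="DENIED"' not in line:
            continue
        rec = {}
        for key, quoted, bare in _KV.findall(line):
            if bare and key in _MAYBE_HEX and _HEX.fullmatch(bare):
                rec[key] = bytes.fromhex(bare).decode("utf-8", "replace")
            else:
                rec[key] = bare if bare else quoted
        denials.append(rec)
    return denials


def snap_app(profile):
    """Split a snapd profile name 'snap.<snap>.<app>' into (snap, app)."""
    parts = profile.split(".", 2)
    if len(parts) == 3 and parts[0] == "snap":
        return parts[1], parts[2]
    return None


def minimal_rule(rec):
    """Narrowest file rule covering one denial, or None if it needs review."""
    path, mask = rec.get("name"), rec.get("denied_mask", "")
    if not path or not mask or not set(mask) <= _DIRECT_PERMS:
        return None  # create/delete/exec masks need a human decision
    if re.search(r'[*?\[\]{}^"]', path):
        return None  # path contains characters the rule syntax treats specially
    if re.search(r"\s", path):
        path = '"%s"' % path
    # Two leading spaces: the rule sits inside the profile's { } block.
    return "  %s %s," % (path, mask)


def triage(text):
    """Group denials by (profile, comm, path, mask) with count, pids and rule."""
    groups = {}
    for rec in parse_denials(text):
        key = (rec.get("profile"), rec.get("comm"),
               rec.get("name"), rec.get("denied_mask"))
        entry = groups.setdefault(
            key, {"count": 0, "pids": [], "rule": minimal_rule(rec)})
        entry["count"] += 1
        entry["pids"].append(rec.get("pid"))
    return groups


if __name__ == "__main__":
    for (profile, comm, path, mask), info in triage(SAMPLE_DMESG).items():
        print("profile:", profile, "-> snap/app:", snap_app(profile))
        print("process:", comm, "pids:", ", ".join(info["pids"]))
        print("denied :", mask, "on", path, "(%d times)" % info["count"])
        print("rule   :", info["rule"])
```

Both captures collapse into one group for the fwupd process, and the logged denied_mask is "r", so the derived rule grants read access to that single sysfs attribute only.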
|
show 1 more comment
Your Answer
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "89"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f1082277%2fsocketcan-device-on-ubuntu-core%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
Don't forget to reboot after loading the kernels.
The standard command to configure a CAN bus interface is:
ip link set can0 type can bitrate 500000 listen-only on
This will set the bitrate of the can0 interface to 500 Kbps.
Now bring up the interface and start dumping frames:
ip link set can0 up
candump -cae can0,0:0,#FFFFFFFF
or do a
ip l sh
Regarding the apparmor message, I'm not sure - but you can try:
First I recommend to install apparmor-utils
sudo apt install apparmor-utils
In your case
profile="snap.uefi-fw-tools.fwupd"
denies tooperation="open"
name="/sys/devices/pci0000:00/0000:00:14.0/usb1/1-1/busnum"
withpid=2327
In your
/etc/apparmor.d/snap.uefi-fw-tools.fwupd
add the following line (insert 2 spaces before /sys/.... !)
/sys/devices/pci*/*/usb*/*/busnum rw,
Reload all apparmor profiles:
sudo systemctl reload apparmor.service
or if not started/enabled
sudo systemctl enable apparmor.service
sudo systemctl start apparmor.service
You can prove the status with
sudo systemctl status apparmor.service
or
sudo aa-status
I recommend to use
sudo aa-complain /etc/apparmor.d/snap.uefi-fw-tools.fwupd
This will made profile violations permitted and logged. Useful for testing and developing new profiles.
Later you can set it to enforce with
sudo aa-enforce /etc/apparmor.d/snap.uefi-fw-tools.fwupd
Thanks :) I've edited my initial question after trying out your suggestion.
– Andrés García Mangas
Oct 9 '18 at 15:50
what is the output ofsudo aa-status
– abu_bua
Oct 9 '18 at 15:55
Did you installed sw from kvaser?
– abu_bua
Oct 9 '18 at 15:56
The output of aa-status is in this gist.
– Andrés García Mangas
Oct 9 '18 at 15:59
No, I didn't install the CANlib propietary drivers from Kvaser (I'm aware that those drivers blacklist socketcan). The built-in CAN drivers in the Linux Kernel should suffice.
– Andrés García Mangas
Oct 9 '18 at 16:00
|
show 1 more comment
Don't forget to reboot after loading the kernels.
The standard command to configure a CAN bus interface is:
ip link set can0 type can bitrate 500000 listen-only on
This will set the bitrate of the can0 interface to 500 Kbps.
Now bring up the interface and start dumping frames:
ip link set can0 up
candump -cae can0,0:0,#FFFFFFFF
or do a
ip l sh
Regarding the apparmor message, I'm not sure - but you can try:
First I recommend to install apparmor-utils
sudo apt install apparmor-utils
In your case
profile="snap.uefi-fw-tools.fwupd"
denies tooperation="open"
name="/sys/devices/pci0000:00/0000:00:14.0/usb1/1-1/busnum"
withpid=2327
In your
/etc/apparmor.d/snap.uefi-fw-tools.fwupd
add the following line (insert 2 spaces before /sys/.... !)
/sys/devices/pci*/*/usb*/*/busnum rw,
Reload all apparmor profiles:
sudo systemctl reload apparmor.service
or if not started/enabled
sudo systemctl enable apparmor.service
sudo systemctl start apparmor.service
You can prove the status with
sudo systemctl status apparmor.service
or
sudo aa-status
I recommend to use
sudo aa-complain /etc/apparmor.d/snap.uefi-fw-tools.fwupd
This will made profile violations permitted and logged. Useful for testing and developing new profiles.
Later you can set it to enforce with
sudo aa-enforce /etc/apparmor.d/snap.uefi-fw-tools.fwupd
Thanks :) I've edited my initial question after trying out your suggestion.
– Andrés García Mangas
Oct 9 '18 at 15:50
what is the output ofsudo aa-status
– abu_bua
Oct 9 '18 at 15:55
Did you installed sw from kvaser?
– abu_bua
Oct 9 '18 at 15:56
The output of aa-status is in this gist.
– Andrés García Mangas
Oct 9 '18 at 15:59
No, I didn't install the CANlib propietary drivers from Kvaser (I'm aware that those drivers blacklist socketcan). The built-in CAN drivers in the Linux Kernel should suffice.
– Andrés García Mangas
Oct 9 '18 at 16:00
edited Oct 10 '18 at 11:10
answered Oct 9 '18 at 14:28
abu_bua
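Added example (not part of abu_bua's answer): before widening a profile, it helps to compare a proposed rule with what the denial actually asked for. The sketch below parses an AppArmor DENIED audit line and reports whether a rule covers the denied path and which permissions go beyond the denied mask. The sample line is constructed from the four values quoted in the answer; its timestamp, comm and masks are assumptions, and only the `*`, `**` and `?` globs are handled.

```python
import re

# Constructed sample: profile, operation, name and pid are the values quoted in
# the answer; timestamp, comm and both masks are assumptions for illustration.
SAMPLE = (
    '[  515.412345] audit: type=1400 audit(1539095000.123:42): '
    'apparmor="DENIED" operation="open" profile="snap.uefi-fw-tools.fwupd" '
    'name="/sys/devices/pci0000:00/0000:00:14.0/usb1/1-1/busnum" pid=2327 '
    'comm="fwupd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0'
)

# AppArmor path globs: '*' and '?' never cross '/', '**' does.
_GLOB = {"**": ".*", "*": "[^/]*", "?": "[^/]"}


def parse_denial(line):
    """Return the key=value fields of an AppArmor DENIED line, else None."""
    fields = {}
    for key, quoted, bare in re.findall(r'(\w+)=(?:"([^"]*)"|(\S+))', line):
        fields[key] = quoted or bare
    return fields if fields.get("apparmor") == "DENIED" else None


def minimal_rule(fields):
    """Narrowest file rule for this denial: exact path, denied access only."""
    return "  {} {},".format(fields["name"], fields["denied_mask"])


def review_rule(fields, rule):
    """Return (rule covers the denied path, permissions beyond the denial)."""
    glob, perms = rule.strip().rstrip(",").rsplit(None, 1)
    parts = re.findall(r"\*\*|\*|\?|[^*?]+", glob)
    pattern = "".join(_GLOB.get(p) or re.escape(p) for p in parts)
    covers = re.fullmatch(pattern, fields["name"]) is not None
    return covers, sorted(set(perms) - set(fields["denied_mask"]))


if __name__ == "__main__":
    denial = parse_denial(SAMPLE)
    print(minimal_rule(denial))
    print(review_rule(denial, "  /sys/devices/pci*/*/usb*/*/busnum rw,"))
```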
Please post
cat /etc/apparmor.d/snap.uefi-fw-tools.fwupd
– abu_bua
Oct 9 '18 at 16:39
Why did you install the snap uefi-fw-tools?
– abu_bua
Oct 9 '18 at 16:54