SocketCAN device on Ubuntu Core





.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty{ margin-bottom:0;
}







1















I'm currently trying to use a SocketCAN-enabled device (Kvaser USBcan Light 2xHS) on a Dell Edge Gateway 3002 running Ubuntu Core 16.



This CAN interface has been tested on Ubuntu Desktop successfully.



The CAN kernel modules are not loaded by default on Ubuntu Core 16, so my first step was to load them:



$ lsmod | grep can
can_gw 20480 0
can_raw 20480 0
can_dev 24576 1 kvaser_usb
can 45056 2 can_gw,can_raw


Connecting the CAN interface at this point should result in the creation of two new can interfaces (can0 and can1 by default). The problem is that those interfaces are nowhere to be found:



$ ip link show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
link/ether d8:9e:f3:9c:5f:9f brd ff:ff:ff:ff:ff:ff
3: eth1: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN mode DEFAULT group default qlen 1000
link/ether d8:9e:f3:9c:5f:a1 brd ff:ff:ff:ff:ff:ff
4: wwan0: <BROADCAST,MULTICAST,NOARP> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
link/ether aa:c6:53:a2:73:a0 brd ff:ff:ff:ff:ff:ff
5: wlan0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN mode DORMANT group default qlen 1000
link/ether 00:23:a7:fa:99:68 brd ff:ff:ff:ff:ff:ff
6: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default
link/ether 02:42:57:84:86:f6 brd ff:ff:ff:ff:ff:ff


The output of dmesg shows that there was some kind of security issue. I'm not familiar with AppArmor so I'm not exactly sure if this has any relevance:



$ dmesg | tail -n15
[ 515.224025] usb 1-1: new high-speed USB device number 6 using xhci_hcd
[ 515.353111] usb 1-1: New USB device found, idVendor=0bfd, idProduct=0123
[ 515.353122] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[ 515.353129] usb 1-1: Product: Kvaser USBcan Light
[ 515.353134] usb 1-1: Manufacturer: Kvaser AB
[ 515.368908] audit: type=1400 audit(1539088148.830:340): apparmor="DENIED" operation="open" profile="snap.uefi-fw-tools.fwupd" name="/sys/devices/pci0000:00/0000:00:14.0/usb1/1-1/busnum" pid=2327 comm="fwupd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0


Is there anyone with previous experience with SocketCAN devices on Ubuntu Core? Any directions on how to debug this?



Thanks!



EDIT 01



We've tried to stop the apparmor service:



# systemctl stop apparmor.service
# systemctl status apparmor.service
● apparmor.service - LSB: AppArmor initialization
Loaded: loaded (/etc/init.d/apparmor; bad; vendor preset: enabled)
Active: inactive (dead) since Tue 2018-10-09 15:40:17 UTC; 1s ago
Docs: man:systemd-sysv-generator(8)
Process: 4442 ExecStop=/etc/init.d/apparmor stop (code=exited, status=0/SUCCESS)
Process: 2345 ExecStart=/etc/init.d/apparmor start (code=exited, status=0/SUCCESS)

Oct 09 15:40:17 ******* systemd[1]: Stopping LSB: AppArmor initialization...
Oct 09 15:40:17 ******* apparmor[4442]: * Clearing AppArmor profiles cache
Oct 09 15:40:17 ******* apparmor[4442]: ...done.
Oct 09 15:40:17 ******* apparmor[4442]: All profile caches have been cleared, but no profiles have been unloaded.
Oct 09 15:40:17 ******* apparmor[4442]: Unloading profiles will leave already running processes permanently
Oct 09 15:40:17 ******* apparmor[4442]: unconfined, which can lead to unexpected situations.
Oct 09 15:40:17 ******* apparmor[4442]: To set a process to complain mode, use the command line tool
Oct 09 15:40:17 ******* apparmor[4442]: 'aa-complain'. To really tear down all profiles, run the init script
Oct 09 15:40:17 ******* apparmor[4442]: with the 'teardown' option."
Oct 09 15:40:17 ******* systemd[1]: Stopped LSB: AppArmor initialization.


Curiously enough, the apparmor denial message is still appearing after connecting the USBcan device:



# dmesg | tail -n6
[ 1704.616028] usb 1-1: new high-speed USB device number 8 using xhci_hcd
[ 1704.744895] usb 1-1: New USB device found, idVendor=0bfd, idProduct=0123
[ 1704.744907] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[ 1704.744913] usb 1-1: Product: Kvaser USBcan Light
[ 1704.744919] usb 1-1: Manufacturer: Kvaser AB
[ 1704.770397] audit: type=1400 audit(1539099996.288:134): apparmor="DENIED" operation="open" profile="snap.uefi-fw-tools.fwupd" name="/sys/devices/pci0000:00/0000:00:14.0/usb1/1-1/busnum" pid=4013 comm="fwupd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0


I guess this has something to do with the inherent restrictions of Ubuntu Core.



EDIT 02



I'm afraid I can't use apt on Ubuntu Core and that there are no snaps for apparmor-utils. The aa-enforce and aa-complain commands are not recognized.



I did try to run systemctl disable apparmor.service and rebooting. After this, SSH access to the gateway was lost (it's a headless machine with no GPU) and I had to flash the OS image again. I wonder if this has something to do with Ubuntu Core requiring the apparmor service in order to work properly.



The uefi-fw-tools snap was installed by default on the Ubuntu Core image that came with the gateway.



I'll try to install the uefi-fw-tools snap in devmode to try to avoid any apparmor issues and post the results.



EDIT 03



After installing the uefi-fw-tools snap in devmode the AppArmor DENIED messages disappeared, although the SocketCAN interface still didn't appear when connecting the USBCan device.



I contacted Kvaser support and it seems that the USBcan Light is only supported on kernel >= 4.7, while the gateway is running 4.4. The minimum kernel as mentioned in the docs should be 3.2, but this specific model is not supported.



Thanks a lot anyway for your help in debugging AppArmor.










share|improve this question

























  • Please post cat /etc/apparmor.d/snap.uefi-fw-tools.fwupd

    – abu_bua
    Oct 9 '18 at 16:39











  • Why did you installed the snap uefi-fw-tools?

    – abu_bua
    Oct 9 '18 at 16:54


















1















I'm currently trying to use a SocketCAN-enabled device (Kvaser USBcan Light 2xHS) on a Dell Edge Gateway 3002 running Ubuntu Core 16.



This CAN interface has been tested on Ubuntu Desktop successfully.



The CAN kernel modules are not loaded by default on Ubuntu Core 16, so my first step was to load them:



$ lsmod | grep can
can_gw 20480 0
can_raw 20480 0
can_dev 24576 1 kvaser_usb
can 45056 2 can_gw,can_raw


Connecting the CAN interface at this point should result in the creation of two new can interfaces (can0 and can1 by default). The problem is that those interfaces are nowhere to be found:



$ ip link show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
link/ether d8:9e:f3:9c:5f:9f brd ff:ff:ff:ff:ff:ff
3: eth1: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN mode DEFAULT group default qlen 1000
link/ether d8:9e:f3:9c:5f:a1 brd ff:ff:ff:ff:ff:ff
4: wwan0: <BROADCAST,MULTICAST,NOARP> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
link/ether aa:c6:53:a2:73:a0 brd ff:ff:ff:ff:ff:ff
5: wlan0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN mode DORMANT group default qlen 1000
link/ether 00:23:a7:fa:99:68 brd ff:ff:ff:ff:ff:ff
6: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default
link/ether 02:42:57:84:86:f6 brd ff:ff:ff:ff:ff:ff


The output of dmesg shows that there was some kind of security issue. I'm not familiar with AppArmor so I'm not exactly sure if this has any relevance:



$ dmesg | tail -n15
[ 515.224025] usb 1-1: new high-speed USB device number 6 using xhci_hcd
[ 515.353111] usb 1-1: New USB device found, idVendor=0bfd, idProduct=0123
[ 515.353122] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[ 515.353129] usb 1-1: Product: Kvaser USBcan Light
[ 515.353134] usb 1-1: Manufacturer: Kvaser AB
[ 515.368908] audit: type=1400 audit(1539088148.830:340): apparmor="DENIED" operation="open" profile="snap.uefi-fw-tools.fwupd" name="/sys/devices/pci0000:00/0000:00:14.0/usb1/1-1/busnum" pid=2327 comm="fwupd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0


Is there anyone with previous experience with SocketCAN devices on Ubuntu Core? Any directions on how to debug this?



Thanks!



EDIT 01



We've tried to stop the apparmor service:



# systemctl stop apparmor.service
# systemctl status apparmor.service
● apparmor.service - LSB: AppArmor initialization
Loaded: loaded (/etc/init.d/apparmor; bad; vendor preset: enabled)
Active: inactive (dead) since Tue 2018-10-09 15:40:17 UTC; 1s ago
Docs: man:systemd-sysv-generator(8)
Process: 4442 ExecStop=/etc/init.d/apparmor stop (code=exited, status=0/SUCCESS)
Process: 2345 ExecStart=/etc/init.d/apparmor start (code=exited, status=0/SUCCESS)

Oct 09 15:40:17 ******* systemd[1]: Stopping LSB: AppArmor initialization...
Oct 09 15:40:17 ******* apparmor[4442]: * Clearing AppArmor profiles cache
Oct 09 15:40:17 ******* apparmor[4442]: ...done.
Oct 09 15:40:17 ******* apparmor[4442]: All profile caches have been cleared, but no profiles have been unloaded.
Oct 09 15:40:17 ******* apparmor[4442]: Unloading profiles will leave already running processes permanently
Oct 09 15:40:17 ******* apparmor[4442]: unconfined, which can lead to unexpected situations.
Oct 09 15:40:17 ******* apparmor[4442]: To set a process to complain mode, use the command line tool
Oct 09 15:40:17 ******* apparmor[4442]: 'aa-complain'. To really tear down all profiles, run the init script
Oct 09 15:40:17 ******* apparmor[4442]: with the 'teardown' option."
Oct 09 15:40:17 ******* systemd[1]: Stopped LSB: AppArmor initialization.


Curiously enough, the apparmor denial message is still appearing after connecting the USBcan device:



# dmesg | tail -n6
[ 1704.616028] usb 1-1: new high-speed USB device number 8 using xhci_hcd
[ 1704.744895] usb 1-1: New USB device found, idVendor=0bfd, idProduct=0123
[ 1704.744907] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[ 1704.744913] usb 1-1: Product: Kvaser USBcan Light
[ 1704.744919] usb 1-1: Manufacturer: Kvaser AB
[ 1704.770397] audit: type=1400 audit(1539099996.288:134): apparmor="DENIED" operation="open" profile="snap.uefi-fw-tools.fwupd" name="/sys/devices/pci0000:00/0000:00:14.0/usb1/1-1/busnum" pid=4013 comm="fwupd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0


I guess this has something to do with the inherent restrictions of Ubuntu Core.



EDIT 02



I'm afraid I can't use apt on Ubuntu Core and that there are no snaps for apparmor-utils. The aa-enforce and aa-complain commands are not recognized.



I did try to run systemctl disable apparmor.service and rebooting. After this, SSH access to the gateway was lost (it's a headless machine with no GPU) and I had to flash the OS image again. I wonder if this has something to do with Ubuntu Core requiring the apparmor service in order to work properly.



The uefi-fw-tools snap was installed by default on the Ubuntu Core image that came with the gateway.



I'll try to install the uefi-fw-tools snap in devmode to try to avoid any apparmor issues and post the results.



EDIT 03



After installing the uefi-fw-tools snap in devmode the AppArmor DENIED messages disappeared, although the SocketCAN interface still didn't appear when connecting the USBCan device.



I contacted Kvaser support and it seems that the USBcan Light is only supported on kernel >= 4.7, while the gateway is running 4.4. The minimum kernel as mentioned in the docs should be 3.2, but this specific model is not supported.



Thanks a lot anyway for your help in debugging AppArmor.










share|improve this question

























  • Please post cat /etc/apparmor.d/snap.uefi-fw-tools.fwupd

    – abu_bua
    Oct 9 '18 at 16:39











  • Why did you installed the snap uefi-fw-tools?

    – abu_bua
    Oct 9 '18 at 16:54














1












1








1








I'm currently trying to use a SocketCAN-enabled device (Kvaser USBcan Light 2xHS) on a Dell Edge Gateway 3002 running Ubuntu Core 16.



This CAN interface has been tested on Ubuntu Desktop successfully.



The CAN kernel modules are not loaded by default on Ubuntu Core 16, so my first step was to load them:



$ lsmod | grep can
can_gw 20480 0
can_raw 20480 0
can_dev 24576 1 kvaser_usb
can 45056 2 can_gw,can_raw


Connecting the CAN interface at this point should result in the creation of two new can interfaces (can0 and can1 by default). The problem is that those interfaces are nowhere to be found:



$ ip link show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
link/ether d8:9e:f3:9c:5f:9f brd ff:ff:ff:ff:ff:ff
3: eth1: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN mode DEFAULT group default qlen 1000
link/ether d8:9e:f3:9c:5f:a1 brd ff:ff:ff:ff:ff:ff
4: wwan0: <BROADCAST,MULTICAST,NOARP> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
link/ether aa:c6:53:a2:73:a0 brd ff:ff:ff:ff:ff:ff
5: wlan0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN mode DORMANT group default qlen 1000
link/ether 00:23:a7:fa:99:68 brd ff:ff:ff:ff:ff:ff
6: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default
link/ether 02:42:57:84:86:f6 brd ff:ff:ff:ff:ff:ff


The output of dmesg shows that there was some kind of security issue. I'm not familiar with AppArmor so I'm not exactly sure if this has any relevance:



$ dmesg | tail -n15
[ 515.224025] usb 1-1: new high-speed USB device number 6 using xhci_hcd
[ 515.353111] usb 1-1: New USB device found, idVendor=0bfd, idProduct=0123
[ 515.353122] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[ 515.353129] usb 1-1: Product: Kvaser USBcan Light
[ 515.353134] usb 1-1: Manufacturer: Kvaser AB
[ 515.368908] audit: type=1400 audit(1539088148.830:340): apparmor="DENIED" operation="open" profile="snap.uefi-fw-tools.fwupd" name="/sys/devices/pci0000:00/0000:00:14.0/usb1/1-1/busnum" pid=2327 comm="fwupd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0


Is there anyone with previous experience with SocketCAN devices on Ubuntu Core? Any directions on how to debug this?



Thanks!



EDIT 01



We've tried to stop the apparmor service:



# systemctl stop apparmor.service
# systemctl status apparmor.service
● apparmor.service - LSB: AppArmor initialization
Loaded: loaded (/etc/init.d/apparmor; bad; vendor preset: enabled)
Active: inactive (dead) since Tue 2018-10-09 15:40:17 UTC; 1s ago
Docs: man:systemd-sysv-generator(8)
Process: 4442 ExecStop=/etc/init.d/apparmor stop (code=exited, status=0/SUCCESS)
Process: 2345 ExecStart=/etc/init.d/apparmor start (code=exited, status=0/SUCCESS)

Oct 09 15:40:17 ******* systemd[1]: Stopping LSB: AppArmor initialization...
Oct 09 15:40:17 ******* apparmor[4442]: * Clearing AppArmor profiles cache
Oct 09 15:40:17 ******* apparmor[4442]: ...done.
Oct 09 15:40:17 ******* apparmor[4442]: All profile caches have been cleared, but no profiles have been unloaded.
Oct 09 15:40:17 ******* apparmor[4442]: Unloading profiles will leave already running processes permanently
Oct 09 15:40:17 ******* apparmor[4442]: unconfined, which can lead to unexpected situations.
Oct 09 15:40:17 ******* apparmor[4442]: To set a process to complain mode, use the command line tool
Oct 09 15:40:17 ******* apparmor[4442]: 'aa-complain'. To really tear down all profiles, run the init script
Oct 09 15:40:17 ******* apparmor[4442]: with the 'teardown' option."
Oct 09 15:40:17 ******* systemd[1]: Stopped LSB: AppArmor initialization.


Curiously enough, the apparmor denial message is still appearing after connecting the USBcan device:



# dmesg | tail -n6
[ 1704.616028] usb 1-1: new high-speed USB device number 8 using xhci_hcd
[ 1704.744895] usb 1-1: New USB device found, idVendor=0bfd, idProduct=0123
[ 1704.744907] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[ 1704.744913] usb 1-1: Product: Kvaser USBcan Light
[ 1704.744919] usb 1-1: Manufacturer: Kvaser AB
[ 1704.770397] audit: type=1400 audit(1539099996.288:134): apparmor="DENIED" operation="open" profile="snap.uefi-fw-tools.fwupd" name="/sys/devices/pci0000:00/0000:00:14.0/usb1/1-1/busnum" pid=4013 comm="fwupd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0


I guess this has something to do with the inherent restrictions of Ubuntu Core.



EDIT 02



I'm afraid I can't use apt on Ubuntu Core and that there are no snaps for apparmor-utils. The aa-enforce and aa-complain commands are not recognized.



I did try to run systemctl disable apparmor.service and rebooting. After this, SSH access to the gateway was lost (it's a headless machine with no GPU) and I had to flash the OS image again. I wonder if this has something to do with Ubuntu Core requiring the apparmor service in order to work properly.



The uefi-fw-tools snap was installed by default on the Ubuntu Core image that came with the gateway.



I'll try to install the uefi-fw-tools snap in devmode to try to avoid any apparmor issues and post the results.



EDIT 03



After installing the uefi-fw-tools snap in devmode the AppArmor DENIED messages disappeared, although the SocketCAN interface still didn't appear when connecting the USBCan device.



I contacted Kvaser support and it seems that the USBcan Light is only supported on kernel >= 4.7, while the gateway is running 4.4. The minimum kernel as mentioned in the docs should be 3.2, but this specific model is not supported.



Thanks a lot anyway for your help in debugging AppArmor.










share|improve this question
















I'm currently trying to use a SocketCAN-enabled device (Kvaser USBcan Light 2xHS) on a Dell Edge Gateway 3002 running Ubuntu Core 16.



This CAN interface has been tested on Ubuntu Desktop successfully.



The CAN kernel modules are not loaded by default on Ubuntu Core 16, so my first step was to load them:



$ lsmod | grep can
can_gw 20480 0
can_raw 20480 0
can_dev 24576 1 kvaser_usb
can 45056 2 can_gw,can_raw


Connecting the CAN interface at this point should result in the creation of two new can interfaces (can0 and can1 by default). The problem is that those interfaces are nowhere to be found:



$ ip link show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
link/ether d8:9e:f3:9c:5f:9f brd ff:ff:ff:ff:ff:ff
3: eth1: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN mode DEFAULT group default qlen 1000
link/ether d8:9e:f3:9c:5f:a1 brd ff:ff:ff:ff:ff:ff
4: wwan0: <BROADCAST,MULTICAST,NOARP> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
link/ether aa:c6:53:a2:73:a0 brd ff:ff:ff:ff:ff:ff
5: wlan0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN mode DORMANT group default qlen 1000
link/ether 00:23:a7:fa:99:68 brd ff:ff:ff:ff:ff:ff
6: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default
link/ether 02:42:57:84:86:f6 brd ff:ff:ff:ff:ff:ff


The output of dmesg shows that there was some kind of security issue. I'm not familiar with AppArmor so I'm not exactly sure if this has any relevance:



$ dmesg | tail -n15
[ 515.224025] usb 1-1: new high-speed USB device number 6 using xhci_hcd
[ 515.353111] usb 1-1: New USB device found, idVendor=0bfd, idProduct=0123
[ 515.353122] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[ 515.353129] usb 1-1: Product: Kvaser USBcan Light
[ 515.353134] usb 1-1: Manufacturer: Kvaser AB
[ 515.368908] audit: type=1400 audit(1539088148.830:340): apparmor="DENIED" operation="open" profile="snap.uefi-fw-tools.fwupd" name="/sys/devices/pci0000:00/0000:00:14.0/usb1/1-1/busnum" pid=2327 comm="fwupd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0


Is there anyone with previous experience with SocketCAN devices on Ubuntu Core? Any directions on how to debug this?



Thanks!



EDIT 01



We've tried to stop the apparmor service:



# systemctl stop apparmor.service
# systemctl status apparmor.service
● apparmor.service - LSB: AppArmor initialization
Loaded: loaded (/etc/init.d/apparmor; bad; vendor preset: enabled)
Active: inactive (dead) since Tue 2018-10-09 15:40:17 UTC; 1s ago
Docs: man:systemd-sysv-generator(8)
Process: 4442 ExecStop=/etc/init.d/apparmor stop (code=exited, status=0/SUCCESS)
Process: 2345 ExecStart=/etc/init.d/apparmor start (code=exited, status=0/SUCCESS)

Oct 09 15:40:17 ******* systemd[1]: Stopping LSB: AppArmor initialization...
Oct 09 15:40:17 ******* apparmor[4442]: * Clearing AppArmor profiles cache
Oct 09 15:40:17 ******* apparmor[4442]: ...done.
Oct 09 15:40:17 ******* apparmor[4442]: All profile caches have been cleared, but no profiles have been unloaded.
Oct 09 15:40:17 ******* apparmor[4442]: Unloading profiles will leave already running processes permanently
Oct 09 15:40:17 ******* apparmor[4442]: unconfined, which can lead to unexpected situations.
Oct 09 15:40:17 ******* apparmor[4442]: To set a process to complain mode, use the command line tool
Oct 09 15:40:17 ******* apparmor[4442]: 'aa-complain'. To really tear down all profiles, run the init script
Oct 09 15:40:17 ******* apparmor[4442]: with the 'teardown' option."
Oct 09 15:40:17 ******* systemd[1]: Stopped LSB: AppArmor initialization.


Curiously enough, the apparmor denial message is still appearing after connecting the USBcan device:



# dmesg | tail -n6
[ 1704.616028] usb 1-1: new high-speed USB device number 8 using xhci_hcd
[ 1704.744895] usb 1-1: New USB device found, idVendor=0bfd, idProduct=0123
[ 1704.744907] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[ 1704.744913] usb 1-1: Product: Kvaser USBcan Light
[ 1704.744919] usb 1-1: Manufacturer: Kvaser AB
[ 1704.770397] audit: type=1400 audit(1539099996.288:134): apparmor="DENIED" operation="open" profile="snap.uefi-fw-tools.fwupd" name="/sys/devices/pci0000:00/0000:00:14.0/usb1/1-1/busnum" pid=4013 comm="fwupd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0


I guess this has something to do with the inherent restrictions of Ubuntu Core.



EDIT 02



I'm afraid I can't use apt on Ubuntu Core and that there are no snaps for apparmor-utils. The aa-enforce and aa-complain commands are not recognized.



I did try to run systemctl disable apparmor.service and rebooting. After this, SSH access to the gateway was lost (it's a headless machine with no GPU) and I had to flash the OS image again. I wonder if this has something to do with Ubuntu Core requiring the apparmor service in order to work properly.



The uefi-fw-tools snap was installed by default on the Ubuntu Core image that came with the gateway.



I'll try to install the uefi-fw-tools snap in devmode to try to avoid any apparmor issues and post the results.



EDIT 03



After installing the uefi-fw-tools snap in devmode the AppArmor DENIED messages disappeared, although the SocketCAN interface still didn't appear when connecting the USBCan device.



I contacted Kvaser support and it seems that the USBcan Light is only supported on kernel >= 4.7, while the gateway is running 4.4. The minimum kernel as mentioned in the docs should be 3.2, but this specific model is not supported.



Thanks a lot anyway for your help in debugging AppArmor.







dell ubuntu-core






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Oct 10 '18 at 10:21







Andrés García Mangas

















asked Oct 9 '18 at 12:37









Andrés García MangasAndrés García Mangas

83




83













  • Please post cat /etc/apparmor.d/snap.uefi-fw-tools.fwupd

    – abu_bua
    Oct 9 '18 at 16:39











  • Why did you installed the snap uefi-fw-tools?

    – abu_bua
    Oct 9 '18 at 16:54



















  • Please post cat /etc/apparmor.d/snap.uefi-fw-tools.fwupd

    – abu_bua
    Oct 9 '18 at 16:39











  • Why did you installed the snap uefi-fw-tools?

    – abu_bua
    Oct 9 '18 at 16:54

















Please post cat /etc/apparmor.d/snap.uefi-fw-tools.fwupd

– abu_bua
Oct 9 '18 at 16:39





Please post cat /etc/apparmor.d/snap.uefi-fw-tools.fwupd

– abu_bua
Oct 9 '18 at 16:39













Why did you installed the snap uefi-fw-tools?

– abu_bua
Oct 9 '18 at 16:54





Why did you installed the snap uefi-fw-tools?

– abu_bua
Oct 9 '18 at 16:54










1 Answer
1






active

oldest

votes


















0














Don't forget to reboot after loading the kernels.



The standard command to configure a CAN bus interface is:



ip link set can0 type can bitrate 500000 listen-only on


This will set the bitrate of the can0 interface to 500 Kbps.
Now bring up the interface and start dumping frames:



ip link set can0 up
candump -cae can0,0:0,#FFFFFFFF


or do a



ip l sh


Regarding the apparmor message, I'm not sure - but you can try:





  • First I recommend to install apparmor-utils



    sudo apt install apparmor-utils



  • In your case profile="snap.uefi-fw-tools.fwupd" denies to operation="open" name="/sys/devices/pci0000:00/0000:00:14.0/usb1/1-1/busnum" with pid=2327



    In your /etc/apparmor.d/snap.uefi-fw-tools.fwupd add the following line (insert 2 spaces before /sys/.... !)



      /sys/devices/pci*/*/usb*/*/busnum rw,



  • Reload all apparmor profiles:



    sudo systemctl reload apparmor.service


    or if not started/enabled



    sudo systemctl enable apparmor.service
    sudo systemctl start apparmor.service


    You can prove the status with



    sudo systemctl status apparmor.service


    or



    sudo aa-status



  • I recommend to use



    sudo aa-complain /etc/apparmor.d/snap.uefi-fw-tools.fwupd


    This will made profile violations permitted and logged. Useful for testing and developing new profiles.
    Later you can set it to enforce with



    sudo aa-enforce /etc/apparmor.d/snap.uefi-fw-tools.fwupd







share|improve this answer


























  • Thanks :) I've edited my initial question after trying out your suggestion.

    – Andrés García Mangas
    Oct 9 '18 at 15:50











  • what is the output of sudo aa-status

    – abu_bua
    Oct 9 '18 at 15:55











  • Did you installed sw from kvaser?

    – abu_bua
    Oct 9 '18 at 15:56











  • The output of aa-status is in this gist.

    – Andrés García Mangas
    Oct 9 '18 at 15:59











  • No, I didn't install the CANlib propietary drivers from Kvaser (I'm aware that those drivers blacklist socketcan). The built-in CAN drivers in the Linux Kernel should suffice.

    – Andrés García Mangas
    Oct 9 '18 at 16:00












Your Answer








StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "89"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});

function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});


}
});














draft saved

draft discarded


















StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f1082277%2fsocketcan-device-on-ubuntu-core%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown

























1 Answer
1






active

oldest

votes








1 Answer
1






active

oldest

votes









active

oldest

votes






active

oldest

votes









0














Don't forget to reboot after loading the kernels.



The standard command to configure a CAN bus interface is:



ip link set can0 type can bitrate 500000 listen-only on


This will set the bitrate of the can0 interface to 500 Kbps.
Now bring up the interface and start dumping frames:



ip link set can0 up
candump -cae can0,0:0,#FFFFFFFF


or do a



ip l sh


Regarding the apparmor message, I'm not sure - but you can try:





  • First I recommend to install apparmor-utils



    sudo apt install apparmor-utils



  • In your case profile="snap.uefi-fw-tools.fwupd" denies to operation="open" name="/sys/devices/pci0000:00/0000:00:14.0/usb1/1-1/busnum" with pid=2327



    In your /etc/apparmor.d/snap.uefi-fw-tools.fwupd add the following line (insert 2 spaces before /sys/.... !)



      /sys/devices/pci*/*/usb*/*/busnum rw,



  • Reload all apparmor profiles:



    sudo systemctl reload apparmor.service


    or if not started/enabled



    sudo systemctl enable apparmor.service
    sudo systemctl start apparmor.service


    You can prove the status with



    sudo systemctl status apparmor.service


    or



    sudo aa-status



  • I recommend to use



    sudo aa-complain /etc/apparmor.d/snap.uefi-fw-tools.fwupd


    This will made profile violations permitted and logged. Useful for testing and developing new profiles.
    Later you can set it to enforce with



    sudo aa-enforce /etc/apparmor.d/snap.uefi-fw-tools.fwupd







share|improve this answer


























  • Thanks :) I've edited my initial question after trying out your suggestion.

    – Andrés García Mangas
    Oct 9 '18 at 15:50











  • what is the output of sudo aa-status

    – abu_bua
    Oct 9 '18 at 15:55











  • Did you installed sw from kvaser?

    – abu_bua
    Oct 9 '18 at 15:56











  • The output of aa-status is in this gist.

    – Andrés García Mangas
    Oct 9 '18 at 15:59











  • No, I didn't install the CANlib propietary drivers from Kvaser (I'm aware that those drivers blacklist socketcan). The built-in CAN drivers in the Linux Kernel should suffice.

    – Andrés García Mangas
    Oct 9 '18 at 16:00
















0














Don't forget to reboot after loading the kernels.



The standard command to configure a CAN bus interface is:



ip link set can0 type can bitrate 500000 listen-only on


This will set the bitrate of the can0 interface to 500 Kbps.
Now bring up the interface and start dumping frames:



ip link set can0 up
candump -cae can0,0:0,#FFFFFFFF


or do a



ip l sh


Regarding the apparmor message, I'm not sure - but you can try:





  • First I recommend to install apparmor-utils



    sudo apt install apparmor-utils



  • In your case profile="snap.uefi-fw-tools.fwupd" denies to operation="open" name="/sys/devices/pci0000:00/0000:00:14.0/usb1/1-1/busnum" with pid=2327



    In your /etc/apparmor.d/snap.uefi-fw-tools.fwupd add the following line (insert 2 spaces before /sys/.... !)



      /sys/devices/pci*/*/usb*/*/busnum rw,



  • Reload all apparmor profiles:



    sudo systemctl reload apparmor.service


    or if not started/enabled



    sudo systemctl enable apparmor.service
    sudo systemctl start apparmor.service


    You can prove the status with



    sudo systemctl status apparmor.service


    or



    sudo aa-status



  • I recommend to use



    sudo aa-complain /etc/apparmor.d/snap.uefi-fw-tools.fwupd


    This will made profile violations permitted and logged. Useful for testing and developing new profiles.
    Later you can set it to enforce with



    sudo aa-enforce /etc/apparmor.d/snap.uefi-fw-tools.fwupd







share|improve this answer


























  • Thanks :) I've edited my initial question after trying out your suggestion.

    – Andrés García Mangas
    Oct 9 '18 at 15:50











  • what is the output of sudo aa-status

    – abu_bua
    Oct 9 '18 at 15:55











  • Did you installed sw from kvaser?

    – abu_bua
    Oct 9 '18 at 15:56











  • The output of aa-status is in this gist.

    – Andrés García Mangas
    Oct 9 '18 at 15:59











  • No, I didn't install the CANlib propietary drivers from Kvaser (I'm aware that those drivers blacklist socketcan). The built-in CAN drivers in the Linux Kernel should suffice.

    – Andrés García Mangas
    Oct 9 '18 at 16:00














0












0








0







Don't forget to reboot after loading the kernels.



The standard command to configure a CAN bus interface is:



ip link set can0 type can bitrate 500000 listen-only on


This will set the bitrate of the can0 interface to 500 Kbps.
Now bring up the interface and start dumping frames:



ip link set can0 up
candump -cae can0,0:0,#FFFFFFFF


or do a



ip l sh


Regarding the apparmor message, I'm not sure - but you can try:





  • First I recommend to install apparmor-utils



    sudo apt install apparmor-utils



  • In your case profile="snap.uefi-fw-tools.fwupd" denies to operation="open" name="/sys/devices/pci0000:00/0000:00:14.0/usb1/1-1/busnum" with pid=2327



    In your /etc/apparmor.d/snap.uefi-fw-tools.fwupd add the following line (insert 2 spaces before /sys/.... !)



      /sys/devices/pci*/*/usb*/*/busnum rw,



  • Reload all apparmor profiles:



    sudo systemctl reload apparmor.service


    or if not started/enabled



    sudo systemctl enable apparmor.service
    sudo systemctl start apparmor.service


    You can prove the status with



    sudo systemctl status apparmor.service


    or



    sudo aa-status



  • I recommend to use



    sudo aa-complain /etc/apparmor.d/snap.uefi-fw-tools.fwupd


    This will made profile violations permitted and logged. Useful for testing and developing new profiles.
    Later you can set it to enforce with



    sudo aa-enforce /etc/apparmor.d/snap.uefi-fw-tools.fwupd







share|improve this answer















Don't forget to reboot after loading the kernels.



The standard command to configure a CAN bus interface is:



ip link set can0 type can bitrate 500000 listen-only on


This will set the bitrate of the can0 interface to 500 Kbps.
Now bring up the interface and start dumping frames:



ip link set can0 up
candump -cae can0,0:0,#FFFFFFFF


or do a



ip l sh


Regarding the apparmor message, I'm not sure - but you can try:





  • First I recommend to install apparmor-utils



    sudo apt install apparmor-utils



  • In your case profile="snap.uefi-fw-tools.fwupd" denies to operation="open" name="/sys/devices/pci0000:00/0000:00:14.0/usb1/1-1/busnum" with pid=2327



    In your /etc/apparmor.d/snap.uefi-fw-tools.fwupd add the following line (insert 2 spaces before /sys/.... !)



      /sys/devices/pci*/*/usb*/*/busnum rw,



  • Reload all apparmor profiles:



    sudo systemctl reload apparmor.service


    or if not started/enabled



    sudo systemctl enable apparmor.service
    sudo systemctl start apparmor.service


    You can prove the status with



    sudo systemctl status apparmor.service


    or



    sudo aa-status



  • I recommend to use



    sudo aa-complain /etc/apparmor.d/snap.uefi-fw-tools.fwupd


    This will made profile violations permitted and logged. Useful for testing and developing new profiles.
    Later you can set it to enforce with



    sudo aa-enforce /etc/apparmor.d/snap.uefi-fw-tools.fwupd








share|improve this answer














share|improve this answer



share|improve this answer








edited Oct 10 '18 at 11:10

























answered Oct 9 '18 at 14:28









abu_buaabu_bua

4,18981630




4,18981630













  • Thanks :) I've edited my initial question after trying out your suggestion.

    – Andrés García Mangas
    Oct 9 '18 at 15:50











  • what is the output of sudo aa-status

    – abu_bua
    Oct 9 '18 at 15:55











  • Did you installed sw from kvaser?

    – abu_bua
    Oct 9 '18 at 15:56











  • The output of aa-status is in this gist.

    – Andrés García Mangas
    Oct 9 '18 at 15:59











  • No, I didn't install the CANlib propietary drivers from Kvaser (I'm aware that those drivers blacklist socketcan). The built-in CAN drivers in the Linux Kernel should suffice.

    – Andrés García Mangas
    Oct 9 '18 at 16:00



















  • Thanks :) I've edited my initial question after trying out your suggestion.

    – Andrés García Mangas
    Oct 9 '18 at 15:50











  • what is the output of sudo aa-status

    – abu_bua
    Oct 9 '18 at 15:55











  • Did you installed sw from kvaser?

    – abu_bua
    Oct 9 '18 at 15:56











  • The output of aa-status is in this gist.

    – Andrés García Mangas
    Oct 9 '18 at 15:59











  • No, I didn't install the CANlib propietary drivers from Kvaser (I'm aware that those drivers blacklist socketcan). The built-in CAN drivers in the Linux Kernel should suffice.

    – Andrés García Mangas
    Oct 9 '18 at 16:00

















Thanks :) I've edited my initial question after trying out your suggestion.

– Andrés García Mangas
Oct 9 '18 at 15:50





Thanks :) I've edited my initial question after trying out your suggestion.

– Andrés García Mangas
Oct 9 '18 at 15:50













what is the output of sudo aa-status

– abu_bua
Oct 9 '18 at 15:55





what is the output of sudo aa-status

– abu_bua
Oct 9 '18 at 15:55













Did you installed sw from kvaser?

– abu_bua
Oct 9 '18 at 15:56





Did you installed sw from kvaser?

– abu_bua
Oct 9 '18 at 15:56













The output of aa-status is in this gist.

– Andrés García Mangas
Oct 9 '18 at 15:59





The output of aa-status is in this gist.

– Andrés García Mangas
Oct 9 '18 at 15:59













No, I didn't install the CANlib propietary drivers from Kvaser (I'm aware that those drivers blacklist socketcan). The built-in CAN drivers in the Linux Kernel should suffice.

– Andrés García Mangas
Oct 9 '18 at 16:00





No, I didn't install the CANlib propietary drivers from Kvaser (I'm aware that those drivers blacklist socketcan). The built-in CAN drivers in the Linux Kernel should suffice.

– Andrés García Mangas
Oct 9 '18 at 16:00


















draft saved

draft discarded




















































Thanks for contributing an answer to Ask Ubuntu!


  • Please be sure to answer the question. Provide details and share your research!

But avoid



  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.


To learn more, see our tips on writing great answers.




draft saved


draft discarded














StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f1082277%2fsocketcan-device-on-ubuntu-core%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown







Popular posts from this blog

GameSpot

日野市

Tu-95轟炸機