I'm currently trying to use a SocketCAN-enabled device (Kvaser USBcan Light 2xHS) on a Dell Edge Gateway 3002 running Ubuntu Core 16.

This CAN interface has been tested on Ubuntu Desktop successfully.

The CAN kernel modules are not loaded by default on Ubuntu Core 16, so my first step was to load them:

$ lsmod | grep can

can_gw                 20480  0

can_raw                20480  0

can_dev                24576  1 kvaser_usb

can                    45056  2 can_gw,can_raw

Connecting the CAN interface at this point should result in the creation of two new can interfaces (can0 and can1 by default). The problem is that those interfaces are nowhere to be found:

$ ip link show

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1

link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00

2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000

link/ether d8:9e:f3:9c:5f:9f brd ff:ff:ff:ff:ff:ff

3: eth1: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN mode DEFAULT group default qlen 1000

link/ether d8:9e:f3:9c:5f:a1 brd ff:ff:ff:ff:ff:ff

4: wwan0: <BROADCAST,MULTICAST,NOARP> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000

link/ether aa:c6:53:a2:73:a0 brd ff:ff:ff:ff:ff:ff

5: wlan0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN mode DORMANT group default qlen 1000

link/ether 00:23:a7:fa:99:68 brd ff:ff:ff:ff:ff:ff

6: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default

link/ether 02:42:57:84:86:f6 brd ff:ff:ff:ff:ff:ff

The output of dmesg shows that there was some kind of security issue. I'm not familiar with AppArmor so I'm not exactly sure if this has any relevance:

$ dmesg | tail -n15

[  515.224025] usb 1-1: new high-speed USB device number 6 using xhci_hcd

[  515.353111] usb 1-1: New USB device found, idVendor=0bfd, idProduct=0123

[  515.353122] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=0

[  515.353129] usb 1-1: Product: Kvaser USBcan Light

[  515.353134] usb 1-1: Manufacturer: Kvaser AB

[  515.368908] audit: type=1400 audit(1539088148.830:340): apparmor="DENIED" operation="open" profile="snap.uefi-fw-tools.fwupd" name="/sys/devices/pci0000:00/0000:00:14.0/usb1/1-1/busnum" pid=2327 comm="fwupd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 

Is there anyone with previous experience with SocketCAN devices on Ubuntu Core? Any directions on how to debug this?

Thanks!

EDIT 01

We've tried to stop the apparmor service:

# systemctl stop apparmor.service

# systemctl status apparmor.service

● apparmor.service - LSB: AppArmor initialization

   Loaded: loaded (/etc/init.d/apparmor; bad; vendor preset: enabled)

   Active: inactive (dead) since Tue 2018-10-09 15:40:17 UTC; 1s ago

     Docs: man:systemd-sysv-generator(8)

  Process: 4442 ExecStop=/etc/init.d/apparmor stop (code=exited, status=0/SUCCESS)

  Process: 2345 ExecStart=/etc/init.d/apparmor start (code=exited, status=0/SUCCESS)



Oct 09 15:40:17 ******* systemd[1]: Stopping LSB: AppArmor initialization...

Oct 09 15:40:17 ******* apparmor[4442]:  * Clearing AppArmor profiles cache

Oct 09 15:40:17 ******* apparmor[4442]:    ...done.

Oct 09 15:40:17 ******* apparmor[4442]: All profile caches have been cleared, but no profiles have been unloaded.

Oct 09 15:40:17 ******* apparmor[4442]: Unloading profiles will leave already running processes permanently

Oct 09 15:40:17 ******* apparmor[4442]: unconfined, which can lead to unexpected situations.

Oct 09 15:40:17 ******* apparmor[4442]: To set a process to complain mode, use the command line tool

Oct 09 15:40:17 ******* apparmor[4442]: 'aa-complain'. To really tear down all profiles, run the init script

Oct 09 15:40:17 ******* apparmor[4442]: with the 'teardown' option."

Oct 09 15:40:17 ******* systemd[1]: Stopped LSB: AppArmor initialization.

Curiously enough, the apparmor denial message is still appearing after connecting the USBcan device:

# dmesg | tail -n6

[ 1704.616028] usb 1-1: new high-speed USB device number 8 using xhci_hcd

[ 1704.744895] usb 1-1: New USB device found, idVendor=0bfd, idProduct=0123

[ 1704.744907] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=0

[ 1704.744913] usb 1-1: Product: Kvaser USBcan Light

[ 1704.744919] usb 1-1: Manufacturer: Kvaser AB

[ 1704.770397] audit: type=1400 audit(1539099996.288:134): apparmor="DENIED" operation="open" profile="snap.uefi-fw-tools.fwupd" name="/sys/devices/pci0000:00/0000:00:14.0/usb1/1-1/busnum" pid=4013 comm="fwupd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

I guess this has something to do with the inherent restrictions of Ubuntu Core.

EDIT 02

I'm afraid I can't use apt on Ubuntu Core and that there are no snaps for apparmor-utils. The aa-enforce and aa-complain commands are not recognized.

I did try to run systemctl disable apparmor.service and rebooting. After this, SSH access to the gateway was lost (it's a headless machine with no GPU) and I had to flash the OS image again. I wonder if this has something to do with Ubuntu Core requiring the apparmor service in order to work properly.

The uefi-fw-tools snap was installed by default on the Ubuntu Core image that came with the gateway.

I'll try to install the uefi-fw-tools snap in devmode to try to avoid any apparmor issues and post the results.

EDIT 03

After installing the uefi-fw-tools snap in devmode the AppArmor DENIED messages disappeared, although the SocketCAN interface still didn't appear when connecting the USBCan device.

I contacted Kvaser support and it seems that the USBcan Light is only supported on kernel >= 4.7, while the gateway is running 4.4. The minimum kernel as mentioned in the docs should be 3.2, but this specific model is not supported.

Thanks a lot anyway for your help in debugging AppArmor.

Don't forget to reboot after loading the kernels.

The standard command to configure a CAN bus interface is:

ip link set can0 type can bitrate 500000 listen-only on

This will set the bitrate of the can0 interface to 500 Kbps.
Now bring up the interface and start dumping frames:

ip link set can0 up

candump -cae can0,0:0,#FFFFFFFF

or do a

ip l sh

Regarding the apparmor message, I'm not sure - but you can try:

• 
  

  First I recommend to install apparmor-utils

  
  
  

  sudo apt install apparmor-utils
  
  

  
  


• 
  

  In your case profile="snap.uefi-fw-tools.fwupd" denies to operation="open" name="/sys/devices/pci0000:00/0000:00:14.0/usb1/1-1/busnum" with pid=2327

  
  
  

  In your /etc/apparmor.d/snap.uefi-fw-tools.fwupd add the following line (insert 2 spaces before /sys/.... !)

  
  
  

    /sys/devices/pci*/*/usb*/*/busnum rw,
  
  

  
  


• 
  

  Reload all apparmor profiles:

  
  
  

  sudo systemctl reload apparmor.service
  
  

  
  
  

  or if not started/enabled

  
  
  

  sudo systemctl enable apparmor.service
  
  sudo systemctl start apparmor.service
  
  

  
  
  

  You can prove the status with

  
  
  

  sudo systemctl status apparmor.service
  
  

  
  
  

  or

  
  
  

  sudo aa-status
  
  

  
  


• 
  

  I recommend to use

  
  
  

  sudo aa-complain /etc/apparmor.d/snap.uefi-fw-tools.fwupd
  
  

  
  
  

  This will made profile violations permitted and logged. Useful for testing and developing new profiles.
  Later you can set it to enforce with

  
  
  

  sudo aa-enforce /etc/apparmor.d/snap.uefi-fw-tools.fwupd