Request for Change to Apparmor setting
-
I'm developing a lightweight plugin to stream raspberry pi cameras via a url (piStream)
Apparmor blocks a vital part of the proceedings (3.5.0-rc.1). One of the underlying libraries needs access to /dev/media*.
There does not seem to be an sbcPermissions setting to accommodate this. As a workaround I manually edited /etc/apparmor.d/dsf.piStream to include
/dev/media* rwmlk,
Can the setting for webcamAccess be modified to include /dev/media (seems appropriate)? Or some other solution? Thanks in advance.
<snip>
  network,
  /dev/video* rwmlk,
  /dev/media* rwmlk,
  /usr/bin/libcamerify rm,
<snip>
My current sbcPermissions are:
"sbcPermissions": ["commandExecution", "objectModelReadWrite", "objectModelRead","networkAccess", "webcamAccess", "readSystem", "writeSystem", "fileSystemAccess","launchProcesses", "managePlugins"],
-
@stuartofmt What does /dev/media* expose?
-
@chrishamm said in Request for Change to Apparmor setting:
@stuartofmt What does /dev/media* expose?
It's one of the usual places (along with /dev/video) where camera device nodes are created. Specifically, the new (Bullseye) pi camera libraries use it for the pi native cameras. Of course other "media" devices may get a node in /dev/media (camera-microphone combos, microphones, tv tuners etc.)
I think the subtle distinction (by convention?) is that a device with a node in /dev/media can be interrogated via various APIs e.g. V4L2 and ALSA.
Here is the full dsf.piStream I am using. I did not add anything other than the one line /dev/media* rwmlk. As you can see the libcameraxx are already included. I'm actually using the picamera2 python module (but that calls the libcameraxx APIs).

pi@srsender:~ $ cat /etc/apparmor.d/dsf.piStream
# Last Modified: Thu Feb 17 11:26:25 2022
#include <tunables/global>
/opt/dsf/plugins/piStream/** {
  #include <abstractions/base>
  #include <abstractions/bash>
  #include <abstractions/python>
  #include <abstractions/user-tmp>
  #include <abstractions/nameservice>
  /usr/bin/python{2.[4-7],3.[0-9]} ix,
  /usr/local/lib{,32,64}/python{2.[4-7],3,3.[0-9]}/{site,dist}-packages/** r,
  /opt/vc/lib/** rm,
  capability dac_override,
  capability dac_read_search,
  capability sys_nice,
  /opt/dsf/bin/* rm,
  owner /opt/dsf/plugins/piStream/ r,
  owner /opt/dsf/plugins/piStream/** rwmlk,
  owner /proc/** rw,
  /sys/** r,
  /{,var/}run/dsf/** rw,
  /opt/dsf/plugins/ r,
  /opt/dsf/plugins/** rw,
  /opt/dsf/sd/sys/ r,
  /opt/dsf/sd/sys/** r,
  /opt/dsf/sd/sys/** wk,
  / rw,
  /** rw,
  /** mix,
  network,
  /dev/video* rwmlk,
  /dev/media* rwmlk,
  /usr/bin/libcamerify rm,
  /usr/share/libcamera/** r,
  /usr/libexec/libcamera/* rm,
}
-
@stuartofmt Okay thanks for the info. I will add this particular rule to v3.5.
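An added example to make the two posts above concrete; it is not code from the thread, from DSF or from the piStream plugin. It is a deliberately simplified matcher for AppArmor file rules (globbing, the rwmlk and ix permission letters, the owner qualifier, and the fact that matching rules accumulate) run over a subset of the dsf.piStream rules quoted above, embedded as constructed sample input. It answers the question the workaround raises: what does `/dev/media* rwmlk,` actually add when the same profile already carries `/** rw,` and `/** mix,`? Real AppArmor has more (deny rules, exec transitions, abstractions), so treat this as an illustration of the rule semantics, not as a replacement for aa-logprof or the kernel's own decision.

```python
# Added example, not code from the thread or from DSF: a simplified matcher for
# AppArmor file rules, run over a subset of the dsf.piStream rules posted above,
# to show what "/dev/media* rwmlk," adds beyond the catch-all "/** rw," and "/** mix,".
# Only file rules are modelled; #include, capability and network lines are ignored.
from __future__ import annotations
import re

EXEC_QUALIFIERS = "iPpUuCc"  # ix/Px/Ux/Cx exec modes are two letters
SINGLE_LETTERS = "rwmlk"     # read, write, mmap-exec, link, lock
RULE_RE = re.compile(r"^\s*(owner\s+)?(/\S*)\s+([A-Za-z]+)\s*,\s*$")


def glob_to_regex(glob: str) -> re.Pattern:
    """AppArmor globbing: ** crosses '/', * does not, {a,b} alternates, [..] passes through."""
    out, i, depth = [], 0, 0
    while i < len(glob):
        c = glob[i]
        if glob.startswith("**", i):
            out.append(".*")
            i += 2
            continue
        if c == "*":
            out.append("[^/]*")
        elif c == "[":
            j = glob.index("]", i)
            out.append(glob[i:j + 1])
            i = j
        elif c == "{":
            out.append("(?:")
            depth += 1
        elif c == "}" and depth:
            out.append(")")
            depth -= 1
        elif c == "," and depth:
            out.append("|")
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("^" + "".join(out) + "$")


def parse_mode(mode: str) -> frozenset:
    """'rwmlk' -> {r,w,m,l,k}; 'mix' -> {m, ix}."""
    perms, i = set(), 0
    while i < len(mode):
        if mode[i] in EXEC_QUALIFIERS and mode[i + 1:i + 2] == "x":
            perms.add(mode[i:i + 2])
            i += 2
        elif mode[i] in SINGLE_LETTERS:
            perms.add(mode[i])
            i += 1
        else:
            raise ValueError(f"unsupported permission {mode[i]!r} in {mode!r}")
    return frozenset(perms)


def parse_profile(text: str) -> list:
    """Return (regex, perms, owner_only) per file rule; every other line is ignored."""
    rules = []
    for m in filter(None, map(RULE_RE.match, text.splitlines())):
        owner, glob, mode = m.groups()
        rules.append((glob_to_regex(glob), parse_mode(mode), bool(owner)))
    return rules


def perms_for(rules: list, path: str, as_owner: bool = True) -> frozenset:
    """AppArmor rules accumulate: the result is the union over every matching rule."""
    granted = set()
    for regex, perms, owner_only in rules:
        if regex.match(path) and (as_owner or not owner_only):
            granted |= perms
    return frozenset(granted)


def drop_rule(text: str, glob: str) -> str:
    """Profile text without the rule(s) for `glob`, to see what that rule contributed."""
    return "\n".join(l for l in text.splitlines() if not l.strip().startswith(glob + " "))


# Constructed sample input: a subset of the rules from the dsf.piStream profile posted above.
PROFILE = """\
/opt/dsf/plugins/piStream/** {
  #include <abstractions/base>
  /usr/bin/python{2.[4-7],3.[0-9]} ix,
  capability dac_override,
  owner /opt/dsf/plugins/piStream/** rwmlk,
  /opt/dsf/plugins/** rw,
  / rw,
  /** rw,
  /** mix,
  network,
  /dev/video* rwmlk,
  /dev/media* rwmlk,
  /usr/bin/libcamerify rm,
}
"""

if __name__ == "__main__":
    full = parse_profile(PROFILE)
    trimmed = parse_profile(drop_rule(PROFILE, "/dev/media*"))
    for path in ("/dev/media0", "/dev/video0", "/etc/shadow"):
        have, without = perms_for(full, path), perms_for(trimmed, path)
        print(f"{path:12} {' '.join(sorted(have)):18} from media rule: {' '.join(sorted(have - without)) or '-'}")
```

Running it shows that, on this profile, `/** rw,` and `/** mix,` already grant read, write, mmap and exec on every path (including /etc/shadow), so the only permissions the `/dev/media*` line contributes are link (`l`) and lock (`k`). That suggests the operation AppArmor was denying was a lock or link on the media node rather than an open for reading or writing; that is an inference from the rule set as posted, not something the thread confirms, and the way to confirm it on a real system is the `apparmor="DENIED"` line in the kernel log, whose `requested_mask` names the exact permission.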