SocketCAN device on Ubuntu Core The 2019 Stack Overflow Developer Survey Results Are InWireless failed after ubuntu 12.04 updatingWifi issue. Dell Latitude E6400 Ubuntu 12.04What is Ubuntu Core?How are the Ubuntu Core rootfs built?What is Snappy Ubuntu Core?Wifi broadcom, ubuntu 14.04 , Dell Vostro - still diconnecting -need helpOS upgrade from Ubuntu Core 15.04 to Ubuntu Core 16.04 supportUbuntu Core 16 GUI?Editing rc.local for Ubuntu CoreUbuntu-core image for ONIE

What is the best strategy for white in this position?

Deadlock Graph and Interpretation, solution to avoid

How was Skylab's orbit inclination chosen?

Can't find the latex code for the ⍎ (down tack jot) symbol

The difference between dialogue marks

How long do I have to send payment?

What is a mixture ratio of propellant?

Why is the maximum length of openwrt’s root password 8 characters?

Access elements in std::string where positon of string is greater than its size

I see my dog run

Is three citations per paragraph excessive for undergraduate research paper?

Should I use my personal or workplace e-mail when registering to external websites for work purpose?

How to reverse every other sublist of a list?

What could be the right powersource for 15 seconds lifespan disposable giant chainsaw?

Why can Shazam do this?

Why isn't airport relocation done gradually?

is usb on wall sockets live all the time with out switches off

Idiomatic way to prevent slicing?

If a poisoned arrow's piercing damage is reduced to 0, do you still get poisoned?

Limit the amount of RAM Mathematica may access?

Does duplicating a spell with wish count as casting that spell?

In microwave frequencies, do you use a circulator when you need a (near) perfect diode?

A poker game description that does not feel gimmicky

What does "rabbited" mean/imply in this sentence?

SocketCAN device on Ubuntu Core

The 2019 Stack Overflow Developer Survey Results Are InWireless failed after ubuntu 12.04 updatingWifi issue. Dell Latitude E6400 Ubuntu 12.04What is Ubuntu Core?How are the Ubuntu Core rootfs built?What is Snappy Ubuntu Core?Wifi broadcom, ubuntu 14.04 , Dell Vostro - still diconnecting -need helpOS upgrade from Ubuntu Core 15.04 to Ubuntu Core 16.04 supportUbuntu Core 16 GUI?Editing rc.local for Ubuntu CoreUbuntu-core image for ONIE

.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty margin-bottom:0;

I'm currently trying to use a SocketCAN-enabled device (Kvaser USBcan Light 2xHS) on a Dell Edge Gateway 3002 running Ubuntu Core 16.

This CAN interface has been tested on Ubuntu Desktop successfully.

The CAN kernel modules are not loaded by default on Ubuntu Core 16, so my first step was to load them:

$ lsmod | grep can
can_gw 20480 0
can_raw 20480 0
can_dev 24576 1 kvaser_usb
can 45056 2 can_gw,can_raw

Connecting the CAN interface at this point should result in the creation of two new can interfaces (can0 and can1 by default). The problem is that those interfaces are nowhere to be found:

$ ip link show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
link/ether d8:9e:f3:9c:5f:9f brd ff:ff:ff:ff:ff:ff
3: eth1: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN mode DEFAULT group default qlen 1000
link/ether d8:9e:f3:9c:5f:a1 brd ff:ff:ff:ff:ff:ff
4: wwan0: <BROADCAST,MULTICAST,NOARP> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
link/ether aa:c6:53:a2:73:a0 brd ff:ff:ff:ff:ff:ff
5: wlan0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN mode DORMANT group default qlen 1000
link/ether 00:23:a7:fa:99:68 brd ff:ff:ff:ff:ff:ff
6: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default
link/ether 02:42:57:84:86:f6 brd ff:ff:ff:ff:ff:ff

The output of dmesg shows that there was some kind of security issue. I'm not familiar with AppArmor so I'm not exactly sure if this has any relevance:

$ dmesg | tail -n15
[ 515.224025] usb 1-1: new high-speed USB device number 6 using xhci_hcd
[ 515.353111] usb 1-1: New USB device found, idVendor=0bfd, idProduct=0123
[ 515.353122] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[ 515.353129] usb 1-1: Product: Kvaser USBcan Light
[ 515.353134] usb 1-1: Manufacturer: Kvaser AB
[ 515.368908] audit: type=1400 audit(1539088148.830:340): apparmor="DENIED" operation="open" profile="snap.uefi-fw-tools.fwupd" name="/sys/devices/pci0000:00/0000:00:14.0/usb1/1-1/busnum" pid=2327 comm="fwupd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

Is there anyone with previous experience with SocketCAN devices on Ubuntu Core? Any directions on how to debug this?

Thanks!

EDIT 01

We've tried to stop the apparmor service:

# systemctl stop apparmor.service
# systemctl status apparmor.service
● apparmor.service - LSB: AppArmor initialization
 Loaded: loaded (/etc/init.d/apparmor; bad; vendor preset: enabled)
 Active: inactive (dead) since Tue 2018-10-09 15:40:17 UTC; 1s ago
 Docs: man:systemd-sysv-generator(8)
 Process: 4442 ExecStop=/etc/init.d/apparmor stop (code=exited, status=0/SUCCESS)
 Process: 2345 ExecStart=/etc/init.d/apparmor start (code=exited, status=0/SUCCESS)

Oct 09 15:40:17 ******* systemd[1]: Stopping LSB: AppArmor initialization...
Oct 09 15:40:17 ******* apparmor[4442]: * Clearing AppArmor profiles cache
Oct 09 15:40:17 ******* apparmor[4442]: ...done.
Oct 09 15:40:17 ******* apparmor[4442]: All profile caches have been cleared, but no profiles have been unloaded.
Oct 09 15:40:17 ******* apparmor[4442]: Unloading profiles will leave already running processes permanently
Oct 09 15:40:17 ******* apparmor[4442]: unconfined, which can lead to unexpected situations.
Oct 09 15:40:17 ******* apparmor[4442]: To set a process to complain mode, use the command line tool
Oct 09 15:40:17 ******* apparmor[4442]: 'aa-complain'. To really tear down all profiles, run the init script
Oct 09 15:40:17 ******* apparmor[4442]: with the 'teardown' option."
Oct 09 15:40:17 ******* systemd[1]: Stopped LSB: AppArmor initialization.

Curiously enough, the apparmor denial message is still appearing after connecting the USBcan device:

# dmesg | tail -n6
[ 1704.616028] usb 1-1: new high-speed USB device number 8 using xhci_hcd
[ 1704.744895] usb 1-1: New USB device found, idVendor=0bfd, idProduct=0123
[ 1704.744907] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[ 1704.744913] usb 1-1: Product: Kvaser USBcan Light
[ 1704.744919] usb 1-1: Manufacturer: Kvaser AB
[ 1704.770397] audit: type=1400 audit(1539099996.288:134): apparmor="DENIED" operation="open" profile="snap.uefi-fw-tools.fwupd" name="/sys/devices/pci0000:00/0000:00:14.0/usb1/1-1/busnum" pid=4013 comm="fwupd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

I guess this has something to do with the inherent restrictions of Ubuntu Core.

EDIT 02

I'm afraid I can't use apt on Ubuntu Core and that there are no snaps for apparmor-utils. The aa-enforce and aa-complain commands are not recognized.

I did try to run systemctl disable apparmor.service and rebooting. After this, SSH access to the gateway was lost (it's a headless machine with no GPU) and I had to flash the OS image again. I wonder if this has something to do with Ubuntu Core requiring the apparmor service in order to work properly.

The uefi-fw-tools snap was installed by default on the Ubuntu Core image that came with the gateway.

I'll try to install the uefi-fw-tools snap in devmode to try to avoid any apparmor issues and post the results.

EDIT 03

After installing the uefi-fw-tools snap in devmode the AppArmor DENIED messages disappeared, although the SocketCAN interface still didn't appear when connecting the USBCan device.

I contacted Kvaser support and it seems that the USBcan Light is only supported on kernel >= 4.7, while the gateway is running 4.4. The minimum kernel as mentioned in the docs should be 3.2, but this specific model is not supported.

Thanks a lot anyway for your help in debugging AppArmor.

edited Oct 10 '18 at 10:21

asked Oct 9 '18 at 12:37

Andrés García Mangas

Please post cat /etc/apparmor.d/snap.uefi-fw-tools.fwupd

– abu_bua
Oct 9 '18 at 16:39

Why did you installed the snap uefi-fw-tools?

– abu_bua
Oct 9 '18 at 16:54

add a comment |

I'm currently trying to use a SocketCAN-enabled device (Kvaser USBcan Light 2xHS) on a Dell Edge Gateway 3002 running Ubuntu Core 16.

This CAN interface has been tested on Ubuntu Desktop successfully.

The CAN kernel modules are not loaded by default on Ubuntu Core 16, so my first step was to load them:

$ lsmod | grep can
can_gw 20480 0
can_raw 20480 0
can_dev 24576 1 kvaser_usb
can 45056 2 can_gw,can_raw

Connecting the CAN interface at this point should result in the creation of two new can interfaces (can0 and can1 by default). The problem is that those interfaces are nowhere to be found:

$ ip link show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
link/ether d8:9e:f3:9c:5f:9f brd ff:ff:ff:ff:ff:ff
3: eth1: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN mode DEFAULT group default qlen 1000
link/ether d8:9e:f3:9c:5f:a1 brd ff:ff:ff:ff:ff:ff
4: wwan0: <BROADCAST,MULTICAST,NOARP> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
link/ether aa:c6:53:a2:73:a0 brd ff:ff:ff:ff:ff:ff
5: wlan0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN mode DORMANT group default qlen 1000
link/ether 00:23:a7:fa:99:68 brd ff:ff:ff:ff:ff:ff
6: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default
link/ether 02:42:57:84:86:f6 brd ff:ff:ff:ff:ff:ff

The output of dmesg shows that there was some kind of security issue. I'm not familiar with AppArmor so I'm not exactly sure if this has any relevance:

$ dmesg | tail -n15
[ 515.224025] usb 1-1: new high-speed USB device number 6 using xhci_hcd
[ 515.353111] usb 1-1: New USB device found, idVendor=0bfd, idProduct=0123
[ 515.353122] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[ 515.353129] usb 1-1: Product: Kvaser USBcan Light
[ 515.353134] usb 1-1: Manufacturer: Kvaser AB
[ 515.368908] audit: type=1400 audit(1539088148.830:340): apparmor="DENIED" operation="open" profile="snap.uefi-fw-tools.fwupd" name="/sys/devices/pci0000:00/0000:00:14.0/usb1/1-1/busnum" pid=2327 comm="fwupd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

Is there anyone with previous experience with SocketCAN devices on Ubuntu Core? Any directions on how to debug this?

Thanks!

EDIT 01

We've tried to stop the apparmor service:

# systemctl stop apparmor.service
# systemctl status apparmor.service
● apparmor.service - LSB: AppArmor initialization
 Loaded: loaded (/etc/init.d/apparmor; bad; vendor preset: enabled)
 Active: inactive (dead) since Tue 2018-10-09 15:40:17 UTC; 1s ago
 Docs: man:systemd-sysv-generator(8)
 Process: 4442 ExecStop=/etc/init.d/apparmor stop (code=exited, status=0/SUCCESS)
 Process: 2345 ExecStart=/etc/init.d/apparmor start (code=exited, status=0/SUCCESS)

Oct 09 15:40:17 ******* systemd[1]: Stopping LSB: AppArmor initialization...
Oct 09 15:40:17 ******* apparmor[4442]: * Clearing AppArmor profiles cache
Oct 09 15:40:17 ******* apparmor[4442]: ...done.
Oct 09 15:40:17 ******* apparmor[4442]: All profile caches have been cleared, but no profiles have been unloaded.
Oct 09 15:40:17 ******* apparmor[4442]: Unloading profiles will leave already running processes permanently
Oct 09 15:40:17 ******* apparmor[4442]: unconfined, which can lead to unexpected situations.
Oct 09 15:40:17 ******* apparmor[4442]: To set a process to complain mode, use the command line tool
Oct 09 15:40:17 ******* apparmor[4442]: 'aa-complain'. To really tear down all profiles, run the init script
Oct 09 15:40:17 ******* apparmor[4442]: with the 'teardown' option."
Oct 09 15:40:17 ******* systemd[1]: Stopped LSB: AppArmor initialization.

Curiously enough, the apparmor denial message is still appearing after connecting the USBcan device:

# dmesg | tail -n6
[ 1704.616028] usb 1-1: new high-speed USB device number 8 using xhci_hcd
[ 1704.744895] usb 1-1: New USB device found, idVendor=0bfd, idProduct=0123
[ 1704.744907] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[ 1704.744913] usb 1-1: Product: Kvaser USBcan Light
[ 1704.744919] usb 1-1: Manufacturer: Kvaser AB
[ 1704.770397] audit: type=1400 audit(1539099996.288:134): apparmor="DENIED" operation="open" profile="snap.uefi-fw-tools.fwupd" name="/sys/devices/pci0000:00/0000:00:14.0/usb1/1-1/busnum" pid=4013 comm="fwupd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

I guess this has something to do with the inherent restrictions of Ubuntu Core.

EDIT 02

I'm afraid I can't use apt on Ubuntu Core and that there are no snaps for apparmor-utils. The aa-enforce and aa-complain commands are not recognized.

The uefi-fw-tools snap was installed by default on the Ubuntu Core image that came with the gateway.

I'll try to install the uefi-fw-tools snap in devmode to try to avoid any apparmor issues and post the results.

EDIT 03

After installing the uefi-fw-tools snap in devmode the AppArmor DENIED messages disappeared, although the SocketCAN interface still didn't appear when connecting the USBCan device.

Thanks a lot anyway for your help in debugging AppArmor.

edited Oct 10 '18 at 10:21

asked Oct 9 '18 at 12:37

Andrés García Mangas

Please post cat /etc/apparmor.d/snap.uefi-fw-tools.fwupd

– abu_bua
Oct 9 '18 at 16:39

Why did you installed the snap uefi-fw-tools?

– abu_bua
Oct 9 '18 at 16:54

add a comment |

I'm currently trying to use a SocketCAN-enabled device (Kvaser USBcan Light 2xHS) on a Dell Edge Gateway 3002 running Ubuntu Core 16.

This CAN interface has been tested on Ubuntu Desktop successfully.

The CAN kernel modules are not loaded by default on Ubuntu Core 16, so my first step was to load them:

$ lsmod | grep can
can_gw 20480 0
can_raw 20480 0
can_dev 24576 1 kvaser_usb
can 45056 2 can_gw,can_raw

Connecting the CAN interface at this point should result in the creation of two new can interfaces (can0 and can1 by default). The problem is that those interfaces are nowhere to be found:

$ ip link show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
link/ether d8:9e:f3:9c:5f:9f brd ff:ff:ff:ff:ff:ff
3: eth1: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN mode DEFAULT group default qlen 1000
link/ether d8:9e:f3:9c:5f:a1 brd ff:ff:ff:ff:ff:ff
4: wwan0: <BROADCAST,MULTICAST,NOARP> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
link/ether aa:c6:53:a2:73:a0 brd ff:ff:ff:ff:ff:ff
5: wlan0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN mode DORMANT group default qlen 1000
link/ether 00:23:a7:fa:99:68 brd ff:ff:ff:ff:ff:ff
6: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default
link/ether 02:42:57:84:86:f6 brd ff:ff:ff:ff:ff:ff

The output of dmesg shows that there was some kind of security issue. I'm not familiar with AppArmor so I'm not exactly sure if this has any relevance:

$ dmesg | tail -n15
[ 515.224025] usb 1-1: new high-speed USB device number 6 using xhci_hcd
[ 515.353111] usb 1-1: New USB device found, idVendor=0bfd, idProduct=0123
[ 515.353122] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[ 515.353129] usb 1-1: Product: Kvaser USBcan Light
[ 515.353134] usb 1-1: Manufacturer: Kvaser AB
[ 515.368908] audit: type=1400 audit(1539088148.830:340): apparmor="DENIED" operation="open" profile="snap.uefi-fw-tools.fwupd" name="/sys/devices/pci0000:00/0000:00:14.0/usb1/1-1/busnum" pid=2327 comm="fwupd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

Is there anyone with previous experience with SocketCAN devices on Ubuntu Core? Any directions on how to debug this?

Thanks!

EDIT 01

We've tried to stop the apparmor service:

# systemctl stop apparmor.service
# systemctl status apparmor.service
● apparmor.service - LSB: AppArmor initialization
 Loaded: loaded (/etc/init.d/apparmor; bad; vendor preset: enabled)
 Active: inactive (dead) since Tue 2018-10-09 15:40:17 UTC; 1s ago
 Docs: man:systemd-sysv-generator(8)
 Process: 4442 ExecStop=/etc/init.d/apparmor stop (code=exited, status=0/SUCCESS)
 Process: 2345 ExecStart=/etc/init.d/apparmor start (code=exited, status=0/SUCCESS)

Oct 09 15:40:17 ******* systemd[1]: Stopping LSB: AppArmor initialization...
Oct 09 15:40:17 ******* apparmor[4442]: * Clearing AppArmor profiles cache
Oct 09 15:40:17 ******* apparmor[4442]: ...done.
Oct 09 15:40:17 ******* apparmor[4442]: All profile caches have been cleared, but no profiles have been unloaded.
Oct 09 15:40:17 ******* apparmor[4442]: Unloading profiles will leave already running processes permanently
Oct 09 15:40:17 ******* apparmor[4442]: unconfined, which can lead to unexpected situations.
Oct 09 15:40:17 ******* apparmor[4442]: To set a process to complain mode, use the command line tool
Oct 09 15:40:17 ******* apparmor[4442]: 'aa-complain'. To really tear down all profiles, run the init script
Oct 09 15:40:17 ******* apparmor[4442]: with the 'teardown' option."
Oct 09 15:40:17 ******* systemd[1]: Stopped LSB: AppArmor initialization.

Curiously enough, the apparmor denial message is still appearing after connecting the USBcan device:

# dmesg | tail -n6
[ 1704.616028] usb 1-1: new high-speed USB device number 8 using xhci_hcd
[ 1704.744895] usb 1-1: New USB device found, idVendor=0bfd, idProduct=0123
[ 1704.744907] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[ 1704.744913] usb 1-1: Product: Kvaser USBcan Light
[ 1704.744919] usb 1-1: Manufacturer: Kvaser AB
[ 1704.770397] audit: type=1400 audit(1539099996.288:134): apparmor="DENIED" operation="open" profile="snap.uefi-fw-tools.fwupd" name="/sys/devices/pci0000:00/0000:00:14.0/usb1/1-1/busnum" pid=4013 comm="fwupd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

I guess this has something to do with the inherent restrictions of Ubuntu Core.

EDIT 02

I'm afraid I can't use apt on Ubuntu Core and that there are no snaps for apparmor-utils. The aa-enforce and aa-complain commands are not recognized.

The uefi-fw-tools snap was installed by default on the Ubuntu Core image that came with the gateway.

I'll try to install the uefi-fw-tools snap in devmode to try to avoid any apparmor issues and post the results.

EDIT 03

After installing the uefi-fw-tools snap in devmode the AppArmor DENIED messages disappeared, although the SocketCAN interface still didn't appear when connecting the USBCan device.

Thanks a lot anyway for your help in debugging AppArmor.

edited Oct 10 '18 at 10:21

asked Oct 9 '18 at 12:37

Andrés García Mangas

I'm currently trying to use a SocketCAN-enabled device (Kvaser USBcan Light 2xHS) on a Dell Edge Gateway 3002 running Ubuntu Core 16.

This CAN interface has been tested on Ubuntu Desktop successfully.

The CAN kernel modules are not loaded by default on Ubuntu Core 16, so my first step was to load them:

$ lsmod | grep can
can_gw 20480 0
can_raw 20480 0
can_dev 24576 1 kvaser_usb
can 45056 2 can_gw,can_raw

Connecting the CAN interface at this point should result in the creation of two new can interfaces (can0 and can1 by default). The problem is that those interfaces are nowhere to be found:

$ ip link show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
link/ether d8:9e:f3:9c:5f:9f brd ff:ff:ff:ff:ff:ff
3: eth1: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN mode DEFAULT group default qlen 1000
link/ether d8:9e:f3:9c:5f:a1 brd ff:ff:ff:ff:ff:ff
4: wwan0: <BROADCAST,MULTICAST,NOARP> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
link/ether aa:c6:53:a2:73:a0 brd ff:ff:ff:ff:ff:ff
5: wlan0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN mode DORMANT group default qlen 1000
link/ether 00:23:a7:fa:99:68 brd ff:ff:ff:ff:ff:ff
6: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default
link/ether 02:42:57:84:86:f6 brd ff:ff:ff:ff:ff:ff

The output of dmesg shows that there was some kind of security issue. I'm not familiar with AppArmor so I'm not exactly sure if this has any relevance:

$ dmesg | tail -n15
[ 515.224025] usb 1-1: new high-speed USB device number 6 using xhci_hcd
[ 515.353111] usb 1-1: New USB device found, idVendor=0bfd, idProduct=0123
[ 515.353122] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[ 515.353129] usb 1-1: Product: Kvaser USBcan Light
[ 515.353134] usb 1-1: Manufacturer: Kvaser AB
[ 515.368908] audit: type=1400 audit(1539088148.830:340): apparmor="DENIED" operation="open" profile="snap.uefi-fw-tools.fwupd" name="/sys/devices/pci0000:00/0000:00:14.0/usb1/1-1/busnum" pid=2327 comm="fwupd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

Is there anyone with previous experience with SocketCAN devices on Ubuntu Core? Any directions on how to debug this?

Thanks!

EDIT 01

We've tried to stop the apparmor service:

# systemctl stop apparmor.service
# systemctl status apparmor.service
● apparmor.service - LSB: AppArmor initialization
 Loaded: loaded (/etc/init.d/apparmor; bad; vendor preset: enabled)
 Active: inactive (dead) since Tue 2018-10-09 15:40:17 UTC; 1s ago
 Docs: man:systemd-sysv-generator(8)
 Process: 4442 ExecStop=/etc/init.d/apparmor stop (code=exited, status=0/SUCCESS)
 Process: 2345 ExecStart=/etc/init.d/apparmor start (code=exited, status=0/SUCCESS)

Oct 09 15:40:17 ******* systemd[1]: Stopping LSB: AppArmor initialization...
Oct 09 15:40:17 ******* apparmor[4442]: * Clearing AppArmor profiles cache
Oct 09 15:40:17 ******* apparmor[4442]: ...done.
Oct 09 15:40:17 ******* apparmor[4442]: All profile caches have been cleared, but no profiles have been unloaded.
Oct 09 15:40:17 ******* apparmor[4442]: Unloading profiles will leave already running processes permanently
Oct 09 15:40:17 ******* apparmor[4442]: unconfined, which can lead to unexpected situations.
Oct 09 15:40:17 ******* apparmor[4442]: To set a process to complain mode, use the command line tool
Oct 09 15:40:17 ******* apparmor[4442]: 'aa-complain'. To really tear down all profiles, run the init script
Oct 09 15:40:17 ******* apparmor[4442]: with the 'teardown' option."
Oct 09 15:40:17 ******* systemd[1]: Stopped LSB: AppArmor initialization.

Curiously enough, the apparmor denial message is still appearing after connecting the USBcan device:

# dmesg | tail -n6
[ 1704.616028] usb 1-1: new high-speed USB device number 8 using xhci_hcd
[ 1704.744895] usb 1-1: New USB device found, idVendor=0bfd, idProduct=0123
[ 1704.744907] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[ 1704.744913] usb 1-1: Product: Kvaser USBcan Light
[ 1704.744919] usb 1-1: Manufacturer: Kvaser AB
[ 1704.770397] audit: type=1400 audit(1539099996.288:134): apparmor="DENIED" operation="open" profile="snap.uefi-fw-tools.fwupd" name="/sys/devices/pci0000:00/0000:00:14.0/usb1/1-1/busnum" pid=4013 comm="fwupd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

I guess this has something to do with the inherent restrictions of Ubuntu Core.

EDIT 02

I'm afraid I can't use apt on Ubuntu Core and that there are no snaps for apparmor-utils. The aa-enforce and aa-complain commands are not recognized.

The uefi-fw-tools snap was installed by default on the Ubuntu Core image that came with the gateway.

I'll try to install the uefi-fw-tools snap in devmode to try to avoid any apparmor issues and post the results.

EDIT 03

After installing the uefi-fw-tools snap in devmode the AppArmor DENIED messages disappeared, although the SocketCAN interface still didn't appear when connecting the USBCan device.

Thanks a lot anyway for your help in debugging AppArmor.

dell ubuntu-core

edited Oct 10 '18 at 10:21

asked Oct 9 '18 at 12:37

Andrés García Mangas

edited Oct 10 '18 at 10:21

asked Oct 9 '18 at 12:37

Andrés García Mangas

edited Oct 10 '18 at 10:21

asked Oct 9 '18 at 12:37

Andrés García Mangas

asked Oct 9 '18 at 12:37

Andrés García Mangas

asked Oct 9 '18 at 12:37

Andrés García Mangas

Please post cat /etc/apparmor.d/snap.uefi-fw-tools.fwupd

– abu_bua
Oct 9 '18 at 16:39

Why did you installed the snap uefi-fw-tools?

– abu_bua
Oct 9 '18 at 16:54

add a comment |

Please post cat /etc/apparmor.d/snap.uefi-fw-tools.fwupd

– abu_bua
Oct 9 '18 at 16:39

Why did you installed the snap uefi-fw-tools?

– abu_bua
Oct 9 '18 at 16:54

Please post cat /etc/apparmor.d/snap.uefi-fw-tools.fwupd

– abu_bua
Oct 9 '18 at 16:39

Why did you installed the snap uefi-fw-tools?

– abu_bua
Oct 9 '18 at 16:54

add a comment |

2 Answers
2

active

oldest

votes

Don't forget to reboot after loading the kernels.

The standard command to configure a CAN bus interface is:

ip link set can0 type can bitrate 500000 listen-only on

This will set the bitrate of the can0 interface to 500 Kbps.
Now bring up the interface and start dumping frames:

ip link set can0 up
candump -cae can0,0:0,#FFFFFFFF

or do a

ip l sh

Regarding the apparmor message, I'm not sure - but you can try:

First I recommend to install apparmor-utils
```
sudo apt install apparmor-utils
```

In your case profile="snap.uefi-fw-tools.fwupd" denies to operation="open" name="/sys/devices/pci0000:00/0000:00:14.0/usb1/1-1/busnum" with pid=2327

In your /etc/apparmor.d/snap.uefi-fw-tools.fwupd add the following line (insert 2 spaces before /sys/.... !)
```
 /sys/devices/pci*/*/usb*/*/busnum rw,
```

Reload all apparmor profiles:

sudo systemctl reload apparmor.service

or if not started/enabled

sudo systemctl enable apparmor.service
sudo systemctl start apparmor.service

You can prove the status with

sudo systemctl status apparmor.service

sudo aa-status

I recommend to use
```
sudo aa-complain /etc/apparmor.d/snap.uefi-fw-tools.fwupd
```
This will made profile violations permitted and logged. Useful for testing and developing new profiles.
Later you can set it to enforce with
```
sudo aa-enforce /etc/apparmor.d/snap.uefi-fw-tools.fwupd
```

edited Oct 10 '18 at 11:10

answered Oct 9 '18 at 14:28

abu_bua

4,17981630

Thanks :) I've edited my initial question after trying out your suggestion.

– Andrés García Mangas
Oct 9 '18 at 15:50

what is the output of sudo aa-status

– abu_bua
Oct 9 '18 at 15:55

Did you installed sw from kvaser?

– abu_bua
Oct 9 '18 at 15:56

The output of aa-status is in this gist.

– Andrés García Mangas
Oct 9 '18 at 15:59

No, I didn't install the CANlib propietary drivers from Kvaser (I'm aware that those drivers blacklist socketcan). The built-in CAN drivers in the Linux Kernel should suffice.

– Andrés García Mangas
Oct 9 '18 at 16:00

|
show 1 more comment

-2

Please send me an email with your contact details. I would like to team up, exchange experience with you on CAN Interface on Dell Edge Gateway 3002.

Thanks.

edited 3 hours ago

guntbert

9,506133170

answered 4 hours ago

Bjørn Tore Garderhagen

New contributor

add a comment |

Your Answer

StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "89"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);

);

draft saved

draft discarded

StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f1082277%2fsocketcan-device-on-ubuntu-core%23new-answer', 'question_page');

);

Post as a guest

Name

Required, but never shown

2 Answers
2

active

oldest

votes

2 Answers
2

active

oldest

votes

Don't forget to reboot after loading the kernels.

The standard command to configure a CAN bus interface is:

ip link set can0 type can bitrate 500000 listen-only on

This will set the bitrate of the can0 interface to 500 Kbps.
Now bring up the interface and start dumping frames:

ip link set can0 up
candump -cae can0,0:0,#FFFFFFFF

or do a

ip l sh

Regarding the apparmor message, I'm not sure - but you can try:

First I recommend to install apparmor-utils
```
sudo apt install apparmor-utils
```

In your case profile="snap.uefi-fw-tools.fwupd" denies to operation="open" name="/sys/devices/pci0000:00/0000:00:14.0/usb1/1-1/busnum" with pid=2327

In your /etc/apparmor.d/snap.uefi-fw-tools.fwupd add the following line (insert 2 spaces before /sys/.... !)
```
 /sys/devices/pci*/*/usb*/*/busnum rw,
```

Reload all apparmor profiles:

sudo systemctl reload apparmor.service

or if not started/enabled

sudo systemctl enable apparmor.service
sudo systemctl start apparmor.service

You can prove the status with

sudo systemctl status apparmor.service

sudo aa-status

I recommend to use
```
sudo aa-complain /etc/apparmor.d/snap.uefi-fw-tools.fwupd
```
This will made profile violations permitted and logged. Useful for testing and developing new profiles.
Later you can set it to enforce with
```
sudo aa-enforce /etc/apparmor.d/snap.uefi-fw-tools.fwupd
```

edited Oct 10 '18 at 11:10

answered Oct 9 '18 at 14:28

abu_bua

4,17981630

Thanks :) I've edited my initial question after trying out your suggestion.

– Andrés García Mangas
Oct 9 '18 at 15:50

what is the output of sudo aa-status

– abu_bua
Oct 9 '18 at 15:55

Did you installed sw from kvaser?

– abu_bua
Oct 9 '18 at 15:56

The output of aa-status is in this gist.

– Andrés García Mangas
Oct 9 '18 at 15:59

No, I didn't install the CANlib propietary drivers from Kvaser (I'm aware that those drivers blacklist socketcan). The built-in CAN drivers in the Linux Kernel should suffice.

– Andrés García Mangas
Oct 9 '18 at 16:00

|
show 1 more comment

Don't forget to reboot after loading the kernels.

The standard command to configure a CAN bus interface is:

ip link set can0 type can bitrate 500000 listen-only on

This will set the bitrate of the can0 interface to 500 Kbps.
Now bring up the interface and start dumping frames:

ip link set can0 up
candump -cae can0,0:0,#FFFFFFFF

or do a

ip l sh

Regarding the apparmor message, I'm not sure - but you can try:

First I recommend to install apparmor-utils
```
sudo apt install apparmor-utils
```

In your case profile="snap.uefi-fw-tools.fwupd" denies to operation="open" name="/sys/devices/pci0000:00/0000:00:14.0/usb1/1-1/busnum" with pid=2327

In your /etc/apparmor.d/snap.uefi-fw-tools.fwupd add the following line (insert 2 spaces before /sys/.... !)
```
 /sys/devices/pci*/*/usb*/*/busnum rw,
```

Reload all apparmor profiles:

sudo systemctl reload apparmor.service

or if not started/enabled

sudo systemctl enable apparmor.service
sudo systemctl start apparmor.service

You can prove the status with

sudo systemctl status apparmor.service

sudo aa-status

I recommend to use
```
sudo aa-complain /etc/apparmor.d/snap.uefi-fw-tools.fwupd
```
This will made profile violations permitted and logged. Useful for testing and developing new profiles.
Later you can set it to enforce with
```
sudo aa-enforce /etc/apparmor.d/snap.uefi-fw-tools.fwupd
```

edited Oct 10 '18 at 11:10

answered Oct 9 '18 at 14:28

abu_bua

4,17981630

Thanks :) I've edited my initial question after trying out your suggestion.

– Andrés García Mangas
Oct 9 '18 at 15:50

what is the output of sudo aa-status

– abu_bua
Oct 9 '18 at 15:55

Did you installed sw from kvaser?

– abu_bua
Oct 9 '18 at 15:56

The output of aa-status is in this gist.

– Andrés García Mangas
Oct 9 '18 at 15:59

No, I didn't install the CANlib propietary drivers from Kvaser (I'm aware that those drivers blacklist socketcan). The built-in CAN drivers in the Linux Kernel should suffice.

– Andrés García Mangas
Oct 9 '18 at 16:00

|
show 1 more comment

Don't forget to reboot after loading the kernels.

The standard command to configure a CAN bus interface is:

ip link set can0 type can bitrate 500000 listen-only on

This will set the bitrate of the can0 interface to 500 Kbps.
Now bring up the interface and start dumping frames:

ip link set can0 up
candump -cae can0,0:0,#FFFFFFFF

or do a

ip l sh

Regarding the apparmor message, I'm not sure - but you can try:

First I recommend to install apparmor-utils
```
sudo apt install apparmor-utils
```

In your case profile="snap.uefi-fw-tools.fwupd" denies to operation="open" name="/sys/devices/pci0000:00/0000:00:14.0/usb1/1-1/busnum" with pid=2327

In your /etc/apparmor.d/snap.uefi-fw-tools.fwupd add the following line (insert 2 spaces before /sys/.... !)
```
 /sys/devices/pci*/*/usb*/*/busnum rw,
```

Reload all apparmor profiles:

sudo systemctl reload apparmor.service

or if not started/enabled

sudo systemctl enable apparmor.service
sudo systemctl start apparmor.service

You can prove the status with

sudo systemctl status apparmor.service

sudo aa-status

I recommend to use
```
sudo aa-complain /etc/apparmor.d/snap.uefi-fw-tools.fwupd
```
This will made profile violations permitted and logged. Useful for testing and developing new profiles.
Later you can set it to enforce with
```
sudo aa-enforce /etc/apparmor.d/snap.uefi-fw-tools.fwupd
```

edited Oct 10 '18 at 11:10

answered Oct 9 '18 at 14:28

abu_bua

4,17981630

Don't forget to reboot after loading the kernels.

The standard command to configure a CAN bus interface is:

ip link set can0 type can bitrate 500000 listen-only on

This will set the bitrate of the can0 interface to 500 Kbps.
Now bring up the interface and start dumping frames:

ip link set can0 up
candump -cae can0,0:0,#FFFFFFFF

or do a

ip l sh

Regarding the apparmor message, I'm not sure - but you can try:

First I recommend to install apparmor-utils
```
sudo apt install apparmor-utils
```

In your case profile="snap.uefi-fw-tools.fwupd" denies to operation="open" name="/sys/devices/pci0000:00/0000:00:14.0/usb1/1-1/busnum" with pid=2327

In your /etc/apparmor.d/snap.uefi-fw-tools.fwupd add the following line (insert 2 spaces before /sys/.... !)
```
 /sys/devices/pci*/*/usb*/*/busnum rw,
```

Reload all apparmor profiles:

sudo systemctl reload apparmor.service

or if not started/enabled

sudo systemctl enable apparmor.service
sudo systemctl start apparmor.service

You can prove the status with

sudo systemctl status apparmor.service

sudo aa-status

I recommend to use
```
sudo aa-complain /etc/apparmor.d/snap.uefi-fw-tools.fwupd
```
This will made profile violations permitted and logged. Useful for testing and developing new profiles.
Later you can set it to enforce with
```
sudo aa-enforce /etc/apparmor.d/snap.uefi-fw-tools.fwupd
```

edited Oct 10 '18 at 11:10

answered Oct 9 '18 at 14:28

abu_bua

4,17981630

edited Oct 10 '18 at 11:10

answered Oct 9 '18 at 14:28

abu_bua

4,17981630

answered Oct 9 '18 at 14:28

abu_bua

4,17981630

answered Oct 9 '18 at 14:28

abu_bua

4,17981630

Thanks :) I've edited my initial question after trying out your suggestion.

– Andrés García Mangas
Oct 9 '18 at 15:50

what is the output of sudo aa-status

– abu_bua
Oct 9 '18 at 15:55

Did you installed sw from kvaser?

– abu_bua
Oct 9 '18 at 15:56

The output of aa-status is in this gist.

– Andrés García Mangas
Oct 9 '18 at 15:59

No, I didn't install the CANlib propietary drivers from Kvaser (I'm aware that those drivers blacklist socketcan). The built-in CAN drivers in the Linux Kernel should suffice.

– Andrés García Mangas
Oct 9 '18 at 16:00

|
show 1 more comment

Thanks :) I've edited my initial question after trying out your suggestion.

– Andrés García Mangas
Oct 9 '18 at 15:50

what is the output of sudo aa-status

– abu_bua
Oct 9 '18 at 15:55

Did you installed sw from kvaser?

– abu_bua
Oct 9 '18 at 15:56

The output of aa-status is in this gist.

– Andrés García Mangas
Oct 9 '18 at 15:59

No, I didn't install the CANlib propietary drivers from Kvaser (I'm aware that those drivers blacklist socketcan). The built-in CAN drivers in the Linux Kernel should suffice.

– Andrés García Mangas
Oct 9 '18 at 16:00

Thanks :) I've edited my initial question after trying out your suggestion.

– Andrés García Mangas
Oct 9 '18 at 15:50

what is the output of sudo aa-status

– abu_bua
Oct 9 '18 at 15:55

Did you installed sw from kvaser?

– abu_bua
Oct 9 '18 at 15:56

The output of aa-status is in this gist.

– Andrés García Mangas
Oct 9 '18 at 15:59

No, I didn't install the CANlib propietary drivers from Kvaser (I'm aware that those drivers blacklist socketcan). The built-in CAN drivers in the Linux Kernel should suffice.

– Andrés García Mangas
Oct 9 '18 at 16:00

|
show 1 more comment

-2

Please send me an email with your contact details. I would like to team up, exchange experience with you on CAN Interface on Dell Edge Gateway 3002.

Thanks.

edited 3 hours ago

guntbert

9,506133170

answered 4 hours ago

Bjørn Tore Garderhagen

New contributor

add a comment |

-2

Please send me an email with your contact details. I would like to team up, exchange experience with you on CAN Interface on Dell Edge Gateway 3002.

Thanks.

edited 3 hours ago

guntbert

9,506133170

answered 4 hours ago

Bjørn Tore Garderhagen

New contributor

add a comment |

-2

Please send me an email with your contact details. I would like to team up, exchange experience with you on CAN Interface on Dell Edge Gateway 3002.

Thanks.

edited 3 hours ago

guntbert

9,506133170

answered 4 hours ago

Bjørn Tore Garderhagen

New contributor

Please send me an email with your contact details. I would like to team up, exchange experience with you on CAN Interface on Dell Edge Gateway 3002.

Thanks.

edited 3 hours ago

guntbert

9,506133170

answered 4 hours ago

Bjørn Tore Garderhagen

New contributor

edited 3 hours ago

guntbert

9,506133170

edited 3 hours ago

guntbert

9,506133170

edited 3 hours ago

guntbert

9,506133170

answered 4 hours ago

Bjørn Tore Garderhagen

New contributor

answered 4 hours ago

Bjørn Tore Garderhagen

answered 4 hours ago

Bjørn Tore Garderhagen

New contributor

Bjørn Tore Garderhagen is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

add a comment |

draft saved

draft discarded

Thanks for contributing an answer to Ask Ubuntu!

Please be sure to answer the question. Provide details and share your research!

But avoid …

Asking for help, clarification, or responding to other answers.

Making statements based on opinion; back them up with references or personal experience.

To learn more, see our tips on writing great answers.

draft saved

draft discarded

Post as a guest

Name

Required, but never shown

Name

Required, but never shown

Name

Required, but never shown

This page is only for reference, If you need detailed information, please check here

搜尋此網誌

Ttgjyuk

2 Answers
2

Regarding the apparmor message, I'm not sure - but you can try:

Your Answer

Post as a guest

2 Answers
2

2 Answers
2

Regarding the apparmor message, I'm not sure - but you can try:

Regarding the apparmor message, I'm not sure - but you can try:

Regarding the apparmor message, I'm not sure - but you can try:

Regarding the apparmor message, I'm not sure - but you can try:

Post as a guest

Popular posts from this blog

2 Answers 2

Regarding the apparmor message, I'm not sure - but you can try:

Your Answer

Sign up or log in

Post as a guest

Post as a guest

2 Answers 2

2 Answers 2

Regarding the apparmor message, I'm not sure - but you can try:

Regarding the apparmor message, I'm not sure - but you can try:

Regarding the apparmor message, I'm not sure - but you can try:

Regarding the apparmor message, I'm not sure - but you can try:

Sign up or log in

Post as a guest

Post as a guest

Sign up or log in

Post as a guest

Sign up or log in

Post as a guest

Sign up or log in

Post as a guest

Popular posts from this blog

2 Answers
2

2 Answers
2

2 Answers
2