Ubuntu Snap - Error rfkill: Permission denied

[jmorille]

OS: Ubuntu 22.04.3 LTS SNAP home-assistant: 2023.7.3 With Integration: https://github.com/fsaris/home-assistant-awox

Facing an apparmor problem when it try du scan bluetooth devices with error rfkill: Permission denied

2023-09-26T21:58:43+02:00 home-assistant-snap.home-assistant-snap[14221]: /bin/sh: 1: rfkill: Permission denied

2023-09-26T21:58:13+02:00 home-assistant-snap.home-assistant-snap[13875]: 2023-09-26 21:58:13.440 ERROR (MainThread) [custom_components.awox.scanner] Find devices process error: Command 'PATH=/usr/sbin:$PATH; rfkill unblock bluetooth' returned non-zero exit status 126.
2023-09-26T21:58:13+02:00 home-assistant-snap.home-assistant-snap[13875]: Traceback (most recent call last):
2023-09-26T21:58:13+02:00 home-assistant-snap.home-assistant-snap[13875]:   File "/var/snap/home-assistant-snap/574/custom_components/awox/scanner.py", line 39, in async_find_devices
2023-09-26T21:58:13+02:00 home-assistant-snap.home-assistant-snap[13875]:     bl = await hass.async_add_executor_job(init)
2023-09-26T21:58:13+02:00 home-assistant-snap.home-assistant-snap[13875]:          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
2023-09-26T21:58:13+02:00 home-assistant-snap.home-assistant-snap[13875]:   File "/usr/lib/python3.11/concurrent/futures/thread.py", line 58, in run
2023-09-26T21:58:13+02:00 home-assistant-snap.home-assistant-snap[13875]:     result = self.fn(*self.args, **self.kwargs)
2023-09-26T21:58:13+02:00 home-assistant-snap.home-assistant-snap[13875]:              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
2023-09-26T21:58:13+02:00 home-assistant-snap.home-assistant-snap[13875]:   File "/var/snap/home-assistant-snap/574/custom_components/awox/scanner.py", line 35, in init
2023-09-26T21:58:13+02:00 home-assistant-snap.home-assistant-snap[13875]:     return Bluetoothctl()
2023-09-26T21:58:13+02:00 home-assistant-snap.home-assistant-snap[13875]:            ^^^^^^^^^^^^^^
2023-09-26T21:58:13+02:00 home-assistant-snap.home-assistant-snap[13875]:   File "/var/snap/home-assistant-snap/574/custom_components/awox/bluetoothctl.py", line 18, in __init__
2023-09-26T21:58:13+02:00 home-assistant-snap.home-assistant-snap[13875]:     subprocess.check_output("PATH=/usr/sbin:$PATH; rfkill unblock bluetooth", shell=True)
2023-09-26T21:58:13+02:00 home-assistant-snap.home-assistant-snap[13875]:   File "/usr/lib/python3.11/subprocess.py", line 466, in check_output
2023-09-26T21:58:13+02:00 home-assistant-snap.home-assistant-snap[13875]:     return run(*popenargs, stdout=PIPE, timeout=timeout, check=True,
2023-09-26T21:58:13+02:00 home-assistant-snap.home-assistant-snap[13875]:            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
2023-09-26T21:58:13+02:00 home-assistant-snap.home-assistant-snap[13875]:   File "/usr/lib/python3.11/subprocess.py", line 571, in run
2023-09-26T21:58:13+02:00 home-assistant-snap.home-assistant-snap[13875]:     raise CalledProcessError(retcode, process.args,
2023-09-26T21:58:13+02:00 home-assistant-snap.home-assistant-snap[13875]: subprocess.CalledProcessError: Command 'PATH=/usr/sbin:$PATH; rfkill unblock bluetooth' returned non-zero exit status 126.
2023-09-26T21:58:13+02:00 home-assistant-snap.home-assistant-snap[13

dmesg confirme the apparmor problem for sbin/rfkill

[ 1422.123645] audit: type=1400 audit(1695757723.435:487): apparmor="DENIED" operation="exec" profile="snap.home-assistant-snap.home-assistant-snap" name="/usr/sbin/rfkill" pid=13944 comm="sh" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
[ 1422.123757] audit: type=1400 audit(1695757723.435:488): apparmor="DENIED" operation="exec" profile="snap.home-assistant-snap.home-assistant-snap" name="/usr/sbin/rfkill" pid=13944 comm="sh" requested_mask="x" denied_mask="x" fsuid=0 ouid=0

The apparmor config

user@has:/var/lib/snapd/apparmor/profiles$ grep -R rfkill 
snap.home-assistant-snap.home-assistant-snap:/dev/rfkill rw,
snap.home-assistant-snap.home-assistant-snap:/sys/class/rfkill/ r,
snap.home-assistant-snap.home-assistant-snap:/sys/devices/{pci[0-9a-f]*,platform,virtual}/**/rfkill[0-9]*/{,**} r,
snap.home-assistant-snap.home-assistant-snap:/sys/devices/{pci[0-9a-f]*,platform,virtual}/**/rfkill[0-9]*/state w, 

The apparmor define rules for /dev/rfkill binary and not the /usr/sbin/rfkill

[michalpulda]

I would suggest using the ESPHome component instead of this integration. It's more reliable and responsive.

[fsaris]

The apparmor define rules for /dev/rfkill binary and not the /usr/sbin/rfkill

Sorry this is out of scope of this integration. Maybe can ask the maintainer of the snap package to resolve the permission issue.