Some context:
A YubiKey identifies itself over USB in three different ways, and this application uses all of them.
- as a USB-HID device / keyboard.
- as a smart card reader with a smart card inserted. To use this we bundle our own `pcscd` daemon, but there might be an interface for this in the future. See Best way to talk to smart cards / pcscd?
- as a FIDO-HID device. I’m assuming this is what `u2f-devices` enables.
When removing the `raw-usb` plug the app can’t connect to the smartcard reader at all, and `snappy-debug` says

```
= AppArmor =
Time: Mar 5 08:16:03
Log: apparmor="DENIED" operation="open" profile="snap.yubioath-desktop.pcscd" name="/dev/bus/usb/001/004" pid=10247 comm="pcscd" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
File: /dev/bus/usb/001/004 (write)
```
There is also a feature in the application where a user-defined external smart card reader may be connected over USB, and the YubiKey is then used over NFC. So access to all USB devices may actually be what we need here.
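For triaging denials like the one quoted above, this added example (not part of the original post and not code from the application) parses an AppArmor `DENIED` line into the snap, the app, the denied access and the USB bus/device numbers of the node. It goes slightly beyond the post by also decoding hex-encoded unquoted `name` values, and the function name and mask table are this example's own.

```python
import re

# Constructed input: the "Log:" line from the post above, copied unchanged.
SAMPLE = ('apparmor="DENIED" operation="open" '
          'profile="snap.yubioath-desktop.pcscd" name="/dev/bus/usb/001/004" '
          'pid=10247 comm="pcscd" requested_mask="wr" denied_mask="wr" '
          'fsuid=0 ouid=0')

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')      # key="quoted" or key=bare
USB_NODE = re.compile(r"/dev/bus/usb/(\d{3})/(\d{3})")  # raw USB device node
HEX = re.compile(r"(?:[0-9A-Fa-f]{2})+")
HEX_KEYS = {"name", "comm", "profile"}  # fields the audit layer may hex-encode
MASK = {"r": "read", "w": "write", "a": "append", "x": "execute",
        "m": "mmap-exec", "k": "lock", "l": "link"}


def parse_denial(line):
    """Parse one AppArmor audit line; return None unless it is a DENIED event."""
    fields = {}
    for key, quoted, bare in FIELD.findall(line):
        value = bare or quoted
        # An unquoted string field is hex-encoded (e.g. a path with spaces).
        if bare and key in HEX_KEYS and HEX.fullmatch(bare):
            value = bytes.fromhex(bare).decode("utf-8", "replace")
        fields[key] = value
    if fields.get("apparmor") != "DENIED":
        return None

    # Snap profiles are named snap.<snap>.<app>.
    parts = fields.get("profile", "").split(".", 2)
    is_snap = len(parts) == 3 and parts[0] == "snap"
    usb = USB_NODE.fullmatch(fields.get("name", ""))
    return {
        "snap": parts[1] if is_snap else None,
        "app": parts[2] if is_snap else None,
        "path": fields.get("name"),
        "access": [MASK.get(c, c) for c in fields.get("denied_mask", "")],
        # (bus, device) when the denied path is a raw USB device node
        "usb_node": (int(usb.group(1)), int(usb.group(2))) if usb else None,
    }


if __name__ == "__main__":
    print(parse_denial(SAMPLE))
```

A non-`None` `usb_node` for the `pcscd` app is the signature of the missing raw USB access described in the post.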