Can't Load Security Device in Firefox Snap

In order to use my common access card reader I must load a PKCS module found in /usr/lib/pkcs11. I can’t begin to browse /usr through the firefox snap Device manager.

Could not read the contents of usr
Error opening directory ‘/usr’: Permission denied

I can navigate to the folder with no restrictions using the terminal or file manager. How do I grant the snap the permissions needed?

Does it work if you copy the PKCS module file to a location readable by the snap and load it from there? E.g. $HOME/snap/firefox/current/.

Thanks for responding, but no, it didn’t work.

Unable to add module

I had a go at loading the coolkey module, and got the same generic error. Unfortunately, the code in firefox that loads PKCS#11 modules (SECMOD_AddNewModuleEx(…) in security/nss/lib/pk11wrap/pk11util.c) doesn’t throw specific errors, nor does it log anything useful.

Here is what I tried:

I copied libcoolkeypk11.so to $HOME/snap/firefox/current/.local/lib/. Strace revealed that loading the shared lib failed to resolve the following dependencies: libckyapplet1.so.1 and libpcsclite.so.1, even when they were copied to the same location.
To continue the experiment, I unpacked the firefox snap, added those shared libs to $SNAP/usr/lib/x86_64-linux-gnu and repacked it.
Strace again revealed that the snap failed to read /var/run/pcscd/pcscd.comm, which would likely require a specific snapd interface.
I didn’t go any further, but this already shows that loading PKCS#11 modules isn’t going to work out of the box without work in the firefox snap and in snapd itself.

@techblue: can you share more info on which security module you were trying to load, and how it interacts with the device? Is it doing something similar to coolkey?

Also, I’d suggest filing an upstream bug that refers to this post.

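The strace diagnosis described in the post above can be partly automated. The following is an added example, not code from the thread, Firefox or snapd: a shell function (hypothetical name `summarize_failures`) that reads an strace log and reports shared libraries and the pcscd socket that never opened successfully, while ignoring the dynamic loader's normal search-path misses. The sample trace lines are constructed, not captured output.

```shell
#!/usr/bin/env bash
# Added example: list libraries/sockets that never opened successfully in an strace log.

summarize_failures() {
    # Reads strace output (file arguments or stdin); prints "ERRNO<TAB>NAME", sorted.
    awk '
    {
        # First quoted string is the path (openat) or sun_path (connect).
        if (!match($0, /"[^"]+"/)) next
        path = substr($0, RSTART + 1, RLENGTH - 2)
        n = split(path, parts, "/"); base = parts[n]
        # Only shared objects and the pcscd socket directory are of interest.
        if (base !~ /\.so(\.[0-9]+)*$/ && path !~ /\/pcscd\//) next
        if (match($0, / = -1 E[A-Z]+/)) {
            err = substr($0, RSTART + 6, RLENGTH - 6)
            # Keep a denial (EACCES/EPERM) over a plain ENOENT.
            if (!(base in fail) || err != "ENOENT") fail[base] = err
        } else if ($0 ~ / = [0-9]+/) {
            ok[base] = 1   # found on some search path: loader probing, not a failure
        }
    }
    END { for (b in fail) if (!(b in ok)) print fail[b] "\t" b }
    ' "$@" | LC_ALL=C sort
}

sample_trace() {
    # Constructed strace lines (not captured output). libz stands in for a
    # library that is missing on the first search path but found on the second.
    cat <<'EOF'
4242 openat(AT_FDCWD, "/home/user/snap/firefox/current/.local/lib/libcoolkeypk11.so", O_RDONLY|O_CLOEXEC) = 57
4242 openat(AT_FDCWD, "/home/user/snap/firefox/current/.local/lib/libckyapplet1.so.1", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
4242 openat(AT_FDCWD, "/usr/lib/x86_64-linux-gnu/libckyapplet1.so.1", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
4242 openat(AT_FDCWD, "/usr/lib/x86_64-linux-gnu/libpcsclite.so.1", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
4242 openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libz.so.1", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
4242 openat(AT_FDCWD, "/usr/lib/x86_64-linux-gnu/libz.so.1", O_RDONLY|O_CLOEXEC) = 58
4242 connect(59, {sa_family=AF_UNIX, sun_path="/var/run/pcscd/pcscd.comm"}, 110) = -1 EACCES (Permission denied)
EOF
}

# Demo run on the constructed sample.
sample_trace | summarize_failures
```

On a real system the input would be a log written by `strace -f -o <file>` while the module is being added; the function accepts that file as an argument.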

A similar thread: Access external lib to use USB Token in firefox.