Fido U2F authentication fails in Chromium snap build

When testing Fido U2F authentication with a Yubikey via https://demo.yubico.com/u2f in Chromium snap build 67.0.3396.62 and Ubuntu 18.04, the process fails silently without sending a request to the key (key doesn’t blink), and eventually times out. The browser doesn’t ask for any special permissions in the process. I also tried other websites with U2F authentication and they all fail. U2F works without problem in the Chromium Universe build 66.0.3359.181.

Presumably Chromium needs to be able to talk to the U2F dongle via USB (probably either raw USB or HID devices), and the confinement policy restricts access. Do you see any denials in the dmesg output when you try to make use of the feature?

@oSoMoN: do you have any ideas about this?

I don’t see any dmesg messages when trying to use U2F authentication, or interacting with the USB token. However, there are denial messages when launching the Chromium snap build, which I don’t see when launching the Universe build. Not sure if these have to do with USB communication.

[ 1495.669917] audit: type=1400 audit(1530687588.026:60): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/etc/chromium-browser/policies/managed/" pid=6097 comm="chromium-browse" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

[ 1495.684406] audit: type=1107 audit(1530687588.042:64): pid=880 uid=103 auid=4294967295 ses=4294967295 msg='apparmor="DENIED" operation="dbus_method_call" bus="system" path="/" interface="org.freedesktop.DBus.ObjectManager" member="GetManagedObjects" mask="send" name="org.bluez" pid=6097 label="snap.chromium.chromium" peer_pid=896 peer_label="unconfined" exe="/usr/bin/dbus-daemon" sauid=103 hostname=? addr=? terminal=?'

This is being tracked by bug #1738164.

@jdstrand: a user observed denials on the following paths:

/run/udev/data/c238:0
/run/udev/data/c239:0
/run/udev/data/c240:0
/run/udev/data/c240:1
/run/udev/data/c240:2

Is there an existing interface that would cover those? Or would it require a new interface for yubikeys and similar devices?


No, but this could be added to the browser-support interface:

# for U2F yubikey
/run/udev/data/c238:[0-9]* r,
/run/udev/data/c239:[0-9]* r,
/run/udev/data/c240:[0-9]* r,
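An added example, not part of the thread or of snapd's own code: a Python check that parses AppArmor file denials and reports which ones the rules proposed above would still leave uncovered. The denial lines are constructed in the format of the log quoted earlier (timestamps are placeholders), and the glob translation is a simplified subset covering only `**`, `*`, `?` and `[...]`.

```python
import re

# Constructed sample denials in the format of the log quoted in the thread.
# The first path is from that log; the udev paths are the ones listed above.
TEMPLATE = ('audit: type=1400 audit(0.0:0): apparmor="DENIED" operation="open" '
            'profile="snap.chromium.chromium" name="{}" pid=6097 '
            'comm="chromium-browse" requested_mask="r" denied_mask="r"')
PATHS = ["/etc/chromium-browser/policies/managed/", "/run/udev/data/c238:0",
         "/run/udev/data/c239:0", "/run/udev/data/c240:0",
         "/run/udev/data/c240:1", "/run/udev/data/c240:2"]
SAMPLE_LOG = "\n".join(TEMPLATE.format(p) for p in PATHS)

# Rules as proposed in the thread.
RULES = """\
# for U2F yubikey
/run/udev/data/c238:[0-9]* r,
/run/udev/data/c239:[0-9]* r,
/run/udev/data/c240:[0-9]* r,
"""

def parse_denials(log):
    """Yield (profile, path, denied_mask) for each AppArmor file denial."""
    for line in log.splitlines():
        f = dict(re.findall(r'(\w+)="([^"]*)"', line))
        if f.get("apparmor") == "DENIED" and "denied_mask" in f:
            yield f["profile"], f["name"], f["denied_mask"]

def glob_to_regex(glob):
    """Translate a subset of AppArmor globbing (**, *, ?, [...]) to a regex."""
    tokens = {"**": ".*", "*": "[^/]*", "?": "[^/]"}  # single * never crosses '/'
    def repl(m):
        t = m.group(0)
        return tokens.get(t) or (t if t.startswith("[") else re.escape(t))
    return re.compile(re.sub(r"\*\*|\*|\?|\[[^\]]+\]|.", repl, glob) + r"\Z")

def uncovered(log, rules_text):
    """Return the denials that no rule in rules_text would allow."""
    rules = []
    for line in rules_text.splitlines():
        if line.strip() and not line.lstrip().startswith("#"):
            path, perms = line.strip().rstrip(",").split()
            rules.append((glob_to_regex(path), set(perms)))
    return [d for d in parse_denials(log)
            if not any(rx.match(d[1]) and set(d[2]) <= perms for rx, perms in rules)]

if __name__ == "__main__":
    for profile, path, mask in uncovered(SAMPLE_LOG, RULES):
        print(f"still denied: {profile} {path} ({mask})")
```

On the sample input, only the `/etc/chromium-browser/policies/managed/` denial remains, which matches the thread: that denial is unrelated to the udev rules.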