Snapped Firefox unable to use smart card

To use security cards, we need to point to the opensc library which is installed under /usr/lib/x86_64-linux-gnu/

This does not seem to be possible, get permission denied

2 Likes

What is the output of ‘sudo journalctl | grep audit’ at the time of the denial?

Jun 02 13:09:31 gocarlos-tp260 audit[19759]: AVC apparmor=“DENIED” operation=“open” profile=“snap.firefox.firefox” name="/etc/fstab" pid=19759 comm=“firefox” requested_mask=“r” denied_mask=“r” fsuid=1000 ouid=0
Jun 02 13:09:31 gocarlos-tp260 kernel: audit: type=1400 audit(1527937771.649:145): apparmor=“DENIED” operation=“open” profile=“snap.firefox.firefox” name="/etc/fstab" pid=19759 comm=“firefox” requested_mask=“r” denied_mask=“r” fsuid=1000 ouid=0
Jun 02 13:09:31 gocarlos-tp260 audit[19759]: AVC apparmor=“DENIED” operation=“open” profile=“snap.firefox.firefox” name="/home/gocarlos/.bash_logout" pid=19759 comm=“pool” requested_mask=“r” denied_mask=“r” fsuid=1000 ouid=1000
Jun 02 13:09:31 gocarlos-tp260 audit[19759]: AVC apparmor=“DENIED” operation=“open” profile=“snap.firefox.firefox” name="/home/gocarlos/.bashrc" pid=19759 comm=“pool” requested_mask=“r” denied_mask=“r” fsuid=1000 ouid=1000
Jun 02 13:09:31 gocarlos-tp260 kernel: audit: type=1400 audit(1527937771.825:146): apparmor=“DENIED” operation=“open” profile=“snap.firefox.firefox” name="/home/gocarlos/.bash_logout" pid=19759 comm=“pool” requested_mask=“r” denied_mask=“r” fsuid=1000 ouid=1000
Jun 02 13:09:31 gocarlos-tp260 kernel: audit: type=1400 audit(1527937771.825:147): apparmor=“DENIED” operation=“open” profile=“snap.firefox.firefox” name="/home/gocarlos/.bashrc" pid=19759 comm=“pool” requested_mask=“r” denied_mask=“r” fsuid=1000 ouid=1000
Jun 02 13:09:31 gocarlos-tp260 audit[19759]: AVC apparmor=“DENIED” operation=“open” profile=“snap.firefox.firefox” name="/home/gocarlos/.gitconfig" pid=19759 comm=“pool” requested_mask=“r” denied_mask=“r” fsuid=1000 ouid=1000
Jun 02 13:09:31 gocarlos-tp260 audit[19759]: AVC apparmor=“DENIED” operation=“open” profile=“snap.firefox.firefox” name="/home/gocarlos/.node_repl_history" pid=19759 comm=“pool” requested_mask=“r” denied_mask=“r” fsuid=1000 ouid=1000
Jun 02 13:09:31 gocarlos-tp260 audit[19759]: AVC apparmor=“DENIED” operation=“open” profile=“snap.firefox.firefox” name="/home/gocarlos/.anyconnect" pid=19759 comm=“pool” requested_mask=“r” denied_mask=“r” fsuid=1000 ouid=1000
Jun 02 13:09:31 gocarlos-tp260 audit[19759]: AVC apparmor=“DENIED” operation=“open” profile=“snap.firefox.firefox” name="/home/gocarlos/.profile" pid=19759 comm=“pool” requested_mask=“r” denied_mask=“r” fsuid=1000 ouid=1000
Jun 02 13:09:31 gocarlos-tp260 audit[19759]: AVC apparmor=“DENIED” operation=“open” profile=“snap.firefox.firefox” name="/home/gocarlos/.xsession-errors" pid=19759 comm=“pool” requested_mask=“r” denied_mask=“r” fsuid=1000 ouid=1000
Jun 02 13:09:31 gocarlos-tp260 audit[19759]: AVC apparmor=“DENIED” operation=“open” profile=“snap.firefox.firefox” name="/home/gocarlos/.python_hue" pid=19759 comm=“pool” requested_mask=“r” denied_mask=“r” fsuid=1000 ouid=1000
Jun 02 13:09:31 gocarlos-tp260 audit[19759]: AVC apparmor=“DENIED” operation=“open” profile=“snap.firefox.firefox” name="/home/gocarlos/.wget-hsts" pid=19759 comm=“pool” requested_mask=“r” denied_mask=“r” fsuid=1000 ouid=1000
Jun 02 13:09:31 gocarlos-tp260 audit[19759]: AVC apparmor=“DENIED” operation=“open” profile=“snap.firefox.firefox” name="/home/gocarlos/.bash_history" pid=19759 comm=“pool” requested_mask=“r” denied_mask=“r” fsuid=1000 ouid=1000
Jun 02 13:09:31 gocarlos-tp260 kernel: audit: type=1400 audit(1527937771.829:148): apparmor=“DENIED” operation=“open” profile=“snap.firefox.firefox” name="/home/gocarlos/.gitconfig" pid=19759 comm=“pool” requested_mask=“r” denied_mask=“r” fsuid=1000 ouid=1000
Jun 02 13:09:31 gocarlos-tp260 kernel: audit: type=1400 audit(1527937771.829:149): apparmor=“DENIED” operation=“open” profile=“snap.firefox.firefox” name="/home/gocarlos/.node_repl_history" pid=19759 comm=“pool” requested_mask=“r” denied_mask=“r” fsuid=1000 ouid=1000
Jun 02 13:09:31 gocarlos-tp260 kernel: audit: type=1400 audit(1527937771.829:150): apparmor=“DENIED” operation=“open” profile=“snap.firefox.firefox” name="/home/gocarlos/.anyconnect" pid=19759 comm=“pool” requested_mask=“r” denied_mask=“r” fsuid=1000 ouid=1000
Jun 02 13:09:31 gocarlos-tp260 kernel: audit: type=1400 audit(1527937771.829:151): apparmor=“DENIED” operation=“open” profile=“snap.firefox.firefox” name="/home/gocarlos/.profile" pid=19759 comm=“pool” requested_mask=“r” denied_mask=“r” fsuid=1000 ouid=1000
Jun 02 13:09:31 gocarlos-tp260 kernel: audit: type=1400 audit(1527937771.829:152): apparmor=“DENIED” operation=“open” profile=“snap.firefox.firefox” name="/home/gocarlos/.xsession-errors" pid=19759 comm=“pool” requested_mask=“r” denied_mask=“r” fsuid=1000 ouid=1000
Jun 02 13:09:31 gocarlos-tp260 kernel: audit: type=1400 audit(1527937771.829:153): apparmor=“DENIED” operation=“open” profile=“snap.firefox.firefox” name="/home/gocarlos/.python_hue" pid=19759 comm=“pool” requested_mask=“r” denied_mask=“r” fsuid=1000 ouid=1000
Jun 02 13:09:31 gocarlos-tp260 kernel: audit: type=1400 audit(1527937771.829:154): apparmor=“DENIED” operation=“open” profile=“snap.firefox.firefox” name="/home/gocarlos/.wget-hsts" pid=19759 comm=“pool” requested_mask=“r” denied_mask=“r” fsuid=1000 ouid=1000
Jun 02 13:09:32 gocarlos-tp260 audit[1866]: USER_AVC pid=1866 uid=105 auid=4294967295 ses=4294967295 msg='apparmor=“DENIED” operation=“dbus_method_call” bus=“system” path="/org/freedesktop/hostname1" interface=“org.freedesktop.DBus.Properties” member=“GetAll” mask=“send” name=":1.24537" pid=19759 label=“snap.firefox.firefox” peer_pid=20994 peer_label=“unconfined”
Jun 02 13:09:32 gocarlos-tp260 audit[1866]: USER_AVC pid=1866 uid=105 auid=4294967295 ses=4294967295 msg='apparmor=“DENIED” operation=“dbus_method_call” bus=“system” path="/org/freedesktop/hostname1" interface=“org.freedesktop.DBus.Properties” member=“GetAll” mask=“send” name=":1.24537" pid=19759 label=“snap.firefox.firefox” peer_pid=20994 peer_label=“unconfined”
Jun 02 13:09:38 gocarlos-tp260 audit[19759]: AVC apparmor=“DENIED” operation=“open” profile=“snap.firefox.firefox” name="/usr/" pid=19759 comm=“pool” requested_mask=“r” denied_mask=“r” fsuid=1000 ouid=0
Jun 02 13:09:38 gocarlos-tp260 kernel: kauditd_printk_skb: 3 callbacks suppressed
Jun 02 13:09:38 gocarlos-tp260 kernel: audit: type=1400 audit(1527937778.861:158): apparmor=“DENIED” operation=“open” profile=“snap.firefox.firefox” name="/usr/" pid=19759 comm=“pool” requested_mask=“r” denied_mask=“r” fsuid=1000 ouid=0

I don’t see anything in here related to a smart card. It does look like the firefox interface probably needs to plugs system-observe for the hostname1 denial. Perhaps @oSoMoN can comment further on that, but more importantly the smart card support.

I am having similar problems with my Yubikey NEO. The card is detected fine and works correctly on Firefox ESR and Chromium on Debian stretch. Unfortunately, in Firefox from the snap repository, there is some communication failure. While normally the Yubikey blinks slowly waiting for the U2F tap, there it doesn’t seem to detect it needs to do anything. There’s no error message in Firefox or in the terminal.

I have tried reverting to earlier releases of Firefox using snap revert, back to 59, with no improvement. I have also tried to revert core, and that did not work either. Note that I had to uninstall firefox each time i did a revert otherwise the fonts would become all weird unreadable blocks.

It’s really too bad, because the Firefox snap works on my workstation, in a similar environment, which is an up to date Debian stretch.

Any advice on how to debug this in any way? it’s pretty frustrating… :slight_smile:

Are you sure that Yubikey still works with Firefox after dropping NPAPI support(except Adobe Flash)?

I haven’t tried that: how do i drop NPAPI support or check if it’s enabled?

If you’re using the latest release then the support is already dropped, the problem is whether the web authentication application is really relying on it.

You may also browse about:plugins to see if there’s anything related to it (likely not).

It is possible that the application communicates with a native card reading daemon via a localhost socket, and thus avoid depending on an NPAPI plugin.

I’m running Firefox 60.0.2 on both ends, and so I don’t think NPAPI is enabled.

@anarcat - do you see any security policy denials in journalctl when trying to use the yubikey?

i did not notice anything in the system journal.

I think someone who maintains the firefox snap needs to comment. @willcooke, I’m not sure who that is; can you find someone to look at this?

snap updated to 61, no change. nothing in journalctl, and it works on a different machine with a similar setup. very strange.

@willcooke, ping re Snapped Firefox unable to use smart card

@kenvandine is the person to ping. He’ll take a look as soon as he’s back in the office.

Same issue. I have a pkcs11-enabled smartcard which I’d like to use via opensc-pkcs11.so in Firefox, and there are no denials in the audit log. Non-snap pkcs11-enabled tools work (e.g. ssh).

thresh@coal ~ $ snap version
snap 2.33.1
snapd 2.33.1
series 16
debian -
kernel 4.17.0-1-amd64

firefox is 61.0.1-1 (107).

It sounds like the snap is missing required libraries. This is something the firefox snap developers need to comment on. @kenvandine, did you have a chance to look at this?

I can take a look, does anyone have a hint to what libraries should really be included?

for what it’s worth, now that Debian stretch provides the latest Firefox 60 as a ESR, I have stopped using the snap and the smart card works again, so this is definitely something related to snaps.

Just linking recent discussion about this issue.