U2F not working in Firefox Snap

kravietz · November 6, 2019, 2:13pm

When using Firefox installed from snap, U2F key is not seen by Firefox and it eventually times out. Journalctl displays these logs, which implies the Snap is missing plugs allowing it to access the U2F device:

Nov 06 12:25:34 pax kernel: usb 1-2: new full-speed USB device number 20 using xhci_hcd
Nov 06 12:25:35 pax kernel: usb 1-2: New USB device found, idVendor=1050, idProduct=0120, bcdDevice= 5.02
Nov 06 12:25:35 pax kernel: usb 1-2: New USB device strings: Mfr=1, Product=2, SerialNumber=0
Nov 06 12:25:35 pax kernel: usb 1-2: Product: Security Key by Yubico
Nov 06 12:25:35 pax kernel: usb 1-2: Manufacturer: Yubico
Nov 06 12:25:35 pax kernel: hid-generic 0003:1050:0120.0004: hiddev1,hidraw2: USB HID v1.10 Device [Yubico Security Key by Yubico] on usb-0000:00:14.0-2/input0
Nov 06 12:25:35 pax mtp-probe[18020]: checking bus 1, device 20: "/sys/devices/pci0000:00/0000:00:14.0/usb1/1-2"
Nov 06 12:25:35 pax mtp-probe[18020]: bus: 1, device: 20 was not an MTP device
Nov 06 12:25:35 pax audit[26391]: AVC apparmor="DENIED" operation="open" profile="snap.brave.brave" name="/sys/devices/pci0000:00/0000:00:14.0/usb1/1-2/busnum" pid=26391 comm="ThreadPoolForeg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Nov 06 12:25:35 pax audit[26391]: AVC apparmor="DENIED" operation="open" profile="snap.brave.brave" name="/sys/devices/pci0000:00/0000:00:14.0/usb1/1-2/devnum" pid=26391 comm="ThreadPoolForeg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Nov 06 12:25:35 pax audit[2758]: AVC apparmor="DENIED" operation="open" profile="snap.firefox.firefox" name="/dev/hidraw2" pid=2758 comm=4950444C204261636B67726F756E64 requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=0

Any idea what plugs they might be missing here? I reported it to Firefox Bugzilla (1594375) and Brave (6782) but I also wanted to find out if this can be fixed easily by enabling some plugs, or requires some improvements in Snapd?

oSoMoN · November 6, 2019, 2:36pm

Is the u2f-devices interface connected?

snap connections firefox | grep u2f

kravietz · November 6, 2019, 3:06pm

root@pax:~# snap connections firefox | grep u2f
u2f-devices             firefox:u2f-devices             -                        -
root@pax:~# snap connections brave | grep u2f
root@pax:~#

kravietz · November 6, 2019, 3:16pm

# snap connect firefox:u2f-devices
# snap connections firefox  | grep u2f
u2f-devices             firefox:u2f-devices             :u2f-devices             manual

And it worked!

kravietz · November 6, 2019, 3:18pm

So this resolves the issue for Firefox. Shouldn’t they have this auto-connected?

Brave on the other hand doesn’t even expose this plug, but that’s an easy fix for them - will update the ticket.

# snap connect brave:u2f-devices
error: snap "brave" has no plug named "u2f-devices"

oSoMoN · November 6, 2019, 3:25pm

Excellent, glad to know this resolved the problem.
I’m not sure about having this interface auto-connected. @jdstrand what do you think? Would that present potential security concerns?

jdstrand · November 6, 2019, 9:42pm

It is manually connected by default because it gives device access to the snap and people may not want to unconditionally grant that to all snaps that ask for it.

That said, if the publisher wanted to request an auto-connection, that can be considered.