U2F not working in Firefox Snap

When using Firefox installed from snap, U2F key is not seen by Firefox and it eventually times out. Journalctl displays these logs, which implies the Snap is missing plugs allowing it to access the U2F device:

Nov 06 12:25:34 pax kernel: usb 1-2: new full-speed USB device number 20 using xhci_hcd
Nov 06 12:25:35 pax kernel: usb 1-2: New USB device found, idVendor=1050, idProduct=0120, bcdDevice= 5.02
Nov 06 12:25:35 pax kernel: usb 1-2: New USB device strings: Mfr=1, Product=2, SerialNumber=0
Nov 06 12:25:35 pax kernel: usb 1-2: Product: Security Key by Yubico
Nov 06 12:25:35 pax kernel: usb 1-2: Manufacturer: Yubico
Nov 06 12:25:35 pax kernel: hid-generic 0003:1050:0120.0004: hiddev1,hidraw2: USB HID v1.10 Device [Yubico Security Key by Yubico] on usb-0000:00:14.0-2/input0
Nov 06 12:25:35 pax mtp-probe[18020]: checking bus 1, device 20: "/sys/devices/pci0000:00/0000:00:14.0/usb1/1-2"
Nov 06 12:25:35 pax mtp-probe[18020]: bus: 1, device: 20 was not an MTP device
Nov 06 12:25:35 pax audit[26391]: AVC apparmor="DENIED" operation="open" profile="snap.brave.brave" name="/sys/devices/pci0000:00/0000:00:14.0/usb1/1-2/busnum" pid=26391 comm="ThreadPoolForeg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Nov 06 12:25:35 pax audit[26391]: AVC apparmor="DENIED" operation="open" profile="snap.brave.brave" name="/sys/devices/pci0000:00/0000:00:14.0/usb1/1-2/devnum" pid=26391 comm="ThreadPoolForeg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Nov 06 12:25:35 pax audit[2758]: AVC apparmor="DENIED" operation="open" profile="snap.firefox.firefox" name="/dev/hidraw2" pid=2758 comm=4950444C204261636B67726F756E64 requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=0

Any idea what plugs they might be missing here? I reported it to Firefox Bugzilla (1594375) and Brave (6782) but I also wanted to find out if this can be fixed easily by enabling some plugs, or requires some improvements in Snapd?

Is the u2f-devices interface connected?

snap connections firefox | grep u2f
1 Like
root@pax:~# snap connections firefox | grep u2f
u2f-devices             firefox:u2f-devices             -                        -
root@pax:~# snap connections brave | grep u2f
root@pax:~#
# snap connect firefox:u2f-devices
# snap connections firefox  | grep u2f
u2f-devices             firefox:u2f-devices             :u2f-devices             manual

And it worked!

So this resolves the issue for Firefox. Shouldn’t they have this auto-connected?

Brave on the other hand doesn’t even expose this plug, but that’s an easy fix for them - will update the ticket.

# snap connect brave:u2f-devices
error: snap "brave" has no plug named "u2f-devices"

Excellent, glad to know this resolved the problem.
I’m not sure about having this interface auto-connected. @jdstrand what do you think? Would that present potential security concerns?

It is manually connected by default because it gives device access to the snap and people may not want to unconditionally grant that to all snaps that ask for it.

That said, if the publisher wanted to request an auto-connection, that can be considered.