Bug #1967632 “[snap] apparmor denied when trying to load pkcs11 ...” : Bugs : chromium-browser package : Ubuntu

Revision history for this message

In Mozilla Bugzilla #1734371, Olivier Tilloy (osomon) wrote on 2021-10-06:

#25

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:93.0) Gecko/20100101 Firefox/93.0

Steps to reproduce:

This is a snap-specific issue. It was previously reported in various places:
  - https://forum.snapcraft.io/t/cant-load-security-device-in-firefox-snap/12471
  - https://forum.snapcraft.io/t/confined-browser-snaps-cant-use-system-libraries-pkcs11-and-native-host-messaging-what-do-we-do/11828
  - https://forum.snapcraft.io/t/access-external-lib-to-use-usb-token-in-firefox/13959
  - https://bugs.launchpad.net/ubuntu/+source/chromium-browser/+bug/1843392

Snapd's strict confinement makes it impossible for the firefox snap to load PKCS#11 security devices from `about:preferences#privacy` ("Security Devices" button in the "Security" section), because it denies access to `/usr/lib/pkcs11` and to `/var/run/pcscd/pcscd.comm`.

Revision history for this message

In Mozilla Bugzilla #1734371, Olivier Tilloy (osomon) wrote on 2021-10-06:

#26

(from https://bugs.launchpad.net/ubuntu/+source/chromium-browser/+bug/1843392/comments/1)

The proposed approach to solve this that was discussed with the Ubuntu security team is:
- stage common PKCS modules in the snap
- add a layout for `/usr/lib/pkcs11` pointing to a writeable area of the snap (e.g. `$SNAP_USER_DATA/.local/lib`)
- on first run, copy the common PKCS modules to that writeable area
- document that custom modules (and their dependencies?) should be manually copied to that directory
- create a new interface (not auto-connected, that's okay) for access to `/var/run/pcscd/pcscd.comm`

I'm not familiar with how smart card readers work though, so feedback and suggestions are welcome.

Revision history for this message

In Mozilla Bugzilla #1734371, Release-mgmt-account-bot (release-mgmt-account-bot) wrote on 2021-10-06:

#27

The [Bugbug](https://github.com/mozilla/bugbug/) bot thinks this bug should belong to the 'Core::Security: PSM' component, and is moving the bug to that component. Please revert this change in case you think the bot is wrong.

Revision history for this message

In Mozilla Bugzilla #1734371, Dkeeler (dkeeler) wrote on 2021-10-06:

#28

Seems like it would be easier to allow access to `/usr/lib/pkcs11` and `/var/run/pcscd/pcscd.comm`, but I don't know what options snap has for that.

Revision history for this message

In Mozilla Bugzilla #1734371, W-jan-k (w-jan-k) wrote on 2021-10-06:

#29

This seems similar: https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/Native_messaging
IIUC Firefox and Chrome (as important as systemd) need to be able to start binaries that are defined in certain json files. Those binaries are installed by non-snap packages or scripts and need to run as the regular user. Such a binary can be used to control other applications or to talk to hardware or to flash firmware.

https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/Native_manifests
> There are three different types of native manifest:
> * Native messaging manifests
> * Managed storage manifests
> * PKCS #11 manifests

> Linux
> For global visibility, store the manifest in either:
> /usr/lib/mozilla/native-messaging-hosts/<name>.json
> /usr/lib/mozilla/managed-storage/<name>.json
> /usr/lib/mozilla/pkcs11-modules/<name>.json
or:
> /usr/lib64/mozilla/native-messaging-hosts/<name>.json
> /usr/lib64/mozilla/managed-storage/<name>.json
> /usr/lib64/mozilla/pkcs11-modules/<name>.json
>
> For per-user visibility, store the manifest in:
> ~/.mozilla/native-messaging-hosts/<name>.json
> ~/.mozilla/managed-storage/<name>.json
> ~/.mozilla/pkcs11-modules/<name>.json

Revision history for this message

In Mozilla Bugzilla #1734371, Olivier Tilloy (osomon) wrote on 2021-10-07:

#30

Right, so for the pkcs11 browser extension API to work, we will also need to grant the firefox snap read access to `/usr/lib{,64}/mozilla/{native-messaging-hosts,managed-storage,pkcs11-modules}`. Thanks @Darkspirit for this additional piece of information.

For future reference, manual installation and provisioning through the API of PKCS#11 modules is documented here: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/PKCS11/Module_Installation.

Revision history for this message

In Mozilla Bugzilla #1734371, W-jan-k (w-jan-k) wrote on 2021-10-07:

#31

Not only that, the snap would need to parse these json files and allow Firefox&Chrome to start the binary defined in "path" with full access to the system as a regular user. The binary needs to be able to do what it wants. (It's somewhat like allowing Firefox to start pre-defined systemd services.)
If that doesn't happen, users might switch to a potentionally less secure alternative to native messaging, for example, running a local webserver accessible by every website and possibly without proper authentication which then executes commands.

Revision history for this message

In Mozilla Bugzilla #1734371, W-b (w-b) wrote on 2021-10-11:

#32

Another option could be to create a dbus service to enumerate and/or use PKCS#11 modules that are registered into p11-kit. This would allow any PKCS#11 module to work, not just those that use pcsclite behind the scenes.

That might be a bit more work (the full p11-kit and PKCS#11 API would need to be mapped onto dbus), but it seems to me to be less of a layering violation?

Revision history for this message

In Mozilla Bugzilla #1734371, Olivier Tilloy (osomon) wrote on 2021-10-25:

#33

As pointed out by several persons in various places, this problem (PKCS#11 modules) and the issue with native messaging share a common denominator: native manifests (https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/Native_manifests).

Revision history for this message

In Mozilla Bugzilla #1734371, W-jan-k (w-jan-k) wrote on 2021-11-03:

#34

> S2 (Serious) Major functionality/product severely impaired and a satisfactory workaround does not exist

Revision history for this message

In Mozilla Bugzilla #1734371, Olivier Tilloy (osomon) wrote on 2021-11-19:

#35

See https://github.com/flatpak/xdg-desktop-portal/issues/662.

Revision history for this message

Andreas Hasenack (ahasenack) wrote on 2022-04-02:

#1

Dependencies.txt Edit (3.9 KiB, text/plain; charset="utf-8")
ProcCpuinfoMinimal.txt Edit (1.1 KiB, text/plain; charset="utf-8")
ProcEnviron.txt Edit (331 bytes, text/plain; charset="utf-8")
Snap.Connections.txt Edit (2.9 KiB, text/plain; charset="utf-8")
Snap.Info.core20.txt Edit (735 bytes, text/plain; charset="utf-8")
Snap.Info.firefox.txt Edit (1.0 KiB, text/plain; charset="utf-8")
Snap.Info.gnome-3-38-2004.txt Edit (795 bytes, text/plain; charset="utf-8")
Snap.Info.gtk-common-themes.txt Edit (816 bytes, text/plain; charset="utf-8")

Revision history for this message

Andreas Hasenack (ahasenack) wrote on 2022-04-02:

#2

The upstream firefox binary tarball loads the pkcs11 module just fine from /usr/lib/x86_64-linux-gnu/

Revision history for this message

Sebastien Bacher (seb128) wrote on 2022-04-03:

#3

Thanks, that's known and on the desktop jira and tracked upstream as https://bugzilla.mozilla.org/show_bug.cgi?id=1734371

Adolfo Jayme Barrientos (fitojb) on 2022-04-09

Changed in firefox (Ubuntu):
importance:	Undecided → High
status:	New → Triaged

Revision history for this message

José Marinho (jmarinho) wrote on 2022-04-11:

#4

It's the same with Spain's government electronic ID card. When I try to load the security device on firefox (the smart card reader) it throw me an error.

Output of dmesg:

6930.990257] audit: type=1400 audit(1649676741.715:120): apparmor="DENIED" operation="file_mmap" profile="snap.firefox.firefox" name="/run/user/1000/doc/2312b93b/libpkcs11-dnie.so" pid=2836 comm="firefox" requested_mask="m" denied_mask="m" fsuid=1000 ouid=0
[ 6993.801991] audit: type=1400 audit(1649676804.530:121): apparmor="DENIED" operation="file_mmap" profile="snap.firefox.firefox" name="/run/user/1000/doc/2312b93b/libpkcs11-dnie.so" pid=2836 comm="firefox" requested_mask="m" denied_mask="m" fsuid=1000 ouid=0.

The firefox .deb packages (ubuntu 21.10 and 20.04) works fine. I'm on 22.04 with default firefox snap package

Revision history for this message

Marcos Alano (mhalano) wrote on 2022-04-11:

#5

It seems the fix is coming. A new interface called pkcs11 was released. Now it just needs Firefox snap use it.

Jeremy Bícha (jbicha) on 2022-04-14

tags:

added: snap

Revision history for this message

Ubucolors (ubucolors) wrote on 2022-04-24:

#6

Here the BE government application eid-viewer (latest version) dot not load the data on Belgian identity-cards. Not the internal (a Dell-Latitude) , not the external card reader PKCS#11 works. The leds on the reader goes dark 5 seconds after plugging the usb cable in.
I see on the eid-archive.deb that the latest Ubuntu version is still not listed. Ubuntu 21.10 is the last version. https://eid.belgium.be/nl/linux-eid-software-installatie

Olivier Tilloy (osomon) on 2022-04-27

summary:

- apparmor denied when trying to load pkcs11 module for smart card
+ [snap] apparmor denied when trying to load pkcs11 module for smart card
authentication

Revision history for this message

Douglas E Engert (dengert) wrote on 2022-05-16:

#7

Initial problem of:

Initial problem of "[sáb abr 2 17:32:27 2022] audit: type=1400 audit(1648931547.646:115): apparmor="DENIED" operation="file_mmap" profile="snap.firefox.firefox" name="/run/user/1000/doc/e0bac853/libaetpkss.so.3.5.4112" pid=3680 comm="firefox" requested_mask="m" denied_mask="m" fsuid=1000 ouid=0"

can be solved by adding to /var/lib/snapd/apparmor/profiles/snap.firefox.firefox something like:
-- DEE.snap.firefox.firefox 2022-05-15 00:51:38.010651530 -0500
+++ snap.firefox.firefox 2022-05-15 21:18:39.445523027 -0500
@@ -312,6 +312,9 @@
/tmp/ r,
/tmp/** mrwlkix,

+ #DEE
+ /run/user/[0-9]*/** mrwlkix,
+
   # App-specific access to files and directories in /dev/shm. We allow file
   # access in /dev/shm for shm_open() and files in subdirectories for open()
   # bind mount *not* used here (see 'parallel installs', above)

This adds the "m" mask to the "/run/user/1000/doc/e0bac853/" directory but does allow the module to be loaded. This is overkill, for the directory. For a PKCS11 module "mr" maybe all that is needed.

It is not clear why the choice was made to copy the pkcs11 modules to the doc directory in the first place.
Ubuntu appears to install PKCS11 modules (at least some in) in /usr/lib/x86_64-linux-gnu/pkcs11 so why can't this be used without copying?

The above only show how to get around the first of many possible problems.

Not all Ubuntu installed PKCS11 modules are installed in the above directory. p11-kit-client.so is but opensc-pkcs11.so and onepin-opensc-pkcs11.so are not, just symlinks.

Trying to use the apparmor aa-complain to get more info does not work with the way the snap apparmor profiles are named. It appears the profile uses "." inplace of "/" and there is no "snap/firefox/firefox"

Pkcs11 modules may load other PKCS11 modules, i.e. that is what p11-kit does. Each of these modules may have config files with system and user versions. apparmor needs to address how these config files can be read.

Until it can be shown that PKCS11 modules can be easily be used, I would suggest that firefox not be installed by snap.

Also see:
https://github.com/OpenSC/OpenSC/issues/2552

Initial problem of:

Initial problem of "[sáb abr 2 17:32:27 2022] audit: type=1400 audit(1648931547.646:115): apparmor="DENIED" operation="file_mmap" profile="snap.firefox.firefox" name="/run/user/1000/doc/e0bac853/libaetpkss.so.3.5.4112" pid=3680 comm="firefox" requested_mask="m" denied_mask="m" fsuid=1000 ouid=0"

can be solved by adding to  /var/lib/snapd/apparmor/profiles/snap.firefox.firefox something like:
-- DEE.snap.firefox.firefox	2022-05-15 00:51:38.010651530 -0500
+++ snap.firefox.firefox	2022-05-15 21:18:39.445523027 -0500
@@ -312,6 +312,9 @@
   /tmp/   r,
   /tmp/** mrwlkix,
 
+  #DEE
+  /run/user/[0-9]*/** mrwlkix,
+
   # App-specific access to files and directories in /dev/shm. We allow file
   # access in /dev/shm for shm_open() and files in subdirectories for open()
   # bind mount *not* used here (see 'parallel installs', above)

This adds the "m" mask to the  "/run/user/1000/doc/e0bac853/" directory but does allow the module to be loaded. This is overkill, for the directory. For a PKCS11 module "mr" maybe all that is needed.

It is not clear why the choice was made to copy the pkcs11 modules to the doc directory in the first place.
Ubuntu appears to install PKCS11 modules (at least some in) in  /usr/lib/x86_64-linux-gnu/pkcs11 so why can't this be used without copying?

The above only show how to get around the first of many possible problems.

Not all Ubuntu installed PKCS11 modules are installed in the above directory. p11-kit-client.so is but opensc-pkcs11.so and onepin-opensc-pkcs11.so are not, just symlinks.

Trying to use the apparmor aa-complain to get more info does not work with the way the snap apparmor profiles are named. It appears the profile uses "." inplace of "/" and there is no "snap/firefox/firefox"

Pkcs11 modules may load other PKCS11 modules, i.e. that is what p11-kit does. Each of these modules may have config files with system and user versions. apparmor needs to address how these config files can be read.

Until it can be shown that PKCS11 modules can be easily be used, I would suggest that firefox not be installed by snap.

Also see:
https://github.com/OpenSC/OpenSC/issues/2552

Revision history for this message

In Mozilla Bugzilla #1734371, Douglas E Engert (dengert) wrote on 2022-05-16:

#36

When apparmor is also used, the PKCS11 module also needs "M" (file_mmap) but this is a first step
I believe the idea of copying the files to a the "doc" is not needed, if "M" and "R" access were available to
/usr/lib/x86_64-linux-gnu/pkcs11 (or equivalent on other systems.) This is where the p11-kit-client.so module (and others) resides.

As an OpenSC developer, this problem as been reported on https://github.com/OpenSC/OpenSC/issues/2552
https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1967632.

Let me know if there is anything I can do to assist is getting smart cards working again with snap.

Revision history for this message

Douglas E Engert (dengert) wrote on 2022-05-21:

#8

Download full text (3.3 KiB)

After spending a week on this, I think I see the problem.

(1) pkcs11 modules are dynamically load by mozilla nss and need the /etc/apparmor.d/abstractions/p11-kit as stated in previous comment.

(2) dynamically loaded modules may also load additional shared libraries. So apparmor profiles are need for each possible pkcs11 module. Ubuntu-22.04 has a /etc/apparmor.d/abstractions/p11-kit but needs the "m" file_mmap as stated in previous comment.

(3) /var/lib/snapd/apparmor/profiles/snap.firefox.firefox included these system based profiles:
  #include <abstractions/base>
  #include <abstractions/consoles>
  #include <abstractions/openssl>
But it does not include
  #include <abstractions/p11-kit>
So it can not load the p11-kit or any pkcs11 module p11-kit might try and load.
(/etc/apparmor.d/abstractions/p11-kit will also include any profiles in abstractions/p11-kit.d)

(4) Smartcard pkcs11 modules use the pcscd system service. On most linux system this is the pcscd-lite package: https://github.com/LudovicRousseau/PCSC the ClientSetupSession https://github.com/LudovicRousseau/PCSC/blob/master/src/winscard_msg.c#L107-L167 sets client access to the socket. (I have not looked at what it would take to add the dbus apparmor code needed to do this.)

Observations:

With a modified p11-kit /etc/apparmor.d/abstractions/p11-kit with the "m" file_mmap and adding the #include <abstractions/p11-kit> to /var/lib/snapd/apparmor/profiles/snap.firefox.firefox I can add p11-kit as a "security Device", but it does not load any additional pkcs11 modules.

~/snap/firefox/common/.mozilla/firefox/0i8u9awg.default/pkcs11.txt has:
   library=/lib/x86_64-linux-gnu/libp11-kit.so.0.3.0
    name=p11-kit
   (using symlinks to libs appears to be a problem, so I avoided using them.)

I can not add a "security device" for OpenSC even with adding a /etc/apparmor.d/abstractions/opensc profile.

(Others on the internet have reported problems with other smart card pkcs11 modules not just opensc.)

Using audit on all possible files, does not show a file loading problem or does running
sudo apparmor_parser -v -C -r snap.firefox.firefox to reload with complain only show any problems. So the problme must be somehing else.

P11-kit does not directly need access to pcscd, so (4) is not an issue with p11 kit itself but (4) is an issued with any (or most) pkcs11 modules loaded by p11-kit.

Solutions:

For a snap installed firefox if (1), (2), (3) and (4) where addressed, snap firefox should work.
Adding profiles for each pkcs11 module to /etc/apparmor.d/abstractions and adding an include in /etc/apparmor.d/abstractions/p11-kit.d would require only only adding an include for p11-kit to snap.firefox.firefox. I hope that there is enough info above so someone else can add the dbus code.

Personally:

I find snap to be nightmare and Ubuntu should not have made it the default firefox. Ubuntu should at least continue to give the user a choice. All my testing has been on a virtual test 22.04 system. I was in the process of converting from 20.04 to 22.04, both virtual, when I ran into this problem. I have removed the snap firefox and am working on using the Debian firefox-esr which...

After spending a week on this, I think I see the problem.

(1) pkcs11 modules are dynamically load by mozilla nss and need the /etc/apparmor.d/abstractions/p11-kit   as stated in previous comment.

(2) dynamically loaded modules may also load additional shared libraries. So apparmor profiles are need for each possible pkcs11 module. Ubuntu-22.04 has a /etc/apparmor.d/abstractions/p11-kit but needs the "m" file_mmap as stated in previous comment.

(3) /var/lib/snapd/apparmor/profiles/snap.firefox.firefox included these system based profiles:
  #include <abstractions/base>
  #include <abstractions/consoles>
  #include <abstractions/openssl>
But it does not include 
  #include <abstractions/p11-kit> 
So it can not load the p11-kit or any pkcs11 module p11-kit might try and load.
(/etc/apparmor.d/abstractions/p11-kit will also include any profiles in abstractions/p11-kit.d)

(4) Smartcard pkcs11 modules use the pcscd system service. On most linux system this is the pcscd-lite package: https://github.com/LudovicRousseau/PCSC the ClientSetupSession  https://github.com/LudovicRousseau/PCSC/blob/master/src/winscard_msg.c#L107-L167 sets client access to the socket. (I have not looked at what it would take to add the dbus apparmor code needed to do this.)

Observations:

With a modified p11-kit /etc/apparmor.d/abstractions/p11-kit with the "m" file_mmap and adding the #include <abstractions/p11-kit> to /var/lib/snapd/apparmor/profiles/snap.firefox.firefox I can add p11-kit as a "security Device", but it does not load any additional pkcs11 modules.
 
 ~/snap/firefox/common/.mozilla/firefox/0i8u9awg.default/pkcs11.txt has: 
   library=/lib/x86_64-linux-gnu/libp11-kit.so.0.3.0
    name=p11-kit
   (using symlinks to libs appears to be a problem, so I avoided using them.)

I can not add a "security device" for OpenSC even with adding a /etc/apparmor.d/abstractions/opensc profile.

(Others on the internet have reported problems with other smart card pkcs11 modules not just opensc.)

Using audit on all possible files, does not show a file loading problem or does running
sudo apparmor_parser -v -C -r snap.firefox.firefox to reload with complain only show any problems. So the problme must be somehing else.

P11-kit does not directly need access to pcscd, so (4) is not an issue with p11 kit itself but (4) is an issued with any (or most) pkcs11 modules loaded by p11-kit.

Solutions:

For a snap installed firefox if (1), (2), (3) and (4) where addressed, snap firefox should work.
Adding profiles for each pkcs11 module to /etc/apparmor.d/abstractions and adding an include in /etc/apparmor.d/abstractions/p11-kit.d would require only only adding an include for p11-kit to snap.firefox.firefox. I hope that there is enough info above so someone else can add the dbus code.

Personally:

I find snap to be nightmare and Ubuntu should not have made it the default firefox. Ubuntu should at least continue to give the user a choice. All my testing has been on a virtual test 22.04 system. I was in the process of converting from 20.04 to 22.04, both virtual, when I ran into this problem. I have removed the snap firefox and am working on using the Debian firefox-esr which works great with smartcards and pkcs11, and is much faster. I just have to convert my .mozilla profiles because the name changed from firefox to firefox-esr.

Revision history for this message

In Mozilla Bugzilla #1734371, Lissyx+mozillians (lissyx+mozillians) wrote on 2022-07-20:

#37

The linked https://github.com/flatpak/xdg-desktop-portal/issues/662 has had no activity, can we help in some way?

Revision history for this message

In Mozilla Bugzilla #1734371, Douglas E Engert (dengert) wrote on 2022-07-20:

#38

> The linked https://github.com/flatpak/xdg-desktop-portal/issues/662 has had no activity, can we help in some way?

Maybe. The problem appears to be with the packaging of PKCS11 modules when using SNAP as noted in: https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1967632/comments/8

The Debian version of FireFox without SNAP works fine, but Ubuntu in 22.04 packaged FireFox as a SNAP application does not.

I would hope that Mozilla developers could could work with Ubuntu SNAP developers to resolve the issue. Either to get it to work with SNAP or talk Ubuntu in to not making the default FireFox be the SNAP version.
As best as I can tell every PKCS11 module would have to be configured for SNAP and that does not look easy.

Revision history for this message

In Mozilla Bugzilla #1734371, Olivier Tilloy (osomon) wrote on 2022-07-21:

#39

For the proposal of a PKCS#11 portal to stand a reasonable chance of being accepted and implemented, I think we need to wait for the WebExtensions portal to prove itself (this is in a fairly advanced state, the portal is already available in Ubuntu 22.04, and integration in Firefox is complete and I'm hoping it'll land soon).

Revision history for this message

In Mozilla Bugzilla #1734371, Lissyx+mozillians (lissyx+mozillians) wrote on 2022-07-22:

#40

(In reply to deengert from comment #13)
> > The linked https://github.com/flatpak/xdg-desktop-portal/issues/662 has had no activity, can we help in some way?
>
> Maybe. The problem appears to be with the packaging of PKCS11 modules when using SNAP as noted in: https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1967632/comments/8

Thanks, it's detailed, having a quick look it seems like it's already properly documented as distro-level packaging issue then ?

Revision history for this message

In Mozilla Bugzilla #1734371, Douglas E Engert (dengert) wrote on 2022-07-23:

#41

Yes it looks like distro-level packaging issue. But to end user it looks like a regression of FireFox and/or smartcard support which is important to only a small percentage of FireFox users. So distro maybe slow to do anything about it. A few words to the distro from Mozilla might help get this fixed.

Revision history for this message

Luca Ferroni (liuck) wrote on 2022-08-22:

#9

Hi, this bug also affects me.

TLDR and as a confirm of the workaround, as root digit:

# mkdir /etc/apparmor.d/abstractions/p11-kit.d/
# echo "/run/user/[0-9]*/** mr," > /etc/apparmor.d/abstractions/p11-kit.d/snap

add "#include <abstractions/p11-kit>" in /var/lib/snapd/apparmor/profiles/snap.firefox.firefox after #include <abstractions/openssl>

# apparmor_parser -v -C -r /var/lib/snapd/apparmor/profiles/snap.firefox.firefox

Revision history for this message

ThomasN (tnetter) wrote on 2022-08-24:

#10

Many thanks to Luca Ferroni for summarizing a solution.
For users of European Patent Office smart cards seeing
Secure Connection Failed... Error code: SSL_ERROR_HANDSHAKE_FAILURE_ALERT

please see instructions posted by thomasip on Wed Aug 24, 2022 2:29 pm at:
https://forums.epo.org/new-version-of-the-cryptovision-software-12191#p40162

Revision history for this message

Douglas E Engert (dengert) wrote on 2022-08-24:

#11

https://launchpad.net/~liuck can you give some more information:

What PKCS11 module are you using?

What version of Ubuntu?

From my testing with a fresh copy install of XUbuntu-22.04.1 as guest of VirtualBox, the "/run/user/[0-9]*/** mr," appears to allow access to any file in my /usr/run/1000 directory.

When I use firefox's "Security Devices... Load" and browse for a module, I give the path to the system version of the module(s) I have tried: both /usr/lib/x86_64-linux-gnu/pkcs11/p11-kit-client.so and /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so. Both get a "Unable to add module" and the location shown in /run/user/1000/doc/48e09223/p11-kit-client.so /run/user/1000/doc/e3261d9/opensc-pkcs11.so

So it looks like it find the files and copies to /run/user/1000/doc/*.

But both of these modules need access to other libs and also need to use pcscd to access the smartcard readers.

https://launchpad.net/~tnetter
Can you give some more information about "/usr/local/lib/libcvP11.so"
It is not clear why this works with: https://forums.epo.org/new-version-of-the-cryptovision-software-12191#p40162

It may be that this is a simple library and does not use pcscd.

Revision history for this message

Luca Ferroni (liuck) wrote on 2022-08-25:

#12

https://launchpad.net/~dengert , https://launchpad.net/~tnetter

unfortunately my summary of @dengert instructions is nor a solution / nor a workaround.

Following those steps I managed to add only one "security device", but it does not work when accessing the website: https://dichiarazioneprecompilatasc.agenziaentrate.gov.it/

The security device I have added uses the module /usr/share/bit4id/x/libbit4xpki.so (FF copies it to /run/user/1000/doc/fb1650f7/libbit4xpki.so)

I didn't succeed in adding: /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so (FF copies it to /run/user/1000/doc/bc62d73/opensc-pkcs11.so but issues "Cannot load module")

I am not in a urgent need of this bug to be fixed, but I'd really like to help in finding the root cause. I am wondering if there is a small shell/python script that can be helpful to isolate the problem avoiding to reproduce the steps with Firefox that hides details.

For example: how can I test from CLI if my smart card reader is working with OpenSC? (keeping out SNAP or Firefox from the test?) I think it can be useful to write down here a simple check.

Revision history for this message

Douglas E Engert (dengert) wrote on 2022-08-25:

#13

This problem is an Ubuntu/snap packaging issue. FF and Thunderbird both allow the loading of PKCS11 modules as do other programs. But the snap has not packaged these.

Access to smartcards is usually handled by PC/SC i.e. the pcscd daemon. It provides locking access to the smartcards from multiple running applications. So this is another issue for snap, how to provide access to this system daemon.

Snap does provide the ability to load the p11-kit but then p11-kit tries to load other PKCS11 modules which may need to load additional libraries. /usr/lib/x86_64-linux-gnu/pkcs11/* and run "p11-kit list-modules".

p11-kit has a client/remote capability that I have never looked at. It might be possible to use this from snap to a "remote" server running on the the local host.

Are there FF extensions that may similar problems?

Until Ubuntu can packaged up other pkcs11 modules and handle pcscd, the way to: "test from CLI if my smart card reader is working" is to use the debian firefox-esr which does not have any problems.

Revision history for this message

Douglas E Engert (dengert) wrote on 2022-08-25:

#14

https://launchpad.net/~liuck
You can test your reader/card with OpenSC without firefox.

see: "man pkcs11-tool" or "pkcs11-tool --help". "pkcs11-tool --test --login" will try and read certificates and do sign/verify using private keys. It may prompt for pin several times.

If you can also add --module <path/to/module> to use test a different PKCS11 module.

Revision history for this message

Luca Ferroni (liuck) wrote on 2022-08-25:

#15

BTW: I succeed in my test and I checked my working ACR38 AC1038-based Smart Card Reader with these commands:

# apt install libacsccid1 pcscd pcsc-tools opensc
# pcsc_scan

and in FF snap I cannot load /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so

(thanks to https://guide.debianizzati.org/index.php/Carta_Nazionale/Regionale_dei_Servizi)

I don't know the relation between libacsccid1 and opensc but I suppose that libacsccid1 is a library used by pcscd, whereas opensc is a middleware between FF (or other PKCS11 API software) and pcscd.

I would like to try packaging pcsc-tools as a SNAP to see if it can read card info, do you think it could be a good idea, or just a waste of time?

Revision history for this message

Luca Ferroni (liuck) wrote on 2022-08-26:

#16

Guys, it works for me!
It's weird but somehow it works :-)

More than my previous not working comment https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1967632/comments/9
I have added:

- the libacsccid1 package
- rw access to the unix socket /run/pcscd/pcscd.comm in the apparmor profile

Summarizing the solution again:

# apt install libacsccid1 pcscd
# mkdir /etc/apparmor.d/abstractions/p11-kit.d/
# echo "/run/user/[0-9]*/** mr," > /etc/apparmor.d/abstractions/p11-kit.d/snap
# echo "/run/pcscd/pcscd.comm rw," >> /etc/apparmor.d/abstractions/p11-kit.d/snap

add "#include <abstractions/p11-kit>" in /var/lib/snapd/apparmor/profiles/snap.firefox.firefox after #include <abstractions/openssl>

# apparmor_parser -v -C -r /var/lib/snapd/apparmor/profiles/snap.firefox.firefox

Then in Firefox -> Settings -> Privacy and Security -> Security devices
Load -> name: ACS ACR38U in my case, but can be anything you want, module: /usr/share/bit4id/x/libbit4xpki.so

That's for my card, my reader and my module. And note: my FF is in Italian, translation may differ a bit in English.

Further weird notes:

1. The first time I try to access after a reboot, I go to the webpage https://dichiarazioneprecompilata.agenziaentrate.gov.it and FF ask me for the PIN (with a system dialog). I insert the PIN and FF ask me again for the PIN in an infinite cycle, I have to kill FF. But the second time and following times I access the page it works like a charm even in Incognito mode. Weird, but I can live with it. I seldom use smart card.

2. Another strange thing that happened while I was trying to isolate the right steps to publish here is that I removed rw access to pcscd.comm socket in apparmor profile and FF kept working! Even after a restart, and even in Incognito mode. So I have rebooted the system in order to be sure that rw access to the socket would be a requirement, and that's it.

3. I don't know why Firefox does not let me load the /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so module. It complains with the message "Unable to add module" :-(
even if I add `/usr/lib/x86_64-linux-gnu/** rm,` in /etc/apparmor.d/abstractions/p11-kit.d/snap apparmor profile.

Differences between opensc-pkcs11.so and libbit4xpki.so

file /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so /usr/lib/bit4id/libbit4xpki.so

/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=de5eb51ea9145d2bfd9428110736825895bb56f4, stripped

/usr/lib/bit4id/libbit4xpki.so: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=825713056df8eb66f78817284b4ec2c7a2d8c26b, not stripped

My environment is:

Ubuntu 22.04.1 LTS
Codename: jammy
Mozilla Firefox 104.0

I think that's all my story, if there is something else or attempts I can make in my environment, please ask, I remain here available.

Guys, it works for me!
It's weird but somehow it works :-)

More than my previous not working comment https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1967632/comments/9
I have added:

- the libacsccid1 package
- rw access to the unix socket /run/pcscd/pcscd.comm in the apparmor profile

Summarizing the solution again:

# apt install libacsccid1 pcscd
# mkdir /etc/apparmor.d/abstractions/p11-kit.d/
# echo "/run/user/[0-9]*/** mr," > /etc/apparmor.d/abstractions/p11-kit.d/snap
# echo "/run/pcscd/pcscd.comm rw," >> /etc/apparmor.d/abstractions/p11-kit.d/snap

add "#include <abstractions/p11-kit>" in /var/lib/snapd/apparmor/profiles/snap.firefox.firefox after #include <abstractions/openssl>

# apparmor_parser -v -C -r /var/lib/snapd/apparmor/profiles/snap.firefox.firefox

Then in Firefox -> Settings -> Privacy and Security -> Security devices
Load -> name: ACS ACR38U in my case, but can be anything you want, module: /usr/share/bit4id/x/libbit4xpki.so

That's for my card, my reader and my module. And note: my FF is in Italian, translation may differ a bit in English.

Further weird notes:

1. The first time I try to access after a reboot, I go to the webpage https://dichiarazioneprecompilata.agenziaentrate.gov.it and FF ask me for the PIN (with a system dialog). I insert the PIN and FF ask me again for the PIN in an infinite cycle, I have to kill FF. But the second time and following times I access the page it works like a charm even in Incognito mode. Weird, but I can live with it. I seldom use smart card.

2. Another strange thing that happened while I was trying to isolate the right steps to publish here is that I removed rw access to pcscd.comm socket in apparmor profile and FF kept working! Even after a restart, and even in Incognito mode. So I have rebooted the system in order to be sure that rw access to the socket would be a requirement, and that's it.

3. I don't know why Firefox does not let me load the /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so module. It complains with the message "Unable to add module" :-(
even if I add `/usr/lib/x86_64-linux-gnu/** rm,` in /etc/apparmor.d/abstractions/p11-kit.d/snap apparmor profile.

Differences between opensc-pkcs11.so and libbit4xpki.so

file /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so /usr/lib/bit4id/libbit4xpki.so

/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=de5eb51ea9145d2bfd9428110736825895bb56f4, stripped

/usr/lib/bit4id/libbit4xpki.so:             ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=825713056df8eb66f78817284b4ec2c7a2d8c26b, not stripped

My environment is:

Ubuntu 22.04.1 LTS
Codename:	jammy
Mozilla Firefox 104.0

I think that's all my story, if there is something else or attempts I can make in my environment, please ask, I remain here available.

Revision history for this message

Olivier Tilloy (osomon) wrote on 2022-08-26:

#17

Thank you very much for documenting thoroughly your findings. These will be useful to design and implement a proper solution to the problem.

In the meantime, a couple of comments:

- the apparmor profile will be overwritten every time the snap is updated, so you will have to re-apply the changes

- /usr inside the snap is a bind-mount from /usr in the base snap, not on the host system, which explains why your addition of `/usr/lib/x86_64-linux-gnu/** rm,` to the apparmor profile doesn't work as you'd expect (see https://github.com/snapcore/snapd/pull/11025#issuecomment-1225787194 for details)

Revision history for this message

Douglas E Engert (dengert) wrote on 2022-08-26:

#18

Download full text (3.2 KiB)

This maybe the biggest problem:
"- /usr inside the snap is a bind-mount from /usr in the base snap, not on the host system, which explains why your addition of `/usr/lib/x86_64-linux-gnu/** rm,` to the apparmor profile doesn't work as you'd expect (see https://github.com/snapcore/snapd/pull/11025#issuecomment-1225787194 for details)"

Are both of you saying that the location of the PKCS11 module makes a difference?
And if the normal location is in /usr/lib/x86_64-linux-gnu is part of the FF snap package and
their is no way to include files from the local system's /usr/lib/x86_64-linux-gnu.
So is that what the copying to the /usr/run/<uid>/doc is trying to overcome?

There are many PKCS11 modules out there, some provided by smartcard vendors and not part of a distro.
OpenSC is distributed Ubuntu and most other distros. How will you handle these other modules?

What package has the /usr/lib/bit4id/libbit4xpki.so?

can you run "ldd /usr/lib/bit4id/libbit4xpki.so" to see what other libs are required?
Does it use a socket to pcscd?

Is it possible some other libs must also be included?

Can you try to install opensc-pkcs11 (which also installs opensc) to your system and see you can get FF to load it?

opensc-pkcs11-0.22.0-1ubuntu2 installs opensc-pkcs11.so in two places: /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so and /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so (which is were p11-kit would load it)
and depends on libopensc.so.8 and /usr/lib/x86_64-linux-gnu/libcrypto.so.3 from libssl3-3.0.2-0ubuntu1.6

$ ls -l /usr/lib/x86_64-linux-gnu/*opensc*
lrwxrwxrwx 1 root root 18 Mar 10 11:00 /usr/lib/x86_64-linux-gnu/libopensc.so.8 -> libopensc.so.8.0.0
-rw-r--r-- 1 root root 2040208 Mar 10 11:00 /usr/lib/x86_64-linux-gnu/libopensc.so.8.0.0
-rw-r--r-- 1 root root 234704 Mar 10 11:00 /usr/lib/x86_64-linux-gnu/onepin-opensc-pkcs11.so
-rw-r--r-- 1 root root 234704 Mar 10 11:00 /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
$ ldd /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
linux-vdso.so.1 (0x00007ffcbbdfe000)
libopensc.so.8 => /lib/x86_64-linux-gnu/libopensc.so.8 (0x00007efd3cd14000)
libcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 (0x00007efd3c8d2000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007efd3c6aa000)
libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007efd3c68e000)
libgio-2.0.so.0 => /lib/x86_64-linux-gnu/libgio-2.0.so.0 (0x00007efd3c4b6000)
libgobject-2.0.so.0 => /lib/x86_64-linux-gnu/libgobject-2.0.so.0 (0x00007efd3c456000)
/lib64/ld-linux-x86-64.so.2 (0x00007efd3cf58000)
libglib-2.0.so.0 => /lib/x86_64-linux-gnu/libglib-2.0.so.0 (0x00007efd3c31a000)
libgmodule-2.0.so.0 => /lib/x86_64-linux-gnu/libgmodule-2.0.so.0 (0x00007efd3c313000)
libmount.so.1 => /lib/x86_64-linux-gnu/libmount.so.1 (0x00007efd3c2cf000)
libselinux.so.1 => /lib/x86_64-linux-gnu/libselinux.so.1 (0x00007efd3c2a3000)
libffi.so.8 => /lib/x86_64-linux-gnu/libffi.so.8 (0x00007efd3c296000)
libpcre.so.3 => /lib/x86_64-linux-gnu/libpcre.so.3 (0x00007efd3c21e000)
libm.so.6 => /lib/x86_64-linux-gnu/libm.so.6 (0x00007efd3c137000)
libblkid.so.1 => /lib/x86_64-linux-gnu/libblkid.so.1 (0x00007efd3c100000)
libpcre2-8.so.0 => /lib/x86_64-linux-gnu/libp...

Thanks for the ldd output.
libpcsclite.so.1 is the lib to used the pcscd socket, and is used by modules libstpkcs11.so, libeToken.so.10.7.77 and libopensc.so.8 (see below)   It is not used in libbit4xpki.so which may be a software pkcs11 or does not use pcscd.

libcrypto.so.1.1 is OpenSSL-1.1 and also used by modules libstpkcs11.so and opensc-pkcs11.so

So libstpkcs11.so, libeToken.so.10.7.77 and libstpkcs11.so, libeToken.so.10.7.77 all appear to work as all the libs are available.

The difference is opensc-pkcs11.so needs to load libopensc.so.8 and a few others that I have not looked at

On a 22.04.1 system running the command  `sudo snap run --shell firefox.firefox` will run snap as root to have snap start up a shell with the environment that firefox would run under.

The `df` command shows:
 
/dev/sda3       122388080  11202960  104921928  10% /var/lib/snapd/hostfs
tmpfs              814036      1272     812764   1% /run
tmpfs                5120         4       5116   1% /run/lock
tmpfs              814036       100     813936   1% /run/user/1000
/dev/loop0            128       128          0 100% /snap/bare/5
/dev/loop1          63488     63488          0 100% /snap/core20/1587
/dev/loop2          63488     63488          0 100% /
/dev/loop3         167296    167296          0 100% /snap/firefox/1635
/dev/loop4         181248    181248          0 100% /snap/firefox/1749
/dev/loop5         410496    410496          0 100% /snap/gnome-3-38-2004/112
/dev/loop7          48128     48128          0 100% /snap/snapd/16292
/dev/loop6          93952     93952          0 100% /snap/gtk-common-themes/1535
/dev/sda2          524252      5364     518888   2% /var/lib/snapd/hostfs/boot/efi
Argonne        1952871748 479641924 1473229824  25% /media/sf_Argonne
VM-Shared      1952871748 479641924 1473229824  25% /media/sf_VM-Shared
/dev/loop8         354688    354688          0 100% /snap/gnome-3-38-2004/115
udev              4034884         0    4034884   0% /dev
tmpfs             4070180         0    4070180   0% /dev/shm
tmpfs             4070180         0    4070180   0% /snap/firefox/1749/data-dir/icons
tmpfs             4070180         0    4070180   0% /snap/firefox/1749/data-dir/sounds
tmpfs             4070180         0    4070180   0% /snap/firefox/1749/data-dir/themes
tmpfs             4070180      1996    4068184   1% /usr/lib/x86_64-linux-gnu
tmpfs             4070180         0    4070180   0% /usr/share

and /var/lib/snapd/hostfs is the host's filesystem. I was able to copy libopensc.so.8.0.0 and symlink libopensc.so.8.0.0 to /usr/lib/x86_64-linux-gnu FF will still not load opensc-pkcs11.so and it will be gone on a reboot.

snap does set sone environemt variables that could help:
LD_PRELOAD=:/snap/firefox/1749/gnome-platform/$LIB/bindtextdomain.so
LD_LIBRARY_PATH=/var/lib/snapd/lib/gl:/var/lib/snapd/lib/gl32:/var/lib/snapd/void:/snap/firefox/1749/usr/lib:/snap/firefox/1749/usr/lib/x86_64-linux-gnu:/snap/firefox/1749/gnome-platform/lib/x86_64-linux-gnu:/snap/firefox/1749/gnome-platform/usr/lib/x86_64-linux-gnu:/snap/firefox/1749/gnome-platform/usr/lib:/snap/firefox/1749/gnome-platform/lib:/snap/firefox/1749/gnome-platform/usr/lib/x86_64-linux-gnu/dri:/var/lib/snapd/lib/gl:/snap/firefox/1749/gnome-platform/usr/lib/x86_64-linux-gnu/libunity:/snap/firefox/1749/gnome-platform/usr/lib/x86_64-linux-gnu/pulseaudio

So this is where I am at. Firefox-esr from debiaen works with opensc. Forefox from snap does not. It appears the some effort when it to geting p11-kit to start, but all p11-kit does is load other pkcs11 modules, that may have been installed using normal apt-get. It the initial comments of this bug report there were suggestions to copy the single file if a pkcs11 module to a "doc" directory, but no attempt was made to copy dependent libraries that the module needs.

These will only work if missing libraries are in the snap base or of firefox snap packages.

OpenSC also has a notify capability to tell the user when a card was inserted or removed. This may add additional complications to getting it to work under snap.

Not much else I can do.

Bug Watch Updater (bug-watch-updater) on 2022-09-01

Changed in firefox:
status:	Unknown → Confirmed

Revision history for this message

In Mozilla Bugzilla #1734371, L-bugzilla (l-bugzilla) wrote on 2022-09-14:

#42

(In reply to Olivier Tilloy from comment #1)
> (from https://bugs.launchpad.net/ubuntu/+source/chromium-browser/+bug/1843392/comments/1)
>
> The proposed approach to solve this that was discussed with the Ubuntu security team is:
> - stage common PKCS modules in the snap
> - add a layout for `/usr/lib/pkcs11` pointing to a writeable area of the snap (e.g. `$SNAP_USER_DATA/.local/lib`)
> - on first run, copy the common PKCS modules to that writeable area
> - document that custom modules (and their dependencies?) should be manually copied to that directory
> - create a new interface (not auto-connected, that's okay) for access to `/var/run/pcscd/pcscd.comm`
>
> I'm not familiar with how smart card readers work though, so feedback and suggestions are welcome.

Why can't the snap package be configured to just let access to /var/run/pcscd/pcscd.comm?
The PKCS#11 libs are normally platform/distribution dependent, so you can't just include it in a snap package hoping this will works anywhere.
Dependencies are more platform dependent, 1 over all: libpcsclite.so.1 library shall match the protocol version of his server, you can't just bring it in the snap packages and hope it works.
It looks like Snap is by now very immature technology to run the default version of FF on Ubuntu.

Revision history for this message

J G (josggm1) wrote on 2022-09-19:

#43

Problem to install/read Belgium e-Id. Is this the problem bug? Is there a working work-around available?

Revision history for this message

Douglas E Engert (dengert) wrote on 2022-09-20:

#44

"Is there a working work-around available?"

Yes, install the Debian FireFox-esr which does not use snap.
Google for: Ubuntu firefox esr

https://ubuntuhandbook.org/index.php/2022/03/install-firefox-esr-ubuntu/

Revision history for this message

José Marinho (jmarinho) wrote on 2022-09-20:

#45

Also, you can install the regular Firefox following this instructions. In this case, you will change the snap version for the .deb one. and it contains instructions for avoiding the re-installation of Firefox snap and for getting automated updates for the .deb version via unattended-upgrades:

https://www.omgubuntu.co.uk/2022/04/how-to-install-firefox-deb-apt-ubuntu-22-04

Revision history for this message

In Mozilla Bugzilla #1734371, Lissyx+mozillians (lissyx+mozillians) wrote on 2022-10-10:

#46

(In reply to Olivier Tilloy from comment #1)
> (from https://bugs.launchpad.net/ubuntu/+source/chromium-browser/+bug/1843392/comments/1)
>
> The proposed approach to solve this that was discussed with the Ubuntu security team is:
> - stage common PKCS modules in the snap
> - add a layout for `/usr/lib/pkcs11` pointing to a writeable area of the snap (e.g. `$SNAP_USER_DATA/.local/lib`)
> - on first run, copy the common PKCS modules to that writeable area
> - document that custom modules (and their dependencies?) should be manually copied to that directory
> - create a new interface (not auto-connected, that's okay) for access to `/var/run/pcscd/pcscd.comm`
>
> I'm not familiar with how smart card readers work though, so feedback and suggestions are welcome.

Is this still a plan ? Is anybody on Canonical side working on that ?

Revision history for this message

vasek125 (vasek) wrote on 2022-10-16:

#47

Could there be a little bit more professional solution? If canonical wants to deploy ubuntu in enterprise with a lot of card reader usages, this is a critical bug.

In this case there should be maintained non-snap official firefox package to workaround.

Revision history for this message

Douglas E Engert (dengert) wrote on 2022-10-16:

#48

"If canonical wants to deploy ubuntu in enterprise with a lot of card reader usages, this is a critical bug."
I agree.

The also need to keep in mind, that enterprises may also use smartcards for login which implies pcscd
needs to be run as root as pam modules will need access to it, during login. There should be only one pcscd running. i.e. don't try and put pcscd in a snap package. As there should only be one pcscd running on a system. Pcscd's primary function is to lock access to the card over a set of APDU commands.
See https://pcscworkgroup.com/

Some smart card vendors provide their own PKCS11 modules and users may be need t uses thes via FireFox, either the sanp version or as suggested a "non-snap official firefox package".

Revision history for this message

In Mozilla Bugzilla #1734371, Olivier Tilloy (osomon) wrote on 2022-10-17:

#49

Not currently, but it is on my short-term to-do list.

Revision history for this message

Josué (j2g2rp) wrote on 2022-10-27:

#50

I don't know if this could help someone but firefox from mozilla repositories didn't worked for me neither (Kubuntu 22.10)
If I remember correctly I noticed that pcs package is not installed by default, in addition the service pcsd didn't run by default, in this context firefox can't add the module.

So after install pcsd and after active the service with:
-sudo apt install pcsd
-sudo service pcscd start
-sudo systemctl enable pcscd (this is to keep the service running after a reboot)

I could active the module correctly. Sadly when I did this I had replaced firefox snap by firefox from mozilla repositories so I'm not sure if this could make work the module installation on snap.

Revision history for this message

Marcos Alano (mhalano) wrote on 2022-11-11:

#51

I was able to load the module libaetpkss from version 3.7.0 (instead of the latest 3.8.0) to Snap Firefox just copying the shared library to my home dir (where Firefox has access). It has to be the version 3.7.0 that needs the legacy package libssl1.1

Revision history for this message

Jim Mo (jaimezx) wrote on 2022-12-20:

#52

Adding my name to this as I use an old W10 laptop for accessing USGOV sites until the issue is fixed.

Nathan Teodosio (nteodosio) on 2023-02-06

Changed in chromium-browser (Ubuntu):
importance:	Undecided → High
status:	New → In Progress
assignee:	nobody → Nathan Teodosio (nteodosio)

Revision history for this message

In Mozilla Bugzilla #1734371, Rbarriuso (rbarriuso) wrote on 2023-02-14:

#53

(In reply to Olivier Tilloy from comment #19)
> Not currently, but it is on my short-term to-do list.

Any news about this? Thanks

Revision history for this message

In Mozilla Bugzilla #1734371, Lissyx+mozillians (lissyx+mozillians) wrote on 2023-03-14:

#54

According to Launchpad, it's being worked on for a fix on Chromium, can we also work on Firefox ?

Revision history for this message

In Mozilla Bugzilla #1734371, Amin Bandali (bandali) wrote on 2023-05-10:

#55

Yes, the plan is to work on this for Firefox as well, but I'm not sure about the exact timeline.

Revision history for this message

In Mozilla Bugzilla #1734371, Sebastien Bacher (seb128) wrote on 2023-05-22:

#56

It's on the Ubuntu Desktop team backlog and we hope to be able to work on it during this Ubuntu cycle

Revision history for this message

Nathan Teodosio (nteodosio) wrote on 2023-05-30:

#57

The snap on stable/pkcs has been built with (what I gather are) the essential components — opensc-pkcs11, libpcsclite, and also a couple of debugging utilities — for the most basic and supported smart cards. You may want to test it, if so keep reading.

You would also need pcscd installed and started in your system.

There is a merge request[1] currently under review to allow the snap to use the pcscd socket; Until it's merged you'd need to manually allow access to the socket in /var/lib/snapd/apparmor/profiles/snap.chromium.chromium.

So if your smart card is supported by OpenSC[2], the full recipe is

--->
snap install --channel stable/pkcs chromium
apt install pcscd
systemctl start pcscd.socket
editor /var/lib/snapd/apparmor/profiles/snap.chromium.chromium
#Insert "/{var/,}run/pcscd/pcscd.comm rwm," before the last bracket.
apparmor_parser -r
chromium --enable-logging=stderr &> chr.log
<---

Attach chr.log or the system's journal if you see any relevant error or denial there.

Bear in mind that I was oblivious to the components involved until I started looking at this bug and I still don't have a complete picture of them. So please point out any mistake or omission you can find.

[1] https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1843392/comments/9
[2] https://github.com/snapcore/snapd/pull/12847

Revision history for this message

Ludovic Rousseau (ludovic-rousseau-gmail) wrote on 2023-05-30:

#58

> Bear in mind that I was oblivious to the components involved until I started looking at this bug and I still don't have a complete picture of them. So please point out any mistake or omission you can find.

Your solution may/should work for smart cards that are supported by OpenSC.
But it will not work for all the other PKCS#11 libraries that are not included in he snap.

The idea proposed by Wouter in [1] looks promising.

[1] https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1843392/comments/9

Revision history for this message

Nathan Teodosio (nteodosio) wrote on 2023-09-28:

#59

Thanks Ludovic, so for those smart cards, the pcscd interface has been merged in Snapd (but is apparently only available from 2.60.4 on, so currently you need the beta channel of it), and so I update the test case to a simpler:

--->
snap refresh --beta snapd
snap refresh --channel stable/pkcs chromium
snap connect chromium:pcscd
chromium --enable-logging=stderr >chr.log 2>&1
<---

Revision history for this message

Marc Peña (pachulo) wrote on 2023-10-18 (last edit on 2023-10-18):

#60

Hi! I wanted to try this. This is what I did:

$ sudo snap set system experimental.parallel-instances=true
$ snap refresh --beta snapd
$ sudo snap install --channel stable/pkcs chromium_pkcs
$ sudo snap connect chromium_pkcs:pcscd

But I get an error when trying to execute chromium:

$ chromium_pkcs
/snap/chromium/2648/usr/lib/chromium-browser/chrome: symbol lookup error: /snap/chromium/2648/gnome-platform/usr/lib/x86_64-linux-gnu/libpango-1.0.so.0: undefined symbol: hb_ot_color_has_paint

Is this compatible with parallel installs or the problem lays somewhere else?

Thanks!

Revision history for this message

Nathan Teodosio (nteodosio) wrote on 2023-10-19:

#61

Parallel install is OK, I committed the fix for that weeks ago... In the wrong branch. (:

Rebuilt now, with my limited connection I cannot donwload it to test it, but I tested by making local changes by unsquashing and trying the snap.

Can you please give it another try and let me know? The revision number must be 2671.

Thanks for the help testing.

Revision history for this message

Marc Peña (pachulo) wrote on 2023-10-19:

#62

OK, now chromium starts, but when I try to access some website that requires the certificate on my smartcard, it seems like it's doing nothing to access the smartcard, so to speak.

Eveything works OK on my non-snaped Firefox.

Revision history for this message

In Mozilla Bugzilla #1734371, Johnebedford (johnebedford) wrote on 2023-11-25:

#63

Any news on this? It really is a blocker for using Ubuntu in a number of countries as it prevents interaction with government services.

Revision history for this message

In Mozilla Bugzilla #1734371, Douglas E Engert (dengert) wrote on 2023-11-28:

#64

> Any news on this? It really is a blocker for using Ubuntu in a number of countries as it prevents interaction with government services."

You can always use firefox-esr. It does not use SNAP.

Revision history for this message

In Mozilla Bugzilla #1734371, iav (iav) wrote on 2023-11-28:

#65

You can guarantee that it will always be so?

Revision history for this message

In Mozilla Bugzilla #1734371, Douglas E Engert (dengert) wrote on 2023-11-28:

#66

No. I am not a Ubuntu developer, Only OpenSC. But this problem has not been resolved for 2 years.

Also see https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1967632 and comment 8

Revision history for this message

In Mozilla Bugzilla #1734371, Appie-x (appie-x) wrote on 2024-01-02:

#67

(In reply to J Bedford from comment #24)
> Any news on this? It really is a blocker for using Ubuntu in a number of countries as it prevents interaction with government services.

Maybe see this as a secuirty feature, not a bug :-)

Revision history for this message

In Mozilla Bugzilla #1734371, Douglas E Engert (dengert) wrote on 2024-01-04:

#68

Since this has been open for so long, I would like to point out that all these pkcs11 modules use a system PCSC-lite daemon. https://pcsclite.apdu.fr/ PCSC-lite provides locking and can use pol-kit to restrict access as needed. There should be only one PCSC daemon running for the system.

Revision history for this message

In Mozilla Bugzilla #1734371, Pierre Ossman (Cendio AB) (ossman) wrote on 2024-01-05:

#69

It would be a big limitation if the solution to this focuses entirely on pcsc-lite:

a) /var/run/pcscd/pcscd.comm is internal and varies between distributions and pcsc-lite versions. I.e. any pcsc-lite library embedded in the snap package is not guaranteed to be able to talk to the system pcscd

b) Remote desktop solutions such as ThinLinc or FreeRDP tend to override the pcsc library so that smart card access can be tunneled.

I would suggest having a more generic tunnel between the snap and the session the snap is running in. Either on the PC/SC layer, or on the PKCS#11 layer. The session side of that tunnel would then hopefully respect the session environment fully.

Ubuntu
chromium-browser package

[snap] apparmor denied when trying to load pkcs11 module for smart card authentication

Bug Description

Duplicates of this bug

Other bug subscribers

Bug attachments

Remote bug watches

	Status	Importance	Assigned to
Mozilla Firefox	Confirmed	Unknown	mozilla-bugs #1734371
chromium-browser (Ubuntu)	In Progress	High	Nathan Teodosio
firefox (Ubuntu)	Triaged	High	Unassigned

Ubuntuchromium-browser package

[snap] apparmor denied when trying to load pkcs11 module for smart card authentication

Bug Description

Duplicates of this bug

Other bug subscribers

Bug attachments

Remote bug watches

Ubuntu
chromium-browser package