After spending a week on this, I think I see the problem.

(1) pkcs11 modules are dynamically loaded by Mozilla NSS and need the /etc/apparmor.d/abstractions/p11-kit as stated in previous comment.
(2) dynamically loaded modules may also load additional shared libraries. So apparmor profiles are needed for each possible pkcs11 module. Ubuntu-22.04 has a /etc/apparmor.d/abstractions/p11-kit but needs the "m" file_mmap as stated in previous comment.

(3) /var/lib/snapd/apparmor/profiles/snap.firefox.firefox included these system based profiles:

  #include <abstractions/base>
  #include <abstractions/consoles>
  #include <abstractions/openssl>

But it does not include

  #include <abstractions/p11-kit>

So it cannot load the p11-kit or any pkcs11 module p11-kit might try and load. (/etc/apparmor.d/abstractions/p11-kit will also include any profiles in abstractions/p11-kit.d)

(4) Smartcard pkcs11 modules use the pcscd system service. On most Linux systems this is the pcscd-lite package:
https://github.com/LudovicRousseau/PCSC
The ClientSetupSession
https://github.com/LudovicRousseau/PCSC/blob/master/src/winscard_msg.c#L107-L167
sets client access to the socket. (I have not looked at what it would take to add the dbus apparmor code needed to do this.)

Observations:

With a modified p11-kit /etc/apparmor.d/abstractions/p11-kit with the "m" file_mmap and adding the #include <abstractions/p11-kit> to /var/lib/snapd/apparmor/profiles/snap.firefox.firefox I can add p11-kit as a "security Device", but it does not load any additional pkcs11 modules.

~/snap/firefox/common/.mozilla/firefox/0i8u9awg.default/pkcs11.txt has:

  library=/lib/x86_64-linux-gnu/libp11-kit.so.0.3.0
  name=p11-kit

(using symlinks to libs appears to be a problem, so I avoided using them.)

I cannot add a "security device" for OpenSC even with adding a /etc/apparmor.d/abstractions/opensc profile. (Others on the internet have reported problems with other smart card pkcs11 modules, not just opensc.)

Using audit on all possible files does not show a file loading problem, nor does running

  sudo apparmor_parser -v -C -r snap.firefox.firefox

to reload with complain only show any problems. So the problem must be something else.
P11-kit does not directly need access to pcscd, so (4) is not an issue with p11-kit itself but (4) is an issue with any (or most) pkcs11 modules loaded by p11-kit.

Solutions:

For a snap installed firefox, if (1), (2), (3) and (4) were addressed, snap firefox should work.

Adding profiles for each pkcs11 module to /etc/apparmor.d/abstractions and adding an include in /etc/apparmor.d/abstractions/p11-kit.d would require only adding an include for p11-kit to snap.firefox.firefox.

I hope that there is enough info above so someone else can add the dbus code.

Personally:

I find snap to be a nightmare and Ubuntu should not have made it the default firefox. Ubuntu should at least continue to give the user a choice.

All my testing has been on a virtual test 22.04 system. I was in the process of converting from 20.04 to 22.04, both virtual, when I ran into this problem. I have removed the snap firefox and am working on using the Debian firefox-esr, which works great with smartcards and pkcs11, and is much faster. I just have to convert my .mozilla profiles because the name changed from firefox to firefox-esr.

--
You received this bug notification because you are a member of Desktop Packages, which is subscribed to firefox in Ubuntu.
https://bugs.launchpad.net/bugs/1967632

Title:
  [snap] apparmor denied when trying to load pkcs11 module for smart card authentication

Status in firefox package in Ubuntu:
  Triaged

Bug description:
  I use a smart card to access government sites. I have that working in firefox and chrome on ubuntu impish, and gave jammy a try, but there firefox won't load the library, giving me a generic error.
  dmesg, however, shows this apparmor denied message:

  [sáb abr 2 17:32:27 2022] audit: type=1400 audit(1648931547.646:115): apparmor="DENIED" operation="file_mmap" profile="snap.firefox.firefox" name="/run/user/1000/doc/e0bac853/libaetpkss.so.3.5.4112" pid=3680 comm="firefox" requested_mask="m" denied_mask="m" fsuid=1000 ouid=0

  Note also the path, that's not what I typed into the firefox dialog box. I have the .so copied to /usr/lib/x86_64-linux-gnu/libaetpkss.so.3.5.4112, and that's what I typed in when prompted for its path by firefox.

  ProblemType: Bug
  DistroRelease: Ubuntu 22.04
  Package: firefox 1:1snap1-0ubuntu2
  ProcVersionSignature: Ubuntu 5.15.0-23.23-generic 5.15.27
  Uname: Linux 5.15.0-23-generic x86_64
  NonfreeKernelModules: zfs zunicode zavl icp zcommon znvpair
  ApportVersion: 2.20.11-0ubuntu80
  Architecture: amd64
  CasperMD5CheckResult: pass
  CurrentDesktop: ubuntu:GNOME
  Date: Sat Apr 2 17:34:09 2022
  InstallationDate: Installed on 2022-03-20 (13 days ago)
  InstallationMedia: Ubuntu 22.04 LTS "Jammy Jellyfish" - Alpha amd64 (20220319)
  Snap.Changes: no changes found
  SourcePackage: firefox
  UpgradeStatus: No upgrade log present (probably fresh install)
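
Added example, not part of the bug report or of any comment on it: a small Python triage helper that parses AppArmor audit records like the one quoted above and lists the file_mmap denials for a given profile, flagging paths under /run/user/<uid>/doc/ (the xdg-document-portal mount) so they are not confused with the path typed into the dialog. The function names and the second log line are constructed for illustration.

```python
import re

# The denial quoted in the bug description (dmesg timestamp dropped), plus one
# constructed ALLOWED line to show that non-denials are skipped.
SAMPLE_LOG = """\
audit: type=1400 audit(1648931547.646:115): apparmor="DENIED" operation="file_mmap" profile="snap.firefox.firefox" name="/run/user/1000/doc/e0bac853/libaetpkss.so.3.5.4112" pid=3680 comm="firefox" requested_mask="m" denied_mask="m" fsuid=1000 ouid=0
audit: type=1400 audit(1648931550.100:116): apparmor="ALLOWED" operation="open" profile="snap.firefox.firefox" name="/etc/hosts" pid=3680 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
"""

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
PORTAL = re.compile(r"^/run/user/\d+/doc/")  # xdg-document-portal mount


def parse_audit(line):
    """Split one AppArmor audit record into a dict of its key=value fields."""
    fields = {}
    for key, quoted, bare in FIELD.findall(line):
        value = quoted or bare
        # The audit subsystem hex-encodes unquoted names that contain spaces
        # or control characters; decode those back to a path.
        if key == "name" and bare and re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", bare):
            value = bytes.fromhex(bare).decode("utf-8", "replace")
        fields[key] = value
    return fields


def mmap_denials(log, profile):
    """Return DENIED file_mmap records for `profile` that lacked "m"."""
    hits = []
    for line in log.splitlines():
        rec = parse_audit(line)
        if (rec.get("apparmor") == "DENIED"
                and rec.get("operation") == "file_mmap"
                and rec.get("profile") == profile
                and "m" in rec.get("denied_mask", "")):
            path = rec.get("name", "")
            hits.append({
                "path": path,
                "pid": int(rec.get("pid", 0)),
                # True when the denied path lies under /run/user/<uid>/doc/
                # rather than where the library was installed.
                "via_portal": bool(PORTAL.match(path)),
            })
    return hits


if __name__ == "__main__":
    for hit in mmap_denials(SAMPLE_LOG, "snap.firefox.firefox"):
        print(hit)
```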