This may be the biggest problem:
"- /usr inside the snap is a bind-mount from /usr in the base snap, not on the 
host system, which explains why your addition of `/usr/lib/x86_64-linux-gnu/** 
rm,` to the apparmor profile doesn't work as you'd expect (see 
https://github.com/snapcore/snapd/pull/11025#issuecomment-1225787194 for 
details)"

Are both of you saying that the location of the PKCS11 module makes a 
difference?
And if the normal location is in /usr/lib/x86_64-linux-gnu is part of the FF
snap package and there is no way to include files from the local system's
/usr/lib/x86_64-linux-gnu.
So is that what the copying to the /usr/run/<uid>/doc is trying to overcome?

There are many PKCS11 modules out there, some provided by smartcard vendors and 
not part of a distro.
OpenSC is distributed by Ubuntu and most other distros. How will you handle
these other modules?


What package has the /usr/lib/bit4id/libbit4xpki.so? 

Can you run "ldd /usr/lib/bit4id/libbit4xpki.so" to see what other libs are
required?
Does it use a socket to pcscd?

Is it possible some other libs must also be included?

Can you try to install opensc-pkcs11 (which also installs opensc) to
your system and see if you can get FF to load it?

opensc-pkcs11-0.22.0-1ubuntu2 installs opensc-pkcs11.so in two places:
/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so and
/usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so (which is where p11-kit
would load it)
and depends on libopensc.so.8 and /usr/lib/x86_64-linux-gnu/libcrypto.so.3
from libssl3-3.0.2-0ubuntu1.6


$ ls -l /usr/lib/x86_64-linux-gnu/*opensc*
lrwxrwxrwx 1 root root      18 Mar 10 11:00 /usr/lib/x86_64-linux-gnu/libopensc.so.8 -> libopensc.so.8.0.0
-rw-r--r-- 1 root root 2040208 Mar 10 11:00 /usr/lib/x86_64-linux-gnu/libopensc.so.8.0.0
-rw-r--r-- 1 root root  234704 Mar 10 11:00 /usr/lib/x86_64-linux-gnu/onepin-opensc-pkcs11.so
-rw-r--r-- 1 root root  234704 Mar 10 11:00 /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
$ ldd /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
        linux-vdso.so.1 (0x00007ffcbbdfe000)
        libopensc.so.8 => /lib/x86_64-linux-gnu/libopensc.so.8 (0x00007efd3cd14000)
        libcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 (0x00007efd3c8d2000)
        libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007efd3c6aa000)
        libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007efd3c68e000)
        libgio-2.0.so.0 => /lib/x86_64-linux-gnu/libgio-2.0.so.0 (0x00007efd3c4b6000)
        libgobject-2.0.so.0 => /lib/x86_64-linux-gnu/libgobject-2.0.so.0 (0x00007efd3c456000)
        /lib64/ld-linux-x86-64.so.2 (0x00007efd3cf58000)
        libglib-2.0.so.0 => /lib/x86_64-linux-gnu/libglib-2.0.so.0 (0x00007efd3c31a000)
        libgmodule-2.0.so.0 => /lib/x86_64-linux-gnu/libgmodule-2.0.so.0 (0x00007efd3c313000)
        libmount.so.1 => /lib/x86_64-linux-gnu/libmount.so.1 (0x00007efd3c2cf000)
        libselinux.so.1 => /lib/x86_64-linux-gnu/libselinux.so.1 (0x00007efd3c2a3000)
        libffi.so.8 => /lib/x86_64-linux-gnu/libffi.so.8 (0x00007efd3c296000)
        libpcre.so.3 => /lib/x86_64-linux-gnu/libpcre.so.3 (0x00007efd3c21e000)
        libm.so.6 => /lib/x86_64-linux-gnu/libm.so.6 (0x00007efd3c137000)
        libblkid.so.1 => /lib/x86_64-linux-gnu/libblkid.so.1 (0x00007efd3c100000)
        libpcre2-8.so.0 => /lib/x86_64-linux-gnu/libpcre2-8.so.0 (0x00007efd3c069000)

-- 
https://bugs.launchpad.net/bugs/1967632

Title:
  [snap] apparmor denied when trying to load pkcs11 module for smart
  card authentication

Status in Mozilla Firefox:
  Unknown
Status in firefox package in Ubuntu:
  Triaged

Bug description:
  I use a smart card to access government sites. I have that working in
  firefox and chrome on ubuntu impish, and gave jammy a try, but there
  firefox won't load the library, giving me a generic error.

  dmesg, however, shows this apparmor denied message:

  [sáb abr  2 17:32:27 2022] audit: type=1400 audit(1648931547.646:115):
  apparmor="DENIED" operation="file_mmap" profile="snap.firefox.firefox"
  name="/run/user/1000/doc/e0bac853/libaetpkss.so.3.5.4112" pid=3680
  comm="firefox" requested_mask="m" denied_mask="m" fsuid=1000 ouid=0

  
  Note also the path, that's not what I typed into the firefox dialog box. I
  have the .so copied to /usr/lib/x86_64-linux-gnu/libaetpkss.so.3.5.4112, and
  that's what I typed in when prompted for its path by firefox.

  ProblemType: Bug
  DistroRelease: Ubuntu 22.04
  Package: firefox 1:1snap1-0ubuntu2
  ProcVersionSignature: Ubuntu 5.15.0-23.23-generic 5.15.27
  Uname: Linux 5.15.0-23-generic x86_64
  NonfreeKernelModules: zfs zunicode zavl icp zcommon znvpair
  ApportVersion: 2.20.11-0ubuntu80
  Architecture: amd64
  CasperMD5CheckResult: pass
  CurrentDesktop: ubuntu:GNOME
  Date: Sat Apr  2 17:34:09 2022
  InstallationDate: Installed on 2022-03-20 (13 days ago)
  InstallationMedia: Ubuntu 22.04 LTS "Jammy Jellyfish" - Alpha amd64 (20220319)
  Snap.Changes: no changes found
  SourcePackage: firefox
  UpgradeStatus: No upgrade log present (probably fresh install)
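
To read the denial in the bug description field by field, here is an added example (not part of the original message, and not snapd or Firefox code) that parses the audit record and reports which permission was refused and whether the path lies under /run/user/<uid>/doc rather than the path typed into Firefox. The function names and the SAMPLE constant are made up for this illustration.

```python
import re

# Constructed sample: the DENIED record from the bug description, joined onto one line.
SAMPLE = ('[sáb abr  2 17:32:27 2022] audit: type=1400 audit(1648931547.646:115): '
          'apparmor="DENIED" operation="file_mmap" profile="snap.firefox.firefox" '
          'name="/run/user/1000/doc/e0bac853/libaetpkss.so.3.5.4112" pid=3680 '
          'comm="firefox" requested_mask="m" denied_mask="m" fsuid=1000 ouid=0')

# AppArmor file permission letters used in requested_mask / denied_mask.
MASKS = {"r": "read", "w": "write", "a": "append", "k": "lock",
         "l": "link", "m": "mmap as executable", "x": "execute"}

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')         # key="quoted" or key=bare
DOC_DIR = re.compile(r'^/run/user/(\d+)/doc/([^/]+)/(.+)$')


def parse_audit(line):
    """Return the key=value fields of one kernel audit record as a dict."""
    return {key: quoted or bare for key, quoted, bare in FIELD.findall(line)}


def explain_denial(line):
    """Summarise an AppArmor DENIED record; None if the line is not a denial."""
    f = parse_audit(line)
    if f.get("apparmor") != "DENIED":
        return None
    m = DOC_DIR.match(f.get("name", ""))
    parts = f.get("profile", "").split(".")        # snap profiles: snap.<snap>.<app>
    return {
        "snap": parts[1] if len(parts) == 3 and parts[0] == "snap" else None,
        "operation": f.get("operation"),
        "denied": [MASKS.get(c, c) for c in f.get("denied_mask", "")],
        "path": f.get("name"),
        "via_doc_dir": bool(m),                    # path was remapped, not the one typed
        "doc_uid": int(m.group(1)) if m else None,
        "file": m.group(3) if m else None,
        "owner_differs": f.get("fsuid") != f.get("ouid"),
    }


if __name__ == "__main__":
    for key, value in explain_denial(SAMPLE).items():
        print(f"{key:14} {value}")
```
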
