[Desktop-packages] [Bug 1967632]
Since this has been open for so long, I would like to point out that all these pkcs11 modules use a system PCSC-lite daemon. https://pcsclite.apdu.fr/

PCSC-lite provides locking and can use polkit to restrict access as needed. There should be only one PCSC daemon running for the system.

--
You received this bug notification because you are a member of Desktop Packages, which is subscribed to chromium-browser in Ubuntu.
https://bugs.launchpad.net/bugs/1967632

Title:
  [snap] apparmor denied when trying to load pkcs11 module for smart card authentication

Status in Mozilla Firefox:
  Confirmed
Status in chromium-browser package in Ubuntu:
  Triaged
Status in firefox package in Ubuntu:
  Triaged

Bug description:
  I use a smart card to access government sites. I have that working in firefox and chrome on ubuntu impish, and gave jammy a try, but there firefox won't load the library, giving me a generic error.

  dmesg, however, shows this apparmor denied message:

  [sáb abr 2 17:32:27 2022] audit: type=1400 audit(1648931547.646:115): apparmor="DENIED" operation="file_mmap" profile="snap.firefox.firefox" name="/run/user/1000/doc/e0bac853/libaetpkss.so.3.5.4112" pid=3680 comm="firefox" requested_mask="m" denied_mask="m" fsuid=1000 ouid=0

  Note also the path, that's not what I typed into the firefox dialog box. I have the .so copied to /usr/lib/x86_64-linux-gnu/libaetpkss.so.3.5.4112, and that's what I typed in when prompted for its path by firefox.
  ProblemType: Bug
  DistroRelease: Ubuntu 22.04
  Package: firefox 1:1snap1-0ubuntu2
  ProcVersionSignature: Ubuntu 5.15.0-23.23-generic 5.15.27
  Uname: Linux 5.15.0-23-generic x86_64
  NonfreeKernelModules: zfs zunicode zavl icp zcommon znvpair
  ApportVersion: 2.20.11-0ubuntu80
  Architecture: amd64
  CasperMD5CheckResult: pass
  CurrentDesktop: ubuntu:GNOME
  Date: Sat Apr 2 17:34:09 2022
  InstallationDate: Installed on 2022-03-20 (13 days ago)
  InstallationMedia: Ubuntu 22.04 LTS "Jammy Jellyfish" - Alpha amd64 (20220319)
  Snap.Changes: no changes found
  SourcePackage: firefox
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/firefox/+bug/1967632/+subscriptions

--
Mailing list: https://launchpad.net/~desktop-packages
Post to     : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp
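An added example, not part of the bug report or of any participant's message: a POSIX shell function that condenses AppArmor denials like the one quoted in the bug description into one line per distinct denial. The first sample line is the one from the report; the other three are constructed, and the column layout and permission labels are this example's own.

```shell
#!/bin/sh
# Added example: summarise AppArmor denials found in kernel audit lines
# (for instance the output of `dmesg` or `journalctl -k`, read on stdin).

# Sample input. Line 1 is quoted from the bug report; lines 2-4 are constructed.
sample_log() {
    cat <<'EOF'
[sáb abr 2 17:32:27 2022] audit: type=1400 audit(1648931547.646:115): apparmor="DENIED" operation="file_mmap" profile="snap.firefox.firefox" name="/run/user/1000/doc/e0bac853/libaetpkss.so.3.5.4112" pid=3680 comm="firefox" requested_mask="m" denied_mask="m" fsuid=1000 ouid=0
audit: type=1400 audit(1648931560.101:118): apparmor="DENIED" operation="file_mmap" profile="snap.firefox.firefox" name="/run/user/1000/doc/e0bac853/libaetpkss.so.3.5.4112" pid=3702 comm="firefox" requested_mask="m" denied_mask="m" fsuid=1000 ouid=0
audit: type=1400 audit(1648931561.200:119): apparmor="ALLOWED" operation="open" profile="snap.firefox.firefox" name="/etc/hosts" pid=3702 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
audit: type=1400 audit(1648931562.300:120): apparmor="DENIED" operation="connect" profile="snap.firefox.firefox" name="/run/pcscd/pcscd.comm" pid=3702 comm="firefox" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=0
EOF
}

# Output, tab-separated, one line per distinct denial:
#   count  profile  operation  denied_mask  meaning  owner_match  path
triage_denials() {
    awk '
    # Value of key k on the current line, with surrounding quotes removed.
    function field(k,   i, v) {
        for (i = 1; i <= NF; i++)
            if (index($i, k "=") == 1) {
                v = substr($i, length(k) + 2)
                gsub(/^"|"$/, "", v)
                return v
            }
        return ""
    }
    # Spell out a file permission mask; other masks are passed through.
    function meaning(mask,   i, out) {
        if (mask !~ /^[rwamklx]+$/) return mask
        out = ""
        for (i = 1; i <= length(mask); i++)
            out = out (i > 1 ? "," : "") perm[substr(mask, i, 1)]
        return out
    }
    BEGIN {
        OFS = "\t"
        perm["r"] = "read";      perm["w"] = "write"; perm["a"] = "append"
        perm["m"] = "mmap-exec"; perm["k"] = "lock";  perm["l"] = "link"
        perm["x"] = "execute"
    }
    field("apparmor") == "DENIED" {
        mask = field("denied_mask")
        # A rule carrying the "owner" qualifier matches only when the
        # process fsuid equals the file owner (ouid).
        fs = field("fsuid"); ou = field("ouid")
        own = (fs == "" || ou == "") ? "n/a" : (fs == ou ? "yes" : "no")
        key = field("profile") OFS field("operation") OFS mask OFS meaning(mask) OFS own OFS field("name")
        seen[key]++
    }
    END { for (key in seen) print seen[key], key }
    ' | LC_ALL=C sort
}

# With --stdin, read real log lines; otherwise run on the embedded sample.
if [ "${1:-}" = "--stdin" ]; then
    triage_denials
else
    sample_log | triage_denials
fi
```

The `owner_match` column shows `no` for the reported denial because the file is owned by uid 0 while Firefox runs as uid 1000.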
[Desktop-packages] [Bug 1967632]
No. I am not an Ubuntu developer, only OpenSC.

But this problem has not been resolved for 2 years.

Also see https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1967632 and comment 8
[Desktop-packages] [Bug 1967632]
> Any news on this? It really is a blocker for using Ubuntu in a number of countries as it prevents interaction with government services.

You can always use firefox-esr. It does not use SNAP.
[Desktop-packages] [Bug 1967632] Re: [snap] apparmor denied when trying to load pkcs11 module for smart card authentication
"If canonical wants to deploy ubuntu in enterprise with a lot of card reader usages, this is a critical bug."

I agree. They also need to keep in mind that enterprises may also use smartcards for login, which implies pcscd needs to be run as root, as pam modules will need access to it during login.

There should be only one pcscd running, i.e. don't try and put pcscd in a snap package, as there should only be one pcscd running on a system. Pcscd's primary function is to lock access to the card over a set of APDU commands. See https://pcscworkgroup.com/

Some smart card vendors provide their own PKCS11 modules and users may need to use these via FireFox, either the snap version or as suggested a "non-snap official firefox package".
[Desktop-packages] [Bug 1967632] Re: [snap] apparmor denied when trying to load pkcs11 module for smart card authentication
"Is there a working work-around available?"

Yes, install the Debian FireFox-esr which does not use snap.

Google for: Ubuntu firefox esr

https://ubuntuhandbook.org/index.php/2022/03/install-firefox-esr-ubuntu/
[Desktop-packages] [Bug 1967632] Re: [snap] apparmor denied when trying to load pkcs11 module for smart card authentication
Thanks for the ldd output.

libpcsclite.so.1 is the lib to use the pcscd socket, and is used by modules libstpkcs11.so, libeToken.so.10.7.77 and libopensc.so.8 (see below). It is not used in libbit4xpki.so, which may be a software pkcs11 or does not use pcscd.

libcrypto.so.1.1 is OpenSSL-1.1 and also used by modules libstpkcs11.so and opensc-pkcs11.so

So libstpkcs11.so, libeToken.so.10.7.77 and libstpkcs11.so, libeToken.so.10.7.77 all appear to work as all the libs are available.

The difference is opensc-pkcs11.so needs to load libopensc.so.8 and a few others that I have not looked at.

On a 22.04.1 system, running the command `sudo snap run --shell firefox.firefox` will run snap as root to have snap start up a shell with the environment that firefox would run under.

The `df` command shows:

  /dev/sda3   122388080  11202960  104921928  10% /var/lib/snapd/hostfs
  tmpfs          814036      1272     812764   1% /run
  tmpfs            5120         4       5116   1% /run/lock
  tmpfs          814036       100     813936   1% /run/user/1000
  /dev/loop0        128       128          0 100% /snap/bare/5
  /dev/loop1      63488     63488          0 100% /snap/core20/1587
  /dev/loop2      63488     63488          0 100% /
  /dev/loop3     167296    167296          0 100% /snap/firefox/1635
  /dev/loop4     181248    181248          0 100% /snap/firefox/1749
  /dev/loop5     410496    410496          0 100% /snap/gnome-3-38-2004/112
  /dev/loop7      48128     48128          0 100% /snap/snapd/16292
  /dev/loop6      93952     93952          0 100% /snap/gtk-common-themes/1535
  /dev/sda2      524252      5364         51   2% /var/lib/snapd/hostfs/boot/efi
  Argonne    1952871748 479641924 1473229824  25% /media/sf_Argonne
  VM-Shared  1952871748 479641924 1473229824  25% /media/sf_VM-Shared
  /dev/loop8     354688    354688          0 100% /snap/gnome-3-38-2004/115
  udev          4034884         0    4034884   0% /dev
  tmpfs         4070180         0    4070180   0% /dev/shm
  tmpfs         4070180         0    4070180   0% /snap/firefox/1749/data-dir/icons
  tmpfs         4070180         0    4070180   0% /snap/firefox/1749/data-dir/sounds
  tmpfs         4070180         0    4070180   0% /snap/firefox/1749/data-dir/themes
  tmpfs         4070180      1996    4068184   1% /usr/lib/x86_64-linux-gnu
  tmpfs         4070180         0    4070180   0% /usr/share

and /var/lib/snapd/hostfs is the host's filesystem.
I was able to copy libopensc.so.8.0.0 and symlink libopensc.so.8.0.0 to /usr/lib/x86_64-linux-gnu. FF will still not load opensc-pkcs11.so and it will be gone on a reboot.

snap does set some environment variables that could help:

  LD_PRELOAD=:/snap/firefox/1749/gnome-platform/$LIB/bindtextdomain.so
  LD_LIBRARY_PATH=/var/lib/snapd/lib/gl:/var/lib/snapd/lib/gl32:/var/lib/snapd/void:/snap/firefox/1749/usr/lib:/snap/firefox/1749/usr/lib/x86_64-linux-gnu:/snap/firefox/1749/gnome-platform/lib/x86_64-linux-gnu:/snap/firefox/1749/gnome-platform/usr/lib/x86_64-linux-gnu:/snap/firefox/1749/gnome-platform/usr/lib:/snap/firefox/1749/gnome-platform/lib:/snap/firefox/1749/gnome-platform/usr/lib/x86_64-linux-gnu/dri:/var/lib/snapd/lib/gl:/snap/firefox/1749/gnome-platform/usr/lib/x86_64-linux-gnu/libunity:/snap/firefox/1749/gnome-platform/usr/lib/x86_64-linux-gnu/pulseaudio

So this is where I am at. Firefox-esr from Debian works with opensc. Firefox from snap does not.

It appears that some effort went into getting p11-kit to start, but all p11-kit does is load other pkcs11 modules, that may have been installed using normal apt-get.

In the initial comments of this bug report there were suggestions to copy the single file of a pkcs11 module to a "doc" directory, but no attempt was made to copy dependent libraries that the module needs. These will only work if missing libraries are in the snap base or of firefox snap packages.

OpenSC also has a notify capability to tell the user when a card was inserted or removed. This may add additional complications to getting it to work under snap.

Not much else I can do.
[Desktop-packages] [Bug 1967632] Re: [snap] apparmor denied when trying to load pkcs11 module for smart card authentication
So it appears that to load a PKCS11 module in snap packaged FireFox requires:

1) "/run/user/[0-9]*/** mr,"
2) "/run/pcscd/pcscd.comm rw," (if module uses pcscd)
3) absolute path (i.e. no symlinks) to the module
4) all libs the module may need to be in the snap base

To test if (4) is correct:

https://launchpad.net/~ascaneo can you run "ldd /usr/lib/libeToken.so.10.7.77"

https://launchpad.net/~liuck can you run "ldd /usr/lib/bit4id/libbit4xpki.so"

I posted the output of "ldd opensc-pkcs11.so" in https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1967632/comments/18

It requires "libopensc.so.8 => /lib/x86_64-linux-gnu/libopensc.so.8" which is most likely not in the snap package base as per https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1967632/comments/17

So how should a snap package handle arbitrary pkcs11 packages that require libs that would have been installed in a traditional install, but are not by snap packaging?
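An added example, not code from the thread or from snapd: a POSIX shell check for points (3) and (4) of the list above and for the libpcsclite observation in the earlier message. It compares the sonames in a module's `ldd` output with a set of library directories. The default directories in `SNAP_LIB_DIRS` and all function names are assumptions of this example; the sample is a subset of the `ldd` output quoted in the thread.

```shell
#!/bin/sh
# Added example: which link-time dependencies of a PKCS#11 module are absent
# from the library directories a snap can see?
# Note: ldd reports link-time dependencies only; libraries a module opens at
# run time do not appear. ldd may also execute code from the file it
# inspects, so run it only on modules you already trust.

# Assumed host-side locations of the base snap and Firefox snap libraries.
SNAP_LIB_DIRS=${SNAP_LIB_DIRS:-/snap/core20/current/usr/lib/x86_64-linux-gnu:/snap/firefox/current/usr/lib/x86_64-linux-gnu}

# Sample: a subset of the `ldd opensc-pkcs11.so` output quoted in the thread.
sample_ldd() {
    cat <<'EOF'
    linux-vdso.so.1 (0x7ffcbbdfe000)
    libopensc.so.8 => /lib/x86_64-linux-gnu/libopensc.so.8 (0x7efd3cd14000)
    libcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 (0x7efd3c8d2000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x7efd3c6aa000)
    libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x7efd3c68e000)
    /lib64/ld-linux-x86-64.so.2 (0x7efd3cf58000)
EOF
}

# Sonames from `ldd` output on stdin (lines of the form "soname => path").
needed_sonames() {
    awk '$2 == "=>" { print $1 }'
}

# Print each soname from `ldd` output (stdin) that exists in none of the
# colon-separated directories given as $1.
missing_from_dirs() {
    search_path=$1
    needed_sonames | while read -r soname; do
        found=no
        old_ifs=$IFS
        IFS=:
        for dir in $search_path; do
            if [ -n "$dir" ] && [ -e "$dir/$soname" ]; then
                found=yes
                break
            fi
        done
        IFS=$old_ifs
        [ "$found" = yes ] || printf '%s\n' "$soname"
    done
}

# Succeeds if the `ldd` output on stdin links libpcsclite, in which case the
# module talks to pcscd over its socket.
uses_pcscd() {
    grep -q 'libpcsclite\.so'
}

# Report for a real module: symlinked path, pcscd use, missing libraries.
module_report() {
    module=$1
    search_path=$2
    if [ -L "$module" ]; then
        printf 'symlink: %s -> %s\n' "$module" "$(readlink -f "$module")"
    fi
    deps=$(ldd "$module") || return 1
    if printf '%s\n' "$deps" | uses_pcscd; then
        echo 'links libpcsclite: needs access to the pcscd socket'
    fi
    printf '%s\n' "$deps" | missing_from_dirs "$search_path" |
        sed 's/^/not in snap library dirs: /'
}

# With a module path, inspect it; otherwise run on the embedded sample.
if [ $# -ge 1 ]; then
    module_report "$1" "${2:-$SNAP_LIB_DIRS}"
else
    sample_ldd | missing_from_dirs "$SNAP_LIB_DIRS"
fi
```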
[Desktop-packages] [Bug 1967632] Re: [snap] apparmor denied when trying to load pkcs11 module for smart card authentication
This may be the biggest problem:

"- /usr inside the snap is a bind-mount from /usr in the base snap, not on the host system, which explains why your addition of `/usr/lib/x86_64-linux-gnu/** rm,` to the apparmor profile doesn't work as you'd expect (see https://github.com/snapcore/snapd/pull/11025#issuecomment-1225787194 for details)"

Are both of you saying that the location of the PKCS11 module makes a difference? And if the normal location is in /usr/lib/x86_64-linux-gnu is part of the FF snap package and there is no way to include files from the local system's /usr/lib/x86_64-linux-gnu. So is that what the copying to the /usr/run//doc is trying to overcome?

There are many PKCS11 modules out there, some provided by smartcard vendors and not part of a distro. OpenSC is distributed by Ubuntu and most other distros. How will you handle these other modules?

What package has the /usr/lib/bit4id/libbit4xpki.so? Can you run "ldd /usr/lib/bit4id/libbit4xpki.so" to see what other libs are required? Does it use a socket to pcscd? Is it possible some other libs must also be included?

Can you try to install opensc-pkcs11 (which also installs opensc) to your system and see if you can get FF to load it?
opensc-pkcs11-0.22.0-1ubuntu2 installs opensc-pkcs11.so in two places: /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so and /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so (which is where p11-kit would load it) and depends on libopensc.so.8 and /usr/lib/x86_64-linux-gnu/libcrypto.so.3 from libssl3-3.0.2-0ubuntu1.6

  $ ls -l /usr/lib/x86_64-linux-gnu/*opensc*
  lrwxrwxrwx 1 root root 18 Mar 10 11:00 /usr/lib/x86_64-linux-gnu/libopensc.so.8 -> libopensc.so.8.0.0
  -rw-r--r-- 1 root root 2040208 Mar 10 11:00 /usr/lib/x86_64-linux-gnu/libopensc.so.8.0.0
  -rw-r--r-- 1 root root 234704 Mar 10 11:00 /usr/lib/x86_64-linux-gnu/onepin-opensc-pkcs11.so
  -rw-r--r-- 1 root root 234704 Mar 10 11:00 /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so

  $ ldd /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
      linux-vdso.so.1 (0x7ffcbbdfe000)
      libopensc.so.8 => /lib/x86_64-linux-gnu/libopensc.so.8 (0x7efd3cd14000)
      libcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 (0x7efd3c8d2000)
      libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x7efd3c6aa000)
      libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x7efd3c68e000)
      libgio-2.0.so.0 => /lib/x86_64-linux-gnu/libgio-2.0.so.0 (0x7efd3c4b6000)
      libgobject-2.0.so.0 => /lib/x86_64-linux-gnu/libgobject-2.0.so.0 (0x7efd3c456000)
      /lib64/ld-linux-x86-64.so.2 (0x7efd3cf58000)
      libglib-2.0.so.0 => /lib/x86_64-linux-gnu/libglib-2.0.so.0 (0x7efd3c31a000)
      libgmodule-2.0.so.0 => /lib/x86_64-linux-gnu/libgmodule-2.0.so.0 (0x7efd3c313000)
      libmount.so.1 => /lib/x86_64-linux-gnu/libmount.so.1 (0x7efd3c2cf000)
      libselinux.so.1 => /lib/x86_64-linux-gnu/libselinux.so.1 (0x7efd3c2a3000)
      libffi.so.8 => /lib/x86_64-linux-gnu/libffi.so.8 (0x7efd3c296000)
      libpcre.so.3 => /lib/x86_64-linux-gnu/libpcre.so.3 (0x7efd3c21e000)
      libm.so.6 => /lib/x86_64-linux-gnu/libm.so.6 (0x7efd3c137000)
      libblkid.so.1 => /lib/x86_64-linux-gnu/libblkid.so.1 (0x7efd3c10)
      libpcre2-8.so.0 => /lib/x86_64-linux-gnu/libpcre2-8.so.0 (0x7efd3c069000)
[Desktop-packages] [Bug 1967632] Re: [snap] apparmor denied when trying to load pkcs11 module for smart card authentication
https://launchpad.net/~liuck

You can test your reader/card with OpenSC without firefox.

See: "man pkcs11-tool" or "pkcs11-tool --help".

"pkcs11-tool --test --login" will try and read certificates and do sign/verify using private keys. It may prompt for pin several times. You can also add --module to test a different PKCS11 module.
[Desktop-packages] [Bug 1967632] Re: [snap] apparmor denied when trying to load pkcs11 module for smart card authentication
This problem is an Ubuntu/snap packaging issue. FF and Thunderbird both allow the loading of PKCS11 modules as do other programs. But the snap has not packaged these.

Access to smartcards is usually handled by PC/SC, i.e. the pcscd daemon. It provides locking access to the smartcards from multiple running applications. So this is another issue for snap, how to provide access to this system daemon.

Snap does provide the ability to load the p11-kit but then p11-kit tries to load other PKCS11 modules which may need to load additional libraries.

/usr/lib/x86_64-linux-gnu/pkcs11/* and run "p11-kit list-modules".

p11-kit has a client/remote capability that I have never looked at. It might be possible to use this from snap to a "remote" server running on the local host.

Are there FF extensions that may have similar problems?

Until Ubuntu can package up other pkcs11 modules and handle pcscd, the way to: "test from CLI if my smart card reader is working" is to use the debian firefox-esr which does not have any problems.
[Desktop-packages] [Bug 1967632] Re: [snap] apparmor denied when trying to load pkcs11 module for smart card authentication
https://launchpad.net/~liuck can you give some more information: What PKCS11 module are you using? What version of Ubuntu?

From my testing with a fresh copy install of XUbuntu-22.04.1 as guest of VirtualBox, the "/run/user/[0-9]*/** mr," appears to allow access to any file in my /usr/run/1000 directory.

When I use firefox's "Security Devices... Load" and browse for a module, I give the path to the system version of the module(s) I have tried: both /usr/lib/x86_64-linux-gnu/pkcs11/p11-kit-client.so and /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so. Both get a "Unable to add module" and the location shown in

  /run/user/1000/doc/48e09223/p11-kit-client.so
  /run/user/1000/doc/e3261d9/opensc-pkcs11.so

So it looks like it finds the files and copies to /run/user/1000/doc/*. But both of these modules need access to other libs and also need to use pcscd to access the smartcard readers.

https://launchpad.net/~tnetter Can you give some more information about "/usr/local/lib/libcvP11.so"

It is not clear why this works with: https://forums.epo.org/new-version-of-the-cryptovision-software-12191#p40162

It may be that this is a simple library and does not use pcscd.
dmesg, however, shows this apparmor denied message: [sáb abr 2 17:32:27 2022] audit: type=1400 audit(1648931547.646:115): apparmor="DENIED" operation="file_mmap" profile="snap.firefox.firefox" name="/run/user/1000/doc/e0bac853/libaetpkss.so.3.5.4112" pid=3680 comm="firefox" requested_mask="m" denied_mask="m" fsuid=1000 ouid=0 Note also the path, that's not what I typed into the firefox dialog box. I have the .so copied to /usr/lib/x86_64-linux-gnu/libaetpkss.so.3.5.4112, and that's what I typed in when prompted for its path by firefox. ProblemType: Bug DistroRelease: Ubuntu 22.04 Package: firefox 1:1snap1-0ubuntu2 ProcVersionSignature: Ubuntu 5.15.0-23.23-generic 5.15.27 Uname: Linux 5.15.0-23-generic x86_64 NonfreeKernelModules: zfs zunicode zavl icp zcommon znvpair ApportVersion: 2.20.11-0ubuntu80 Architecture: amd64 CasperMD5CheckResult: pass CurrentDesktop: ubuntu:GNOME Date: Sat Apr 2 17:34:09 2022 InstallationDate: Installed on 2022-03-20 (13 days ago) InstallationMedia: Ubuntu 22.04 LTS "Jammy Jellyfish" - Alpha amd64 (20220319) Snap.Changes: no changes found SourcePackage: firefox UpgradeStatus: No upgrade log present (probably fresh install) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1967632/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 1967632] Re: [snap] apparmor denied when trying to load pkcs11 module for smart card authentication
After spending a week on this, I think I see the problem.

(1) pkcs11 modules are dynamically loaded by mozilla nss and need the /etc/apparmor.d/abstractions/p11-kit as stated in previous comment.

(2) dynamically loaded modules may also load additional shared libraries. So apparmor profiles are needed for each possible pkcs11 module. Ubuntu-22.04 has a /etc/apparmor.d/abstractions/p11-kit but needs the "m" file_mmap as stated in previous comment.

(3) /var/lib/snapd/apparmor/profiles/snap.firefox.firefox included these system based profiles:
#include
#include
#include
But it does not include
#include
So it can not load the p11-kit or any pkcs11 module p11-kit might try and load. (/etc/apparmor.d/abstractions/p11-kit will also include any profiles in abstractions/p11-kit.d)

(4) Smartcard pkcs11 modules use the pcscd system service. On most linux systems this is the pcscd-lite package: https://github.com/LudovicRousseau/PCSC the ClientSetupSession https://github.com/LudovicRousseau/PCSC/blob/master/src/winscard_msg.c#L107-L167 sets client access to the socket. (I have not looked at what it would take to add the dbus apparmor code needed to do this.)

Observations:

With a modified p11-kit /etc/apparmor.d/abstractions/p11-kit with the "m" file_mmap and adding the #include to /var/lib/snapd/apparmor/profiles/snap.firefox.firefox I can add p11-kit as a "security Device", but it does not load any additional pkcs11 modules.

~/snap/firefox/common/.mozilla/firefox/0i8u9awg.default/pkcs11.txt has:

library=/lib/x86_64-linux-gnu/libp11-kit.so.0.3.0
name=p11-kit

(using symlinks to libs appears to be a problem, so I avoided using them.)

I can not add a "security device" for OpenSC even with adding a /etc/apparmor.d/abstractions/opensc profile. (Others on the internet have reported problems with other smart card pkcs11 modules, not just opensc.)

Using audit on all possible files does not show a file loading problem, nor does running

sudo apparmor_parser -v -C -r snap.firefox.firefox

to reload with complain only show any problems. So the problem must be something else.

P11-kit does not directly need access to pcscd, so (4) is not an issue with p11-kit itself, but (4) is an issue with any (or most) pkcs11 modules loaded by p11-kit.

Solutions:

For a snap installed firefox, if (1), (2), (3) and (4) were addressed, snap firefox should work.

Adding profiles for each pkcs11 module to /etc/apparmor.d/abstractions and adding an include in /etc/apparmor.d/abstractions/p11-kit.d would require only adding an include for p11-kit to snap.firefox.firefox.

I hope that there is enough info above so someone else can add the dbus code.

Personally:

I find snap to be a nightmare and Ubuntu should not have made it the default firefox. Ubuntu should at least continue to give the user a choice.

All my testing has been on a virtual test 22.04 system. I was in the process of converting from 20.04 to 22.04, both virtual, when I ran into this problem. I have removed the snap firefox and am working on using the Debian firefox-esr which works great with smartcards and pkcs11, and is much faster. I just have to convert my .mozilla profiles because the name changed from firefox to firefox-esr.
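Added example (not part of the original message, and not snapd or AppArmor tooling): the denial from the bug description parsed in Python to derive the narrowest file rule that covers it, and to list what a broader mask would grant on top. The second and third log lines are constructed, and the glob for the doc/<id>/ component assumes that id varies per file, as the paths quoted in this thread do.

```python
import re
from collections import defaultdict

# First line is the denial quoted in the bug report; the other two are
# constructed for this example (a read denial on the same module under a
# different doc id, and an ALLOWED event that must be ignored).
SAMPLE_LOG = '''\
[sáb abr 2 17:32:27 2022] audit: type=1400 audit(1648931547.646:115): apparmor="DENIED" operation="file_mmap" profile="snap.firefox.firefox" name="/run/user/1000/doc/e0bac853/libaetpkss.so.3.5.4112" pid=3680 comm="firefox" requested_mask="m" denied_mask="m" fsuid=1000 ouid=0
audit: type=1400 audit(1648931550.100:116): apparmor="DENIED" operation="open" profile="snap.firefox.firefox" name="/run/user/1000/doc/0a1b2c3d/libaetpkss.so.3.5.4112" pid=3680 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
audit: type=1400 audit(1648931551.200:117): apparmor="ALLOWED" operation="open" profile="snap.firefox.firefox" name="/tmp/x" pid=3680 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
'''

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_audit(line):
    """Return the key=value fields of one AppArmor audit line as a dict."""
    return {key: quoted or bare for key, quoted, bare in KV.findall(line)}


def generalize(path):
    """Glob the uid and the per-file doc id (assumed to vary per export)."""
    path = re.sub(r'^/run/user/\d+/', '/run/user/[0-9]*/', path)
    return re.sub(r'(/doc/)[0-9a-f]+/', r'\1*/', path)


def minimal_rules(log):
    """Map profile -> {path glob: mask}, built only from denied masks."""
    rules = defaultdict(lambda: defaultdict(set))
    for line in log.splitlines():
        f = parse_audit(line)
        if f.get("apparmor") == "DENIED" and "name" in f:
            rules[f["profile"]][generalize(f["name"])].update(f["denied_mask"])
    return {prof: {glob: "".join(sorted(mask)) for glob, mask in paths.items()}
            for prof, paths in rules.items()}


def excess(granted, needed):
    """Permissions a candidate rule grants beyond what was denied."""
    return "".join(sorted(set(granted) - set(needed)))


if __name__ == "__main__":
    for profile, paths in minimal_rules(SAMPLE_LOG).items():
        print(f"# {profile}")
        for glob, mask in paths.items():
            print(f"  {glob} {mask},")
            print(f"  # a blanket 'mrwlkix' rule would add: {excess('mrwlkix', mask)}")
```
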
[Desktop-packages] [Bug 1967632] Re: [snap] apparmor denied when trying to load pkcs11 module for smart card authentication
Initial problem of "[sáb abr 2 17:32:27 2022] audit: type=1400 audit(1648931547.646:115): apparmor="DENIED" operation="file_mmap" profile="snap.firefox.firefox" name="/run/user/1000/doc/e0bac853/libaetpkss.so.3.5.4112" pid=3680 comm="firefox" requested_mask="m" denied_mask="m" fsuid=1000 ouid=0" can be solved by adding to /var/lib/snapd/apparmor/profiles/snap.firefox.firefox something like:

-- DEE.snap.firefox.firefox 2022-05-15 00:51:38.010651530 -0500 +++ snap.firefox.firefox2022-05-15 21:18:39.445523027 -0500 
@@ -312,6 +312,9 @@ /tmp/ r, /tmp/** mrwlkix, + #DEE + /run/user/[0-9]*/** mrwlkix, + # App-specific access to files and directories in /dev/shm. We allow file # access in /dev/shm for shm_open() and files in subdirectories for open() # bind mount *not* used here (see 'parallel installs', above)

This adds the "m" mask to the "/run/user/1000/doc/e0bac853/" directory but does allow the module to be loaded. This is overkill for the directory. For a PKCS11 module "mr" may be all that is needed.

It is not clear why the choice was made to copy the pkcs11 modules to the doc directory in the first place. Ubuntu appears to install PKCS11 modules (at least some) in /usr/lib/x86_64-linux-gnu/pkcs11, so why can't this be used without copying?

The above only shows how to get around the first of many possible problems.

Not all Ubuntu installed PKCS11 modules are installed in the above directory. p11-kit-client.so is, but opensc-pkcs11.so and onepin-opensc-pkcs11.so are not, just symlinks.

Trying to use the apparmor aa-complain to get more info does not work with the way the snap apparmor profiles are named. It appears the profile uses "." in place of "/" and there is no "snap/firefox/firefox".

Pkcs11 modules may load other PKCS11 modules, i.e. that is what p11-kit does. Each of these modules may have config files with system and user versions. apparmor needs to address how these config files can be read.

Until it can be shown that PKCS11 modules can easily be used, I would suggest that firefox not be installed by snap.

Also see: https://github.com/OpenSC/OpenSC/issues/2552

** Bug watch added: OpenSC Issues #2552 https://github.com/OpenSC/OpenSC/issues/2552
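Review bot: the added rule "/run/user/[0-9]*/** mrwlkix," grants far more than the denial asks for. The audit line shows only requested_mask="m" on one file under /run/user/1000/doc/, while this rule gives read, write, link, lock, mmap-exec and inherited execute on everything below the runtime directory. Combining w with m and ix on a tree the confined process can write to lets it map or run anything it places there, so I would scope the rule to the doc path and to "mr" only, for example "/run/user/[0-9]*/doc/** mr,", which is the mask the message itself says may be all that is needed. Note also that [0-9]* matches a digit followed by any characters within the path component, not strictly a numeric uid, and that the edited file sits under /var/lib/snapd/apparmor/profiles/, so a hand edit marked "#DEE" is a local workaround rather than a fix that belongs in the profile's source.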