Public bug reported:

Summary:

If you enable the apparmor profile that comes in Ubuntu's Firefox
package, it prevents USB U2F tokens from being used.

To reproduce:

1. Obtain a USB FIDO/U2F token, such as a YubiKey, and a clean install
of Ubuntu 20.04 with Firefox installed but the AppArmor profile for
firefox disabled (as is the default).

2. Confirm the correct function of your U2F token - such as at
https://demo.yubico.com/webauthn-technical

3. Enable the AppArmor profile with the following command, then restart
firefox.

     sudo aa-enforce /etc/apparmor.d/usr.bin.firefox

4. Repeat the test of your U2F token. You will find Firefox is unable
to access the token. Any accounts that require U2F to log in are now
inaccessible.

5. Disabling the AppArmor profile and restarting Firefox makes U2F
work again.

To work around:

Edit /etc/apparmor.d/usr.bin.firefox and replace these lines:

  # Doesn't seem to be required, but noisy. Maybe allow 'r' for 'b*' if needed.
  # Possibly move to an abstraction if anything else needs it.
  deny /run/udev/data/** r,

with lines that allow read access to udev data and read/write access to hidraw devices:

  /run/udev/data/** r,
  /dev/hidraw[0-9] rw,

I haven't checked the security implications of this change; some might
feel it grants overly broad access. Chromium, which in 20.04 is
delivered as a snap, includes udev rules (70-snap.chromium.rules) which
I suspect grant access in a device-id-whitelisted way.
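To confirm that the profile, and not something else, is what blocks the token, the kernel's AppArmor denial records can be filtered for the two path classes the workaround opens up. This is an added example, not part of the bug report; the log lines are constructed to match the AppArmor audit format (the pids, timestamps and device minor numbers are made up).

```bash
#!/bin/bash
# Constructed sample of AppArmor audit records as found in `journalctl -k`
# or /var/log/kern.log. Record 3 is an unrelated denial, record 4 is not a
# denial at all; both must be ignored.
SAMPLE_LOG='kernel: audit: type=1400 audit(1622764495.1:101): apparmor="DENIED" operation="open" profile="firefox" name="/run/udev/data/c13:66" pid=4321 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
kernel: audit: type=1400 audit(1622764495.2:102): apparmor="DENIED" operation="open" profile="firefox" name="/dev/hidraw2" pid=4321 comm="firefox" requested_mask="rw" denied_mask="rw" fsuid=1000 ouid=0
kernel: audit: type=1400 audit(1622764495.3:103): apparmor="DENIED" operation="open" profile="firefox" name="/etc/shadow" pid=4321 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
kernel: audit: type=1400 audit(1622764495.4:104): apparmor="ALLOWED" operation="open" profile="firefox" name="/dev/hidraw3" pid=4321 comm="firefox" requested_mask="rw" denied_mask="rw" fsuid=1000 ouid=0'

# Print "<path> <denied_mask>" for every DENIED record from the firefox
# profile whose path is a udev data file or a hidraw node, i.e. exactly the
# paths the U2F/HID code path needs and the workaround above allows.
u2f_denials() {
  printf '%s\n' "$1" |
    grep 'apparmor="DENIED"' |
    grep 'profile="firefox"' |
    sed -n 's/.*name="\([^"]*\)".*denied_mask="\([^"]*\)".*/\1 \2/p' |
    grep -E '^(/run/udev/data/|/dev/hidraw[0-9]+ )'
}

# Number of such denials; 0 means the profile is not what blocks the token.
u2f_denial_count() {
  u2f_denials "$1" | wc -l | tr -d ' '
}

# Run against the live kernel log on an Ubuntu host (needs journalctl;
# not exercised here because the log is system specific).
scan_live_log() {
  u2f_denials "$(journalctl -k --no-pager 2>/dev/null)"
}
```

If the live scan prints only `/run/udev/data/...` and `/dev/hidrawN` entries, the two rules in the workaround are the minimum the profile is missing; any other paths listed need a separate decision.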

This is me resubmitting #1930768 this time with all the info attached.

ProblemType: Bug
DistroRelease: Ubuntu 20.04
Package: firefox 88.0.1+build1-0ubuntu0.20.04.2
ProcVersionSignature: Ubuntu 5.8.0-53.60~20.04.1-generic 5.8.18
Uname: Linux 5.8.0-53-generic x86_64
NonfreeKernelModules: nvidia_modeset nvidia
AddonCompatCheckDisabled: False
ApportVersion: 2.20.11-0ubuntu27.18
Architecture: amd64
AudioDevicesInUse:
 USER        PID ACCESS COMMAND
 /dev/snd/controlC0:  mtandy     1757 F.... pulseaudio
 /dev/snd/controlC1:  mtandy     1757 F.... pulseaudio
BuildID: 20210504152106
CasperMD5CheckResult: skip
Channel: Unavailable
CurrentDesktop: ubuntu:GNOME
Date: Thu Jun  3 23:34:55 2021
ForcedLayersAccel: False
IncompatibleExtensions: Default - {972ce4c6-7e08-4474-a285-3208198ce6fd}
InstallationDate: Installed on 2021-05-31 (3 days ago)
InstallationMedia: Ubuntu 20.04.2.0 LTS "Focal Fossa" - Release amd64 (20210209.1)
IpRoute:
 default via 192.168.0.1 dev enp3s0 proto dhcp metric 100 
 169.254.0.0/16 dev enp3s0 scope link metric 1000 
 192.168.0.0/24 dev enp3s0 proto kernel scope link src 192.168.0.2 metric 100
MostRecentCrashID: bp-4122b123-9c74-4baf-b817-c8a771171216
PrefErrors: Unexpected character ',' before close parenthesis @ /usr/lib/firefox/omni.ja:greprefs.js:352
PrefSources: prefs.js
Profiles: Profile0 (Default) - LastVersion=88.0.1/20210504152106 (In use)
RunningIncompatibleAddons: True
SourcePackage: firefox
UpgradeStatus: No upgrade log present (probably fresh install)
dmi.bios.date: 07/11/2014
dmi.bios.release: 4.6
dmi.bios.vendor: American Megatrends Inc.
dmi.bios.version: 2202
dmi.board.asset.tag: To be filled by O.E.M.
dmi.board.name: Z97-K
dmi.board.vendor: ASUSTeK COMPUTER INC.
dmi.board.version: Rev X.0x
dmi.chassis.asset.tag: To Be Filled By O.E.M.
dmi.chassis.type: 3
dmi.chassis.vendor: To Be Filled By O.E.M.
dmi.chassis.version: To Be Filled By O.E.M.
dmi.modalias: dmi:bvnAmericanMegatrendsInc.:bvr2202:bd07/11/2014:br4.6:svnASUS:pnAllSeries:pvrSystemVersion:rvnASUSTeKCOMPUTERINC.:rnZ97-K:rvrRevX.0x:cvnToBeFilledByO.E.M.:ct3:cvrToBeFilledByO.E.M.:
dmi.product.family: ASUS MB
dmi.product.name: All Series
dmi.product.sku: All
dmi.product.version: System Version
dmi.sys.vendor: ASUS
mtime.conffile..etc.apparmor.d.usr.bin.firefox: 2021-06-03T23:25:44.143815

** Affects: firefox (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: amd64 apport-bug focal

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to firefox in Ubuntu.
https://bugs.launchpad.net/bugs/1930769

Title:
  When enabled, Firefox AppArmor profile prevents U2F devices from
  working

Status in firefox package in Ubuntu:
  New


To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1930769/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages