[Bug 1967632] Re: [snap] apparmor denied when trying to load pkcs11 module for smart card authentication
Jefferson Ascaneo
1967632 at bugs.launchpad.net
Sun Aug 28 08:51:26 UTC 2022
https://launchpad.net/~liuck
Thank you very much! I managed to use my SafeNet eToken 5100 to log in to a Brazilian government website using your instructions!
In my case, I didn't need to install the libacsccid1 package; maybe that
is related to your smart card. I also didn't have any infinite cycle
when testing my eToken, it seems to work just fine. And the package
pcscd was already installed, since it was needed to use the eToken in
Ubuntu 20.04.
The only remaining "bug" is that I had to manually follow a few symbolic
links to find the real location of the PKCS11 module. In Ubuntu 20.04 I
could just add the path "/usr/lib/libeTPkcs11.so", but this is a
symbolic link to "/usr/lib/libeToken.so", which in turn is a symbolic
link to "/usr/lib/libeToken.so.10.7.77". So it only worked when I used
the final path "/usr/lib/libeToken.so.10.7.77".
Summarizing the solution you gave above, again, but using sudo this time:
$ sudo apt install pcscd
$ sudo mkdir /etc/apparmor.d/abstractions/p11-kit.d/
$ echo "/run/user/[0-9]*/** mr," | sudo tee /etc/apparmor.d/abstractions/p11-kit.d/snap
$ echo "/run/pcscd/pcscd.comm rw," | sudo tee -a /etc/apparmor.d/abstractions/p11-kit.d/snap
$ sudo sed -i 's|.*#include <abstractions/openssl>.*|&\n #include <abstractions/p11-kit>|' /var/lib/snapd/apparmor/profiles/snap.firefox.firefox
$ sudo apparmor_parser -v -C -r /var/lib/snapd/apparmor/profiles/snap.firefox.firefox
Then in Firefox -> Settings -> Privacy & Security -> Security devices...
-> Load:
Module name: "eToken SafeNet" in my case, but it can be anything you want.
Module filename: "/usr/lib/libeToken.so.10.7.77", also in my case; you
need to find the correct module for you. After you select the file, it
will automatically change the module path to another one starting with
"/run/user/...".
That's for my USB eToken, my (software) SafeNet reader and my libeToken
module.
My environment:
Ubuntu 22.04.1 LTS
Codename: jammy
Mozilla Firefox 104.0
--
You received this bug notification because you are a member of Mozilla
Bugs, which is subscribed to firefox in Ubuntu.
https://bugs.launchpad.net/bugs/1967632
Title:
[snap] apparmor denied when trying to load pkcs11 module for smart
card authentication
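
A check for the setup described in the message above, as an added example that is not part of the original message or of the Ubuntu or Firefox packaging: it walks the symlink chain to the real PKCS#11 module file and verifies that the two AppArmor rules and the p11-kit include are in place. The function names are hypothetical; the rules and default paths are the ones quoted in the message. snapd writes the profile under /var/lib/snapd/apparmor/profiles itself, so the include is worth re-checking after a snap refresh.

```shell
#!/bin/sh
# Added example: function names are hypothetical; rules and paths are from the message.
RULES='/run/user/[0-9]*/** mr,
/run/pcscd/pcscd.comm rw,'

# Follow a symlink chain hop by hop (hops on stderr), print the real file on stdout.
resolve_module() {
    p=$1; hops=0
    while [ -L "$p" ]; do
        t=$(readlink "$p")
        case $t in
            /*) ;;                        # absolute target
            *)  t=$(dirname "$p")/$t ;;   # relative target: resolve against the link's directory
        esac
        echo "  $p -> $t" >&2
        p=$t; hops=$((hops + 1))
        [ "$hops" -le 40 ] || { echo "symlink loop at $p" >&2; return 1; }
    done
    [ -f "$p" ] || { echo "not a regular file: $p" >&2; return 1; }
    printf '%s\n' "$p"
}

# Print each expected rule that is absent from the drop-in file $1.
missing_rules() {
    printf '%s\n' "$RULES" | while IFS= read -r rule; do
        grep -Fqx -- "$rule" "$1" 2>/dev/null || printf '%s\n' "$rule"
    done
}

# Succeed if the snap profile $1 pulls in the p11-kit abstraction.
profile_has_include() {
    grep -Eq '^[[:space:]]*#include <abstractions/p11-kit>' "$1" 2>/dev/null
}

# $1 = module path, $2 = drop-in, $3 = profile; returns 0 only if all checks pass.
check_setup() {
    rc=0
    if real=$(resolve_module "$1"); then echo "module file to load: $real"; else rc=1; fi
    m=$(missing_rules "$2")
    [ -z "$m" ] || { echo "rules missing from $2:"; echo "$m"; rc=1; }
    profile_has_include "$3" || { echo "$3 lacks the p11-kit include"; rc=1; }
    return "$rc"
}

if [ "$#" -gt 0 ]; then
    check_setup "$1" "${2:-/etc/apparmor.d/abstractions/p11-kit.d/snap}" \
        "${3:-/var/lib/snapd/apparmor/profiles/snap.firefox.firefox}"
fi
```

Run it with the module path as the first argument, for example /usr/lib/libeTPkcs11.so; the drop-in and profile paths default to the ones used in the message.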