[Bug 1967632] Re: [snap] apparmor denied when trying to load pkcs11 module for smart card authentication

Nathan Teodosio 1967632 at bugs.launchpad.net
Thu Sep 19 13:52:50 UTC 2024


I missed the obvious fact that the module will only work if sourced from
a 22.04, as Firefox is based on core22. There is a priori no guarantee
it would work for other series, as it indeed doesn't. If sourced from
24.10, ldd says stuff like

  opensc-pkcs11.so: /lib/x86_64-linux-gnu/libc.so.6: version
`GLIBC_2.38' not found (required by
/snap/firefox/x7/usr/lib/x86_64-linux-gnu/libopensc.so.11)

I'll amend the description and later update it with something that works
across all series, at least for supported cards supported by that
module.

** Description changed:

- We believe the best solution/work-around at the moment is:
+ For 22.04 we believe the best solution/work-around at the moment is:
  
-   sudo apt install opensc-pkcs11
+   sudo apt install opensc-pkcs11
    sudo snap refresh --edge firefox
    sudo snap connect firefox:pcscd
    cp /usr/lib/*/opensc-pkcs11.so $HOME/snap/firefox/common
  
  Then load the module from that path, i.e.
  $HOME/snap/firefox/common/opensc-pkcs11.so.
  
  If you get "unable to load module" make sure you are the owner of the
  file:
  
    chown "$(id -u)" $HOME/snap/firefox/common/opensc-pkcs11.so
  
  Please report whether this solves the issue.
  
  The part of copying the module to a snap-readable location is clumsy and
- we will work on a more proper solution to that.
+ we will work on a more proper solution to that. And of course, to make
+ this series-independent.
  
  ----
  
  I use a smart card to access government sites. I have that working in
  firefox and chrome on ubuntu impish, and gave jammy a try, but there
  firefox won't load the library, giving me a generic error.
  
  dmesg, however, shows this apparmor denied message:
  
  [sáb abr  2 17:32:27 2022] audit: type=1400 audit(1648931547.646:115):
  apparmor="DENIED" operation="file_mmap" profile="snap.firefox.firefox"
  name="/run/user/1000/doc/e0bac853/libaetpkss.so.3.5.4112" pid=3680
  comm="firefox" requested_mask="m" denied_mask="m" fsuid=1000 ouid=0
  
  Note also the path, that's not what I typed into the firefox dialog box.
  I have the .so copied to /usr/lib/x86_64-linux-
  gnu/libaetpkss.so.3.5.4112, and that's what I typed in when prompted for
  its path by firefox.
  
  ProblemType: Bug
  DistroRelease: Ubuntu 22.04
  Package: firefox 1:1snap1-0ubuntu2
  ProcVersionSignature: Ubuntu 5.15.0-23.23-generic 5.15.27
  Uname: Linux 5.15.0-23-generic x86_64
  NonfreeKernelModules: zfs zunicode zavl icp zcommon znvpair
  ApportVersion: 2.20.11-0ubuntu80
  Architecture: amd64
  CasperMD5CheckResult: pass
  CurrentDesktop: ubuntu:GNOME
  Date: Sat Apr  2 17:34:09 2022
  InstallationDate: Installed on 2022-03-20 (13 days ago)
  InstallationMedia: Ubuntu 22.04 LTS "Jammy Jellyfish" - Alpha amd64 (20220319)
  Snap.Changes: no changes found
  SourcePackage: firefox
  UpgradeStatus: No upgrade log present (probably fresh install)
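Review bot: The new "For 22.04" qualifier on the first changed line states the restriction but not its reason, so a reader on another series who follows the steps anyway only sees the generic "unable to load module" error mentioned further down. Suggest adding one sentence to the description saying that the copied module has to come from a 22.04 host because the Firefox snap is based on core22, and that a module built against a newer glibc will fail to load. The re-added "sudo apt install opensc-pkcs11" line differs from the removed one only in whitespace and could be dropped from the change.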

-- 
You received this bug notification because you are a member of Mozilla
Bugs, which is subscribed to firefox in Ubuntu.
https://bugs.launchpad.net/bugs/1967632
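
A pre-flight check for the two failure modes mentioned in this message (a module that needs a newer glibc than the snap's base provides, and a module file not owned by the user), as an added example that is not part of the bug report or of any project's code. The function names are hypothetical, and the default of 2.35 assumes that core22 is built from Ubuntu 22.04, which ships glibc 2.35. Only the files named on the command line are inspected, so libraries the module depends on (libopensc in the ldd output above) need to be passed as well.

```bash
#!/bin/sh
# Added example: check a PKCS#11 module before copying it into
# $HOME/snap/firefox/common. Not taken from the bug report.

# Assumption: core22 is built from Ubuntu 22.04, which ships glibc 2.35.
BASE_GLIBC="${BASE_GLIBC:-2.35}"

# Print the highest GLIBC_x.y symbol version named inside an ELF file.
# Scans the version strings stored in the file, so no binutils are needed.
max_glibc_required() {
    LC_ALL=C grep -aoE 'GLIBC_[0-9]+(\.[0-9]+)+' "$1" \
        | sed 's/^GLIBC_//' | sort -uV | tail -n 1
}

# Succeeds when version $1 is lower than or equal to version $2.
version_le() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# Return codes: 0 ok, 1 needs a newer glibc than the base,
# 2 not owned by the current user, 3 file not readable.
check_module() {
    cm_file="$1"
    [ -r "$cm_file" ] || { echo "cannot read $cm_file" >&2; return 3; }
    cm_need="$(max_glibc_required "$cm_file")"
    if [ -n "$cm_need" ] && ! version_le "$cm_need" "$BASE_GLIBC"; then
        echo "$cm_file needs GLIBC_$cm_need, base has $BASE_GLIBC" >&2
        return 1
    fi
    if [ "$(stat -c %u "$cm_file")" != "$(id -u)" ]; then
        echo "$cm_file is not owned by uid $(id -u)" >&2
        return 2
    fi
    echo "$cm_file: ok (highest requirement: GLIBC_${cm_need:-none})"
}

# Check every file given on the command line.
for f in "$@"; do
    check_module "$f"
done
```
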
