[Bug 1967632] Re: [snap] apparmor denied when trying to load pkcs11 module for smart card authentication

Thu Sep 19 13:59:39 UTC 2024

Andreas, thank you for your response. As in my previous message, we
cannot expect such a hack to work outside of 22.04, I updated the
description, sorry for wasting your time with that.

Then, it doesn't matter if /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0
is in the host, the snap is on core22 and only sees
/snap/core22/current/lib/x86_64-linux-gnu/libcrypto.so.3.

In any case your comment is very valuable as it gives us a list of
libraries required by a module outside the our open-source archive that
we should keep in mind when ironing this out.

** Description changed:

- For 22.04 we believe the best solution/work-around at the moment is:
+ For 22.04, if your smart card is supported by OpenSC
+ (https://github.com/OpenSC/OpenSC/wiki/Supported-hardware-%28smart-
+ cards-and-USB-tokens%29), we believe the best solution/work-around at
+ the moment is:

    sudo apt install opensc-pkcs11
    sudo snap refresh --edge firefox
    sudo snap connect firefox:pcscd
    cp /usr/lib/*/opensc-pkcs11.so $HOME/snap/firefox/common

  Then load the module from that path, i.e.
  $HOME/snap/firefox/common/opensc-pkcs11.so.

  If you get "unable to load module" make sure you are the owner of the
  file:

    chown "$(id -u)" $HOME/snap/firefox/common/opensc-pkcs11.so

  Please report whether this solves the issue.

  The part of copying the module to a snap-readable location is clumsy and
  we will work on a more proper solution to that. And of course, to make
  this series-independent.

  ----

  I use a smart card to access government sites. I have that working in
  firefox and chrome on ubuntu impish, and gave jammy a try, but there
  firefox won't load the library, giving me a generic error.

  dmesg, however, shows this apparmor denied message:

  [sáb abr  2 17:32:27 2022] audit: type=1400 audit(1648931547.646:115):
  apparmor="DENIED" operation="file_mmap" profile="snap.firefox.firefox"
  name="/run/user/1000/doc/e0bac853/libaetpkss.so.3.5.4112" pid=3680
  comm="firefox" requested_mask="m" denied_mask="m" fsuid=1000 ouid=0

  Note also the path, that's not what I typed into the firefox dialog box.
  I have the .so copied to /usr/lib/x86_64-linux-
  gnu/libaetpkss.so.3.5.4112, and that's what I typed in when prompted for
  its path by firefox.

  ProblemType: Bug
  DistroRelease: Ubuntu 22.04
  Package: firefox 1:1snap1-0ubuntu2
  ProcVersionSignature: Ubuntu 5.15.0-23.23-generic 5.15.27
  Uname: Linux 5.15.0-23-generic x86_64
  NonfreeKernelModules: zfs zunicode zavl icp zcommon znvpair
  ApportVersion: 2.20.11-0ubuntu80
  Architecture: amd64
  CasperMD5CheckResult: pass
  CurrentDesktop: ubuntu:GNOME
  Date: Sat Apr  2 17:34:09 2022
  InstallationDate: Installed on 2022-03-20 (13 days ago)
  InstallationMedia: Ubuntu 22.04 LTS "Jammy Jellyfish" - Alpha amd64 (20220319)
  Snap.Changes: no changes found
  SourcePackage: firefox
  UpgradeStatus: No upgrade log present (probably fresh install)

-- 
You received this bug notification because you are a member of Mozilla
Bugs, which is subscribed to firefox in Ubuntu.
https://bugs.launchpad.net/bugs/1967632

Title:
  [snap] apparmor denied when trying to load pkcs11 module for smart
  card authentication

To manage notifications about this bug go to:
https://bugs.launchpad.net/firefox/+bug/1967632/+subscriptions