[Bug 1967632] Re: [snap] apparmor denied when trying to load pkcs11 module for smart card authentication

Nathan Teodosio 1967632 at bugs.launchpad.net
Mon Sep 23 07:34:23 UTC 2024 

** Description changed:

- For 22.04, if your smart card is supported by OpenSC
- (https://github.com/OpenSC/OpenSC/wiki/Supported-hardware-%28smart-
- cards-and-USB-tokens%29), we believe the best solution/work-around at
- the moment is:
+ Opensc-pkcs11
+ -------------
  
-   sudo apt install opensc-pkcs11
-   sudo snap refresh --edge firefox
-   sudo snap connect firefox:pcscd
-   cp /usr/lib/*/opensc-pkcs11.so $HOME/snap/firefox/common
+ The opensc-pkcs11 module is now loadable in the beta and edge snaps of
+ Firefox.
  
- Then load the module from that path, i.e.
- $HOME/snap/firefox/common/opensc-pkcs11.so.
+   snap refresh --beta firefox
  
- If you get "unable to load module" make sure you are the owner of the
- file:
+ To load the module, write this path in Settings > Cryptographic modules
+ > Load:
  
-   chown "$(id -u)" $HOME/snap/firefox/common/opensc-pkcs11.so
+   /snap/firefox/current/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
  
- Please report whether this solves the issue.
+ The file picker messes with the path, do NOT use it!
  
- The part of copying the module to a snap-readable location is clumsy and
- we will work on a more proper solution to that. And of course, to make
- this series-independent.
+ Please report whether this solves the issue for this particular module.
  
- ----
+ Original report
+ ---------------
  
  I use a smart card to access government sites. I have that working in
  firefox and chrome on ubuntu impish, and gave jammy a try, but there
  firefox won't load the library, giving me a generic error.
  
  dmesg, however, shows this apparmor denied message:
  
  [sáb abr  2 17:32:27 2022] audit: type=1400 audit(1648931547.646:115):
  apparmor="DENIED" operation="file_mmap" profile="snap.firefox.firefox"
  name="/run/user/1000/doc/e0bac853/libaetpkss.so.3.5.4112" pid=3680
  comm="firefox" requested_mask="m" denied_mask="m" fsuid=1000 ouid=0
  
  Note also the path, that's not what I typed into the firefox dialog box.
  I have the .so copied to /usr/lib/x86_64-linux-
  gnu/libaetpkss.so.3.5.4112, and that's what I typed in when prompted for
  its path by firefox.
  
  ProblemType: Bug
  DistroRelease: Ubuntu 22.04
  Package: firefox 1:1snap1-0ubuntu2
  ProcVersionSignature: Ubuntu 5.15.0-23.23-generic 5.15.27
  Uname: Linux 5.15.0-23-generic x86_64
  NonfreeKernelModules: zfs zunicode zavl icp zcommon znvpair
  ApportVersion: 2.20.11-0ubuntu80
  Architecture: amd64
  CasperMD5CheckResult: pass
  CurrentDesktop: ubuntu:GNOME
  Date: Sat Apr  2 17:34:09 2022
  InstallationDate: Installed on 2022-03-20 (13 days ago)
  InstallationMedia: Ubuntu 22.04 LTS "Jammy Jellyfish" - Alpha amd64 (20220319)
  Snap.Changes: no changes found
  SourcePackage: firefox
  UpgradeStatus: No upgrade log present (probably fresh install)

-- 
You received this bug notification because you are a member of Mozilla
Bugs, which is subscribed to firefox in Ubuntu.
https://bugs.launchpad.net/bugs/1967632

Title:
  [snap] apparmor denied when trying to load pkcs11 module for smart
  card authentication

To manage notifications about this bug go to:
https://bugs.launchpad.net/firefox/+bug/1967632/+subscriptions

More information about the Ubuntu-mozillateam-bugs mailing list