Got this working, at least briefly on:
* Ubuntu 22.04
* snap Firefox 125.0.3 (+pcscd slot on the snap)
* deb opensc 0.22.0-1ubuntu2
* deb opensc-pkcs11 0.22.0-1ubuntu2

Loading /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so with file selector
from the snap put it under /run/user/1000/doc/XNUMBERX/opensc-pkcs11.so

I made the following changes to the firefox snap to enable my smartcard.

1. Allow loading module

Apparmor
```
# allow access to opensc pkcs11 module
/run/user/1000/doc/*/opensc-pkcs11.so mr,
```

2. Allow access to pcscd

Apparmor
```
# allow access to pcscd
/run/pcscd/pcscd.comm wr,
```

3. Fix issues with PKCS11 login

not sure if minimal set, anyway for apparmor:
```
# For token login
owner @{PROC}/@{pid}/mountinfo r,
/etc/opensc/opensc.conf r,
```

and for seccomp, allow syscalls
```
setpriority
quotactl
```

After these changes I was able to log in to my tokens and use them for
authentication.

Output for ldd
```
$ ldd /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
        linux-vdso.so.1 (0x00007ffded5ec000)
        libopensc.so.8 => /lib/x86_64-linux-gnu/libopensc.so.8 (0x00007b6ccd15a000)
        libcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 (0x00007b6cccc00000)
        libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007b6ccc800000)
        libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007b6ccd13e000)
        libgio-2.0.so.0 => /lib/x86_64-linux-gnu/libgio-2.0.so.0 (0x00007b6ccc627000)
        libgobject-2.0.so.0 => /lib/x86_64-linux-gnu/libgobject-2.0.so.0 (0x00007b6ccd0de000)
        /lib64/ld-linux-x86-64.so.2 (0x00007b6ccd3ac000)
        libglib-2.0.so.0 => /lib/x86_64-linux-gnu/libglib-2.0.so.0 (0x00007b6cccac6000)
        libgmodule-2.0.so.0 => /lib/x86_64-linux-gnu/libgmodule-2.0.so.0 (0x00007b6ccd0d5000)
        libmount.so.1 => /lib/x86_64-linux-gnu/libmount.so.1 (0x00007b6ccd091000)
        libselinux.so.1 => /lib/x86_64-linux-gnu/libselinux.so.1 (0x00007b6ccd065000)
        libffi.so.8 => /lib/x86_64-linux-gnu/libffi.so.8 (0x00007b6ccd058000)
        libpcre.so.3 => /lib/x86_64-linux-gnu/libpcre.so.3 (0x00007b6ccca50000)
        libm.so.6 => /lib/x86_64-linux-gnu/libm.so.6 (0x00007b6ccc540000)
        libblkid.so.1 => /lib/x86_64-linux-gnu/libblkid.so.1 (0x00007b6ccc509000)
        libpcre2-8.so.0 => /lib/x86_64-linux-gnu/libpcre2-8.so.0 (0x00007b6ccc472000)
```

Some of these changes seem straightforward, but the loaded module should
be made visible with a stable file system path. It is needed both for
the apparmor rule and the reference created in the NSSDB module database
(which in the snap seems to have relocated under SNAP_USER_COMMON and
the user's profile).

https://bugs.launchpad.net/bugs/1967632

Title:
  [snap] apparmor denied when trying to load pkcs11 module for smart
  card authentication
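
AppArmor rules like the ones in the comment above can be derived from the kernel's denial records instead of by trial and error. The following is an added example, not part of the original bug comment or of snapd: it parses constructed sample audit lines and proposes profile rules. The profile name `snap.firefox.firefox`, the sample records and the rewriting of `/proc/<pid>/` into an `owner @{PROC}/@{pid}/` rule are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample kernel audit records (not taken from the bug report).
SAMPLE_LOG = """\
audit: type=1400 audit(1714640000.101:311): apparmor="DENIED" operation="file_mmap" profile="snap.firefox.firefox" name="/run/user/1000/doc/1a2b3c4d/opensc-pkcs11.so" pid=4242 comm="firefox" requested_mask="m" denied_mask="m" fsuid=1000 ouid=1000
audit: type=1400 audit(1714640000.102:312): apparmor="DENIED" operation="open" profile="snap.firefox.firefox" name="/run/user/1000/doc/1a2b3c4d/opensc-pkcs11.so" pid=4242 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
audit: type=1400 audit(1714640001.200:313): apparmor="DENIED" operation="connect" profile="snap.firefox.firefox" name="/run/pcscd/pcscd.comm" pid=4242 comm="firefox" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=0
audit: type=1400 audit(1714640002.300:314): apparmor="DENIED" operation="open" profile="snap.firefox.firefox" name="/proc/4242/mountinfo" pid=4242 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
audit: type=1400 audit(1714640003.400:315): apparmor="DENIED" operation="open" profile="snap.firefox.firefox" name="/etc/opensc/opensc.conf" pid=4242 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
audit: type=1400 audit(1714640004.500:316): apparmor="DENIED" operation="open" profile="snap.other.app" name="/etc/hostname" pid=5000 comm="other" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
"""

FIELD = re.compile(r'(\w+)=("([^"]*)"|\S+)')
ORDER = "mwrkl"  # output order for permission letters


def parse(line):
    """Split one audit record into key/value pairs, unquoting quoted values."""
    return {k: (q if v.startswith('"') else v) for k, v, q in FIELD.findall(line)}


def generalize(path):
    """Replace per-session path parts with globs or AppArmor variables."""
    # The document portal id under /run/user/<uid>/doc/ differs per export.
    path = re.sub(r"^(/run/user/\d+/doc/)[^/]+/", r"\1*/", path)
    # Assumption: /proc/<pid>/ accesses become an owner-restricted rule.
    if re.match(r"^/proc/\d+/", path):
        return "owner " + re.sub(r"^/proc/\d+/", "@{PROC}/@{pid}/", path)
    return path


def suggest_rules(log, profile):
    """Return candidate file rules for every path denied to `profile`."""
    perms = defaultdict(set)
    for line in log.splitlines():
        rec = parse(line)
        if rec.get("apparmor") != "DENIED" or rec.get("profile") != profile:
            continue
        if "name" not in rec:  # capability/network denials carry no path
            continue
        perms[generalize(rec["name"])].update(rec.get("denied_mask", ""))
    return [f"{path} {''.join(sorted(mask, key=ORDER.find))},"
            for path, mask in sorted(perms.items())]


if __name__ == "__main__":
    print("\n".join(suggest_rules(SAMPLE_LOG, "snap.firefox.firefox")))
```

The output is a list of candidates to review before adding to a profile, since every rule widens what the confined browser may touch.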