Ubuntu
chromium-browser package

[snap] U2F doesn't work with yubikey

Bug #1738164 reported by Olivier Tilloy
48
This bug affects 8 people
Affects Status Importance Assigned to Milestone
chromium-browser (Ubuntu)
Fix Released
High
Olivier Tilloy
gnome-software (Ubuntu)
Fix Released
Medium
Robert Ancell
Xenial
Fix Released
Medium
Robert Ancell
Bionic
Fix Released
Medium
Robert Ancell
Cosmic
Won't Fix
Medium
Robert Ancell

Bug Description

[Impact]
Installing a snap that requires the u2f-devices interface doesn't show a UI element to enable/disable this in GNOME Software. Initially Chromium didn't have this enabled by default, and thus the feature wouldn't work without going to the command line. It now is enabled by default.

[Test Case]
1. Open GNOME Software
2. Install the Chromium snap
3. Click "Permissions"

Expected result:
A switch is shown to control "Read/write access to U2F devices exposed". Clicking it connects/disconnects the u2f-devices interface.

Observed result:
No switch is shown for this interface.

[Regression Potential]
A string for this interface was added to GNOME Software, low risk of introducing a new bug.

See original description
Revision history for this message
Chris Cowling (tatramaco) wrote :

It appears that apparmor is blocking u2f requests :

[ 5955.568022] audit: type=1400 audit(1526465659.599:92): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/sys/devices/pci0000:00/0000:00:14.0/usb3/3-3/3-3:1.0/0003:045E:07B2.0001/report_descriptor" pid=19386 comm="TaskSchedulerFo" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[ 5955.568379] audit: type=1400 audit(1526465659.599:93): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/sys/devices/pci0000:00/0000:00:14.0/usb3/3-3/3-3:1.1/0003:045E:07B2.0002/report_descriptor" pid=19386 comm="TaskSchedulerFo" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[ 5955.568667] audit: type=1400 audit(1526465659.599:94): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/sys/devices/pci0000:00/0000:00:14.0/usb3/3-3/3-3:1.2/0003:045E:07B2.0003/report_descriptor" pid=19386 comm="TaskSchedulerFo" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[ 5955.569840] audit: type=1400 audit(1526465659.599:95): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/sys/devices/pci0000:00/0000:00:1a.0/usb1/1-1/1-1.2/1-1.2:1.0/0003:1050:0407.002D/report_descriptor" pid=19386 comm="TaskSchedulerFo" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[ 5955.570337] audit: type=1400 audit(1526465659.603:96): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/sys/devices/pci0000:00/0000:00:1a.0/usb1/1-1/1-1.2/1-1.2:1.1/0003:1050:0407.002E/report_descriptor" pid=19386 comm="TaskSchedulerFo" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

Revision history for this message
Olivier Tilloy (osomon) wrote :

It looks like the raw-usb interface might help here. I'll rebuild the snap with it and will post instructions on how to test.

Revision history for this message
Olivier Tilloy (osomon) wrote :

@Chris: can you try the following, and report whether this addresses the issue:

    snap refresh chromium --channel=candidate/raw-usb-test
    snap connect chromium:raw-usb

Thanks!

Changed in chromium-browser (Ubuntu):
status: New → Confirmed
importance: Undecided → Medium
Revision history for this message
Chris Cowling (tatramaco) wrote :

It no longer throws an apparmor denied message but it doesn't work.....

Bot gmail and github throw a 'Something went wrong' error.

Revision history for this message
Olivier Tilloy (osomon) wrote :

Do you get more useful debug information if you run the snap with the "--enable-logging=stderr" parameter?

Revision history for this message
karl (karl-hiramoto) wrote :

with chromium --enable-logging=stderr

You just see that chromium can not find the device in the log it says:

[14261:14261:0718/202809.157292:INFO:CONSOLE(173)] "0718 20:28:09.156000: []", source: chrome-extension://kmendfapggjehodndflmmgagdbamhnfd/gnubbies.js (173)
[14261:14261:0718/202809.358137:INFO:CONSOLE(172)] "0718 20:28:09.358000: Enumerated 0 gnubbies", source: chrome-extension://kmendfapggjehodndflmmgagdbamhnfd/gnubbies.js (172)
[14261:14261:0718/202809.358350:INFO:CONSOLE(173)] "0718 20:28:09.358000: []", source: chrome-extension://kmendfapggjehodndflmmgagdbamhnfd/gnubbies.js (173)
[14261:14261:0718/202809.358616:INFO:CONSOLE(172)] "0718 20:28:09.359000: Enumerated 0 gnubbies", source: chrome-extension://kmendfapggjehodndflmmgagdbamhnfd/gnubbies.js (172)
[14261:14261:0718/202809.358858:INFO:CONSOLE(173)] "0718 20:28:09.359000: []", source: chrome-extension://kmendfapggjehodndflmmgagdbamhnfd/gnubbies.js (173)

Revision history for this message
karl (karl-hiramoto) wrote :

the proprietary google chrome does find the yubikey / gnubbie

Revision history for this message
Sami Ben Hatit (sambh) wrote :

I can confirm the bug is still present, tested with 67.0.3396.99 (367) and 68.0.3440.75 (383). I couldn't test with raw-usb as it seems this channel doesn't exist anymore.

Anything I could do to help testing or debugging this?

Revision history for this message
Olivier Tilloy (osomon) wrote :

@Sami: I have re-opened the candidate/raw-usb-test channel and updated it to the latest stable release. Please test with the instructions in comment #3, run chromium with --enable-logging=stderr, and in another terminal window please run "journalctl -f" and share any relevant denials. Thanks!

Revision history for this message
Alejandro M. Medrano Gil (amedranogil) wrote :
Download full text (26.0 KiB)

I have the same issue, my Yubikey is the yibikey neo 4 model, it does support U2F. after installing Ubuntu 18.04.01 I followed yubico's instructions: https://support.yubico.com/support/solutions/articles/15000006449-using-your-u2f-yubikey-with-linux

which means I have a udev rule for the device, but dmesg was still mapping to snap.chromium. At this point the U2F seemed to wait for input until timeout, whereas the key's LED would flash like if it were in process of system recognition indefinitelly (as seen from dmesg, it seems chromium it continously attempting to read the device, but there are permission restrictions).

dmesg:
[18519.805380] usb 1-9: new full-speed USB device number 9 using xhci_hcd
[18519.954776] usb 1-9: New USB device found, idVendor=1050, idProduct=0116
[18519.954782] usb 1-9: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[18519.954785] usb 1-9: Product: Yubikey NEO OTP+U2F+CCID
[18519.954789] usb 1-9: Manufacturer: Yubico
[18519.956412] input: Yubico Yubikey NEO OTP+U2F+CCID as /devices/pci0000:00/0000:00:14.0/usb1/1-9/1-9:1.0/0003:1050:0116.0006/input/input20
[18520.014104] hid-generic 0003:1050:0116.0006: input,hidraw1: USB HID v1.10 Keyboard [Yubico Yubikey NEO OTP+U2F+CCID] on usb-0000:00:14.0-9/input0
[18520.015266] hid-generic 0003:1050:0116.0007: hiddev0,hidraw2: USB HID v1.10 Device [Yubico Yubikey NEO OTP+U2F+CCID] on usb-0000:00:14.0-9/input1
[18551.143579] audit: type=1107 audit(1534439526.751:164): pid=989 uid=103 auid=4294967295 ses=4294967295 msg='apparmor="DENIED" operation="dbus_method_call" bus="system" path="/" interface="org.freedesktop.DBus.ObjectManager" member="GetManagedObjects" mask="send" name="org.bluez" pid=25155 label="snap.chromium.chromium" peer_pid=985 peer_label="unconfined"
                exe="/usr/bin/dbus-daemon" sauid=103 hostname=? addr=? terminal=?'
[18553.624016] audit: type=1400 audit(1534439529.231:165): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/run/udev/data/c238:0" pid=25155 comm="TaskSchedulerFo" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[18553.638835] audit: type=1400 audit(1534439529.247:166): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/run/udev/data/c239:0" pid=25155 comm="TaskSchedulerFo" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[18553.639389] audit: type=1400 audit(1534439529.247:167): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/run/udev/data/c240:1" pid=25155 comm="TaskSchedulerFo" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[18553.639450] audit: type=1400 audit(1534439529.247:168): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/run/udev/data/c240:2" pid=25155 comm="TaskSchedulerFo" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[18553.639491] audit: type=1400 audit(1534439529.247:169): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/run/udev/data/c240:0" pid=25155 comm="TaskSchedulerFo" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[18863.195707] audit: type=1400 audit(1534439838.807:170): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/ru...

Revision history for this message
Alejandro M. Medrano Gil (amedranogil) wrote :
Download full text (9.4 KiB)

Sorry forgot

journalctl -f:
-- Logs begin at Sun 2018-08-12 21:54:04 CEST. --
ago 16 19:20:29 Alex thunderbird.desktop[25941]: [Parent 26418, Gecko_IOThread] WARNING: pipe error (113): Conexión reinicializada por la máquina remota: file /build/firefox-oscv9o/firefox-61.0.1+build1/ipc/chromium/src/chrome/common/ipc_channel_posix.cc, line 353
ago 16 19:37:40 Alex dbus-daemon[18014]: apparmor="DENIED" operation="dbus_method_call" bus="session" path="/org/freedesktop/secrets" interface="org.freedesktop.DBus.Properties" member="GetAll" mask="send" name="org.freedesktop.secrets" pid=27271 label="snap.chromium.chromium" peer_pid=18002 peer_label="unconfined"
ago 16 19:37:40 Alex audit[989]: USER_AVC pid=989 uid=103 auid=4294967295 ses=4294967295 msg='apparmor="DENIED" operation="dbus_method_call" bus="system" path="/" interface="org.freedesktop.DBus.ObjectManager" member="GetManagedObjects" mask="send" name="org.bluez" pid=26979 label="snap.chromium.chromium" peer_pid=985 peer_label="unconfined"
                                  exe="/usr/bin/dbus-daemon" sauid=103 hostname=? addr=? terminal=?'
ago 16 19:37:40 Alex kernel: audit: type=1107 audit(1534441060.543:176): pid=989 uid=103 auid=4294967295 ses=4294967295 msg='apparmor="DENIED" operation="dbus_method_call" bus="system" path="/" interface="org.freedesktop.DBus.ObjectManager" member="GetManagedObjects" mask="send" name="org.bluez" pid=26979 label="snap.chromium.chromium" peer_pid=985 peer_label="unconfined"
                              exe="/usr/bin/dbus-daemon" sauid=103 hostname=? addr=? terminal=?'
ago 16 19:37:47 Alex audit[26979]: AVC apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/run/udev/data/c238:0" pid=26979 comm="TaskSchedulerFo" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
ago 16 19:37:47 Alex kernel: audit: type=1400 audit(1534441067.899:177): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/run/udev/data/c238:0" pid=26979 comm="TaskSchedulerFo" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
ago 16 19:37:47 Alex audit[26979]: AVC apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/run/udev/data/c239:0" pid=26979 comm="TaskSchedulerFo" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
ago 16 19:37:47 Alex audit[26979]: AVC apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/run/udev/data/c240:0" pid=26979 comm="TaskSchedulerFo" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
ago 16 19:37:47 Alex kernel: audit: type=1400 audit(1534441067.927:178): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/run/udev/data/c239:0" pid=26979 comm="TaskSchedulerFo" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
ago 16 19:37:47 Alex kernel: audit: type=1400 audit(1534441067.927:179): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/run/udev/data/c240:0" pid=26979 comm="TaskSchedulerFo" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
ago 16 19:38:12 Alex audit[26979]: AVC apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/run/udev/data/c238:0" pid=26979 comm="TaskSchedulerFo" requested_mask=...

Read more...

Revision history for this message
Olivier Tilloy (osomon) wrote :

Thanks for the feedback Alejandro. So it looks like the raw-usb interface doesn't help indeed, what chromium needs read access to to access your key is the following:

    /run/udev/data/c238:0
    /run/udev/data/c239:0
    /run/udev/data/c240:0
    /run/udev/data/c240:1
    /run/udev/data/c240:2

And there doesn't seem to be any existing interfaces for those.

To switch back to the stable channel, you can just do:

    sudo snap refresh chromium --stable

Revision history for this message
Olivier Tilloy (osomon) wrote :

I asked @jdstrand on the snapcraft forum: https://forum.snapcraft.io/t/fido-u2f-authentication-fails-in-chromium-snap-build/6130/4

Revision history for this message
Charl le Roux (charl-leroux) wrote :

I am experiencing the same thing with both firefox and chromium snap packages. Google Chrome install works perfectly. Really annoying to have to revert to .deb if there is a snap package available.

Olivier Tilloy (osomon)
Changed in chromium-browser (Ubuntu):
importance: Medium → High
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

We can add this to browser-support:

# for U2F yubikey
/run/udev/data/c238:[0-9]* r,
/run/udev/data/c239:[0-9]* r,
/run/udev/data/c240:[0-9]* r,
/run/udev/data/c240:[0-9]* r,
/run/udev/data/c240:[0-9]* r,

Can someone experiencing this issue adjust /var/lib/snapd/apparmor/profiles/snap.chromium.chromium to have the above, and then run: sudo apparmor_parser -r /var/lib/snapd/apparmor/profiles/snap.chromium.chromium and report back if the issue is resolved? If not, please paste any other apparmor denials.

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

The actual rules would be:

# for U2F yubikey
/run/udev/data/c238:[0-9]* r,
/run/udev/data/c239:[0-9]* r,
/run/udev/data/c240:[0-9]* r,

but using the redundant rules from the previous comment is fine too.

Olivier Tilloy (osomon)
Changed in chromium-browser (Ubuntu):
assignee: nobody → Olivier Tilloy (osomon)
Revision history for this message
Kyle Fazzari (kyrofa) wrote :

jdstrand, I've added those rules, and the denials go away, but I'm afraid it still doesn't work. There doesn't seem to be any denials, but it's like chrome just doesn't see it.

Revision history for this message
Olivier Tilloy (osomon) wrote :

I'm testing with a brand new Yubikey 4, and after adding the rules in comment #16, I was seeing more denials which prompted me to add the following two rules:

    /run/udev/data/c14:[0-9]* r,
    /sys/devices/pci**/usb*/**/report_descriptor r,

With those the denials went away, but U2F registration still fails. I'm using https://demo.yubico.com/u2f?tab=register to test, and seeing the following error:

Registration failed!
Make sure you have a U2F device connected, and try again.

 Traceback (most recent call last):
  File "/root/python-u2flib-server-demo/examples/yubiauth_server.py", line 161, in __call__
    raise Exception("FIDO Client error: %s" % error)
Exception: FIDO Client error: 1 (OTHER ERROR)

Revision history for this message
Olivier Tilloy (osomon) wrote :

Could the hidraw interface (https://github.com/snapcore/snapd/blob/master/interfaces/builtin/hidraw.go) be of any help here?

Revision history for this message
Daniel Aleksandersen (da2x) wrote :

This isn’t mentioned in the bug so thought I’d just document it here:

* U2F must be enabled in about:config (security.webauth.u2f;true) before it will work in Firefox.

Revision history for this message
Olivier Tilloy (osomon) wrote :

Jamie added a u2f-devices interface to snapd, and I successfully tested it with chromium and a YubiKey 4 (using https://demo.yubico.com/webauthn/registration).

Changed in chromium-browser (Ubuntu):
status: Confirmed → In Progress
Revision history for this message
Olivier Tilloy (osomon) wrote :

https://git.launchpad.net/~chromium-team/chromium-browser/+git/snap-from-source/commit/?id=413294d8a3e7ce271fe050670ab99d43972ce6df

Changed in chromium-browser (Ubuntu):
status: In Progress → Fix Committed
Revision history for this message
Olivier Tilloy (osomon) wrote :

I've published revision 579 to the candidate channel with the u2f-devices plug.
To test this you will need to do the following:

    snap refresh core --edge
    snap refresh chromium --candidate
    snap connect chromium:u2f-devices

Then restart chromium and verify that your U2F device is seen and works.

To everyone affected, please test and let me know if that works for you (details about your U2F device would be interesting).

Revision history for this message
Jeremy Bícha (jbicha) wrote :

I used your instructions to successfully authenticate with https://salsa.debian.org/ using the Chromium snap. Thanks! I believe my device is also a Yubikey 4.

Revision history for this message
Jeremy Bícha (jbicha) wrote :

This works now with core and chromium on the stable branches.

Olivier, I don't see u2f in GNOME Software's Permissions dialog for Chromium.

Also, are you intending to ask Security if u2f can be auto-connected for Chromium?

Revision history for this message
Olivier Tilloy (osomon) wrote :

I'm not sure whether u2f being auto-connected is acceptable from a security standpoint, I'll ask Jamie and if it is, I'll request the auto-connection.

Revision history for this message
Olivier Tilloy (osomon) wrote :

Tentative request for auto-connection: https://forum.snapcraft.io/t/auto-connecting-the-u2f-devices-interface-for-the-chromium-snap/10052

Ken VanDine (ken-vandine)
Changed in chromium-browser (Ubuntu Xenial):
status: New → Invalid
Changed in chromium-browser (Ubuntu Bionic):
status: New → Invalid
Changed in chromium-browser (Ubuntu Cosmic):
status: New → Invalid
Changed in gnome-software (Ubuntu Xenial):
status: New → Confirmed
Changed in gnome-software (Ubuntu Bionic):
status: New → Confirmed
Changed in gnome-software (Ubuntu Cosmic):
status: New → Confirmed
Changed in gnome-software (Ubuntu Xenial):
importance: Undecided → Medium
Changed in gnome-software (Ubuntu Bionic):
importance: Undecided → Medium
Changed in gnome-software (Ubuntu Cosmic):
importance: Undecided → Medium
Changed in gnome-software (Ubuntu Xenial):
assignee: nobody → Robert Ancell (robert-ancell)
Changed in gnome-software (Ubuntu Bionic):
assignee: nobody → Robert Ancell (robert-ancell)
Changed in gnome-software (Ubuntu Cosmic):
assignee: nobody → Robert Ancell (robert-ancell)
Changed in gnome-software (Ubuntu):
assignee: nobody → Robert Ancell (robert-ancell)
status: New → Confirmed
importance: Undecided → Medium
Revision history for this message
Ken VanDine (ken-vandine) wrote :

@robert-ancell, I addition of this interface to the ubuntu-master, ubuntu-3-30, and ubuntu-3-28 branches as well as snap-store. Can you please include this in your next round of SRUs for cosmic, bionic and xenial? I wasn't sure which branch to use for xenial.

Robert Ancell (robert-ancell)
Changed in gnome-software (Ubuntu Bionic):
status: Confirmed → Fix Committed
Robert Ancell (robert-ancell)
Changed in gnome-software (Ubuntu):
status: Confirmed → Fix Committed
Olivier Tilloy (osomon)
Changed in chromium-browser (Ubuntu):
status: Fix Committed → Fix Released
no longer affects: chromium-browser (Ubuntu Xenial)
no longer affects: chromium-browser (Ubuntu Bionic)
no longer affects: chromium-browser (Ubuntu Cosmic)
Revision history for this message
Brian Murray (brian-murray) wrote : Missing SRU information

Thanks for uploading the fix for this bug report to -proposed. However, when reviewing the package in -proposed and the details of this bug report I noticed that the bug description is missing information required for the SRU process. You can find full details at http://wiki.ubuntu.com/StableReleaseUpdates#Procedure but essentially this bug is missing some of the following: a statement of impact, a test case and details regarding the regression potential. Thanks in advance!

Robert Ancell (robert-ancell)
description: updated
Revision history for this message
Brian Murray (brian-murray) wrote : Please test proposed package

Hello Olivier, or anyone else affected,

Accepted gnome-software into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/gnome-software/3.28.1-0ubuntu4.18.04.9 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

tags: added: verification-needed verification-needed-bionic
Revision history for this message
Robert Ancell (robert-ancell) wrote :

Tested gnome-software 3.28.1-0ubuntu4.18.04.9 and the u2f-devices interface control is shown.

tags: added: verification-done-bionic
removed: verification-needed verification-needed-bionic
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package gnome-software - 3.30.6-2ubuntu3

---------------
gnome-software (3.30.6-2ubuntu3) disco; urgency=medium

  * debian/patches/0028-Added-u2f-devices-to-interfaces-UI.patch
    - Allow connections on the u2f-devices interface (LP: #1738164)
    (the patch has been SRUed to bionic but was missing from Disco)

 -- Sebastien Bacher <email address hidden> Thu, 04 Apr 2019 13:45:29 +0200

Changed in gnome-software (Ubuntu):
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package gnome-software - 3.28.1-0ubuntu4.18.04.9

---------------
gnome-software (3.28.1-0ubuntu4.18.04.9) bionic; urgency=medium

  * debian/rules:
    - Disable ubuntu-reviews plugin (use ODRS instead)
  * debian/patches/0028-Added-u2f-devices-to-interfaces-UI.patch:
    - Allow connections on the u2f-devices interface (LP: #1738164)
  * debian/patches/0029-snap-Use-ODRS-for-reviews.patch:
    - Review snaps using ODRS review server (LP: #1815708)

 -- Robert Ancell <email address hidden> Wed, 27 Feb 2019 16:16:54 +1300

Changed in gnome-software (Ubuntu Bionic):
status: Fix Committed → Fix Released
Revision history for this message
Łukasz Zemczak (sil2100) wrote : Update Released

The verification of the Stable Release Update for gnome-software has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Robert Ancell (robert-ancell)
Changed in gnome-software (Ubuntu Xenial):
status: Confirmed → Fix Committed
Revision history for this message
Łukasz Zemczak (sil2100) wrote : Proposed package upload rejected

An upload of gnome-software to xenial-proposed has been rejected from the upload queue for the following reason: "Since this upload includes the same change for 'new media API' as others, I would feel much safer if we set a minimal version depenency to libsnapd-glib-dev (>= 1.45) - since it seems there was more than one snapd-glib version in xenial.".

Revision history for this message
Łukasz Zemczak (sil2100) wrote : Please test proposed package

Hello Olivier, or anyone else affected,

Accepted gnome-software into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/gnome-software/3.20.5-0ubuntu0.16.04.12 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

tags: added: verification-needed verification-needed-xenial
Revision history for this message
Robert Ancell (robert-ancell) wrote :

Tested gnome-software 3.20.5-0ubuntu0.16.04.12 and the u2f-devices interface control is shown.

tags: added: verification-done-xenial
removed: verification-needed verification-needed-xenial
Changed in gnome-software (Ubuntu Cosmic):
status: Confirmed → Won't Fix
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package gnome-software - 3.20.5-0ubuntu0.16.04.12

---------------
gnome-software (3.20.5-0ubuntu0.16.04.12) xenial; urgency=medium

  * debian/patches/0001-Fix-potential-crash-when-icons-are-missing.patch:
    - Fix crash loading icons (LP: #1778135)
  * debian/patches/0020-Add-a-basic-permissions-system.patch:
    - Fix crash when have plugs with multiple slots available (LP: #1778160)
  * debian/patches/0021-Add-a-Snap-plugin.patch
    - Fix some command line warnings (LP: #1790563)
    - Use new snapd media API (LP: #1799614)
    - Allow connections on the u2f-devices interface (LP: #1738164)
  * debian/patches/0053-Don-t-reject-unexpected-state-changes-external-event.patch:
    - Fix snaps not being shown correctly after install from command line
      (LP: #1754655)
  * debian/patches/0054-Show-verified-developers.patch:
    - Show verified developers (LP: #1789336)

 -- Robert Ancell <email address hidden> Wed, 17 Apr 2019 14:39:52 +1200

Changed in gnome-software (Ubuntu Xenial):
status: Fix Committed → Fix Released
Revision history for this message
Christoph (cvboth) wrote :

I'm still facing this problem. I just switched to 19.10 and the snap package has been installed. It does not work.
I tried to do the "snap connect chromium:u2f-devices" but this will not solve the problem.

My dmesg out put shows a lot of DENIED:

audit: type=1107 audit(1572541712.846:243): pid=954 uid=106 auid=4294967295 ses=4294967295 msg='apparmor="DENIED" operation="dbus_method_call" bus="system" path="/" interface="org.freedesktop.DBus.ObjectManager" member="GetManagedObjects" mask="send" name="org.bluez" pid=20568 label="snap.chromium.chromium" peer_pid=946 peer_label="unconfined"
                exe="/usr/bin/dbus-daemon" sauid=106 hostname=? addr=? terminal=?'
[ 7036.430639] audit: type=1400 audit(1572541713.042:244): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/var/lib/snapd/desktop/icons/" pid=20568 comm="chrome" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[ 7036.430641] audit: type=1400 audit(1572541713.042:245): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/var/lib/snapd/desktop/icons/" pid=20568 comm="chrome" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[ 7049.256201] audit: type=1400 audit(1572541725.870:246): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/sys/devices/pci0000:00/0000:00:15.1/i2c_designware.1/i2c-2/i2c-ELAN1200:00/0018:04F3:3022.0001/report_descriptor" pid=20568 comm="ThreadPoolForeg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

Can you please advise how to fix this? Thanks!

Revision history for this message
Olivier Tilloy (osomon) wrote :

Christoph, is your device a Yubikey? If not would you mind filing a new bug report with all the details by running `ubuntu-bug chromium-browser` ?

The relevant denial seems to be:

[ 7049.256201] audit: type=1400 audit(1572541725.870:246): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/sys/devices/pci0000:00/0000:00:15.1/i2c_designware.1/i2c-2/i2c-ELAN1200:00/0018:04F3:3022.0001/report_descriptor" pid=20568 comm="ThreadPoolForeg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

Revision history for this message
Olivier Tilloy (osomon) wrote :

Nevermind, I hadn't realized you had filed bug #1851211 already. Let's continue the discussion there.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.