Comment 74 for bug 1967632

Eero Aaltonen (ejn) wrote (last edit ):

Got this working, at least briefly on:
* Ubuntu 22.04
* snap Firefox 125.0.3 (+pcscd slot on the snap)
* deb opensc 0.22.0-1ubuntu2
* deb opensc-pkcs11 0.22.0-1ubuntu2

Loading /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so with file selector from the snap put it under /run/user/1000/doc/XNUMBERX/opensc-pkcs11.so

I made the following changes to the firefox snap to enable my smartcard.

1. Allow loading module

Apparmor
```
# allow access to opensc pkcs11 module
/run/user/1000/doc/*/opensc-pkcs11.so mr,
```

2. Allow access to pcscd

Apparmor
```
# allow access to pcscd
/run/pcscd/pcscd.comm wr,
```

3. Fix issues with PKCS11 login

Not sure if this is the minimal set; anyway, for apparmor:
```
# For token login
owner @{PROC}/@{pid}/mountinfo r,
/etc/opensc/opensc.conf r,
```

and for seccomp, allow syscalls
```
setpriority
quotactl
```

After these changes I was able to log in to my tokens and use them for authentication.

Output for ldd:
```
$ ldd /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
 linux-vdso.so.1 (0x00007ffded5ec000)
 libopensc.so.8 => /lib/x86_64-linux-gnu/libopensc.so.8 (0x00007b6ccd15a000)
 libcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 (0x00007b6cccc00000)
 libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007b6ccc800000)
 libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007b6ccd13e000)
 libgio-2.0.so.0 => /lib/x86_64-linux-gnu/libgio-2.0.so.0 (0x00007b6ccc627000)
 libgobject-2.0.so.0 => /lib/x86_64-linux-gnu/libgobject-2.0.so.0 (0x00007b6ccd0de000)
 /lib64/ld-linux-x86-64.so.2 (0x00007b6ccd3ac000)
 libglib-2.0.so.0 => /lib/x86_64-linux-gnu/libglib-2.0.so.0 (0x00007b6cccac6000)
 libgmodule-2.0.so.0 => /lib/x86_64-linux-gnu/libgmodule-2.0.so.0 (0x00007b6ccd0d5000)
 libmount.so.1 => /lib/x86_64-linux-gnu/libmount.so.1 (0x00007b6ccd091000)
 libselinux.so.1 => /lib/x86_64-linux-gnu/libselinux.so.1 (0x00007b6ccd065000)
 libffi.so.8 => /lib/x86_64-linux-gnu/libffi.so.8 (0x00007b6ccd058000)
 libpcre.so.3 => /lib/x86_64-linux-gnu/libpcre.so.3 (0x00007b6ccca50000)
 libm.so.6 => /lib/x86_64-linux-gnu/libm.so.6 (0x00007b6ccc540000)
 libblkid.so.1 => /lib/x86_64-linux-gnu/libblkid.so.1 (0x00007b6ccc509000)
 libpcre2-8.so.0 => /lib/x86_64-linux-gnu/libpcre2-8.so.0 (0x00007b6ccc472000)
```

Some of these changes seem straightforward, but the loaded module should be made visible with a stable file system path. It is needed both for the apparmor rule and for the reference created in the NSSDB module database (which in the snap seems to have relocated under SNAP_USER_COMMON and the user's profile).
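One way to audit the NSS module database for the unstable document-portal path the comment describes, added here as an example and not part of the bug comment or of Firefox/OpenSC: the pkcs11.txt sample is constructed, and the blank-line-separated key=value record layout is assumed from the pkcs11.txt that NSS keeps in an sql: profile database.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of pkcs11.txt as NSS writes it into an sql: profile DB:
# one record per PKCS#11 module, records separated by blank lines, key=value lines.
SAMPLE_PKCS11_TXT = """\
library=
name=NSS Internal PKCS #11 Module
NSS=Flags=internal,critical

library=/run/user/1000/doc/XNUMBERX/opensc-pkcs11.so
name=OpenSC
NSS=
"""

# Path handed out by the xdg document portal when the module is picked with the
# snap's file chooser; the XNUMBERX component is per-document, so the path is
# not stable across sessions and should not be what the module DB references.
PORTAL_PATH = re.compile(r"^/run/user/\d+/doc/[^/]+/")


def parse_pkcs11_txt(text: str) -> List[Dict[str, str]]:
    """Split pkcs11.txt into module records (dict of key -> value)."""
    records, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        key, _, value = line.partition("=")  # values may contain '=' themselves
        current[key.strip()] = value.strip()
    if current:
        records.append(current)
    return records


def classify_library(path: str) -> str:
    """'internal' for the built-in softoken (empty library), 'portal' for a
    document-portal path, otherwise 'stable'."""
    if not path:
        return "internal"
    return "portal" if PORTAL_PATH.match(path) else "stable"


def audit_modules(text: str) -> List[Tuple[str, str, str]]:
    """Return (module name, library path, classification) per module record."""
    return [(r.get("name", "?"), r.get("library", ""), classify_library(r.get("library", "")))
            for r in parse_pkcs11_txt(text)]


if __name__ == "__main__":
    for name, lib, kind in audit_modules(SAMPLE_PKCS11_TXT):
        print(f"{kind:8s} {name}: {lib or '<built-in>'}")
```

Point it at the pkcs11.txt of the profile under SNAP_USER_COMMON to see whether the OpenSC entry still references a portal path rather than the stable system path that the apparmor rule is written for.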