Got this working, at least briefly on:
* Ubuntu 22.04
* snap Firefox 125.0.3 (+pcscd slot on the snap)
* deb opensc 0.22.0-1ubuntu2
* deb opensc-pkcs11 0.22.0-1ubuntu2
Loading /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so with the file selector from the snap put it under /run/user/1000/doc/XNUMBERX/opensc-pkcs11.so
I made the following changes to the firefox snap to enable my smartcard.
1. Allow loading module

Apparmor:
```
# allow access to opensc pkcs11 module
/run/user/1000/doc/*/opensc-pkcs11.so mr,
```
2. Allow access to pcscd

Apparmor:
```
# allow access to pcscd
/run/pcscd/pcscd.comm wr,
```
3. Fix issues with PKCS11 login

not sure if minimal set, anyway for apparmor:
```
# For token login
owner @{PROC}/@{pid}/mountinfo r,
/etc/opensc/opensc.conf r,
```
and for seccomp, allow syscalls
```
setpriority
quotactl
```
After these changes I was able to log in to my tokens and use them for authentication.
Output for ldd:
```
$ ldd /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
    linux-vdso.so.1 (0x00007ffded5ec000)
    libopensc.so.8 => /lib/x86_64-linux-gnu/libopensc.so.8 (0x00007b6ccd15a000)
    libcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 (0x00007b6cccc00000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007b6ccc800000)
    libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007b6ccd13e000)
    libgio-2.0.so.0 => /lib/x86_64-linux-gnu/libgio-2.0.so.0 (0x00007b6ccc627000)
    libgobject-2.0.so.0 => /lib/x86_64-linux-gnu/libgobject-2.0.so.0 (0x00007b6ccd0de000)
    /lib64/ld-linux-x86-64.so.2 (0x00007b6ccd3ac000)
    libglib-2.0.so.0 => /lib/x86_64-linux-gnu/libglib-2.0.so.0 (0x00007b6cccac6000)
    libgmodule-2.0.so.0 => /lib/x86_64-linux-gnu/libgmodule-2.0.so.0 (0x00007b6ccd0d5000)
    libmount.so.1 => /lib/x86_64-linux-gnu/libmount.so.1 (0x00007b6ccd091000)
    libselinux.so.1 => /lib/x86_64-linux-gnu/libselinux.so.1 (0x00007b6ccd065000)
    libffi.so.8 => /lib/x86_64-linux-gnu/libffi.so.8 (0x00007b6ccd058000)
    libpcre.so.3 => /lib/x86_64-linux-gnu/libpcre.so.3 (0x00007b6ccca50000)
    libm.so.6 => /lib/x86_64-linux-gnu/libm.so.6 (0x00007b6ccc540000)
    libblkid.so.1 => /lib/x86_64-linux-gnu/libblkid.so.1 (0x00007b6ccc509000)
    libpcre2-8.so.0 => /lib/x86_64-linux-gnu/libpcre2-8.so.0 (0x00007b6ccc472000)
```
Some of these changes seem straightforward, but the loaded module should be made visible with a stable file system path. It is needed both for the apparmor rule and the reference created in the NSSDB module database (which in the snap seems to have relocated under SNAP_USER_COMMON and the user's profile).
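One way to see which confinement layer is still in the way, as an added diagnostic that is not part of this report or of OpenSC: load the module through the same PKCS#11 entry points Firefox/NSS uses and report the first step that fails. It assumes it is run under the snap's confinement (for instance from a `snap run --shell firefox` session, with a Python interpreter available there, which is an assumption), so that a `dlopen` failure points at the AppArmor path rule, while an error or zero slots at `C_GetSlotList` points at pcscd access.

```python
"""Load a PKCS#11 module the way Firefox/NSS does (dlopen, C_GetFunctionList,
C_Initialize, C_GetSlotList) and report how far it gets. Added diagnostic for
the report above; not OpenSC's or the snap's own code."""
import ctypes

CKR_OK, CK_RV = 0, ctypes.c_ulong
DEFAULT_MODULE = "/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so"  # path from the report

class CK_VERSION(ctypes.Structure):
    _fields_ = [("major", ctypes.c_ubyte), ("minor", ctypes.c_ubyte)]

class CK_FUNCTION_LIST(ctypes.Structure):
    # Version header then function pointers in spec order (pkcs11.h, unpacked on
    # Linux). Only C_Initialize(0), C_Finalize(1) and C_GetSlotList(4) are used.
    _fields_ = [("version", CK_VERSION), ("funcs", ctypes.c_void_p * 5)]

PROTO = {  # index into CK_FUNCTION_LIST.funcs -> ctypes prototype
    0: ctypes.CFUNCTYPE(CK_RV, ctypes.c_void_p),                      # C_Initialize
    1: ctypes.CFUNCTYPE(CK_RV, ctypes.c_void_p),                      # C_Finalize
    4: ctypes.CFUNCTYPE(CK_RV, ctypes.c_ubyte, ctypes.POINTER(ctypes.c_ulong),
                        ctypes.POINTER(ctypes.c_ulong)),              # C_GetSlotList
}

def probe_module(path=DEFAULT_MODULE):
    """Return a dict whose 'stage' names the first failing step (or 'ok'), so a
    failure can be matched against AppArmor/seccomp denials in the journal."""
    try:
        lib = ctypes.CDLL(path)   # dlopen: fails on a path the profile does not allow
    except OSError as exc:
        return {"stage": "dlopen", "error": str(exc)}
    get_fl = lib.C_GetFunctionList
    get_fl.restype = CK_RV
    get_fl.argtypes = [ctypes.POINTER(ctypes.POINTER(CK_FUNCTION_LIST))]
    fl = ctypes.POINTER(CK_FUNCTION_LIST)()
    if get_fl(ctypes.byref(fl)) != CKR_OK:
        return {"stage": "C_GetFunctionList"}
    fn = {i: proto(fl.contents.funcs[i]) for i, proto in PROTO.items()}
    rv = fn[0](None)              # C_Initialize reads /etc/opensc/opensc.conf
    if rv != CKR_OK:
        return {"stage": "C_Initialize", "rv": hex(rv)}
    try:
        count = ctypes.c_ulong(0)
        rv = fn[4](0, None, ctypes.byref(count))   # slot enumeration talks to pcscd
        return {"stage": "ok" if rv == CKR_OK else "C_GetSlotList",
                "rv": hex(rv), "slots": count.value}
    finally:
        fn[1](None)               # C_Finalize
```

Run `probe_module()` once on the host and once inside the confined session; a reader attached to pcscd shows up as `slots >= 1` only when both the module path and the pcscd socket are reachable.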