Ubuntu Firefox installed from snap cannot use U2F

RESOLVED FIXED

Status

defect
P5
normal
RESOLVED FIXED
Last year
5 months ago

People

(Reporter: bugzilla, Assigned: olivier)

Tracking

unspecified

Firefox Tracking Flags

(firefox67 fixed, firefox68 fixed)

Details

Attachments

(1 attachment)

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0
Build ID: 20180621125625

Steps to reproduce:

1. Enable Yubikey U2F support by setting the following configs:

security.webauth.webauthn: true
security.webauth.webauthn_enable_softtoken: false
security.webauth.webauthn_enable_usbtoken: true

2. Go to https://demo.yubico.com/u2f or any site that supports U2F.

3. Try to use U2F.



Actual results:

Immediately there is an error. The error from the Yubico demo site is:


Registration failed!

Make sure you have a U2F device connected, and try again.

Traceback (most recent call last):
  File "/root/python-u2flib-server-demo/examples/yubiauth_server.py", line 161, in __call__
    raise Exception("FIDO Client error: %s" % error)
Exception: FIDO Client error: 1 (OTHER ERROR)

Likewise, trying to use the U2F device at a site where it is already registered also fails.


Expected results:

U2F device registration and usage should work.
If I use Firefox installed via `apt install firefox`, then U2F works correctly.
I tried to test this, but unfortunately we don't have the proper device (U2F) to do that. I think the most suitable component for this is Core DOM: Device Interfaces.
Component: Untriaged → DOM: Device Interfaces
Product: Firefox → Core
Priority: -- → P5
Output from journalctl when Firefox tries to interact with my Yubikey shows:

Sep 12 12:04:51 shirka audit[5322]: AVC apparmor="DENIED" operation="open" profile="snap.firefox.firefox" name="/dev/hidraw0" pid=5322 comm=4950444C204261636B67726F756E64 requested_mask="wr" denied_mask="wr" fsuid=1001 ouid=0

Sep 12 12:04:51 shirka kernel: audit: type=1400 audit(1536750291.130:178): apparmor="DENIED" operation="open" profile="snap.firefox.firefox" name="/dev/hidraw0" pid=5322 comm=4950444C204261636B67726F756E64 requested_mask="wr" denied_mask="wr" fsuid=1001 ouid=0

Sep 12 12:04:51 shirka audit[5322]: AVC apparmor="DENIED" operation="open" profile="snap.firefox.firefox" name="/dev/hidraw1" pid=5322 comm=4950444C204261636B67726F756E64 requested_mask="wr" denied_mask="wr" fsuid=1001 ouid=0

Sep 12 12:04:51 shirka kernel: audit: type=1400 audit(1536750291.130:179): apparmor="DENIED" operation="open" profile="snap.firefox.firefox" name="/dev/hidraw1" pid=5322 comm=4950444C204261636B67726F756E64 requested_mask="wr" denied_mask="wr" fsuid=1001 ouid=0
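
Denials like the ones quoted above can be picked out of a journal dump mechanically. This is an added example, not part of the original bug comments: it parses AppArmor audit records, decodes the hex-encoded `comm` field, and lists hidraw denials logged against snap profiles. The function names and the third sample line are constructed for illustration.

```python
import re

# The first two records are the kernel audit lines quoted in the comment above;
# the third is a constructed, unrelated denial that the filter should skip.
SAMPLE = """\
Sep 12 12:04:51 shirka kernel: audit: type=1400 audit(1536750291.130:178): apparmor="DENIED" operation="open" profile="snap.firefox.firefox" name="/dev/hidraw0" pid=5322 comm=4950444C204261636B67726F756E64 requested_mask="wr" denied_mask="wr" fsuid=1001 ouid=0
Sep 12 12:04:51 shirka kernel: audit: type=1400 audit(1536750291.130:179): apparmor="DENIED" operation="open" profile="snap.firefox.firefox" name="/dev/hidraw1" pid=5322 comm=4950444C204261636B67726F756E64 requested_mask="wr" denied_mask="wr" fsuid=1001 ouid=0
Sep 12 12:05:02 shirka kernel: audit: type=1400 audit(1536750302.000:180): apparmor="DENIED" operation="open" profile="snap.firefox.firefox" name="/etc/fstab" pid=5322 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1001 ouid=0
"""

PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')   # key="quoted" or key=bare
HEX_FIELDS = {"comm", "name"}   # audit hex-encodes these when they contain spaces
HIDRAW = re.compile(r"^/dev/hidraw\d+$")


def parse_avc(line):
    """Return the key=value fields of one audit record as a dict."""
    fields = {}
    for key, quoted, bare in PAIR.findall(line):
        value = bare or quoted
        if bare and key in HEX_FIELDS:
            try:
                value = bytes.fromhex(bare).decode("utf-8", "replace")
            except ValueError:
                pass  # unquoted but not hex: keep it as written
        fields[key] = value
    return fields


def hidraw_denials(log):
    """List (profile, device, comm, denied_mask) for snap hidraw denials."""
    hits = []
    for line in log.splitlines():
        f = parse_avc(line)
        if (f.get("apparmor") == "DENIED"
                and f.get("profile", "").startswith("snap.")
                and HIDRAW.match(f.get("name", ""))):
            hits.append((f["profile"], f["name"], f.get("comm", ""), f.get("denied_mask", "")))
    return hits


if __name__ == "__main__":
    for profile, dev, comm, mask in hidraw_denials(SAMPLE):
        print(f"{profile}: thread {comm!r} denied '{mask}' on {dev}")
```

On the records from this bug the hex `comm` value decodes to `IPDL Background`, the thread that tried to open the hidraw nodes for read and write.
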
This is going to be an Ubuntu upstream configuration issue somewhere in the package management chain, not something we can fix from Firefox. 

Firefox needs access to the udev hidraw [1] devices of the security tokens.

It might eventually be doable to use non-raw access, but that requires drivers for U2F for Linux, so for now it's raw. 

Anyway, I'd open this on Canonical's tracker, I'm sorry.

[1] https://github.com/jcjones/u2f-hid-rs/blob/master/src/linux/hidraw.rs
Status: UNCONFIRMED → RESOLVED
Closed: 11 months ago
Resolution: --- → INVALID

A u2f-devices interface has been added to snapd [1]. The Chromium snap build now works with U2F devices after connecting the interface to the Chromium plug.

[1] https://bugs.launchpad.net/ubuntu/+source/chromium-browser/+bug/1738164

This allows the confined snap to interact with Universal 2nd Factor devices, such as Yubikeys.

I rebuilt the snap package with the u2f-devices plug and verified that this allows accessing my Yubikey in firefox.

Status: RESOLVED → REOPENED
Component: DOM: Device Interfaces → Release Automation: Snap
Ever confirmed: true
Product: Core → Release Engineering
QA Contact: jlorenzo
Resolution: INVALID → ---
Version: 61 Branch → unspecified
Pushed by jlorenzo@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/0f9e3bff5575
Add u2f-devices plug to snap package. r=jlorenzo
Status: REOPENED → RESOLVED
Closed: 11 months ago → 5 months ago
Resolution: --- → FIXED
Assignee: nobody → olivier