1473602 - Ubuntu Firefox installed from snap cannot use U2F

Status: RESOLVED FIXED

(Release Engineering Graveyard :: Release Automation: Snap, defect, P5)

Description

[u620482]

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0
Build ID: 20180621125625

Steps to reproduce:

1. Enable Yubikey U2F support by setting the following configs:

security.webauth.webauthn: true
security.webauth.webauthn_enable_softtoken: false
security.webauth.webauthn_enable_usbtoken: true

2. Go to https://demo.yubico.com/u2f or any site that supports U2F.

3. Try to use U2F.



Actual results:

Immediately there is an error. The error from the Yubico demo site is:


Registration failed!

Make sure you have a U2F device connected, and try again.

 Traceback (most recent call last):
  File "/root/python-u2flib-server-demo/examples/yubiauth_server.py", line 161, in __call__
    raise Exception("FIDO Client error: %s" % error)
Exception: FIDO Client error: 1 (OTHER ERROR)
 
Likewise, trying to use the U2F device at a site where it is already registered also fails.


Expected results:

U2F device registration and usage should work.

Comment 1

[u620482]

If I use Firefox installed via `apt install firefox`, then U2F works correctly.

Comment 2

[David Olah]

I tried to test this, but unfortunately we don't have the proper device (U2F) to do that. I think the most suitable component for this is Core DOM: Device Interfaces.

Comment 3

[u620482]

Output from journalctl when Firefox tries to interact with my Yubikey shows:

Sep 12 12:04:51 shirka audit[5322]: AVC apparmor="DENIED" operation="open" profile="snap.firefox.firefox" name="/dev/hidraw0" pid=5322 comm=4950444C204261636B67726F756E64 requested_mask="wr" denied_mask="wr" fsuid=1001 ouid=0

Sep 12 12:04:51 shirka kernel: audit: type=1400 audit(1536750291.130:178): apparmor="DENIED" operation="open" profile="snap.firefox.firefox" name="/dev/hidraw0" pid=5322 comm=4950444C204261636B67726F756E64 requested_mask="wr" denied_mask="wr" fsuid=1001 ouid=0

Sep 12 12:04:51 shirka audit[5322]: AVC apparmor="DENIED" operation="open" profile="snap.firefox.firefox" name="/dev/hidraw1" pid=5322 comm=4950444C204261636B67726F756E64 requested_mask="wr" denied_mask="wr" fsuid=1001 ouid=0

Sep 12 12:04:51 shirka kernel: audit: type=1400 audit(1536750291.130:179): apparmor="DENIED" operation="open" profile="snap.firefox.firefox" name="/dev/hidraw1" pid=5322 comm=4950444C204261636B67726F756E64 requested_mask="wr" denied_mask="wr" fsuid=1001 ouid=0

Comment 4

[J.C. Jones [:jcj] (he/they)]

This is going to be an Ubuntu upstream configuration issue somewhere in the package management chain, not something we can fix from Firefox. 

Firefox needs access to the udev hidraw [1] devices of the security tokens.

It might eventually be doable to use non-raw access, but that requires drivers for U2F for Linux, so for now it's raw. 

Anyway, I'd open this on Canonical's tracker, I'm sorry.

[1] https://github.com/jcjones/u2f-hid-rs/blob/master/src/linux/hidraw.rs

Comment 5

[u634711]

A u2f-devices interface has been added to snapd [1]. The Chromium snap build now works with U2F devices after connecting the interface to the Chromium plug.

[1] https://bugs.launchpad.net/ubuntu/+source/chromium-browser/+bug/1738164

Comment 6

[Olivier Tilloy]

Attachment: Bug 1473602 - Add u2f-devices plug to snap package.

This allows the confined snap to interact with Universal 2nd Factor devices, such as Yubikeys.

Comment 7

[Olivier Tilloy]

I rebuilt the snap package with the u2f-devices plug and verified that this allows accessing my Yubikey in firefox.

Comment 8

[Pulsebot]

Pushed by jlorenzo@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/0f9e3bff5575
Add u2f-devices plug to snap package. r=jlorenzo

Comment 9

[Stefan Hindli [:stefan_hindli]]

https://hg.mozilla.org/mozilla-central/rev/0f9e3bff5575

Comment 10

[Johan Lorenzo [:jlorenzo]]

Landed on beta at https://hg.mozilla.org/releases/mozilla-beta/rev/515db7d568340e65ab0eb5925eed4ae434b98923

Comment 11

[rccausey]

I'm still having this issue when using Firefox installed using snap. I do not have this issue if I install using apt. The u2f part is specifically not working as I am able use it as a input device to fill forms that have a field for a one time password.

I'm on Ubuntu 18.04 running the following version of the Firefox snap:

$ sudo snap list firefox
Name     Version   Rev  Tracking  Publisher  Notes
firefox  69.0.1-1  266  stable    mozilla✓   -

$ cat /etc/os-release 
NAME="Ubuntu"
VERSION="18.04.3 LTS (Bionic Beaver)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 18.04.3 LTS"
VERSION_ID="18.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=bionic
UBUNTU_CODENAME=bionic

Steps to reproduce:

1. go to https://demo.yubico.com/webauthn-technical/registration
2. hit next to start prompt for u2f key
3. insert yubikey and press button after it lights up

Expected result:
u2f authentication successful

Actual result:
nothing happens. u2f protocol does not initiate.

Comment 12

[Olivier Tilloy]

@rccausey: you'll need to manually connect the u2f-devices interfaces for this to work:

snap connect firefox:u2f-devices

Can you confirm that your U2F device is recognized and usable in the firefox snap after doing this and restarting the app?

Comment 13

[rccausey]

(In reply to Olivier Tilloy from comment #12)

@rccausey: you'll need to manually connect the u2f-devices interfaces for this to work:

snap connect firefox:u2f-devices

Can you confirm that your U2F device is recognized and usable in the firefox snap after doing this and restarting the app?

Yes, once I do that it works. Is there not something in the snap build file that can specify this connection is required automatically?

Comment 14

[Olivier Tilloy]

According to the documentation, no, this interface can't be auto-connected.

Comment 15

[jgmcmuizpcyjjykxnj]

That seems to no longer be the case. It is possible to request permission from the Snapcraft reviewers to autoconnect an interface that normally does not. Details of the procedure: https://forum.snapcraft.io/t/process-for-aliases-auto-connections-and-tracks/455

Comment 16

[susenoaditya]

This happened again in 21.10

Should I open a new bug?

Comment 17

[Olivier Tilloy]

Can you elaborate on what happened again? Is the u2f-devices interface connected? Please share the output of snap connections firefox | grep u2f.

Please also share hardware details about your U2F token (relevant line of lsusb).

Comment 18

[Max]

I'm seeing the same. U2F does not work for me with firefox in ubuntu 21.10. It does work in ubuntu 20.04 on the same machine. I tried adding the snap connection with no effect.

I'm trying to use a tomu (tomu.im).

max@ubuntu21.10:~$ snap connections firefox | grep u2f
u2f-devices               firefox:u2f-devices             :u2f-devices                     -
max@ubuntu21.10:~$ lsusb
...
Bus 001 Device 007: ID 16d0:0e90 MCS U2F-token (EFM32)
...

I tested the device using https://github.com/mdp/u2fcli on ubuntu 21.10 and it works fine.
Udev permissions are also set:

max@ubuntu21.10:~$ cat /etc/udev/rules.d/10-tomu.rules 
ACTION=="add|change", KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="16d0", ATTRS{idProduct}=="0e90", TAG+="uaccess"
ACTION=="add|change", SUBSYSTEM=="usb", ATTRS{idVendor}=="16d0", ATTRS{idProduct}=="0e90", TAG+="uaccess"

Comment 19

[Max]

Uninstalling the firefox snap and installing the debian package makes tomo work. So it seems to be an issue with the snap.

Comment 20

[susenoaditya]

(In reply to Olivier Tilloy from comment #17)

Can you elaborate on what happened again? Is the u2f-devices interface connected? Please share the output of snap connections firefox | grep u2f.

Please also share hardware details about your U2F token (relevant line of lsusb).

Sorry that was three month ago. I already open the issue on Launchpad and it's working now.

Comment 21

[Max]

I had to add TAG+="snap_firefox_firefox" to the hidraw rule as also suggested on that launchpad issue.