Removed security modules from "Device Manager" are not being added back by the policies.json file

VERIFIED FIXED in Firefox -esr60

Status

defect
VERIFIED FIXED
8 months ago
6 months ago

People

(Reporter: emilghitta, Assigned: mkaply)

Tracking

Trunk
Firefox 64

Firefox Tracking Flags

(firefox-esr60 64+ verified, firefox62 unaffected, firefox63 unaffected, firefox64 verified)

Details

Attachments

(2 attachments)

Reporter

Description

8 months ago
[Affected versions]:
Firefox 64.0a1 (BuildId:20181010235834)

[Affected platforms]:
Windows 10 64bit.
macOS 10.13.6

[Preconditions]
Windows:
Enable the "SecurityDevices" policy and load the kpkcs11.dll:

Example:
{
  "policies": {
    "SecurityDevices": {
      "arbitrary name": ".....\\kpkcs11.dll"
    }
  }
}

You can download the kpkcs11.dll file from here:
https://drive.google.com/file/d/16qxHyTWwPLPd37kOUXvuYP7owg5g8C6R/view

Mac:
For macOS please use the following file: https://drive.google.com/drive/u/0/folders/1kYcrfJuu816wC9Nqj2L2eu4zqkMAN4if

[Steps to reproduce]:
1. Launch Firefox.
2. Access the about:preferences page.
3. Click the "Security Devices" button from the "Certificates" section.
4. Unload the security device that was added from the policy.
5. Restart Firefox.
6. Repeat steps 2 and 3.

[Expected result]:
The security device is loaded back. 

[Actual result]:
The security device is no longer loaded after being removed from the "Device Manager" by the user (even after restarting Firefox). 

[Notes]
For further information regarding this issue please observe the attached screencast.
Assignee

Comment 1

8 months ago
Side note, this is a 64-bit DLL so it has to be loaded in 64 bit Firefox for testing.
This is because this is a runOnce policy that requires some modification to be applied again (for example changing the name).

I wonder if we should instead list the modules and re-add any that are missing, instead of runOnce
Assignee

Comment 3

8 months ago
> I wonder if we should instead list the modules and re-add any that are missing, instead of runOnce

I'm looking at that now. I'm checking if we can query the modules easily.
Assignee

Updated

8 months ago
Assignee: nobody → mozilla
Status: NEW → ASSIGNED

Comment 5

8 months ago
Pushed by mozilla@kaply.com:
https://hg.mozilla.org/integration/autoland/rev/4e01769b6baf
Always add security devices at startup if they aren't there. r=Felipe
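
The difference between the runOnce behaviour described in comment 1 and the list-and-re-add approach that landed, as an added sketch that is not Firefox's policy code. `ModuleDb`, `applyRunOnce`, `applyReconcile` and `simulate` are hypothetical names, the module database is an in-memory stand-in, the DLL path is constructed, and matching on the library path is an assumption of this sketch.

```javascript
// Hypothetical in-memory stand-in for the browser's PKCS#11 module database.
class ModuleDb {
  constructor() { this.modules = new Map(); }            // name -> library path
  addModule(name, libPath) { this.modules.set(name, libPath); }
  deleteModule(name) { this.modules.delete(name); }
  listModules() {
    return [...this.modules].map(([name, libName]) => ({ name, libName }));
  }
}

// runOnce model: the policy is applied only when its value differs from the
// value recorded at the previous application, so a user removal is never undone.
function applyRunOnce(db, prefs, devices) {
  const fingerprint = JSON.stringify(devices);
  if (prefs.lastApplied === fingerprint) return [];
  prefs.lastApplied = fingerprint;
  const added = [];
  for (const [name, libPath] of Object.entries(devices)) {
    db.addModule(name, libPath);
    added.push(name);
  }
  return added;
}

// Reconcile model: on every startup, list the loaded modules and add any
// policy entry whose library is not among them (assumed match key: path).
function applyReconcile(db, devices) {
  const loaded = new Set(db.listModules().map((m) => m.libName));
  const added = [];
  for (const [name, libPath] of Object.entries(devices)) {
    if (loaded.has(libPath)) continue;                   // already present
    db.addModule(name, libPath);
    added.push(name);
  }
  return added;
}

// Replays the report's steps: start, user unloads the device, restart.
function simulate(strategy) {
  const devices = { "arbitrary name": "C:\\constructed\\kpkcs11.dll" }; // constructed
  const db = new ModuleDb();
  const prefs = {};
  const startup = () => (strategy === "runOnce"
    ? applyRunOnce(db, prefs, devices)
    : applyReconcile(db, devices));
  startup();                                             // first launch
  db.deleteModule("arbitrary name");                     // step 4: user unloads
  const readded = startup();                             // step 5: restart
  const present = db.listModules().some((m) => m.name === "arbitrary name");
  return { readded, present };
}
```

`simulate("runOnce")` ends with the device missing, which is the reported actual result; `simulate("reconcile")` ends with it loaded again, which is the expected result.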

Comment 6

8 months ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/4e01769b6baf
Status: ASSIGNED → RESOLVED
Last Resolved: 8 months ago
Resolution: --- → FIXED
Target Milestone: --- → Firefox 64
Reporter

Comment 7

7 months ago
This issue is verified fixed using Firefox 64.0a1 (BuildId:20181014223729) on Windows 10 64bit and macOS 10.13.6.
Status: RESOLVED → VERIFIED
Assignee

Comment 8

7 months ago
Comment on attachment 9016707 [details]
Bug 1498223 - Always add security devices at startup if they aren't there.

[ESR Uplift Approval Request]

If this is not a sec:{high,crit} bug, please state case for ESR consideration: Followup to bug 1493249. Change for policy to match Firefox 64

User impact if declined: Policy not available

Fix Landed on Version: 64

Risk to taking this patch: Low

Why is the change risky/not risky? (and alternatives if risky): Policy only.

String or UUID changes made by this patch:
Attachment #9016707 - Flags: approval-mozilla-esr60?
Comment on attachment 9016707 [details]
Bug 1498223 - Always add security devices at startup if they aren't there.

New enterprise policy, verified by QA, let's uplift for ESR60.
Attachment #9016707 - Flags: approval-mozilla-esr60? → approval-mozilla-esr60+
Mike, looks like this also still needs to land.
Flags: needinfo?(mozilla)
Reporter

Comment 12

6 months ago
This is verified fixed using Firefox 60.3.1esr (provided in comment 11) on Windows 10 64bit and macOS 10.14