Closed Bug 1594375 Opened Last month Closed 11 days ago

U2F not working in Firefox Snap distribution

Categories

(Core :: DOM: Web Authentication, task, P2)

71 Branch
Unspecified
Linux
task

Tracking

()

RESOLVED FIXED

People

(Reporter: pawel.krawczyk, Assigned: jcj)

Details

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:71.0) Gecko/20100101 Firefox/71.0

Steps to reproduce:

  1. snap install --beta firefox

  2. snap list firefox
    Name Version Rev Tracking Publisher Notes
    firefox 71.0b7-1 282 beta mozilla✓ -

  3. Try to login to an U2F-enabled website (Bitbucket in my case)

Actual results:

U2F key is not seen by Firefox and it eventually times out offering fallback to TOTP. Journalctl displays these logs, which implies the Snap is missing plugs allowing it to access the U2F device:

Nov 06 12:25:34 pax kernel: usb 1-2: new full-speed USB device number 20 using xhci_hcd
Nov 06 12:25:35 pax kernel: usb 1-2: New USB device found, idVendor=1050, idProduct=0120, bcdDevice= 5.02
Nov 06 12:25:35 pax kernel: usb 1-2: New USB device strings: Mfr=1, Product=2, SerialNumber=0
Nov 06 12:25:35 pax kernel: usb 1-2: Product: Security Key by Yubico
Nov 06 12:25:35 pax kernel: usb 1-2: Manufacturer: Yubico
Nov 06 12:25:35 pax kernel: hid-generic 0003:1050:0120.0004: hiddev1,hidraw2: USB HID v1.10 Device [Yubico Security Key by Yubico] on usb-0000:00:14.0-2/input0
Nov 06 12:25:35 pax mtp-probe[18020]: checking bus 1, device 20: "/sys/devices/pci0000:00/0000:00:14.0/usb1/1-2"
Nov 06 12:25:35 pax mtp-probe[18020]: bus: 1, device: 20 was not an MTP device
Nov 06 12:25:35 pax audit[26391]: AVC apparmor="DENIED" operation="open" profile="snap.brave.brave" name="/sys/devices/pci0000:00/0000:00:14.0/usb1/1-2/busnum" pid=26391 comm="ThreadPoolForeg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Nov 06 12:25:35 pax audit[26391]: AVC apparmor="DENIED" operation="open" profile="snap.brave.brave" name="/sys/devices/pci0000:00/0000:00:14.0/usb1/1-2/devnum" pid=26391 comm="ThreadPoolForeg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Nov 06 12:25:35 pax audit[2758]: AVC apparmor="DENIED" operation="open" profile="snap.firefox.firefox" name="/dev/hidraw2" pid=2758 comm=4950444C204261636B67726F756E64 requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=0

Expected results:

Firefox should be able to access the U2F device.

Bugbug thinks this bug should belong to this component, but please revert this change in case of error.

Component: Untriaged → DOM: Device Interfaces
Product: Firefox → Core

Thread on Snapcraft forum https://forum.snapcraft.io/t/u2f-not-working-in-firefox-snap/14039 to confirm which plugs may be missing

Component: DOM: Device Interfaces → DOM: Web Authentication

This can be mitigated easily by an user by running "" and it worked for me. This obviously is not very good from user experience perspective, as for most users will just see it "not working" after they install Firefox. This can be fixed by Firefox snap maintainers requesting auto-connection of U2F for the Firefox snap here https://forum.snapcraft.io/t/process-for-aliases-auto-connections-and-tracks/455/11

I can help with that as I have previously done this for my own snaps.

The priority flag is not set for this bug.
:jcj, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(jjones)

So the action for us here is for a Firefox dev to open a discussion similar to Chrome's here: https://forum.snapcraft.io/t/auto-connecting-the-u2f-devices-interface-for-the-chromium-snap/10052 ?

Flags: needinfo?(jjones) → needinfo?(pawel.krawczyk)

Yes, precisely. Because Firefox snapcraft.yaml already declares the u2f-devices plug, it's just sufficient to submit a request for the plug to be auto-connected at this stage.

Flags: needinfo?(pawel.krawczyk)

The priority flag is not set for this bug.
:jcj, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(jjones)

Since I think our part in this is done, marking fixed. Feel free to reopen as needed.

Assignee: nobody → jjones
Status: UNCONFIRMED → RESOLVED
Type: defect → task
Closed: 11 days ago
Flags: needinfo?(jjones)
OS: Unspecified → Linux
Priority: -- → P2
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.