Closed Bug 1956145 Opened 1 year ago Closed 1 year ago

SecurityDevices settings in policies.json don't take effect on Firefox

Categories

(Firefox :: Enterprise Policies, defect)

Product:
Firefox
Component:
Enterprise Policies
Version:
Firefox 128
Platform:
x86_64
Linux
Type:
defect

Tracking

()

Status:
RESOLVED WORKSFORME

People

(Reporter: nicholas.clark, Unassigned)

References

Details

OS: RHEL 9
Package: firefox-128.8.0-1.el9_5.x86_64

Steps to reproduce:

Created policies.json file:
{
"policies": {
"SecurityDevices": {
"Add": {
"OpenSC PKCS#11 Module": "/usr/lib64/opensc-pkcs11.so"
}
}
}

Actual results:

Security device is not defined.

Expected results:

I wanted to globally set a security device for PIV-II card use and it's not getting set.

OS: Unspecified → Linux
Hardware: Unspecified → x86_64

This is pretty much identical to Bug ID 1580753, but for firefox.

Component: Security → Enterprise Policies
Type: enhancement → defect
See Also: → 1580753

Are there any errors when you go to about:policies or on the Javascript console?

(In reply to Mike Kaply [:mkaply] from comment #2)

Are there any errors when you go to about:policies or on the Javascript console?

There is an error with the setting:
Unable to add security device OpenSC PKCS#11 Module.

If you go to about:config, add a new string called:

browser.policies.loglevel

and set the value to

debug

It should put out the actual error.

(In reply to Mike Kaply [:mkaply] from comment #4)

If you go to about:config, add a new string called:

browser.policies.loglevel

and set the value to

debug

It should put out the actual error.

It did print out the actual error:

[Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsIPKCS11ModuleDB.addModule]" nsresult: "0x80004005 (NS_ERROR_FAILURE)" location: "JS frame :: resource:///modules/policies/Policies.sys.mjs :: onProfileAfterChange :: line 2374" data: no]

Browser Console has this:

NS_ERROR_FAILURE: Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsIPKCS11ModuleDB.addModule]
    onProfileAfterChange resource:///modules/policies/Policies.sys.mjs:2374
    _runPoliciesCallbacks resource://gre/modules/EnterprisePoliciesParent.sys.mjs:247
    BG_observe resource://gre/modules/EnterprisePoliciesParent.sys.mjs:293

And just to verify, when you add the module manually, it works?

Summary: SecurityDevices settings in policies.json don't take effect → SecurityDevices settings in policies.json don't take effect on Firefox

Ah, you know what, it isn't working manually either.

It's been a few years since I last tried and it looks like loading this library does not work anymore. I am unsure if it is some other setting that broke this functionality. It used to be this path back when cck2 was still a thing.

I figured it out. There was another module that seems to be built-in, loaded by default, called p11-kit-proxy. Unloading p11-kit-proxy and then I was able to load the opensc module.

Awesome. Glad you figured it out.

Status: UNCONFIRMED → RESOLVED
Closed: 1 year ago
Resolution: --- → WORKSFORME

Looks like this was a change back in RHEL8 per https://www.redhat.com/en/blog/consistent-pkcs-11-support-red-hat-enterprise-linux-8, that the p11-kit-proxy should be used as it will support use of system's configured module (which can be opensc).

This can be closed. Thanks.

Status: RESOLVED → UNCONFIRMED
Resolution: WORKSFORME → ---
Status: UNCONFIRMED → RESOLVED
Closed: 1 year ago1 year ago
Resolution: --- → WORKSFORME
You need to log in before you can comment on or make changes to this bug.