Since this has been open for so long, I would like to point out that all
these pkcs11 modules use a system PCSC-lite daemon.
https://pcsclite.apdu.fr/ PCSC-lite provides locking and can use pol-
kit to restrict access as needed. There should be only one PCSC daemon
running for the system.
--
No. I am not a Ubuntu developer, Only OpenSC. But this problem has not
been resolved for 2 years.
Also see https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1967632
and comment 8
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to
> Any news on this? It really is a blocker for using Ubuntu in a number
of countries as it prevents interaction with government services."
You can always use firefox-esr. It does not use SNAP.
--
You received this bug notification because you are a member of Desktop
Packages, which is
"If canonical wants to deploy ubuntu in enterprise with a lot of card reader
usages, this is a critical bug."
I agree.
The also need to keep in mind, that enterprises may also use smartcards for
login which implies pcscd
needs to be run as root as pam modules will need access to it, during
"Is there a working work-around available?"
Yes, install the Debian FireFox-esr which does not use snap.
Google for: Ubuntu firefox esr
https://ubuntuhandbook.org/index.php/2022/03/install-firefox-esr-
ubuntu/
--
You received this bug notification because you are a member of Desktop
Thanks for the ldd output.
libpcsclite.so.1 is the lib to used the pcscd socket, and is used by modules
libstpkcs11.so, libeToken.so.10.7.77 and libopensc.so.8 (see below) It is not
used in libbit4xpki.so which may be a software pkcs11 or does not use pcscd.
libcrypto.so.1.1 is OpenSSL-1.1
So it appears that to load a PKCS11 module in snap packaged FireFox requires:
1) "/run/user/[0-9]*/** mr,"
2) "/run/pcscd/pcscd.comm rw," (if module uses pcscd)
3) absolute path (i.e. no symlinks) to the module
4) all libs the module may need to be in the snap base
To test if (4) is
This maybe the biggest problem:
"- /usr inside the snap is a bind-mount from /usr in the base snap, not on the
host system, which explains why your addition of `/usr/lib/x86_64-linux-gnu/**
rm,` to the apparmor profile doesn't work as you'd expect (see
https://launchpad.net/~liuck
You can test your reader/card with OpenSC without firefox.
see: "man pkcs11-tool" or "pkcs11-tool --help". "pkcs11-tool --test
--login" will try and read certificates and do sign/verify using
private keys. It may prompt for pin several times.
If you can also add
This problem is an Ubuntu/snap packaging issue. FF and Thunderbird both
allow the loading of PKCS11 modules as do other programs. But the snap
has not packaged these.
Access to smartcards is usually handled by PC/SC i.e. the pcscd daemon.
It provides locking access to the smartcards from multiple
https://launchpad.net/~liuck can you give some more information:
What PKCS11 module are you using?
What version of Ubuntu?
From my testing with a fresh copy install of XUbuntu-22.04.1 as guest of
VirtualBox, the "/run/user/[0-9]*/** mr," appears to allow access to any
file in my /usr/run/1000
After spending a week on this, I think I see the problem.
(1) pkcs11 modules are dynamically load by mozilla nss and need the
/etc/apparmor.d/abstractions/p11-kit as stated in previous comment.
(2) dynamically loaded modules may also load additional shared
libraries. So apparmor profiles are
Initial problem of:
Initial problem of "[sáb abr 2 17:32:27 2022] audit: type=1400
audit(1648931547.646:115): apparmor="DENIED" operation="file_mmap"
profile="snap.firefox.firefox"
name="/run/user/1000/doc/e0bac853/libaetpkss.so.3.5.4112" pid=3680
comm="firefox" requested_mask="m" denied_mask="m"
13 matches
Mail list logo
