When enabled, Firefox AppArmor profile prevents U2F devices from working

Summary:

If you enable the apparmor profile that comes in Ubuntu's Firefox package, it prevents USB U2F tokens from being used.

To reproduce:

1. Obtain a USB FIDO/U2F token - such as a Yubikey; and a clean install of Ubuntu 20.04 with Firefox installed, but the AppArmor profile for firefox disabled (As is the default).

2. Confirm the correct function of your U2F token - such as at https://demo.yubico.com/webauthn-technical

3. Enable the AppArmor profile with the following command, then restart firefox.

     sudo aa-enforce /etc/apparmor.d/usr.bin.firefox

4. Repeat your test of your U2F token. You will find Firefox is unable to access your U2F token. Any accounts you need U2F to log into are now inaccessible.

5. Disabling the apparmor profile and restarting firefox will make U2F work again.

To work around:

Edit /etc/apparmor.d/usr.bin.firefox and replace these lines:

  # Doesn't seem to be required, but noisy. Maybe allow 'r' for 'b*' if needed.
  # Possibly move to an abstraction if anything else needs it.
  deny /run/udev/data/** r,

Instead allowing access to udev data, and to hidraw devices:

  /run/udev/data/** r,
  /dev/hidraw[0-9] rw,

I haven't checked the security implications of this change; some might feel it grants overly broad access. Chromium, which in 20.04 is delivered as a snap, includes udev rules (70-snap.chromium.rules) which I suspect grant access in a device-id-whitelisted way.

This is me resubmitting #1930768 this time with all the info attached.

ProblemType: Bug
DistroRelease: Ubuntu 20.04
Package: firefox 88.0.1+build1-0ubuntu0.20.04.2
ProcVersionSignature: Ubuntu 5.8.0-53.60~20.04.1-generic 5.8.18
Uname: Linux 5.8.0-53-generic x86_64
NonfreeKernelModules: nvidia_modeset nvidia
AddonCompatCheckDisabled: False
ApportVersion: 2.20.11-0ubuntu27.18
Architecture: amd64
AudioDevicesInUse:
 USER PID ACCESS COMMAND
 /dev/snd/controlC0: mtandy 1757 F.... pulseaudio
 /dev/snd/controlC1: mtandy 1757 F.... pulseaudio
BuildID: 20210504152106
CasperMD5CheckResult: skip
Channel: Unavailable
CurrentDesktop: ubuntu:GNOME
Date: Thu Jun 3 23:34:55 2021
ForcedLayersAccel: False
IncompatibleExtensions: Default - {972ce4c6-7e08-4474-a285-3208198ce6fd}
InstallationDate: Installed on 2021-05-31 (3 days ago)
InstallationMedia: Ubuntu 20.04.2.0 LTS "Focal Fossa" - Release amd64 (20210209.1)
IpRoute:
 default via 192.168.0.1 dev enp3s0 proto dhcp metric 100
 169.254.0.0/16 dev enp3s0 scope link metric 1000
 192.168.0.0/24 dev enp3s0 proto kernel scope link src 192.168.0.2 metric 100
MostRecentCrashID: bp-4122b123-9c74-4baf-b817-c8a771171216
PrefErrors: Unexpected character ',' before close parenthesis @ /usr/lib/firefox/omni.ja:greprefs.js:352
PrefSources: prefs.js
Profiles: Profile0 (Default) - LastVersion=88.0.1/20210504152106 (In use)
RunningIncompatibleAddons: True
SourcePackage: firefox
UpgradeStatus: No upgrade log present (probably fresh install)
dmi.bios.date: 07/11/2014
dmi.bios.release: 4.6
dmi.bios.vendor: American Megatrends Inc.
dmi.bios.version: 2202
dmi.board.asset.tag: To be filled by O.E.M.
dmi.board.name: Z97-K
dmi.board.vendor: ASUSTeK COMPUTER INC.
dmi.board.version: Rev X.0x
dmi.chassis.asset.tag: To Be Filled By O.E.M.
dmi.chassis.type: 3
dmi.chassis.vendor: To Be Filled By O.E.M.
dmi.chassis.version: To Be Filled By O.E.M.
dmi.modalias: dmi:bvnAmericanMegatrendsInc.:bvr2202:bd07/11/2014:br4.6:svnASUS:pnAllSeries:pvrSystemVersion:rvnASUSTeKCOMPUTERINC.:rnZ97-K:rvrRevX.0x:cvnToBeFilledByO.E.M.:ct3:cvrToBeFilledByO.E.M.:
dmi.product.family: ASUS MB
dmi.product.name: All Series
dmi.product.sku: All
dmi.product.version: System Version
dmi.sys.vendor: ASUS
mtime.conffile..etc.apparmor.d.usr.bin.firefox: 2021-06-03T23:25:44.143815