When enabled, Firefox AppArmor profile prevents U2F devices from working
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
firefox (Ubuntu) |
Confirmed
|
Undecided
|
Unassigned |
Bug Description
Summary:
If you enable the apparmor profile that comes in Ubuntu's Firefox package, it prevents USB U2F tokens from being used.
To reproduce:
1. Obtain a USB FIDO/U2F token - such as a Yubikey; and a clean install of Ubuntu 20.04 with Firefox installed, but the AppArmor profile for firefox disabled (As is the default).
2. Confirm the correct function of your U2F token - such as at https:/
3. Enable the AppArmor profile with the following command, then restart firefox.
sudo aa-enforce /etc/apparmor.
4. Repeat your test of your U2F token. You will find Firefox is unable to access your U2F token. Any accounts you need U2F to log into are now inaccessible.
5. Disabling the apparmor profile and restarting firefox will make U2F work again.
To work around:
Edit /etc/apparmor.
# Doesn't seem to be required, but noisy. Maybe allow 'r' for 'b*' if needed.
# Possibly move to an abstraction if anything else needs it.
deny /run/udev/data/** r,
Instead allowing access to udev data, and to hidraw devices:
/run/udev/data/** r,
/dev/hidraw[0-9] rw,
I haven't checked the security implications of this change; some might feel it grants overly broad access. Chromium, which in 20.04 is delivered as a snap, includes udev rules (70-snap.
This is me resubmitting #1930768 this time with all the info attached.
ProblemType: Bug
DistroRelease: Ubuntu 20.04
Package: firefox 88.0.1+
ProcVersionSign
Uname: Linux 5.8.0-53-generic x86_64
NonfreeKernelMo
AddonCompatChec
ApportVersion: 2.20.11-
Architecture: amd64
AudioDevicesInUse:
USER PID ACCESS COMMAND
/dev/snd/
/dev/snd/
BuildID: 20210504152106
CasperMD5CheckR
Channel: Unavailable
CurrentDesktop: ubuntu:GNOME
Date: Thu Jun 3 23:34:55 2021
ForcedLayersAccel: False
IncompatibleExt
InstallationDate: Installed on 2021-05-31 (3 days ago)
InstallationMedia: Ubuntu 20.04.2.0 LTS "Focal Fossa" - Release amd64 (20210209.1)
IpRoute:
default via 192.168.0.1 dev enp3s0 proto dhcp metric 100
169.254.0.0/16 dev enp3s0 scope link metric 1000
192.168.0.0/24 dev enp3s0 proto kernel scope link src 192.168.0.2 metric 100
MostRecentCrashID: bp-4122b123-
PrefErrors: Unexpected character ',' before close parenthesis @ /usr/lib/
PrefSources: prefs.js
Profiles: Profile0 (Default) - LastVersion=
RunningIncompat
SourcePackage: firefox
UpgradeStatus: No upgrade log present (probably fresh install)
dmi.bios.date: 07/11/2014
dmi.bios.release: 4.6
dmi.bios.vendor: American Megatrends Inc.
dmi.bios.version: 2202
dmi.board.
dmi.board.name: Z97-K
dmi.board.vendor: ASUSTeK COMPUTER INC.
dmi.board.version: Rev X.0x
dmi.chassis.
dmi.chassis.type: 3
dmi.chassis.vendor: To Be Filled By O.E.M.
dmi.chassis.
dmi.modalias: dmi:bvnAmerican
dmi.product.family: ASUS MB
dmi.product.name: All Series
dmi.product.sku: All
dmi.product.
dmi.sys.vendor: ASUS
mtime.conffile.
Status changed to 'Confirmed' because the bug affects multiple users.