[snap] Firefox unable to load Security Device "p11-kit-trust.so" defined in /etc/firefox/policies/policies.json

Bug #1951646 reported by Marcos Simental
This bug affects 1 person
Affects: firefox (Ubuntu)
Status: Confirmed
Importance: Undecided
Assigned to: Unassigned

Bug Description

Environment:
Ubuntu 21.10 with default Firefox (v93.0) snap install.

Having defined a policy in /etc/firefox/policies/policies.json with the following:
$ cat /etc/firefox/policies/policies.json
{
    "policies": {
        "Authentication": {
            "Delegated": [
                "example.com"
            ],
            "NTLM": [
                "example.com"
            ],
            "SPNEGO": [
                "example.com"
            ],
            "Locked": false
        },
        "Homepage": {
            "URL": "https://example.com",
            "Locked": false
        },
        "Proxy": {
            "Mode": "system",
            "Passthrough": "<local>,.example.com",
            "Locked": false
        },
        "SecurityDevices": {
            "p11-kit-trust.so for Internal certificate chain": "/usr/lib/x86_64-linux-gnu/pkcs11/p11-kit-trust.so"
        }
    }
}

I got an error when looking over about:policies:
"Unable to load security device p11-kit-trust.so"
However, all other policies are active and applied correctly (meaning that snap firefox can load /etc/firefox/policies/policies.json file).

After enabling debug for policies I get the following error:
Policies.jsm:
Exception { name: "NS_ERROR_FAILURE", message: "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsIPKCS11ModuleDB.addModule]", result: 2147500037, filename: "resource:///modules/policies/Policies.jsm", lineNumber: 1995, columnNumber: 0, data: null, stack: "onProfileAfterChange@resource:///modules/policies/Policies.jsm:1995:20\n_runPoliciesCallbacks@resource://gre/modules/EnterprisePoliciesParent.jsm:238:9\nBG_observe@resource://gre/modules/EnterprisePoliciesParent.jsm:291:14\n", location: XPCWrappedNative_NoHelper }
Policies.jsm:1998

I tried to reproduce with the firefox.deb package without success, so the problem might be around snap.

Tags: snap
Olivier Tilloy (osomon)
tags: added: snap
Changed in firefox (Ubuntu):
status: New → Confirmed
Olivier Tilloy (osomon) wrote :

That's indeed a snap-specific problem, and a confinement issue: the application is not allowed to see /usr/lib/x86_64-linux-gnu/pkcs11/ on the host system, the path is remapped to /snap/core20/current/usr/lib/x86_64-linux-gnu/pkcs11/, which doesn't exist.

I was able to work around the problem by downloading the p11-kit-modules package for Ubuntu 20.04 (https://launchpad.net/ubuntu/focal/amd64/p11-kit-modules), unpacking it in /var/snap/firefox/common/, and changing the path in /etc/firefox/policies/policies.json to point there.

Not exactly easy, but it seems to do the job without requiring changes to firefox or the snap itself.
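
The path remapping described in the comment above can be checked before deploying a policy file. The following Python sketch is an added example, not part of the original report and not code from Firefox or snapd; it lists each SecurityDevices entry together with the location the confined browser would actually open. Assumptions: only /usr is modelled as remapped, the function names are hypothetical, and the second module path and the file set are constructed sample data.

```python
import json
import os

# Per the comment above: inside the snap, host paths under /usr are served by
# the core20 base snap instead. Modelling only /usr is an assumption made here.
BASE_SNAP_ROOT = "/snap/core20/current"
REMAPPED_PREFIXES = ("/usr/",)

def snap_view(path):
    """Host-side location the confined Firefox ends up opening for `path`."""
    path = os.path.normpath(path)
    if path.startswith(REMAPPED_PREFIXES):
        return BASE_SNAP_ROOT + path
    return path

def audit_security_devices(policy_text, exists=os.path.exists):
    """Return (name, configured, effective, visible) per SecurityDevices entry."""
    policies = json.loads(policy_text).get("policies", {})
    report = []
    for name, configured in policies.get("SecurityDevices", {}).items():
        effective = snap_view(configured)
        report.append((name, configured, effective, exists(effective)))
    return report

# Constructed sample: the entry from the report plus a second entry pointing
# under /var/snap/firefox/common (hypothetical unpack location of the module).
SAMPLE_POLICY = json.dumps({"policies": {"SecurityDevices": {
    "host-usr-lib": "/usr/lib/x86_64-linux-gnu/pkcs11/p11-kit-trust.so",
    "snap-common": "/var/snap/firefox/common/pkcs11/p11-kit-trust.so",
}}})

# Constructed stand-in for the filesystem so the example runs anywhere: the
# module exists on the host and in the snap's common directory, not in core20.
SAMPLE_FILES = {
    "/usr/lib/x86_64-linux-gnu/pkcs11/p11-kit-trust.so",
    "/var/snap/firefox/common/pkcs11/p11-kit-trust.so",
}

if __name__ == "__main__":
    for name, configured, effective, ok in audit_security_devices(
            SAMPLE_POLICY, exists=SAMPLE_FILES.__contains__):
        status = "OK" if ok else "NOT VISIBLE IN SNAP"
        print(f"{status}: {name}: {configured} -> {effective}")
```

To audit a real system, pass the contents of /etc/firefox/policies/policies.json as `policy_text` and leave `exists` at its default when running on the host.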

Ville Aakko (wildpenguin) wrote :

Possibly related: bug #1970561 - but I'm not sure. See my description in that bug. If someone knows for certain, feel free to mark that as duplicate.

I haven't tried a workaround similar to the one outlined by Olivier, but have chosen to use Firefox from the PPA for the time being.
