[snap] apparmor denied when trying to load pkcs11 module for smart card authentication

The upstream firefox binary tarball loads the pkcs11 module just fine from /usr/lib/x86_64-linux-gnu/

Thanks, that's known and on the desktop jira and tracked upstream as https://bugzilla.mozilla.org/show_bug.cgi?id=1734371

It's the same with Spain's government electronic ID card. When I try to load the security device on firefox (the smart card reader) it throw me an error.

Output of dmesg:

 6930.990257] audit: type=1400 audit(1649676741.715:120): apparmor="DENIED" operation="file_mmap" profile="snap.firefox.firefox" name="/run/user/1000/doc/2312b93b/libpkcs11-dnie.so" pid=2836 comm="firefox" requested_mask="m" denied_mask="m" fsuid=1000 ouid=0
[ 6993.801991] audit: type=1400 audit(1649676804.530:121): apparmor="DENIED" operation="file_mmap" profile="snap.firefox.firefox" name="/run/user/1000/doc/2312b93b/libpkcs11-dnie.so" pid=2836 comm="firefox" requested_mask="m" denied_mask="m" fsuid=1000 ouid=0.

The firefox .deb packages (ubuntu 21.10 and 20.04) works fine. I'm on 22.04 with default firefox snap package

It seems the fix is coming. A new interface called pkcs11 was released. Now it just needs Firefox snap use it.

Here the BE government application eid-viewer (latest version) dot not load the data on Belgian identity-cards. Not the internal (a Dell-Latitude) , not the external card reader PKCS#11 works. The leds on the reader goes dark 5 seconds after plugging the usb cable in.
I see on the eid-archive.deb that the latest Ubuntu version is still not listed. Ubuntu 21.10 is the last version. https://eid.belgium.be/nl/linux-eid-software-installatie

Initial problem of:

Initial problem of "[sáb abr 2 17:32:27 2022] audit: type=1400 audit(1648931547.646:115): apparmor="DENIED" operation="file_mmap" profile="snap.firefox.firefox" name="/run/user/1000/doc/e0bac853/libaetpkss.so.3.5.4112" pid=3680 comm="firefox" requested_mask="m" denied_mask="m" fsuid=1000 ouid=0"

can be solved by adding to /var/lib/snapd/apparmor/profiles/snap.firefox.firefox something like:
-- DEE.snap.firefox.firefox 2022-05-15 00:51:38.010651530 -0500
+++ snap.firefox.firefox 2022-05-15 21:18:39.445523027 -0500
@@ -312,6 +312,9 @@
   /tmp/ r,
   /tmp/** mrwlkix,

+ #DEE
+ /run/user/[0-9]*/** mrwlkix,
+
   # App-specific access to files and directories in /dev/shm. We allow file
   # access in /dev/shm for shm_open() and files in subdirectories for open()
   # bind mount *not* used here (see 'parallel installs', above)

This adds the "m" mask to the "/run/user/1000/doc/e0bac853/" directory but does allow the module to be loaded. This is overkill, for the directory. For a PKCS11 module "mr" maybe all that is needed.

It is not clear why the choice was made to copy the pkcs11 modules to the doc directory in the first place.
Ubuntu appears to install PKCS11 modules (at least some in) in /usr/lib/x86_64-linux-gnu/pkcs11 so why can't this be used without copying?

The above only show how to get around the first of many possible problems.

Not all Ubuntu installed PKCS11 modules are installed in the above directory. p11-kit-client.so is but opensc-pkcs11.so and onepin-opensc-pkcs11.so are not, just symlinks.

Trying to use the apparmor aa-complain to get more info does not work with the way the snap apparmor profiles are named. It appears the profile uses "." inplace of "/" and there is no "snap/firefox/firefox"

Pkcs11 modules may load other PKCS11 modules, i.e. that is what p11-kit does. Each of these modules may have config files with system and user versions. apparmor needs to address how these config files can be read.

Until it can be shown that PKCS11 modules can be easily be used, I would suggest that firefox not be installed by snap.

Also see:
https://github.com/OpenSC/OpenSC/issues/2552

After spending a week on this, I think I see the problem.

(1) pkcs11 modules are dynamically load by mozilla nss and need the /etc/apparmor.d/abstractions/p11-kit as stated in previous comment.

(2) dynamically loaded modules may also load additional shared libraries. So apparmor profiles are need for each possible pkcs11 module. Ubuntu-22.04 has a /etc/apparmor.d/abstractions/p11-kit but needs the "m" file_mmap as stated in previous comment.

(3) /var/lib/snapd/apparmor/profiles/snap.firefox.firefox included these system based profiles:
  #include <abstractions/base>
  #include <abstractions/consoles>
  #include <abstractions/openssl>
But it does not include
  #include <abstractions/p11-kit>
So it can not load the p11-kit or any pkcs11 module p11-kit might try and load.
(/etc/apparmor.d/abstractions/p11-kit will also include any profiles in abstractions/p11-kit.d)

(4) Smartcard pkcs11 modules use the pcscd system service. On most linux system this is the pcscd-lite package: https://github.com/LudovicRousseau/PCSC the ClientSetupSession https://github.com/LudovicRousseau/PCSC/blob/master/src/winscard_msg.c#L107-L167 sets client access to the socket. (I have not looked at what it would take to add the dbus apparmor code needed to do this.)

Observations:

With a modified p11-kit /etc/apparmor.d/abstractions/p11-kit with the "m" file_mmap and adding the #include <abstractions/p11-kit> to /var/lib/snapd/apparmor/profiles/snap.firefox.firefox I can add p11-kit as a "security Device", but it does not load any additional pkcs11 modules.

 ~/snap/firefox/common/.mozilla/firefox/0i8u9awg.default/pkcs11.txt has:
   library=/lib/x86_64-linux-gnu/libp11-kit.so.0.3.0
    name=p11-kit
   (using symlinks to libs appears to be a problem, so I avoided using them.)

I can not add a "security device" for OpenSC even with adding a /etc/apparmor.d/abstractions/opensc profile.

(Others on the internet have reported problems with other smart card pkcs11 modules not just opensc.)

Using audit on all possible files, does not show a file loading problem or does running
sudo apparmor_parser -v -C -r snap.firefox.firefox to reload with complain only show any problems. So the problme must be somehing else.

P11-kit does not directly need access to pcscd, so (4) is not an issue with p11 kit itself but (4) is an issued with any (or most) pkcs11 modules loaded by p11-kit.

Solutions:

For a snap installed firefox if (1), (2), (3) and (4) where addressed, snap firefox should work.
Adding profiles for each pkcs11 module to /etc/apparmor.d/abstractions and adding an include in /etc/apparmor.d/abstractions/p11-kit.d would require only only adding an include for p11-kit to snap.firefox.firefox. I hope that there is enough info above so someone else can add the dbus code.

Personally:

I find snap to be nightmare and Ubuntu should not have made it the default firefox. Ubuntu should at least continue to give the user a choice. All my testing has been on a virtual test 22.04 system. I was in the process of converting from 20.04 to 22.04, both virtual, when I ran into this problem. I have removed the snap firefox and am working on using the Debian firefox-esr which...

Hi, this bug also affects me.

TLDR and as a confirm of the workaround, as root digit:

# mkdir /etc/apparmor.d/abstractions/p11-kit.d/
# echo "/run/user/[0-9]*/** mr," > /etc/apparmor.d/abstractions/p11-kit.d/snap

add "#include <abstractions/p11-kit>" in /var/lib/snapd/apparmor/profiles/snap.firefox.firefox after #include <abstractions/openssl>

# apparmor_parser -v -C -r /var/lib/snapd/apparmor/profiles/snap.firefox.firefox

Many thanks to Luca Ferroni for summarizing a solution.
For users of European Patent Office smart cards seeing
Secure Connection Failed... Error code: SSL_ERROR_HANDSHAKE_FAILURE_ALERT

please see instructions posted by thomasip on Wed Aug 24, 2022 2:29 pm at:
https://forums.epo.org/new-version-of-the-cryptovision-software-12191#p40162

https://launchpad.net/~liuck can you give some more information:

 What PKCS11 module are you using?

 What version of Ubuntu?

From my testing with a fresh copy install of XUbuntu-22.04.1 as guest of VirtualBox, the "/run/user/[0-9]*/** mr," appears to allow access to any file in my /usr/run/1000 directory.

When I use firefox's "Security Devices... Load" and browse for a module, I give the path to the system version of the module(s) I have tried: both /usr/lib/x86_64-linux-gnu/pkcs11/p11-kit-client.so and /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so. Both get a "Unable to add module" and the location shown in /run/user/1000/doc/48e09223/p11-kit-client.so /run/user/1000/doc/e3261d9/opensc-pkcs11.so

So it looks like it find the files and copies to /run/user/1000/doc/*.

But both of these modules need access to other libs and also need to use pcscd to access the smartcard readers.

https://launchpad.net/~tnetter
Can you give some more information about "/usr/local/lib/libcvP11.so"
It is not clear why this works with: https://forums.epo.org/new-version-of-the-cryptovision-software-12191#p40162

It may be that this is a simple library and does not use pcscd.

https://launchpad.net/~dengert , https://launchpad.net/~tnetter

unfortunately my summary of @dengert instructions is nor a solution / nor a workaround.

Following those steps I managed to add only one "security device", but it does not work when accessing the website: https://dichiarazioneprecompilatasc.agenziaentrate.gov.it/

The security device I have added uses the module /usr/share/bit4id/x/libbit4xpki.so (FF copies it to /run/user/1000/doc/fb1650f7/libbit4xpki.so)

I didn't succeed in adding: /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so (FF copies it to /run/user/1000/doc/bc62d73/opensc-pkcs11.so but issues "Cannot load module")

I am not in a urgent need of this bug to be fixed, but I'd really like to help in finding the root cause. I am wondering if there is a small shell/python script that can be helpful to isolate the problem avoiding to reproduce the steps with Firefox that hides details.

For example: how can I test from CLI if my smart card reader is working with OpenSC? (keeping out SNAP or Firefox from the test?) I think it can be useful to write down here a simple check.

This problem is an Ubuntu/snap packaging issue. FF and Thunderbird both allow the loading of PKCS11 modules as do other programs. But the snap has not packaged these.

Access to smartcards is usually handled by PC/SC i.e. the pcscd daemon. It provides locking access to the smartcards from multiple running applications. So this is another issue for snap, how to provide access to this system daemon.

Snap does provide the ability to load the p11-kit but then p11-kit tries to load other PKCS11 modules which may need to load additional libraries. /usr/lib/x86_64-linux-gnu/pkcs11/* and run "p11-kit list-modules".

p11-kit has a client/remote capability that I have never looked at. It might be possible to use this from snap to a "remote" server running on the the local host.

Are there FF extensions that may similar problems?

Until Ubuntu can packaged up other pkcs11 modules and handle pcscd, the way to: "test from CLI if my smart card reader is working" is to use the debian firefox-esr which does not have any problems.

https://launchpad.net/~liuck
You can test your reader/card with OpenSC without firefox.

see: "man pkcs11-tool" or "pkcs11-tool --help". "pkcs11-tool --test --login" will try and read certificates and do sign/verify using private keys. It may prompt for pin several times.

If you can also add --module <path/to/module> to use test a different PKCS11 module.

BTW: I succeed in my test and I checked my working ACR38 AC1038-based Smart Card Reader with these commands:

# apt install libacsccid1 pcscd pcsc-tools opensc
# pcsc_scan

and in FF snap I cannot load /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so

(thanks to https://guide.debianizzati.org/index.php/Carta_Nazionale/Regionale_dei_Servizi)

I don't know the relation between libacsccid1 and opensc but I suppose that libacsccid1 is a library used by pcscd, whereas opensc is a middleware between FF (or other PKCS11 API software) and pcscd.

I would like to try packaging pcsc-tools as a SNAP to see if it can read card info, do you think it could be a good idea, or just a waste of time?

Guys, it works for me!
It's weird but somehow it works :-)

More than my previous not working comment https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1967632/comments/9
I have added:

- the libacsccid1 package
- rw access to the unix socket /run/pcscd/pcscd.comm in the apparmor profile

Summarizing the solution again:

# apt install libacsccid1 pcscd
# mkdir /etc/apparmor.d/abstractions/p11-kit.d/
# echo "/run/user/[0-9]*/** mr," > /etc/apparmor.d/abstractions/p11-kit.d/snap
# echo "/run/pcscd/pcscd.comm rw," >> /etc/apparmor.d/abstractions/p11-kit.d/snap

add "#include <abstractions/p11-kit>" in /var/lib/snapd/apparmor/profiles/snap.firefox.firefox after #include <abstractions/openssl>

# apparmor_parser -v -C -r /var/lib/snapd/apparmor/profiles/snap.firefox.firefox

Then in Firefox -> Settings -> Privacy and Security -> Security devices
Load -> name: ACS ACR38U in my case, but can be anything you want, module: /usr/share/bit4id/x/libbit4xpki.so

That's for my card, my reader and my module. And note: my FF is in Italian, translation may differ a bit in English.

Further weird notes:

1. The first time I try to access after a reboot, I go to the webpage https://dichiarazioneprecompilata.agenziaentrate.gov.it and FF ask me for the PIN (with a system dialog). I insert the PIN and FF ask me again for the PIN in an infinite cycle, I have to kill FF. But the second time and following times I access the page it works like a charm even in Incognito mode. Weird, but I can live with it. I seldom use smart card.

2. Another strange thing that happened while I was trying to isolate the right steps to publish here is that I removed rw access to pcscd.comm socket in apparmor profile and FF kept working! Even after a restart, and even in Incognito mode. So I have rebooted the system in order to be sure that rw access to the socket would be a requirement, and that's it.

3. I don't know why Firefox does not let me load the /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so module. It complains with the message "Unable to add module" :-(
even if I add `/usr/lib/x86_64-linux-gnu/** rm,` in /etc/apparmor.d/abstractions/p11-kit.d/snap apparmor profile.

Differences between opensc-pkcs11.so and libbit4xpki.so

file /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so /usr/lib/bit4id/libbit4xpki.so

/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=de5eb51ea9145d2bfd9428110736825895bb56f4, stripped

/usr/lib/bit4id/libbit4xpki.so: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=825713056df8eb66f78817284b4ec2c7a2d8c26b, not stripped

My environment is:

Ubuntu 22.04.1 LTS
Codename: jammy
Mozilla Firefox 104.0

I think that's all my story, if there is something else or attempts I can make in my environment, please ask, I remain here available.

Thank you very much for documenting thoroughly your findings. These will be useful to design and implement a proper solution to the problem.

In the meantime, a couple of comments:

 - the apparmor profile will be overwritten every time the snap is updated, so you will have to re-apply the changes

 - /usr inside the snap is a bind-mount from /usr in the base snap, not on the host system, which explains why your addition of `/usr/lib/x86_64-linux-gnu/** rm,` to the apparmor profile doesn't work as you'd expect (see https://github.com/snapcore/snapd/pull/11025#issuecomment-1225787194 for details)

This maybe the biggest problem:
"- /usr inside the snap is a bind-mount from /usr in the base snap, not on the host system, which explains why your addition of `/usr/lib/x86_64-linux-gnu/** rm,` to the apparmor profile doesn't work as you'd expect (see https://github.com/snapcore/snapd/pull/11025#issuecomment-1225787194 for details)"

Are both of you saying that the location of the PKCS11 module makes a difference?
And if the normal location is in /usr/lib/x86_64-linux-gnu is part of the FF snap package and
their is no way to include files from the local system's /usr/lib/x86_64-linux-gnu.
So is that what the copying to the /usr/run/<uid>/doc is trying to overcome?

There are many PKCS11 modules out there, some provided by smartcard vendors and not part of a distro.
OpenSC is distributed Ubuntu and most other distros. How will you handle these other modules?

What package has the /usr/lib/bit4id/libbit4xpki.so?

can you run "ldd /usr/lib/bit4id/libbit4xpki.so" to see what other libs are required?
Does it use a socket to pcscd?

Is it possible some other libs must also be included?

Can you try to install opensc-pkcs11 (which also installs opensc) to your system and see you can get FF to load it?

opensc-pkcs11-0.22.0-1ubuntu2 installs opensc-pkcs11.so in two places: /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so and /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so (which is were p11-kit would load it)
and depends on libopensc.so.8 and /usr/lib/x86_64-linux-gnu/libcrypto.so.3 from libssl3-3.0.2-0ubuntu1.6

 $ ls -l /usr/lib/x86_64-linux-gnu/*opensc*
lrwxrwxrwx 1 root root 18 Mar 10 11:00 /usr/lib/x86_64-linux-gnu/libopensc.so.8 -> libopensc.so.8.0.0
-rw-r--r-- 1 root root 2040208 Mar 10 11:00 /usr/lib/x86_64-linux-gnu/libopensc.so.8.0.0
-rw-r--r-- 1 root root 234704 Mar 10 11:00 /usr/lib/x86_64-linux-gnu/onepin-opensc-pkcs11.so
-rw-r--r-- 1 root root 234704 Mar 10 11:00 /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
$ ldd /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
 linux-vdso.so.1 (0x00007ffcbbdfe000)
 libopensc.so.8 => /lib/x86_64-linux-gnu/libopensc.so.8 (0x00007efd3cd14000)
 libcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 (0x00007efd3c8d2000)
 libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007efd3c6aa000)
 libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007efd3c68e000)
 libgio-2.0.so.0 => /lib/x86_64-linux-gnu/libgio-2.0.so.0 (0x00007efd3c4b6000)
 libgobject-2.0.so.0 => /lib/x86_64-linux-gnu/libgobject-2.0.so.0 (0x00007efd3c456000)
 /lib64/ld-linux-x86-64.so.2 (0x00007efd3cf58000)
 libglib-2.0.so.0 => /lib/x86_64-linux-gnu/libglib-2.0.so.0 (0x00007efd3c31a000)
 libgmodule-2.0.so.0 => /lib/x86_64-linux-gnu/libgmodule-2.0.so.0 (0x00007efd3c313000)
 libmount.so.1 => /lib/x86_64-linux-gnu/libmount.so.1 (0x00007efd3c2cf000)
 libselinux.so.1 => /lib/x86_64-linux-gnu/libselinux.so.1 (0x00007efd3c2a3000)
 libffi.so.8 => /lib/x86_64-linux-gnu/libffi.so.8 (0x00007efd3c296000)
 libpcre.so.3 => /lib/x86_64-linux-gnu/libpcre.so.3 (0x00007efd3c21e000)
 libm.so.6 => /lib/x86_64-linux-gnu/libm.so.6 (0x00007efd3c137000)
 libblkid.so.1 => /lib/x86_64-linux-gnu/libblkid.so.1 (0x00007efd3c100000)
 libpcre2-8.so.0 => /lib/x86_64-linux-gnu/libp...

https://launchpad.net/~liuck
Thank you very much! I managed to use my SafeNet eToken 5100 to login to a Brazilian government website using your instructions!

In my case, I didn't need to install the libacsccid1 package, maybe that is related to your smart card. I also didn't have any infinite cycle when testing my eToken, it seems to work just fine. And the package pcscd was already installed, since it was needed to use the eToken in Ubuntu 20.04.

The only remaining "bug" is that I had to manually follow a few symbolic links to find the real location of the PKCS11 module. In Ubuntu 20.04 I could just add the path "/usr/lib/libeTPkcs11.so", but this is a symbolic link to "/usr/lib/libeToken.so", which in turn is a symbolic link to "/usr/lib/libeToken.so.10.7.77". So it only worked when I used the final path "/usr/lib/libeToken.so.10.7.77".

Summarizing the solution you gave above, again, but using sudo this time:

$ sudo apt install pcscd
$ sudo mkdir /etc/apparmor.d/abstractions/p11-kit.d/
$ echo "/run/user/[0-9]*/** mr," | sudo tee /etc/apparmor.d/abstractions/p11-kit.d/snap
$ echo "/run/pcscd/pcscd.comm rw," | sudo tee -a /etc/apparmor.d/abstractions/p11-kit.d/snap
$ sudo sed -i 's|.*#include <abstractions/openssl>.*|&\n #include <abstractions/p11-kit>|' /var/lib/snapd/apparmor/profiles/snap.firefox.firefox
$ sudo apparmor_parser -v -C -r /var/lib/snapd/apparmor/profiles/snap.firefox.firefox

Then in Firefox -> Settings -> Privacy & Security -> Security devices... -> Load -> Module name: "eToken SafeNet" in my case, but can be anything you want, Module filename: "/usr/lib/libeToken.so.10.7.77", also in my case, you need to find the correct module for you, and it will change the module path automatically to another starting with "/run/user/..." after selecting the file.

That's for my USB eToken, my (software) SafeNet reader and my libeToken module.

My environment:

Ubuntu 22.04.1 LTS
Codename: jammy
Mozilla Firefox 104.0

So it appears that to load a PKCS11 module in snap packaged FireFox requires:
 1) "/run/user/[0-9]*/** mr,"
 2) "/run/pcscd/pcscd.comm rw," (if module uses pcscd)
 3) absolute path (i.e. no symlinks) to the module
 4) all libs the module may need to be in the snap base

To test if (4) is correct:

 https://launchpad.net/~ascaneo can you run "ldd /usr/lib/libeToken.so.10.7.77"

 https://launchpad.net/~liuck can you run "ldd /usr/lib/bit4id/libbit4xpki.so"

I posted the output of "ldd opensc-pkcs11.so" in https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1967632/comments/18

It requires "libopensc.so.8 => /lib/x86_64-linux-gnu/libopensc.so.8" which is most likely not in the snap package base as per https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1967632/comments/17

So how should a snap package handle arbitrary pkcs11 packages that require libs that would have been installed in a traditional install, but are not by snap packaging?

Here is the output:

$ ldd /usr/lib/libeToken.so.10.7.77
 linux-vdso.so.1 (0x00007ffe6e5ae000)
 libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007fa98abb3000)
 libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007fa98abae000)
 libpcsclite.so.1 => /lib/x86_64-linux-gnu/libpcsclite.so.1 (0x00007fa98aba2000)
 libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fa98a5d8000)
 /lib64/ld-linux-x86-64.so.2 (0x00007fa98abd3000)

I did a quick search and found two deb packages at a Italian government website containing libbit4xpki.so

This is the output from i386 and amd64 versions:

$ ldd libbit4xpki.so
 linux-gate.so.1 (0xf7f7f000)
 libm.so.6 => /lib/i386-linux-gnu/libm.so.6 (0xf7d87000)
 libdl.so.2 => /lib/i386-linux-gnu/libdl.so.2 (0xf7d82000)
 libpthread.so.0 => /lib/i386-linux-gnu/libpthread.so.0 (0xf7d7d000)
 libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xf7b48000)
 /lib/ld-linux.so.2 (0xf7f81000)

$ ldd libbit4xpki.so
 linux-vdso.so.1 (0x00007fff13983000)
 libm.so.6 => /lib/x86_64-linux-gnu/libm.so.6 (0x00007f329bf5c000)
 libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f329bf57000)
 libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007f329bf52000)
 libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f329b9d8000)
 /lib64/ld-linux-x86-64.so.2 (0x00007f329c05e000)

It seems there is another smartcard model used by the Italian government. I though this could be useful as another example:

$ ldd libstpkcs11.so
 linux-vdso.so.1 (0x00007ffe51f67000)
 libcrypto.so.1.1 => /lib/x86_64-linux-gnu/libcrypto.so.1.1 (0x00007f394c92a000)
 libpcsclite.so.1 => /lib/x86_64-linux-gnu/libpcsclite.so.1 (0x00007f394cfd7000)
 libstdc++.so.6 => /lib/x86_64-linux-gnu/libstdc++.so.6 (0x00007f394c6fe000)
 libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f394c4d6000)
 libgcc_s.so.1 => /lib/x86_64-linux-gnu/libgcc_s.so.1 (0x00007f394cfb7000)
 libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f394cfb0000)
 libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007f394cfab000)
 /lib64/ld-linux-x86-64.so.2 (0x00007f394cffe000)
 libm.so.6 => /lib/x86_64-linux-gnu/libm.so.6 (0x00007f394cec4000)

Thanks for the ldd output.
libpcsclite.so.1 is the lib to used the pcscd socket, and is used by modules libstpkcs11.so, libeToken.so.10.7.77 and libopensc.so.8 (see below) It is not used in libbit4xpki.so which may be a software pkcs11 or does not use pcscd.

libcrypto.so.1.1 is OpenSSL-1.1 and also used by modules libstpkcs11.so and opensc-pkcs11.so

So libstpkcs11.so, libeToken.so.10.7.77 and libstpkcs11.so, libeToken.so.10.7.77 all appear to work as all the libs are available.

The difference is opensc-pkcs11.so needs to load libopensc.so.8 and a few others that I have not looked at

On a 22.04.1 system running the command `sudo snap run --shell firefox.firefox` will run snap as root to have snap start up a shell with the environment that firefox would run under.

The `df` command shows:

/dev/sda3 122388080 11202960 104921928 10% /var/lib/snapd/hostfs
tmpfs 814036 1272 812764 1% /run
tmpfs 5120 4 5116 1% /run/lock
tmpfs 814036 100 813936 1% /run/user/1000
/dev/loop0 128 128 0 100% /snap/bare/5
/dev/loop1 63488 63488 0 100% /snap/core20/1587
/dev/loop2 63488 63488 0 100% /
/dev/loop3 167296 167296 0 100% /snap/firefox/1635
/dev/loop4 181248 181248 0 100% /snap/firefox/1749
/dev/loop5 410496 410496 0 100% /snap/gnome-3-38-2004/112
/dev/loop7 48128 48128 0 100% /snap/snapd/16292
/dev/loop6 93952 93952 0 100% /snap/gtk-common-themes/1535
/dev/sda2 524252 5364 518888 2% /var/lib/snapd/hostfs/boot/efi
Argonne 1952871748 479641924 1473229824 25% /media/sf_Argonne
VM-Shared 1952871748 479641924 1473229824 25% /media/sf_VM-Shared
/dev/loop8 354688 354688 0 100% /snap/gnome-3-38-2004/115
udev 4034884 0 4034884 0% /dev
tmpfs 4070180 0 4070180 0% /dev/shm
tmpfs 4070180 0 4070180 0% /snap/firefox/1749/data-dir/icons
tmpfs 4070180 0 4070180 0% /snap/firefox/1749/data-dir/sounds
tmpfs 4070180 0 4070180 0% /snap/firefox/1749/data-dir/themes
tmpfs 4070180 1996 4068184 1% /usr/lib/x86_64-linux-gnu
tmpfs 4070180 0 4070180 0% /usr/share

and /var/lib/snapd/hostfs is the host's filesystem. I was able to copy libopensc.so.8.0.0 and symlink libopensc.so.8.0.0 to /usr/lib/x86_64-linux-gnu FF will still not load opensc-pkcs11.so and it will be gone on a reboot.

snap does set sone environemt variables that could help:
LD_PRELOAD=:/snap/firefox/1749/gnome-platform/$LIB/bindtextdomain.so
LD_LIBRARY_PATH=/var/lib/snapd/lib/gl:/var/lib/snapd/lib/gl32:/var/lib/snapd/void:/snap/firefox/1749/usr/lib:/snap/firefox/1749/usr/lib/x86_64-linux-gnu:/snap/firefox/1749/gnome-platform/lib/x86_64-linux-gnu:/snap/firefox/1749/gnome-platform/usr/lib/x86_64-linux-gnu:/snap/firefox/1749/gnome-platform/usr/lib:/snap/firefox/1749/gnome-platform/lib:/snap/firefox/1749/gnome-platform/usr/lib/x86_6...

Problem to install/read Belgium e-Id. Is this the problem bug? Is there a working work-around available?

 "Is there a working work-around available?"

Yes, install the Debian FireFox-esr which does not use snap.
Google for: Ubuntu firefox esr

 https://ubuntuhandbook.org/index.php/2022/03/install-firefox-esr-ubuntu/

Also, you can install the regular Firefox following this instructions. In this case, you will change the snap version for the .deb one. and it contains instructions for avoiding the re-installation of Firefox snap and for getting automated updates for the .deb version via unattended-upgrades:

https://www.omgubuntu.co.uk/2022/04/how-to-install-firefox-deb-apt-ubuntu-22-04

Could there be a little bit more professional solution? If canonical wants to deploy ubuntu in enterprise with a lot of card reader usages, this is a critical bug.

In this case there should be maintained non-snap official firefox package to workaround.

"If canonical wants to deploy ubuntu in enterprise with a lot of card reader usages, this is a critical bug."
I agree.

The also need to keep in mind, that enterprises may also use smartcards for login which implies pcscd
needs to be run as root as pam modules will need access to it, during login. There should be only one pcscd running. i.e. don't try and put pcscd in a snap package. As there should only be one pcscd running on a system. Pcscd's primary function is to lock access to the card over a set of APDU commands.
See https://pcscworkgroup.com/

Some smart card vendors provide their own PKCS11 modules and users may be need t uses thes via FireFox, either the sanp version or as suggested a "non-snap official firefox package".

I don't know if this could help someone but firefox from mozilla repositories didn't worked for me neither (Kubuntu 22.10)
If I remember correctly I noticed that pcs package is not installed by default, in addition the service pcsd didn't run by default, in this context firefox can't add the module.

So after install pcsd and after active the service with:
-sudo apt install pcsd
-sudo service pcscd start
-sudo systemctl enable pcscd (this is to keep the service running after a reboot)

I could active the module correctly. Sadly when I did this I had replaced firefox snap by firefox from mozilla repositories so I'm not sure if this could make work the module installation on snap.

I was able to load the module libaetpkss from version 3.7.0 (instead of the latest 3.8.0) to Snap Firefox just copying the shared library to my home dir (where Firefox has access). It has to be the version 3.7.0 that needs the legacy package libssl1.1

Adding my name to this as I use an old W10 laptop for accessing USGOV sites until the issue is fixed.

EDIT: This comment is obsolete, stable/pkcs expired and if you try to install it now you'll simply end up with stable snap.

The snap on stable/pkcs has been built with (what I gather are) the essential components — opensc-pkcs11, libpcsclite, and also a couple of debugging utilities — for the most basic and supported smart cards. You may want to test it, if so keep reading.

You would also need pcscd installed and started in your system.

There is a merge request[1] currently under review to allow the snap to use the pcscd socket; Until it's merged you'd need to manually allow access to the socket in /var/lib/snapd/apparmor/profiles/snap.chromium.chromium.

So if your smart card is supported by OpenSC[2], the full recipe is

--->
snap install --channel stable/pkcs chromium
apt install pcscd
systemctl start pcscd.socket
editor /var/lib/snapd/apparmor/profiles/snap.chromium.chromium
#Insert "/{var/,}run/pcscd/pcscd.comm rwm," before the last bracket.
apparmor_parser -r
chromium --enable-logging=stderr &> chr.log
<---

Attach chr.log or the system's journal if you see any relevant error or denial there.

Bear in mind that I was oblivious to the components involved until I started looking at this bug and I still don't have a complete picture of them. So please point out any mistake or omission you can find.

[1] https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1843392/comments/9
[2] https://github.com/snapcore/snapd/pull/12847

> Bear in mind that I was oblivious to the components involved until I started looking at this bug and I still don't have a complete picture of them. So please point out any mistake or omission you can find.

Your solution may/should work for smart cards that are supported by OpenSC.
But it will not work for all the other PKCS#11 libraries that are not included in he snap.

The idea proposed by Wouter in [1] looks promising.

[1] https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1843392/comments/9

Thanks Ludovic, so for those smart cards, the pcscd interface has been merged in Snapd (but is apparently only available from 2.60.4 on, so currently you need the beta channel of it), and so I update the test case to a simpler:

--->
snap refresh --beta snapd
snap refresh --channel stable/pkcs chromium
snap connect chromium:pcscd
chromium --enable-logging=stderr >chr.log 2>&1
<---

Hi! I wanted to try this. This is what I did:

$ sudo snap set system experimental.parallel-instances=true
$ snap refresh --beta snapd
$ sudo snap install --channel stable/pkcs chromium_pkcs
$ sudo snap connect chromium_pkcs:pcscd

But I get an error when trying to execute chromium:

$ chromium_pkcs
/snap/chromium/2648/usr/lib/chromium-browser/chrome: symbol lookup error: /snap/chromium/2648/gnome-platform/usr/lib/x86_64-linux-gnu/libpango-1.0.so.0: undefined symbol: hb_ot_color_has_paint

Is this compatible with parallel installs or the problem lays somewhere else?

Thanks!

Parallel install is OK, I committed the fix for that weeks ago... In the wrong branch. (:

Rebuilt now, with my limited connection I cannot donwload it to test it, but I tested by making local changes by unsquashing and trying the snap.

Can you please give it another try and let me know? The revision number must be 2671.

Thanks for the help testing.

OK, now chromium starts, but when I try to access some website that requires the certificate on my smartcard, it seems like it's doing nothing to access the smartcard, so to speak.

Eveything works OK on my non-snaped Firefox.

Can you ascertain if your smart card is supported by OpenSC?

> Can you ascertain if your smart card is supported by OpenSC?

Yes, totally. It's a DNIe: https://github.com/OpenSC/OpenSC/wiki/DNIe-(OpenDNIe)/dca4ae71aac1deb510df0d2b9afebb59afd07feb

The test snap does have the components I expected to be sufficient. I don't know the reason of failure and haven't got the time to investigate it in the short term, sorry.