[snap] U2F doesn't work with yubikey

Bug #1738164 reported by Olivier Tilloy on 2017-12-14
48
This bug affects 8 people
Affects Status Importance Assigned to Milestone
chromium-browser (Ubuntu)
High
Olivier Tilloy
gnome-software (Ubuntu)
Medium
Robert Ancell
Xenial
Medium
Robert Ancell
Bionic
Medium
Robert Ancell
Cosmic
Medium
Robert Ancell

Bug Description

[Impact]
Installing a snap that requires the u2f-devices interface doesn't show a UI element to enable/disable this in GNOME Software. Initially Chromium didn't have this enabled by default, and thus the feature wouldn't work without going to the command line. It now is enabled by default.

[Test Case]
1. Open GNOME Software
2. Install the Chromium snap
3. Click "Permissions"

Expected result:
A switch is shown to control "Read/write access to U2F devices exposed". Clicking it connects/disconnects the u2f-devices interface.

Observed result:
No switch is shown for this interface.

[Regression Potential]
A string for this interface was added to GNOME Software, low risk of introducing a new bug.

Chris Cowling (tatramaco) wrote :

It appears that apparmor is blocking u2f requests :

[ 5955.568022] audit: type=1400 audit(1526465659.599:92): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/sys/devices/pci0000:00/0000:00:14.0/usb3/3-3/3-3:1.0/0003:045E:07B2.0001/report_descriptor" pid=19386 comm="TaskSchedulerFo" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[ 5955.568379] audit: type=1400 audit(1526465659.599:93): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/sys/devices/pci0000:00/0000:00:14.0/usb3/3-3/3-3:1.1/0003:045E:07B2.0002/report_descriptor" pid=19386 comm="TaskSchedulerFo" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[ 5955.568667] audit: type=1400 audit(1526465659.599:94): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/sys/devices/pci0000:00/0000:00:14.0/usb3/3-3/3-3:1.2/0003:045E:07B2.0003/report_descriptor" pid=19386 comm="TaskSchedulerFo" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[ 5955.569840] audit: type=1400 audit(1526465659.599:95): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/sys/devices/pci0000:00/0000:00:1a.0/usb1/1-1/1-1.2/1-1.2:1.0/0003:1050:0407.002D/report_descriptor" pid=19386 comm="TaskSchedulerFo" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[ 5955.570337] audit: type=1400 audit(1526465659.603:96): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/sys/devices/pci0000:00/0000:00:1a.0/usb1/1-1/1-1.2/1-1.2:1.1/0003:1050:0407.002E/report_descriptor" pid=19386 comm="TaskSchedulerFo" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

Olivier Tilloy (osomon) wrote :

It looks like the raw-usb interface might help here. I'll rebuild the snap with it and will post instructions on how to test.

Olivier Tilloy (osomon) wrote :

@Chris: can you try the following, and report whether this addresses the issue:

    snap refresh chromium --channel=candidate/raw-usb-test
    snap connect chromium:raw-usb

Thanks!

Changed in chromium-browser (Ubuntu):
status: New → Confirmed
importance: Undecided → Medium
Chris Cowling (tatramaco) wrote :

It no longer throws an apparmor denied message but it doesn't work.....

Bot gmail and github throw a 'Something went wrong' error.

Olivier Tilloy (osomon) wrote :

Do you get more useful debug information if you run the snap with the "--enable-logging=stderr" parameter?

karl (karl-hiramoto) wrote :

with chromium --enable-logging=stderr

You just see that chromium can not find the device in the log it says:

[14261:14261:0718/202809.157292:INFO:CONSOLE(173)] "0718 20:28:09.156000: []", source: chrome-extension://kmendfapggjehodndflmmgagdbamhnfd/gnubbies.js (173)
[14261:14261:0718/202809.358137:INFO:CONSOLE(172)] "0718 20:28:09.358000: Enumerated 0 gnubbies", source: chrome-extension://kmendfapggjehodndflmmgagdbamhnfd/gnubbies.js (172)
[14261:14261:0718/202809.358350:INFO:CONSOLE(173)] "0718 20:28:09.358000: []", source: chrome-extension://kmendfapggjehodndflmmgagdbamhnfd/gnubbies.js (173)
[14261:14261:0718/202809.358616:INFO:CONSOLE(172)] "0718 20:28:09.359000: Enumerated 0 gnubbies", source: chrome-extension://kmendfapggjehodndflmmgagdbamhnfd/gnubbies.js (172)
[14261:14261:0718/202809.358858:INFO:CONSOLE(173)] "0718 20:28:09.359000: []", source: chrome-extension://kmendfapggjehodndflmmgagdbamhnfd/gnubbies.js (173)

karl (karl-hiramoto) wrote :

the proprietary google chrome does find the yubikey / gnubbie

Sami Ben Hatit (sambh) wrote :

I can confirm the bug is still present, tested with 67.0.3396.99 (367) and 68.0.3440.75 (383). I couldn't test with raw-usb as it seems this channel doesn't exist anymore.

Anything I could do to help testing or debugging this?

Olivier Tilloy (osomon) wrote :

@Sami: I have re-opened the candidate/raw-usb-test channel and updated it to the latest stable release. Please test with the instructions in comment #3, run chromium with --enable-logging=stderr, and in another terminal window please run "journalctl -f" and share any relevant denials. Thanks!

Download full text (26.0 KiB)

I have the same issue, my Yubikey is the yibikey neo 4 model, it does support U2F. after installing Ubuntu 18.04.01 I followed yubico's instructions: https://support.yubico.com/support/solutions/articles/15000006449-using-your-u2f-yubikey-with-linux

which means I have a udev rule for the device, but dmesg was still mapping to snap.chromium. At this point the U2F seemed to wait for input until timeout, whereas the key's LED would flash like if it were in process of system recognition indefinitelly (as seen from dmesg, it seems chromium it continously attempting to read the device, but there are permission restrictions).

dmesg:
[18519.805380] usb 1-9: new full-speed USB device number 9 using xhci_hcd
[18519.954776] usb 1-9: New USB device found, idVendor=1050, idProduct=0116
[18519.954782] usb 1-9: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[18519.954785] usb 1-9: Product: Yubikey NEO OTP+U2F+CCID
[18519.954789] usb 1-9: Manufacturer: Yubico
[18519.956412] input: Yubico Yubikey NEO OTP+U2F+CCID as /devices/pci0000:00/0000:00:14.0/usb1/1-9/1-9:1.0/0003:1050:0116.0006/input/input20
[18520.014104] hid-generic 0003:1050:0116.0006: input,hidraw1: USB HID v1.10 Keyboard [Yubico Yubikey NEO OTP+U2F+CCID] on usb-0000:00:14.0-9/input0
[18520.015266] hid-generic 0003:1050:0116.0007: hiddev0,hidraw2: USB HID v1.10 Device [Yubico Yubikey NEO OTP+U2F+CCID] on usb-0000:00:14.0-9/input1
[18551.143579] audit: type=1107 audit(1534439526.751:164): pid=989 uid=103 auid=4294967295 ses=4294967295 msg='apparmor="DENIED" operation="dbus_method_call" bus="system" path="/" interface="org.freedesktop.DBus.ObjectManager" member="GetManagedObjects" mask="send" name="org.bluez" pid=25155 label="snap.chromium.chromium" peer_pid=985 peer_label="unconfined"
                exe="/usr/bin/dbus-daemon" sauid=103 hostname=? addr=? terminal=?'
[18553.624016] audit: type=1400 audit(1534439529.231:165): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/run/udev/data/c238:0" pid=25155 comm="TaskSchedulerFo" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[18553.638835] audit: type=1400 audit(1534439529.247:166): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/run/udev/data/c239:0" pid=25155 comm="TaskSchedulerFo" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[18553.639389] audit: type=1400 audit(1534439529.247:167): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/run/udev/data/c240:1" pid=25155 comm="TaskSchedulerFo" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[18553.639450] audit: type=1400 audit(1534439529.247:168): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/run/udev/data/c240:2" pid=25155 comm="TaskSchedulerFo" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[18553.639491] audit: type=1400 audit(1534439529.247:169): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/run/udev/data/c240:0" pid=25155 comm="TaskSchedulerFo" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[18863.195707] audit: type=1400 audit(1534439838.807:170): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/ru...

Download full text (9.4 KiB)

Sorry forgot

journalctl -f:
-- Logs begin at Sun 2018-08-12 21:54:04 CEST. --
ago 16 19:20:29 Alex thunderbird.desktop[25941]: [Parent 26418, Gecko_IOThread] WARNING: pipe error (113): Conexión reinicializada por la máquina remota: file /build/firefox-oscv9o/firefox-61.0.1+build1/ipc/chromium/src/chrome/common/ipc_channel_posix.cc, line 353
ago 16 19:37:40 Alex dbus-daemon[18014]: apparmor="DENIED" operation="dbus_method_call" bus="session" path="/org/freedesktop/secrets" interface="org.freedesktop.DBus.Properties" member="GetAll" mask="send" name="org.freedesktop.secrets" pid=27271 label="snap.chromium.chromium" peer_pid=18002 peer_label="unconfined"
ago 16 19:37:40 Alex audit[989]: USER_AVC pid=989 uid=103 auid=4294967295 ses=4294967295 msg='apparmor="DENIED" operation="dbus_method_call" bus="system" path="/" interface="org.freedesktop.DBus.ObjectManager" member="GetManagedObjects" mask="send" name="org.bluez" pid=26979 label="snap.chromium.chromium" peer_pid=985 peer_label="unconfined"
                                  exe="/usr/bin/dbus-daemon" sauid=103 hostname=? addr=? terminal=?'
ago 16 19:37:40 Alex kernel: audit: type=1107 audit(1534441060.543:176): pid=989 uid=103 auid=4294967295 ses=4294967295 msg='apparmor="DENIED" operation="dbus_method_call" bus="system" path="/" interface="org.freedesktop.DBus.ObjectManager" member="GetManagedObjects" mask="send" name="org.bluez" pid=26979 label="snap.chromium.chromium" peer_pid=985 peer_label="unconfined"
                              exe="/usr/bin/dbus-daemon" sauid=103 hostname=? addr=? terminal=?'
ago 16 19:37:47 Alex audit[26979]: AVC apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/run/udev/data/c238:0" pid=26979 comm="TaskSchedulerFo" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
ago 16 19:37:47 Alex kernel: audit: type=1400 audit(1534441067.899:177): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/run/udev/data/c238:0" pid=26979 comm="TaskSchedulerFo" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
ago 16 19:37:47 Alex audit[26979]: AVC apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/run/udev/data/c239:0" pid=26979 comm="TaskSchedulerFo" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
ago 16 19:37:47 Alex audit[26979]: AVC apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/run/udev/data/c240:0" pid=26979 comm="TaskSchedulerFo" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
ago 16 19:37:47 Alex kernel: audit: type=1400 audit(1534441067.927:178): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/run/udev/data/c239:0" pid=26979 comm="TaskSchedulerFo" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
ago 16 19:37:47 Alex kernel: audit: type=1400 audit(1534441067.927:179): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/run/udev/data/c240:0" pid=26979 comm="TaskSchedulerFo" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
ago 16 19:38:12 Alex audit[26979]: AVC apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/run/udev/data/c238:0" pid=26979 comm="TaskSchedulerFo" requested_mask=...

Read more...

Olivier Tilloy (osomon) wrote :

Thanks for the feedback Alejandro. So it looks like the raw-usb interface doesn't help indeed, what chromium needs read access to to access your key is the following:

    /run/udev/data/c238:0
    /run/udev/data/c239:0
    /run/udev/data/c240:0
    /run/udev/data/c240:1
    /run/udev/data/c240:2

And there doesn't seem to be any existing interfaces for those.

To switch back to the stable channel, you can just do:

    sudo snap refresh chromium --stable

Charl le Roux (charl-leroux) wrote :

I am experiencing the same thing with both firefox and chromium snap packages. Google Chrome install works perfectly. Really annoying to have to revert to .deb if there is a snap package available.

Olivier Tilloy (osomon) on 2018-09-19
Changed in chromium-browser (Ubuntu):
importance: Medium → High
Jamie Strandboge (jdstrand) wrote :

We can add this to browser-support:

# for U2F yubikey
/run/udev/data/c238:[0-9]* r,
/run/udev/data/c239:[0-9]* r,
/run/udev/data/c240:[0-9]* r,
/run/udev/data/c240:[0-9]* r,
/run/udev/data/c240:[0-9]* r,

Can someone experiencing this issue adjust /var/lib/snapd/apparmor/profiles/snap.chromium.chromium to have the above, and then run: sudo apparmor_parser -r /var/lib/snapd/apparmor/profiles/snap.chromium.chromium and report back if the issue is resolved? If not, please paste any other apparmor denials.

Jamie Strandboge (jdstrand) wrote :

The actual rules would be:

# for U2F yubikey
/run/udev/data/c238:[0-9]* r,
/run/udev/data/c239:[0-9]* r,
/run/udev/data/c240:[0-9]* r,

but using the redundant rules from the previous comment is fine too.

Olivier Tilloy (osomon) on 2018-09-19
Changed in chromium-browser (Ubuntu):
assignee: nobody → Olivier Tilloy (osomon)
Kyle Fazzari (kyrofa) wrote :

jdstrand, I've added those rules, and the denials go away, but I'm afraid it still doesn't work. There doesn't seem to be any denials, but it's like chrome just doesn't see it.

Olivier Tilloy (osomon) wrote :

I'm testing with a brand new Yubikey 4, and after adding the rules in comment #16, I was seeing more denials which prompted me to add the following two rules:

    /run/udev/data/c14:[0-9]* r,
    /sys/devices/pci**/usb*/**/report_descriptor r,

With those the denials went away, but U2F registration still fails. I'm using https://demo.yubico.com/u2f?tab=register to test, and seeing the following error:

Registration failed!
Make sure you have a U2F device connected, and try again.

 Traceback (most recent call last):
  File "/root/python-u2flib-server-demo/examples/yubiauth_server.py", line 161, in __call__
    raise Exception("FIDO Client error: %s" % error)
Exception: FIDO Client error: 1 (OTHER ERROR)

Olivier Tilloy (osomon) wrote :

Could the hidraw interface (https://github.com/snapcore/snapd/blob/master/interfaces/builtin/hidraw.go) be of any help here?

Daniel Aleksandersen (da2x) wrote :

This isn’t mentioned in the bug so thought I’d just document it here:

* U2F must be enabled in about:config (security.webauth.u2f;true) before it will work in Firefox.

Olivier Tilloy (osomon) wrote :

Jamie added a u2f-devices interface to snapd, and I successfully tested it with chromium and a YubiKey 4 (using https://demo.yubico.com/webauthn/registration).

Changed in chromium-browser (Ubuntu):
status: Confirmed → In Progress
Olivier Tilloy (osomon) wrote :

I've published revision 579 to the candidate channel with the u2f-devices plug.
To test this you will need to do the following:

    snap refresh core --edge
    snap refresh chromium --candidate
    snap connect chromium:u2f-devices

Then restart chromium and verify that your U2F device is seen and works.

To everyone affected, please test and let me know if that works for you (details about your U2F device would be interesting).

Jeremy Bicha (jbicha) wrote :

I used your instructions to successfully authenticate with https://salsa.debian.org/ using the Chromium snap. Thanks! I believe my device is also a Yubikey 4.

Jeremy Bicha (jbicha) wrote :

This works now with core and chromium on the stable branches.

Olivier, I don't see u2f in GNOME Software's Permissions dialog for Chromium.

Also, are you intending to ask Security if u2f can be auto-connected for Chromium?

Olivier Tilloy (osomon) wrote :

I'm not sure whether u2f being auto-connected is acceptable from a security standpoint, I'll ask Jamie and if it is, I'll request the auto-connection.

Changed in chromium-browser (Ubuntu Xenial):
status: New → Invalid
Changed in chromium-browser (Ubuntu Bionic):
status: New → Invalid
Changed in chromium-browser (Ubuntu Cosmic):
status: New → Invalid
Changed in gnome-software (Ubuntu Xenial):
status: New → Confirmed
Changed in gnome-software (Ubuntu Bionic):
status: New → Confirmed
Changed in gnome-software (Ubuntu Cosmic):
status: New → Confirmed
Changed in gnome-software (Ubuntu Xenial):
importance: Undecided → Medium
Changed in gnome-software (Ubuntu Bionic):
importance: Undecided → Medium
Changed in gnome-software (Ubuntu Cosmic):
importance: Undecided → Medium
Changed in gnome-software (Ubuntu Xenial):
assignee: nobody → Robert Ancell (robert-ancell)
Changed in gnome-software (Ubuntu Bionic):
assignee: nobody → Robert Ancell (robert-ancell)
Changed in gnome-software (Ubuntu Cosmic):
assignee: nobody → Robert Ancell (robert-ancell)
Changed in gnome-software (Ubuntu):
assignee: nobody → Robert Ancell (robert-ancell)
status: New → Confirmed
importance: Undecided → Medium
Ken VanDine (ken-vandine) wrote :

@robert-ancell, I addition of this interface to the ubuntu-master, ubuntu-3-30, and ubuntu-3-28 branches as well as snap-store. Can you please include this in your next round of SRUs for cosmic, bionic and xenial? I wasn't sure which branch to use for xenial.

Changed in gnome-software (Ubuntu Bionic):
status: Confirmed → Fix Committed
Changed in gnome-software (Ubuntu):
status: Confirmed → Fix Committed
Olivier Tilloy (osomon) on 2019-03-07
Changed in chromium-browser (Ubuntu):
status: Fix Committed → Fix Released
no longer affects: chromium-browser (Ubuntu Xenial)
no longer affects: chromium-browser (Ubuntu Bionic)
no longer affects: chromium-browser (Ubuntu Cosmic)

Thanks for uploading the fix for this bug report to -proposed. However, when reviewing the package in -proposed and the details of this bug report I noticed that the bug description is missing information required for the SRU process. You can find full details at http://wiki.ubuntu.com/StableReleaseUpdates#Procedure but essentially this bug is missing some of the following: a statement of impact, a test case and details regarding the regression potential. Thanks in advance!

description: updated

Hello Olivier, or anyone else affected,

Accepted gnome-software into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/gnome-software/3.28.1-0ubuntu4.18.04.9 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

tags: added: verification-needed verification-needed-bionic
Robert Ancell (robert-ancell) wrote :

Tested gnome-software 3.28.1-0ubuntu4.18.04.9 and the u2f-devices interface control is shown.

tags: added: verification-done-bionic
removed: verification-needed verification-needed-bionic
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package gnome-software - 3.30.6-2ubuntu3

---------------
gnome-software (3.30.6-2ubuntu3) disco; urgency=medium

  * debian/patches/0028-Added-u2f-devices-to-interfaces-UI.patch
    - Allow connections on the u2f-devices interface (LP: #1738164)
    (the patch has been SRUed to bionic but was missing from Disco)

 -- Sebastien Bacher <email address hidden> Thu, 04 Apr 2019 13:45:29 +0200

Changed in gnome-software (Ubuntu):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package gnome-software - 3.28.1-0ubuntu4.18.04.9

---------------
gnome-software (3.28.1-0ubuntu4.18.04.9) bionic; urgency=medium

  * debian/rules:
    - Disable ubuntu-reviews plugin (use ODRS instead)
  * debian/patches/0028-Added-u2f-devices-to-interfaces-UI.patch:
    - Allow connections on the u2f-devices interface (LP: #1738164)
  * debian/patches/0029-snap-Use-ODRS-for-reviews.patch:
    - Review snaps using ODRS review server (LP: #1815708)

 -- Robert Ancell <email address hidden> Wed, 27 Feb 2019 16:16:54 +1300

Changed in gnome-software (Ubuntu Bionic):
status: Fix Committed → Fix Released

The verification of the Stable Release Update for gnome-software has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Changed in gnome-software (Ubuntu Xenial):
status: Confirmed → Fix Committed

An upload of gnome-software to xenial-proposed has been rejected from the upload queue for the following reason: "Since this upload includes the same change for 'new media API' as others, I would feel much safer if we set a minimal version depenency to libsnapd-glib-dev (>= 1.45) - since it seems there was more than one snapd-glib version in xenial.".

Hello Olivier, or anyone else affected,

Accepted gnome-software into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/gnome-software/3.20.5-0ubuntu0.16.04.12 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

tags: added: verification-needed verification-needed-xenial
Robert Ancell (robert-ancell) wrote :

Tested gnome-software 3.20.5-0ubuntu0.16.04.12 and the u2f-devices interface control is shown.

tags: added: verification-done-xenial
removed: verification-needed verification-needed-xenial
Changed in gnome-software (Ubuntu Cosmic):
status: Confirmed → Won't Fix
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package gnome-software - 3.20.5-0ubuntu0.16.04.12

---------------
gnome-software (3.20.5-0ubuntu0.16.04.12) xenial; urgency=medium

  * debian/patches/0001-Fix-potential-crash-when-icons-are-missing.patch:
    - Fix crash loading icons (LP: #1778135)
  * debian/patches/0020-Add-a-basic-permissions-system.patch:
    - Fix crash when have plugs with multiple slots available (LP: #1778160)
  * debian/patches/0021-Add-a-Snap-plugin.patch
    - Fix some command line warnings (LP: #1790563)
    - Use new snapd media API (LP: #1799614)
    - Allow connections on the u2f-devices interface (LP: #1738164)
  * debian/patches/0053-Don-t-reject-unexpected-state-changes-external-event.patch:
    - Fix snaps not being shown correctly after install from command line
      (LP: #1754655)
  * debian/patches/0054-Show-verified-developers.patch:
    - Show verified developers (LP: #1789336)

 -- Robert Ancell <email address hidden> Wed, 17 Apr 2019 14:39:52 +1200

Changed in gnome-software (Ubuntu Xenial):
status: Fix Committed → Fix Released
Christoph (cvboth) wrote :

I'm still facing this problem. I just switched to 19.10 and the snap package has been installed. It does not work.
I tried to do the "snap connect chromium:u2f-devices" but this will not solve the problem.

My dmesg out put shows a lot of DENIED:

audit: type=1107 audit(1572541712.846:243): pid=954 uid=106 auid=4294967295 ses=4294967295 msg='apparmor="DENIED" operation="dbus_method_call" bus="system" path="/" interface="org.freedesktop.DBus.ObjectManager" member="GetManagedObjects" mask="send" name="org.bluez" pid=20568 label="snap.chromium.chromium" peer_pid=946 peer_label="unconfined"
                exe="/usr/bin/dbus-daemon" sauid=106 hostname=? addr=? terminal=?'
[ 7036.430639] audit: type=1400 audit(1572541713.042:244): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/var/lib/snapd/desktop/icons/" pid=20568 comm="chrome" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[ 7036.430641] audit: type=1400 audit(1572541713.042:245): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/var/lib/snapd/desktop/icons/" pid=20568 comm="chrome" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[ 7049.256201] audit: type=1400 audit(1572541725.870:246): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/sys/devices/pci0000:00/0000:00:15.1/i2c_designware.1/i2c-2/i2c-ELAN1200:00/0018:04F3:3022.0001/report_descriptor" pid=20568 comm="ThreadPoolForeg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

Can you please advise how to fix this? Thanks!

Olivier Tilloy (osomon) wrote :

Christoph, is your device a Yubikey? If not would you mind filing a new bug report with all the details by running `ubuntu-bug chromium-browser` ?

The relevant denial seems to be:

[ 7049.256201] audit: type=1400 audit(1572541725.870:246): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/sys/devices/pci0000:00/0000:00:15.1/i2c_designware.1/i2c-2/i2c-ELAN1200:00/0018:04F3:3022.0001/report_descriptor" pid=20568 comm="ThreadPoolForeg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

Olivier Tilloy (osomon) wrote :

Nevermind, I hadn't realized you had filed bug #1851211 already. Let's continue the discussion there.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers