When enabled, Firefox AppArmor profile prevents U2F devices from working
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
firefox (Ubuntu) |
Confirmed
|
Undecided
|
Unassigned |
Bug Description
Summary:
If you enable the apparmor profile that comes in Ubuntu's Firefox package, it prevents USB U2F tokens from being used.
To reproduce:
1. Obtain a USB FIDO/U2F token - such as a Yubikey; and a clean install of Ubuntu 20.04 with Firefox installed, but the AppArmor profile for firefox disabled (As is the default).
2. Confirm the correct function of your U2F token - such as at https:/
3. Enable the AppArmor profile with the following command, then restart firefox.
sudo aa-enforce /etc/apparmor.
4. Repeat your test of your U2F token. You will find Firefox is unable to access your U2F token. Any accounts you need U2F to log into are now inaccessible.
5. Disabling the apparmor profile and restarting firefox will make U2F work again.
To work around:
Edit /etc/apparmor.
# Doesn't seem to be required, but noisy. Maybe allow 'r' for 'b*' if needed.
# Possibly move to an abstraction if anything else needs it.
deny /run/udev/data/** r,
Instead allowing access to udev data, and to hidraw devices:
/run/udev/data/** r,
/dev/hidraw[0-9] rw,
I haven't checked the security implications of this change; some might feel it grants overly broad access. Chromium, which in 20.04 is delivered as a snap, includes udev rules (70-snap.
Status changed to 'Confirmed' because the bug affects multiple users.