Comment 7 for bug 1967632

Revision history for this message
Douglas E Engert (dengert) wrote :

Initial problem of "[sáb abr 2 17:32:27 2022] audit: type=1400 audit(1648931547.646:115): apparmor="DENIED" operation="file_mmap" profile="snap.firefox.firefox" name="/run/user/1000/doc/e0bac853/libaetpkss.so.3.5.4112" pid=3680 comm="firefox" requested_mask="m" denied_mask="m" fsuid=1000 ouid=0"

can be solved by adding to /var/lib/snapd/apparmor/profiles/snap.firefox.firefox something like:
-- DEE.snap.firefox.firefox 2022-05-15 00:51:38.010651530 -0500
+++ snap.firefox.firefox 2022-05-15 21:18:39.445523027 -0500
@@ -312,6 +312,9 @@
   /tmp/ r,
   /tmp/** mrwlkix,

+ #DEE
+ /run/user/[0-9]*/** mrwlkix,
+
   # App-specific access to files and directories in /dev/shm. We allow file
   # access in /dev/shm for shm_open() and files in subdirectories for open()
   # bind mount *not* used here (see 'parallel installs', above)
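Review bot: the added rule `/run/user/[0-9]*/** mrwlkix,` grants write, link, lock and inherit-execute on everything under every user's runtime directory, far more than the single denial quoted above asks for (requested_mask="m" on /run/user/1000/doc/e0bac853/libaetpkss.so.3.5.4112); since the comment itself notes that "mr" is probably sufficient, narrow it to the portal document path, e.g. `/run/user/[0-9]*/doc/*/*.so* mr,`. Two smaller points: the first header line reads `-- DEE.snap.firefox.firefox` where `---` is needed for the patch to apply, and the `#DEE` marker should be a descriptive comment explaining why PKCS11 modules under the document portal need mmap.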

This adds the "m" mask to the "/run/user/1000/doc/e0bac853/" directory but does allow the module to be loaded. This is overkill for the directory. For a PKCS11 module, "mr" may be all that is needed.

It is not clear why the choice was made to copy the pkcs11 modules to the doc directory in the first place.
Ubuntu appears to install PKCS11 modules (at least some) in /usr/lib/x86_64-linux-gnu/pkcs11, so why can't this be used without copying?

The above only shows how to get around the first of many possible problems.

Not all Ubuntu installed PKCS11 modules are installed in the above directory. p11-kit-client.so is but opensc-pkcs11.so and onepin-opensc-pkcs11.so are not, just symlinks.

Trying to use the apparmor aa-complain to get more info does not work with the way the snap apparmor profiles are named. It appears the profile uses "." in place of "/" and there is no "snap/firefox/firefox".

Pkcs11 modules may load other PKCS11 modules, i.e. that is what p11-kit does. Each of these modules may have config files with system and user versions. apparmor needs to address how these config files can be read.

Until it can be shown that PKCS11 modules can easily be used, I would suggest that firefox not be installed by snap.

Also see:
https://github.com/OpenSC/OpenSC/issues/2552
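As an added example (not part of the comment above or of snapd's own tooling), the following Python script parses the quoted AppArmor audit record, derives the narrowest file rule that would satisfy that single denial, and reports which permission letters the comment's `/run/user/[0-9]*/** mrwlkix,` rule grants beyond it. The generalisation of the uid to `[0-9]*` follows the comment; generalising the portal document id to `*` is an assumption made here.

```python
import re

# Constructed sample: the audit record quoted in the comment above.
AUDIT_LINE = (
    'audit: type=1400 audit(1648931547.646:115): apparmor="DENIED" '
    'operation="file_mmap" profile="snap.firefox.firefox" '
    'name="/run/user/1000/doc/e0bac853/libaetpkss.so.3.5.4112" pid=3680 '
    'comm="firefox" requested_mask="m" denied_mask="m" fsuid=1000 ouid=0'
)

# The rule proposed in the comment's patch, for comparison.
PATCH_RULE = "/run/user/[0-9]*/** mrwlkix,"


def parse_apparmor_denial(line):
    """Return a dict of the key=value / key="value" fields of an audit record."""
    fields = {}
    for m in re.finditer(r'(\w+)=("([^"]*)"|\S+)', line):
        key, raw, quoted = m.groups()
        fields[key] = quoted if quoted is not None else raw
    return fields


def minimal_rule(denial):
    """Narrowest file rule satisfying this one denial.

    /run/user/<uid>/doc/<portal id>/ is generalised to
    /run/user/[0-9]*/doc/*/ (uid as in the comment; portal id is an
    assumption). Only the denied permissions are granted, plus 'r',
    because mmap of a file first needs it opened for reading, which is
    why the comment expects "mr" to be enough.
    """
    path = re.sub(r"^/run/user/\d+/doc/[0-9a-f]+/",
                  "/run/user/[0-9]*/doc/*/", denial["name"])
    perms = set(denial["denied_mask"])
    if "m" in perms:
        perms.add("r")
    return f'{path} {"".join(sorted(perms))},'


def excess_permissions(rule, minimal):
    """Permission letters granted by `rule` that `minimal` does not need."""
    perms = lambda r: set(r.rsplit(None, 1)[1].rstrip(","))
    return "".join(sorted(perms(rule) - perms(minimal)))


if __name__ == "__main__":
    denial = parse_apparmor_denial(AUDIT_LINE)
    narrow = minimal_rule(denial)
    print("minimal rule:", narrow)
    print("extra perms in patch rule:", excess_permissions(PATCH_RULE, narrow))
```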