Initial problem of "[sáb abr 2 17:32:27 2022] audit: type=1400
audit(1648931547.646:115): apparmor="DENIED" operation="file_mmap"
profile="snap.firefox.firefox"
name="/run/user/1000/doc/e0bac853/libaetpkss.so.3.5.4112" pid=3680
comm="firefox" requested_mask="m" denied_mask="m" fsuid=1000 ouid=0"

can be solved by adding to  
/var/lib/snapd/apparmor/profiles/snap.firefox.firefox something like:
-- DEE.snap.firefox.firefox     2022-05-15 00:51:38.010651530 -0500
+++ snap.firefox.firefox        2022-05-15 21:18:39.445523027 -0500
@@ -312,6 +312,9 @@
   /tmp/   r,
   /tmp/** mrwlkix,
 
+  #DEE
+  /run/user/[0-9]*/** mrwlkix,
+
   # App-specific access to files and directories in /dev/shm. We allow file
   # access in /dev/shm for shm_open() and files in subdirectories for open()
   # bind mount *not* used here (see 'parallel installs', above)
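
Review bot: the added rule "/run/user/[0-9]*/** mrwlkix," grants far more than the logged denial calls for. The denial shows requested_mask="m" on a single file under /run/user/1000/doc/, while this rule gives read, write, link, lock, mmap and inherit-execute on everything below every /run/user/<uid>/ directory. Note also that "[0-9]*" is one digit followed by any non-slash characters, not a purely numeric match. Suggest scoping the path to the doc directory and dropping w, l, k and ix, for example "/run/user/[0-9]*/doc/** mr,", and replacing the bare "#DEE" comment with one that says why the rule exists.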

This adds the "m" mask to the "/run/user/1000/doc/e0bac853/" directory
but does allow the module to be loaded. This is overkill for the
directory. For a PKCS11 module "mr" may be all that is needed.

It is not clear why the choice was made to copy the pkcs11 modules to the doc 
directory in the first place.
Ubuntu appears to install PKCS11 modules (at least some) in
/usr/lib/x86_64-linux-gnu/pkcs11, so why can't this be used without copying?

The above only shows how to get around the first of many possible
problems.

Not all Ubuntu-installed PKCS11 modules are installed in the above
directory. p11-kit-client.so is, but opensc-pkcs11.so and
onepin-opensc-pkcs11.so are not; they are just symlinks.

Trying to use the apparmor aa-complain to get more info does not work
with the way the snap apparmor profiles are named. It appears the
profile uses "." in place of "/" and there is no "snap/firefox/firefox".


PKCS11 modules may load other PKCS11 modules, i.e. that is what p11-kit does.
Each of these modules may have config files with system and user versions. 
apparmor needs to address how these config files can be read.

 
Until it can be shown that PKCS11 modules can easily be used, I would
suggest that firefox not be installed by snap.

Also see:
https://github.com/OpenSC/OpenSC/issues/2552






** Bug watch added: OpenSC Issues #2552
   https://github.com/OpenSC/OpenSC/issues/2552
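
The following Python script is an added example, not part of the bug comment and not snapd or AppArmor tooling. It parses the denial quoted above and reports, for a candidate file rule, whether the rule covers the denial and which permissions it grants beyond the denied mask. The glob translation is a simplified approximation, and the narrower "/run/user/[0-9]*/doc/** mr," rule is a hypothetical alternative that the report does not test.

```python
import re

# The denial quoted in the bug report, joined onto one line.
DENIAL = ('audit: type=1400 audit(1648931547.646:115): apparmor="DENIED" '
          'operation="file_mmap" profile="snap.firefox.firefox" '
          'name="/run/user/1000/doc/e0bac853/libaetpkss.so.3.5.4112" pid=3680 '
          'comm="firefox" requested_mask="m" denied_mask="m" fsuid=1000 ouid=0')

def parse_denial(line):
    """Return the key=value fields of an AppArmor DENIED record, else None."""
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|(\S+))', line)
    fields = {key: quoted or bare for key, quoted, bare in pairs}
    return fields if fields.get("apparmor") == "DENIED" else None

def split_perms(perms):
    """Split a file-rule permission string such as 'mrwlkix' into tokens."""
    return re.findall(r'(?:[pPcCuU][iu]?|i)?x|[rwalkm]', perms)

def glob_to_regex(glob):
    """Approximate AppArmor globbing: ** crosses '/', * and ? do not."""
    out, i = "", 0
    while i < len(glob):
        if glob.startswith("**", i):
            out, i = out + ".*", i + 2
        elif glob[i] == "*":
            out, i = out + "[^/]*", i + 1
        elif glob[i] == "?":
            out, i = out + "[^/]", i + 1
        elif glob[i] == "[":
            end = glob.index("]", i)          # copy the character class as-is
            out, i = out + glob[i:end + 1], end + 1
        else:
            out, i = out + re.escape(glob[i]), i + 1
    return re.compile(out + r"\Z")

def review_rule(rule, denial):
    """Does 'path perms,' cover the denial, and what does it grant on top?"""
    path_glob, perms = rule.rstrip(",").split()
    needed = set(split_perms(denial["denied_mask"]))
    granted = split_perms(perms)
    in_scope = bool(glob_to_regex(path_glob).match(denial["name"]))
    return {"covers": in_scope and needed <= set(granted),
            "surplus": [p for p in granted if p not in needed]}

if __name__ == "__main__":
    d = parse_denial(DENIAL)
    # First rule is the one in the diff; the second is a hypothetical narrower rule.
    for rule in ("/run/user/[0-9]*/** mrwlkix,", "/run/user/[0-9]*/doc/** mr,"):
        print(rule, review_rule(rule, d))
```
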

https://bugs.launchpad.net/bugs/1967632

Title:
  [snap] apparmor denied when trying to load pkcs11 module for smart
  card authentication

Status in firefox package in Ubuntu:
  Triaged

Bug description:
  I use a smart card to access government sites. I have that working in
  firefox and chrome on ubuntu impish, and gave jammy a try, but there
  firefox won't load the library, giving me a generic error.

  dmesg, however, shows this apparmor denied message:

  [sáb abr  2 17:32:27 2022] audit: type=1400 audit(1648931547.646:115):
  apparmor="DENIED" operation="file_mmap" profile="snap.firefox.firefox"
  name="/run/user/1000/doc/e0bac853/libaetpkss.so.3.5.4112" pid=3680
  comm="firefox" requested_mask="m" denied_mask="m" fsuid=1000 ouid=0

  
  Note also the path, that's not what I typed into the firefox dialog box. I
  have the .so copied to /usr/lib/x86_64-linux-gnu/libaetpkss.so.3.5.4112, and
  that's what I typed in when prompted for its path by firefox.

  ProblemType: Bug
  DistroRelease: Ubuntu 22.04
  Package: firefox 1:1snap1-0ubuntu2
  ProcVersionSignature: Ubuntu 5.15.0-23.23-generic 5.15.27
  Uname: Linux 5.15.0-23-generic x86_64
  NonfreeKernelModules: zfs zunicode zavl icp zcommon znvpair
  ApportVersion: 2.20.11-0ubuntu80
  Architecture: amd64
  CasperMD5CheckResult: pass
  CurrentDesktop: ubuntu:GNOME
  Date: Sat Apr  2 17:34:09 2022
  InstallationDate: Installed on 2022-03-20 (13 days ago)
  InstallationMedia: Ubuntu 22.04 LTS "Jammy Jellyfish" - Alpha amd64 (20220319)
  Snap.Changes: no changes found
  SourcePackage: firefox
  UpgradeStatus: No upgrade log present (probably fresh install)
