*** This bug is a duplicate of bug 1930769 ***
    https://bugs.launchpad.net/bugs/1930769

Public bug reported:

Summary:

If you enable the AppArmor profile that comes in Ubuntu's Firefox
package, it prevents USB U2F tokens from being used.

To reproduce:

1. Obtain a USB FIDO/U2F token, such as a Yubikey, and a clean install
of Ubuntu 20.04 with Firefox installed, but the AppArmor profile for
Firefox disabled (as is the default).

2. Confirm the correct function of your U2F token - such as at
https://demo.yubico.com/webauthn-technical

3. Enable the AppArmor profile with the following command, then restart
Firefox.

     sudo aa-enforce /etc/apparmor.d/usr.bin.firefox

4. Repeat your test of your U2F token. You will find Firefox is unable
to access your U2F token. Any accounts you need U2F to log into are now
inaccessible.

5. Disabling the AppArmor profile and restarting Firefox will make U2F
work again.

To work around:

Edit /etc/apparmor.d/usr.bin.firefox and replace these lines:

  # Doesn't seem to be required, but noisy. Maybe allow 'r' for 'b*' if needed.
  # Possibly move to an abstraction if anything else needs it.
  deny /run/udev/data/** r,

Instead, allow access to udev data and to hidraw devices:

  /run/udev/data/** r,
  /dev/hidraw[0-9] rw,

I haven't checked the security implications of this change; some might
feel it grants overly broad access. Chromium, which in 20.04 is
delivered as a snap, includes udev rules (70-snap.chromium.rules) which
I suspect grant access in a device-id-whitelisted way.

** Affects: firefox (Ubuntu)
     Importance: Undecided
         Status: New

** This bug has been marked a duplicate of bug 1930769
   When enabled, Firefox AppArmor profile prevents U2F devices from working

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1930768

Title:
  When enabled, Firefox AppArmor profile prevents U2F devices from
  working

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1930768/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
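
Added example, not part of the original report or of the Ubuntu profile: a small Python model of how the rule lines quoted in the report treat the paths a U2F token needs, showing why the stock lines block the token and how far the workaround's /dev/hidraw[0-9] glob reaches. It assumes enforce mode, models only the quoted lines (a real profile has many more rules and includes), handles only a subset of AppArmor glob syntax, and uses constructed sample paths.

```python
import re

# Rule lines copied from the report: the stock profile and the proposed workaround.
STOCK = "  deny /run/udev/data/** r,"
WORKAROUND = "  /run/udev/data/** r,\n  /dev/hidraw[0-9] rw,"

RULE = re.compile(r"^\s*(deny\s+)?(/\S+)\s+([a-zA-Z]+),")

def glob_to_regex(glob):
    """Translate an AppArmor path glob (subset: **, *, ?, [...]) to a regex."""
    out, i = [], 0
    while i < len(glob):
        if glob.startswith("**", i):      # ** crosses directory separators
            out.append(".*"); i += 2
        elif glob[i] == "*":              # * stays inside one path component
            out.append("[^/]*"); i += 1
        elif glob[i] == "?":
            out.append("[^/]"); i += 1
        elif glob[i] == "[":              # character class: exactly one character
            j = glob.index("]", i)
            out.append(glob[i:j + 1]); i = j + 1
        else:
            out.append(re.escape(glob[i])); i += 1
    return re.compile("".join(out) + r"\Z")

def parse_rules(fragment):
    """Return (is_deny, path_regex, permission_set) for each file rule line."""
    rules = []
    for line in fragment.splitlines():
        m = RULE.match(line)
        if m:
            rules.append((bool(m.group(1)), glob_to_regex(m.group(2)), set(m.group(3))))
    return rules

def decide(rules, path, perm):
    """An explicit deny beats any allow; a path with no rule is refused."""
    hits = [deny for deny, rx, perms in rules if perm in perms and rx.match(path)]
    if any(hits):
        return "denied (explicit)"
    return "allowed" if hits else "denied (no rule)"

if __name__ == "__main__":
    # Constructed sample paths; the udev data file name is illustrative.
    for name, frag in (("stock", STOCK), ("workaround", WORKAROUND)):
        for path, perm in (("/run/udev/data/c240:0", "r"),
                           ("/dev/hidraw0", "w"), ("/dev/hidraw10", "w")):
            print(name, path, perm, decide(parse_rules(frag), path, perm))
```

With the workaround lines, /dev/hidraw0 is allowed but /dev/hidraw10 is still refused, because [0-9] matches a single digit.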
