After spending a week on this, I think I see the problem.

(1) pkcs11 modules are dynamically loaded by Mozilla NSS and need the
/etc/apparmor.d/abstractions/p11-kit as stated in the previous comment.

(2) dynamically loaded modules may also load additional shared
libraries. So apparmor profiles are needed for each possible pkcs11
module. Ubuntu-22.04 has a /etc/apparmor.d/abstractions/p11-kit but it
needs the "m" file_mmap as stated in the previous comment.

(3) /var/lib/snapd/apparmor/profiles/snap.firefox.firefox includes these system
based profiles:
  #include <abstractions/base>
  #include <abstractions/consoles>
  #include <abstractions/openssl>
But it does not include
  #include <abstractions/p11-kit>
So it cannot load p11-kit or any pkcs11 module p11-kit might try to load.
(/etc/apparmor.d/abstractions/p11-kit will also include any profiles in
abstractions/p11-kit.d)

(4) Smartcard pkcs11 modules use the pcscd system service. On most Linux
systems this is the pcsc-lite package:
https://github.com/LudovicRousseau/PCSC ; the ClientSetupSession function
https://github.com/LudovicRousseau/PCSC/blob/master/src/winscard_msg.c#L107-L167
sets client access to the socket. (I have not looked at what it would
take to add the dbus apparmor code needed to do this.)

Observations:

With a modified /etc/apparmor.d/abstractions/p11-kit that has the "m"
file_mmap, and with the #include <abstractions/p11-kit> added to
/var/lib/snapd/apparmor/profiles/snap.firefox.firefox, I can add p11-kit as a
"Security Device", but it does not load any additional pkcs11 modules.

~/snap/firefox/common/.mozilla/firefox/0i8u9awg.default/pkcs11.txt has:
  library=/lib/x86_64-linux-gnu/libp11-kit.so.0.3.0
  name=p11-kit
(Using symlinks to libs appears to be a problem, so I avoided using them.)

I cannot add a "security device" for OpenSC even after adding a
/etc/apparmor.d/abstractions/opensc profile.

(Others on the internet have reported problems with other smart card
pkcs11 modules not just opensc.)

Using audit on all possible files does not show a file-loading problem, nor does
running
sudo apparmor_parser -v -C -r snap.firefox.firefox to reload in complain-only mode
show any problems. So the problem must be something else.

p11-kit does not directly need access to pcscd, so (4) is not an issue
with p11-kit itself, but (4) is an issue with any (or most) pkcs11
modules loaded by p11-kit.

Solutions:

For a snap-installed firefox, if (1), (2), (3) and (4) were addressed, snap
firefox should work.
Adding profiles for each pkcs11 module to /etc/apparmor.d/abstractions and
adding an include in /etc/apparmor.d/abstractions/p11-kit.d would require
only adding an include for p11-kit to snap.firefox.firefox. I hope that there
is enough info above so someone else can add the dbus code.


Personally:

I find snap to be a nightmare and Ubuntu should not have made it the
default firefox. Ubuntu should at least continue to give the user a
choice. All my testing has been on a virtual test 22.04 system. I was in
the process of converting from 20.04 to 22.04, both virtual, when I ran
into this problem. I have removed the snap firefox and am working on
using the Debian firefox-esr which works great with smartcards and
pkcs11, and is much faster. I just have to convert my .mozilla profiles
because the name changed from firefox to firefox-esr.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1967632

Title:
  [snap] apparmor denied when trying to load pkcs11 module for smart
  card authentication

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1967632/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
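The two configuration defects described in the comment above, the snap profile that never pulls in abstractions/p11-kit, and library rules in that abstraction that grant "r" but not the "m" (file_mmap) permission a dlopen()ed pkcs11 module needs, can both be caught by a static check of the profile text before reloading it. The following is an added example written for this page; it is not code from the bug reporter, snapd or Ubuntu. The profile and abstraction excerpts embedded in it are constructed stand-ins, not the real files shipped by Ubuntu 22.04, and the rule grammar it parses is the common subset of AppArmor file and include rules (an optional "owner" prefix, a path, a permission string, a trailing comma; "#include <x>" and "include [if exists] <x>").

```python
"""Static check for the two AppArmor problems behind the pkcs11 denial:
(a) snap.firefox.firefox does not include abstractions/p11-kit,
(b) shared-object rules in the abstraction lack the 'm' (mmap) permission.
Example code for this page; constructed inputs, not the Ubuntu-shipped files."""
import re

# File rule:  [owner] <path> <perms>,   e.g.  /usr/lib/@{multiarch}/pkcs11/*.so mr,
RULE_RE = re.compile(
    r"^\s*(?:owner\s+)?(?P<path>/\S+)\s+(?P<perms>[A-Za-z]+)\s*,\s*(?:#.*)?$"
)
# Include line: '#include <x>' (old syntax) or 'include [if exists] <x>' (new syntax)
INCLUDE_RE = re.compile(r"^\s*#?include\s+(?:if\s+exists\s+)?<(?P<target>[^>]+)>")


def parse_includes(text):
    """Return the include targets of a profile or abstraction, in file order."""
    targets = []
    for line in text.splitlines():
        m = INCLUDE_RE.match(line)
        if m:
            targets.append(m.group("target"))
    return targets


def find_so_rules_missing_mmap(text):
    """Return paths of shared-object rules whose permission string lacks 'm'.

    NSS and p11-kit dlopen() the module, so the library must be mmap'able:
    an 'r'-only rule lets the open() succeed and then denies the mmap."""
    missing = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        path, perms = m.group("path"), m.group("perms")
        if ".so" in path and "m" not in perms:
            missing.append(path)
    return missing


def check_profile(profile_text, abstraction_text, needed="abstractions/p11-kit"):
    """Combine both checks into one report for a profile/abstraction pair."""
    return {
        "missing_include": needed not in parse_includes(profile_text),
        "so_rules_missing_mmap": find_so_rules_missing_mmap(abstraction_text),
    }


# Constructed excerpt standing in for the snap firefox profile as reported
# in the bug: base, consoles and openssl are included, p11-kit is not.
SNAP_PROFILE_BEFORE = """\
profile snap.firefox.firefox (attach_disconnected) {
  #include <abstractions/base>
  #include <abstractions/consoles>
  #include <abstractions/openssl>
}
"""

# Same constructed profile with the include the comment says is missing.
SNAP_PROFILE_AFTER = SNAP_PROFILE_BEFORE.replace(
    "  #include <abstractions/openssl>\n",
    "  #include <abstractions/openssl>\n  #include <abstractions/p11-kit>\n",
)

# Constructed abstraction: the libp11-kit rule is read-only, so a dlopen()
# of it would be denied on the mmap; the pkcs11 module directory is fine.
ABSTRACTION_BEFORE = """\
# constructed stand-in for /etc/apparmor.d/abstractions/p11-kit
/etc/pkcs11/pkcs11.conf r,
/usr/lib/@{multiarch}/libp11-kit.so* r,
/usr/lib/@{multiarch}/pkcs11/*.so mr,
include if exists <abstractions/p11-kit.d>
"""

# The same abstraction with "m" added to the library rule.
ABSTRACTION_AFTER = ABSTRACTION_BEFORE.replace("libp11-kit.so* r,", "libp11-kit.so* mr,")

if __name__ == "__main__":
    print("before:", check_profile(SNAP_PROFILE_BEFORE, ABSTRACTION_BEFORE))
    print("after: ", check_profile(SNAP_PROFILE_AFTER, ABSTRACTION_AFTER))
```

Run against the real files, the inputs would be the text of /var/lib/snapd/apparmor/profiles/snap.firefox.firefox and /etc/apparmor.d/abstractions/p11-kit; the check only reads profile text and never loads anything into the kernel, so it is safe to run before the "apparmor_parser -r" reload mentioned in the comment.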