brave-browser: U2F not working in Snap distribution

Related issues, both closed now:

  • #1007 was about the Snap package for Brave
  • #3558 describes a similar issue in the non-Snap package

Description

U2F key is not seen by Brave and it eventually times out offering fallback to TOTP. Journalctl displays these logs, which implies the Snap is missing plugs allowing it to access the U2F device:

Steps to Reproduce

1. snap install --beta brave
2. Try to log in to a U2F-enabled website (Bitbucket in my case)

Actual result:

U2F key is not seen by Brave and it eventually times out offering fallback to TOTP. Journalctl displays these logs, which implies the Snap is missing plugs allowing it to access the U2F device:

Nov 06 14:26:17 pax kernel: usb 1-2: new full-speed USB device number 24 using xhci_hcd
Nov 06 14:26:17 pax kernel: usb 1-2: New USB device found, idVendor=1050, idProduct=0120, bcdDevice= 5.02
Nov 06 14:26:17 pax kernel: usb 1-2: New USB device strings: Mfr=1, Product=2, SerialNumber=0
Nov 06 14:26:17 pax kernel: usb 1-2: Product: Security Key by Yubico
Nov 06 14:26:17 pax kernel: usb 1-2: Manufacturer: Yubico
Nov 06 14:26:17 pax kernel: hid-generic 0003:1050:0120.0008: hiddev1,hidraw2: USB HID v1.10 Device [Yubico Security Key by Yubico] on usb-0000:00:14.0-2/input0
Nov 06 14:26:17 pax mtp-probe[5973]: checking bus 1, device 24: "/sys/devices/pci0000:00/0000:00:14.0/usb1/1-2"
Nov 06 14:26:17 pax mtp-probe[5973]: bus: 1, device: 24 was not an MTP device
Nov 06 14:26:17 pax audit[5028]: AVC apparmor="DENIED" operation="open" profile="snap.brave.brave" name="/sys/devices/pci0000:00/0000:00:14.0/usb1/1-2/busnum" pid=5028 comm="ThreadPoolForeg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Nov 06 14:26:17 pax audit[5028]: AVC apparmor="DENIED" operation="open" profile="snap.brave.brave" name="/sys/devices/pci0000:00/0000:00:14.0/usb1/1-2/devnum" pid=5028 comm="ThreadPoolForeg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Nov 06 14:26:17 pax audit[5028]: AVC apparmor="DENIED" operation="open" profile="snap.brave.brave" name="/sys/devices/pci0000:00/0000:00:14.0/usb1/1-2/1-2:1.0/0003:1050:0120.0008/report_descriptor" pid=5028 comm="ThreadPoolForeg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Nov 06 14:26:17 pax mtp-probe[5983]: checking bus 1, device 24: "/sys/devices/pci0000:00/0000:00:14.0/usb1/1-2"

Expected result:

U2F is detected by Brave

Reproduces how often:

Always

Brave version (brave://version info)


Brave | 0.69.135 Chromium: 77.0.3865.120 (Official Build) (64-bit)
-- | --
Revision | 416d6d8013e9adb6dd33b0c12e7614ff403d1a94-refs/branch-heads/3865@{#884}
OS | Linux
JavaScript | V8 7.7.299.13
Flash | (Disabled)
User Agent | Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Safari/537.36
Command Line | /snap/brave/61/opt/brave.com/brave/brave-browser --enable-dom-distiller --disable-domain-reliability --disable-chrome-google-url-tracking-client --no-pings --extension-content-verification=enforce_strict --extensions-install-verification=enforce --enable-features=NewExtensionUpdaterService,WebUIDarkMode,SimplifyHttpsIndicator --disable-features=AudioServiceOutOfProcess,AutofillServerCommunication,LookalikeUrlNavigationSuggestionsUI,UnifiedConsent --flag-switches-begin --flag-switches-end
Executable Path | /snap/brave/61/opt/brave.com/brave/brave-browser
Profile Path | /home/kravietz/snap/brave/61/.config/BraveSoftware/Brave-Browser/Default

Version/Channel Information:

$ snap list brave
Name   Version   Rev  Tracking  Publisher  Notes
brave  0.69.135  61   beta      brave      -

Other Additional Information:

  • Does the issue resolve itself when disabling Brave Shields? NO
  • Does the issue resolve itself when disabling Brave Rewards? NO

Miscellaneous Information:

Thread on Snapcraft forum https://forum.snapcraft.io/t/u2f-not-working-in-firefox-snap/14039

About this issue

  • State: closed
  • Created 5 years ago
  • Reactions: 3
  • Comments: 26 (11 by maintainers)

Most upvoted comments

We added a couple of dependencies to the Snap package in https://github.com/brave/brave-browser-snap/pull/14.

Is this still broken?

This seems like it could be a higher priority given the crypto focus of the browser. Can we possibly bounty this? It doesn’t seem like it should be super hard. I am not familiar enough with snaps/AppArmor to say for sure, but someone with relevant experience probably could.

@parkan Can you upgrade to the latest snap package version? I tested this today on Arch. Right after installation, AppArmor was indeed blocking access, and after running snap connect brave:u2f-devices I was able to use my YubiKey to log into GitHub.

What does snap connections brave|grep -i u2f say?

$ snap list
Name               Version                     Rev    Tracking         Publisher         Notes
brave              1.21.74                     101    latest/stable    brave             -

$ snap connections brave|grep -i u2f 
u2f-devices               brave:u2f-devices               :u2f-devices                    manual
[361704.238366] hid-generic 0003:2C97:4015.0036: hiddev5,hidraw10: USB HID v1.11 Device [Ledger Nano X] on usb-0000:06:00.3-1/input0
[361704.270017] hid-generic 0003:2C97:4015.0037: hiddev6,hidraw11: USB HID v1.11 Device [Ledger Nano X] on usb-0000:06:00.3-1/input1
[361704.283106] audit: type=1400 audit(1615411138.531:359319): apparmor="DENIED" operation="open" profile="snap.brave.brave" name="/sys/devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.3/usb3/3-1/busnum" pid=1895042 comm="ThreadPoolForeg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[361704.283136] audit: type=1400 audit(1615411138.531:359320): apparmor="DENIED" operation="open" profile="snap.brave.brave" name="/sys/devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.3/usb3/3-1/devnum" pid=1895042 comm="ThreadPoolForeg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[361707.386167] audit: type=1400 audit(1615411141.636:359321): apparmor="DENIED" operation="open" profile="snap.brave.brave" name="/run/udev/data/c510:8" pid=1895042 comm="ThreadPoolForeg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[361707.386197] audit: type=1400 audit(1615411141.636:359322): apparmor="DENIED" operation="open" profile="snap.brave.brave" name="/run/udev/data/c510:6" pid=1895042 comm="ThreadPoolForeg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[361707.386245] audit: type=1400 audit(1615411141.636:359323): apparmor="DENIED" operation="open" profile="snap.brave.brave" name="/run/udev/data/c510:4" pid=1895042 comm="ThreadPoolForeg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[361707.386307] audit: type=1400 audit(1615411141.636:359324): apparmor="DENIED" operation="open" profile="snap.brave.brave" name="/run/udev/data/c510:11" pid=1895042 comm="ThreadPoolForeg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[361707.386361] audit: type=1400 audit(1615411141.636:359325): apparmor="DENIED" operation="open" profile="snap.brave.brave" name="/run/udev/data/c510:2" pid=1895042 comm="ThreadPoolForeg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[361707.386412] audit: type=1400 audit(1615411141.636:359326): apparmor="DENIED" operation="open" profile="snap.brave.brave" name="/run/udev/data/c510:0" pid=1895042 comm="ThreadPoolForeg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

I think my udev rules are in order, as well:

$ cat /etc/udev/rules.d/20-hw1.rules 
# HW.1 / Nano
SUBSYSTEMS=="usb", ATTRS{idVendor}=="2581", ATTRS{idProduct}=="1b7c|2b7c|3b7c|4b7c", TAG+="uaccess", TAG+="udev-acl"
# Blue
SUBSYSTEMS=="usb", ATTRS{idVendor}=="2c97", ATTRS{idProduct}=="0000|0000|0001|0002|0003|0004|0005|0006|0007|0008|0009|000a|000b|000c|000d|000e|000f|0010|0011|0012|0013|0014|0015|0016|0017|0018|0019|001a|001b|001c|001d|001e|001f", TAG+="uaccess", TAG+="udev-acl"
# Nano S
SUBSYSTEMS=="usb", ATTRS{idVendor}=="2c97", ATTRS{idProduct}=="0001|1000|1001|1002|1003|1004|1005|1006|1007|1008|1009|100a|100b|100c|100d|100e|100f|1010|1011|1012|1013|1014|1015|1016|1017|1018|1019|101a|101b|101c|101d|101e|101f", TAG+="uaccess", TAG+="udev-acl"
# Aramis
SUBSYSTEMS=="usb", ATTRS{idVendor}=="2c97", ATTRS{idProduct}=="0002|2000|2001|2002|2003|2004|2005|2006|2007|2008|2009|200a|200b|200c|200d|200e|200f|2010|2011|2012|2013|2014|2015|2016|2017|2018|2019|201a|201b|201c|201d|201e|201f", TAG+="uaccess", TAG+="udev-acl"
# HW2
SUBSYSTEMS=="usb", ATTRS{idVendor}=="2c97", ATTRS{idProduct}=="0003|3000|3001|3002|3003|3004|3005|3006|3007|3008|3009|300a|300b|300c|300d|300e|300f|3010|3011|3012|3013|3014|3015|3016|3017|3018|3019|301a|301b|301c|301d|301e|301f", TAG+="uaccess", TAG+="udev-acl"
# Nano X
SUBSYSTEMS=="usb", ATTRS{idVendor}=="2c97", ATTRS{idProduct}=="0004|4000|4001|4002|4003|4004|4005|4006|4007|4008|4009|400a|400b|400c|400d|400e|400f|4010|4011|4012|4013|4014|4015|4016|4017|4018|4019|401a|401b|401c|401d|401e|401f", TAG+="uaccess", TAG+="udev-acl",  OWNER="parkan"

KERNEL=="hidraw*", SUBSYSTEM=="hidraw", MODE="0660", GROUP="plugdev", ATTRS{idVendor}=="2c97"

KERNEL=="hidraw*", SUBSYSTEM=="hidraw", MODE="0660", GROUP="plugdev", ATTRS{idVendor}=="2581"
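
Added example, not part of the issue thread or of Brave's packaging: a shell function that condenses AppArmor denial records like the ones quoted above into one line per confined profile and kind of path, which makes it easier to see which reads are still blocked after an interface is connected. The sample log is constructed in the style of those records; the function names and the class labels `sysfs-usb`, `udev-db` and `other` are chosen here for illustration.

```shell
#!/bin/sh
# Added example: condense AppArmor denials per confined profile.
# Sample records are constructed, modelled on the ones in this thread.
sample_log() {
cat <<'EOF'
Nov 06 14:26:17 host kernel: usb 1-2: Product: Security Key
Nov 06 14:26:17 host audit[1234]: AVC apparmor="DENIED" operation="open" profile="snap.brave.brave" name="/sys/devices/pci0000:00/0000:00:14.0/usb1/1-2/busnum" pid=1234 comm="ThreadPoolForeg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Nov 06 14:26:17 host audit[1234]: AVC apparmor="DENIED" operation="open" profile="snap.brave.brave" name="/sys/devices/pci0000:00/0000:00:14.0/usb1/1-2/devnum" pid=1234 comm="ThreadPoolForeg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[100.000001] audit: type=1400 audit(1600000000.000:1): apparmor="DENIED" operation="open" profile="snap.brave.brave" name="/run/udev/data/c510:8" pid=1234 comm="ThreadPoolForeg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
EOF
}

# Reads log text on stdin; prints "profile<TAB>class<TAB>mask<TAB>count".
# Handles both the journalctl form and the dmesg form of the record.
summarize_denials() {
  awk '
    # Return the value of  key="value"  in the current record, or "".
    function field(key,    pat) {
      pat = " " key "=\"[^\"]*\""
      if (!match($0, pat)) return ""
      return substr($0, RSTART + length(key) + 3, RLENGTH - length(key) - 4)
    }
    # Class labels are chosen for this example, not AppArmor or snapd terms.
    function classify(path) {
      if (path ~ /^\/sys\/devices\/.*\/usb[0-9]+\//) return "sysfs-usb"
      if (path ~ /^\/run\/udev\/data\//) return "udev-db"
      return "other"
    }
    /apparmor="DENIED"/ {
      prof = field("profile"); path = field("name")
      if (prof == "" || path == "") next   # skip malformed records
      n[prof "\t" classify(path) "\t" field("denied_mask")]++
    }
    END { for (k in n) print k "\t" n[k] }
  ' | LC_ALL=C sort
}

# Stand-alone run on the constructed sample.
sample_log | summarize_denials
```

On a live system the input would be `journalctl` or `dmesg` output piped into `summarize_denials`.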