Firefox: Yubikey Webauthn does not work in #26

Open
bratekarate opened this issue Apr 9, 2022 · 4 comments

Comments

@bratekarate

bratekarate commented Apr 9, 2022

Authentication with security key does not work in a Firefox profile.

I have no idea what file paths should be whitelisted. I tried hidraw devices:

[root_share]
paths = [
   "/dev/hidraw0",
   "/dev/hidraw1",
   "/dev/hidraw2"
]

But to no avail.

Hidraw devices are all I could find out so far through this Firejail issue: netblue30/firejail#1381

More recent Firejail issue regarding Webauthn (but no mention of hidraw): netblue30/firejail#3796

UPDATE:
adding the entire /sys directory to root_share makes the error in the browser disappear. However, now it just waits for the key to be inserted and does not detect it. Something else must be missing.

Also I was not able to pinpoint yet what part of /sys needs to be accessed.

@igo95862
Owner

igo95862 commented Apr 9, 2022

UPDATE: adding the entire /sys directory to root_share makes the error in the browser disappear. However, now it just waits for the key to be inserted and does not detect it. Something else must be missing.

It might need some part of /dev as well.

Also I was not able to pinpoint yet what part of /sys needs to be accessed.

This is where strace is very useful.

@rusty-snake
Contributor

now it just waits for the key to be inserted and does not detect it.

Unless /dev is bind-mounted (e.g. --dev-bind /dev /dev) you need to insert the yubikey before you start the sandbox. That's why we disable private-dev for browser in firejail if you disable browser-disable-u2f. https://github.com/netblue30/firejail/blob/81e12a45b7b1856bffc877d34266823207f8a5b7/etc/profile-a-l/firefox-common.profile#L56

@bratekarate
Author

bratekarate commented Apr 17, 2022

Thanks a lot for looking at this issue and pointing me in the right direction!

Unless /dev is bind-mounted (e.g. --dev-bind /dev /dev) you need to insert the yubikey before you start the sandbox

Indeed it works with bind-mounted /dev. I must admit I am a beginner with sandboxing through firejail or bubblewrap, that's why I tried to share /dev as a file path, not through bind-mount.

However, I had my Yubikey inserted before I started the sandbox. Without bind-mounting /dev it never works. Anyway, this does not really matter since I bind-mounted it now.

@igo95862 is there any way to bind-mount /dev through the services.toml file, without --debug-bwrap-args?

UPDATE: /dev/hidraw* devices need to be mounted for it to work. Still working on finding out which /sys/* files are needed, so far my strace skills are lacking.

@rusty-snake
Contributor

rusty-snake commented Apr 18, 2022

Still working on finding out which /sys/* files are needed, so far my strace skills are lacking

If you want some examples:

strace -e %file -fo gnome-hexgl.strace /usr/bin/gnome-hexgl
grep -o '"/sys/.*"' gnome-hexgl.strace | cut -d\" -f2 | sort -u
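A way to go from such an strace log to the `[root_share]` path list used in the first comment, as an added example that is not part of this thread or of the project; it assumes a log written with `strace -e %file -f -o <log> <program>` and that only the /dev and /sys entries matter for the security-key case.

```shell
#!/bin/sh
# Added example: turn an strace file-access log into a root_share path list.
# Assumes the log was produced with: strace -e %file -f -o <log> <program>

# Print the unique /dev and /sys paths the traced program touched.
# Failed calls ("= -1 ENOENT ..." etc.) are dropped so probes of paths that
# do not exist in the sandbox do not end up in the whitelist.
accessed_paths() {
    log="$1"
    grep -v '= -1 ' "$log" \
        | grep -oE '"(/dev|/sys)/[^"]*"' \
        | tr -d '"' \
        | LC_ALL=C sort -u
}

# Render stdin (one path per line) as the TOML array from the issue's
# [root_share] section.
paths_to_toml() {
    printf '[root_share]\npaths = [\n'
    first=1
    while IFS= read -r p; do
        [ -z "$p" ] && continue
        if [ "$first" -eq 1 ]; then first=0; else printf ',\n'; fi
        printf '    "%s"' "$p"
    done
    printf '\n]\n'
}

# Constructed sample log in strace's output format (not a real capture).
SAMPLE_LOG="$(mktemp)"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
12345 openat(AT_FDCWD, "/dev/hidraw1", O_RDWR|O_CLOEXEC) = 45
12345 openat(AT_FDCWD, "/dev/hidraw2", O_RDWR|O_CLOEXEC) = -1 EACCES (Permission denied)
12345 openat(AT_FDCWD, "/sys/class/hidraw/hidraw1/device/uevent", O_RDONLY|O_CLOEXEC) = 46
12345 openat(AT_FDCWD, "/sys/class/hidraw/hidraw1/device/uevent", O_RDONLY|O_CLOEXEC) = 46
12345 openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
12345 stat("/sys/bus/usb/devices", {st_mode=S_IFDIR|0755, ...}) = 0
EOF

accessed_paths "$SAMPLE_LOG" | paths_to_toml
```

Paths that appear only because the sandbox denied them (the EACCES line above) are left out on purpose; rerun the trace after each whitelist change until the program stops failing.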
