
Access PGP card from Firefox using GPG #4991

Open
6 of 7 tasks
polcak opened this issue Feb 28, 2022 · 18 comments

Comments

@polcak

polcak commented Feb 28, 2022

Description

This is very likely a duplicate of #4107 or both bugs have the same root. I originally used Gentoo sys-apps/firejail-0.9.64.4 and recently updated to sys-apps/firejail-0.9.68. My gpg card used to work in Firefox with local profile. It does not work anymore (very likely after the update, let me know if I should check).

Steps to Reproduce

Steps to reproduce the behavior

  1. Start firejail --profile=firefox bash
  2. Run in bash gpg --card-status

Expected behavior

I see details about my card.

Actual behavior

gpg: selecting card failed: No such device
gpg: OpenPGP card not available: No such device

Behavior without a profile

What changed calling LC_ALL=C firejail --noprofile gpg --card-status in a terminal?

I see details about my card.

Additional context

I tried to noblacklist and whitelist GPG commands listed by equery -C f app-crypt/gnupg. I added "ignore private-dev" to the local profile. I added 'ignore nou2f' suggested by keepassxc.profile (see also below).

I can see devices in /dev/ in the firefox profile but all are owned by nobody:nobody. Host /dev/usb/hiddev[0-9] as well as /dev/hidraw[0-9] devices are crw------- 1 root:root. I guess that there needs to be an additional file accessible to the user.

Environment

  • Gentoo Firejail 0.9.68

Checklist

  • The issue is caused by firejail (i.e. running the program by path (e.g. /usr/bin/vlc) "fixes" it). I can operate GPG card outside the sandbox.
  • I can reproduce the issue without custom modifications (e.g. globals.local). - Well, the default profile blacklists ~/.gnupg/, scdaemon, creates private-dev. The custom local modifications solve these problems. No custom modifications make the problem worse.
  • The program has a profile. (If not, request one in https://github.com/netblue30/firejail/issues/1139)
  • The profile (and redirect profile if exists) hasn't already been fixed upstream. AFAIK upstream profile expects that I do not need to access GPG card from Firefox.
  • I have performed a short search for similar issues (to avoid opening a duplicate).
    • I'm aware of browser-allow-drm yes/browser-disable-u2f no in firejail.config to allow DRM/U2F in browsers. DRM is irrelevant in this case. I am trying to make a PGP card running not u2f, so that is also irrelevant but to be safe, I tried adding "ignore nou2f" as mentioned above.
  • I used --profile=PROFILENAME to set the right profile. (Only relevant for AppImages) I am trying to access PGP card from Firefox, so I am trying firefox profile.

Log

Output of LC_ALL=C firejail gpg --card-status

gpg: selecting card failed: No such device
gpg: OpenPGP card not available: No such device

@rusty-snake
Collaborator

owned by nobody:nobody

That's because of noroot.

@polcak
Author

polcak commented Feb 28, 2022

Thanks for the reply. ignore noroot made /dev files having original owners but gpg still does not see the card.

@polcak
Author

polcak commented Feb 28, 2022

My local changes to the profile:

$ cat .config/firejail/firefox.profile
noblacklist ~/.gnupg
whitelist ~/.gnupg
read-only ~/.gnupg/*
blacklist ~/.gnupg/openpgp-revocs.d

noblacklist /usr/libexec
read-only /usr/libexec/*
noblacklist /usr/libexec/scdaemon
whitelist /usr/libexec/scdaemon
read-only /usr/libexec/scdaemon

noblacklist /usr/libexec/gpg-check-pattern
whitelist /usr/libexec/gpg-check-pattern
read-only /usr/libexec/gpg-check-pattern
noblacklist /usr/libexec/gpg-preset-passphrase
whitelist /usr/libexec/gpg-preset-passphrase
read-only /usr/libexec/gpg-preset-passphrase
noblacklist /usr/libexec/gpg-protect-tool
whitelist /usr/libexec/gpg-protect-tool
read-only /usr/libexec/gpg-protect-tool
noblacklist /usr/libexec/gpg-wks-client
whitelist /usr/libexec/gpg-wks-client
read-only /usr/libexec/gpg-wks-client
blacklist /usr/libexec/*

noblacklist /usr/sbin
read-only /usr/sbin/*

noblacklist /usr/sbin/addgnupghome
whitelist /usr/sbin/addgnupghome
read-only /usr/sbin/addgnupghome
noblacklist /usr/sbin/applygnupgdefaults
whitelist /usr/sbin/applygnupgdefaults
read-only /usr/sbin/applygnupgdefaults
blacklist /usr/sbin/*

ignore private-dev
ignore nou2f
ignore noroot

include /etc/firejail/firefox.profile

@rusty-snake
Collaborator

Any reason to use firefox.profile rather than firefox.local?

Why all these unnecessary read-only and blacklist commands?


I've no real idea but does it work if you add ignore nogroups? Do you use systemd? Or another init like OpenRC? If so, with elogind or similar?

@polcak
Author

polcak commented Feb 28, 2022

Any reason to use firefox.profile rather than firefox.local?

You mean, I should do mv .config/firejail/firefox.profile .config/firejail/firefox.local and remove the include of the system profile. I did just that. I created the profile a long time ago and I do not remember why I used .config/firejail/firefox.profile instead of .config/firejail/firefox.local but I very likely misunderstood the docs or was not sure about the correct name and firefox.profile worked for me.

Why all these unnecessary read-only and blacklist commands?

read-only - safe programming, blacklist in the .gnupg directory to hide revocation keys, other blacklist because the directories were hidden by the current profile.

I've no real idea but does it work if you add ignore nogroups?

No change for gpg.

Do you use systemd? Or another init like OpenRC? If so, with elogind or similar?

OpenRC and elogind.

I simplified the config, so I am now with cat .config/firejail/firefox.local:

noblacklist ~/.gnupg
whitelist ~/.gnupg
blacklist ~/.gnupg/openpgp-revocs.d

noblacklist /usr/libexec
noblacklist /usr/libexec/scdaemon
whitelist /usr/libexec/scdaemon

noblacklist /usr/libexec/gpg-check-pattern
whitelist /usr/libexec/gpg-check-pattern
noblacklist /usr/libexec/gpg-preset-passphrase
whitelist /usr/libexec/gpg-preset-passphrase
noblacklist /usr/libexec/gpg-protect-tool
whitelist /usr/libexec/gpg-protect-tool
noblacklist /usr/libexec/gpg-wks-client
whitelist /usr/libexec/gpg-wks-client

noblacklist /usr/sbin
noblacklist /usr/sbin/addgnupghome
whitelist /usr/sbin/addgnupghome
noblacklist /usr/sbin/applygnupgdefaults
whitelist /usr/sbin/applygnupgdefaults

ignore private-dev
ignore nou2f
ignore noroot
ignore nogroups

I also noticed that gnupg was updated last week, but there is no card status in firejail for either =app-crypt/gnupg-2.2.32-r1 or =app-crypt/gnupg-2.2.33-r1.

@polcak
Author

polcak commented Mar 4, 2022

So I noticed that whitelist-run-common.inc despite its name disables a bunch of files and directories in /run. So when the include is commented out, I got GPG running. I am not sure what exactly is needed from /run, yet.

A question: Is there a configuration I can put to my firefox.local like:
ignore include whitelist-run-common.inc

Thanks

@glitsj16
Collaborator

glitsj16 commented Mar 4, 2022

A question: Is there a configuration I can put to my firefox.local like:
ignore include whitelist-run-common.inc

That's indeed the correct syntax.

So when the include is commented out, I got GPG running. I am not sure what exactly is needed from /run, yet.

IMO you can keep whitelist-run-common.inc but you need to add a few things to your firefox.local:

whitelist ${RUNUSER}/gnupg
whitelist /usr/share/gnupg
whitelist /usr/share/gnupg2

Side-note. Our firefox.profile indeed has blacklist /usr/libexec. To undo that you're correct in adding noblacklist /usr/libexec. A basic profile rule is that you don't need to noblacklist paths that are never blacklisted anywhere, it has no effect whatsoever to do that. Same rationale for /usr/sbin. That one is blacklisted in disable-common.inc so you need the one noblacklist /usr/sbin. The rest you can safely drop:

noblacklist /usr/libexec/scdaemon
noblacklist /usr/libexec/gpg-check-pattern
noblacklist /usr/libexec/gpg-preset-passphrase
noblacklist /usr/libexec/gpg-protect-tool
noblacklist /usr/libexec/gpg-wks-client
noblacklist /usr/sbin/addgnupghome
noblacklist /usr/sbin/applygnupgdefaults

Maybe that's what @rusty-snake was hinting at above. We might want to create something like allow-gpg.inc containing what's needed for PGP cards. That would ease the burden on users, instead of them having to figure this out on their own.

@rusty-snake
Collaborator

whitelist ${RUNUSER}/gnupg
whitelist /usr/share/gnupg
whitelist /usr/share/gnupg2

None of them are affected by wrc. But it probably makes sense anyway to add them.

We might want to create something like allow-gpg.inc containing what's needed for PGP cards.

It's always difficult because of whitelisting, private-bin, ...
But we can add it with noblacklist commands and a comment what else might be necessary.

So I noticed that whitelist-run-common.inc despite its name disables a bunch of files and directories in /run.

That's what the name says ;)

@rusty-snake
Collaborator

@polcak What does ls -la /run show?

@glitsj16
Collaborator

glitsj16 commented Mar 4, 2022

@rusty-snake All good arguments and ideas. I've added a few notes to my firejail-todo.md about 'allow-gpg.inc'. But in all honesty it's not high up, most of all because I don't have a yubikey or similar hw to do proper testing. Apologies to @polcak for side-tracking the issue.

@polcak
Author

polcak commented Mar 7, 2022

@rusty-snake: ls -la /run shows just a couple of directories without ignore include whitelist-run-common.inc. When I do not include whitelist-run-common.inc, /run is much more populated (very likely the original /run). That is (for me) confusing.

I went back to using only

ignore private-dev
ignore nou2f

So I removed:

ignore noroot
ignore nogroups

When I use:

whitelist ${RUNUSER}/gnupg
whitelist /usr/share/gnupg
whitelist /usr/share/gnupg2

and whitelist-run-common.inc activated, I get:

$ ls /run/user/1000/gnupg
ls: cannot open directory '/run/user/1000/gnupg': Permission denied

The directory exists but cannot be accessed because it is owned by root:root (readable by root, no other permissions).

If I include ignore include whitelist-run-common.inc, the GPG card works.

@glitsj16: I do not feel like the issue is side-tracked. The main issue is likely similar: users are confused about how to enable a GPG card in a built-in profile.

@rusty-snake
Collaborator

ls -la /run

I meant outside the sandbox, can you post? Some of them will need a whitelist /run/foobar. Or you test for file in /run/.* /run/*; do echo "whitelist $file"; done > whitelist-run-full.inc and remove whitelists until you find all necessary ones.

That is (for me) confusing.

If you have no whitelist /run/… at all, the only thing done in /run is blacklisting (i.e. enumeration of badness), but if you have at least one whitelist /run/… (even if the file does not exist), you switch to whitelisting (i.e. enumeration of goodness): only paths with an explicit whitelist are visible/accessible (plus /run/firejail and /run/user/$UID).

@dptpirate

Signing/encrypting emails with a smartcard is also broken with claws mail. It used to work.

@danielkrajnik

danielkrajnik commented Jun 29, 2023

I was also trying to solve this to no avail. Resorted to removing librewolf's profile altogether for now.

Does anyone know what may cause some directories to change owner from user to root/nobody? Adding ignore noroot doesn't work. I assume that's what causes lack of access to GPG agent (/run/user/1000/gnupg has gpg sockets inaccessible) in firefox/librewolf. This breaks browserpass extension.

I know that this has been discussed before, but has there ever been a solution? Here for example are described elaborate steps to make it work without explaining why - everyone's threat model is different so it would be good to have some explanation somewhere why ${RUNUSER}/gnupg is changed to root or nobody.

@danielkrajnik

the only thing done in /run is blacklisting (i.e. enumeration of badness)

@rusty-snake this doesn't appear to be correct - some directories change to root owner permissions instead of user (in firefox or librewolf profiles)

@rusty-snake
Collaborator

That's how blacklisting is implemented. The path is read-only bind-mounted over with a file of the same type (dir, reg, sock, ...) that has 0o000 permissions and is owned by root.

@danielkrajnik

danielkrajnik commented Jun 30, 2023

Thank you for explaining, that makes sense, but in that case I don't know why adding both whitelist and noblacklist options still causes that directory to be blacklisted (owned by root):

whitelist ${RUNUSER}/gnupg/
noblacklist ${RUNUSER}/gnupg/

Is there anything else that may blacklist gnupg? I've been grepping through all files in /etc/firejail and nothing seemed to affect this directory directly.

@felix-walter

Just stumbled upon this and found the following option in the Manpage of firejail.profile:

writable-run-user
              Disable the default blacklisting of run/user/$UID/systemd and /run/user/$UID/gnupg.

Adding this option to the profile solves it for me.
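As an added illustration of rusty-snake's point earlier in the thread (a single whitelist /run/... entry flips /run into whitelist mode, so an ignored include changes the picture) and of the writable-run-user fix in the last comment, here is a small profile linter. It is example code written for this page, not part of firejail; it models ignore as dropping later lines that start with the given text, expands ${RUNUSER} to /run/user/1000, and runs over constructed stand-in profiles rather than the real ones.

```python
"""Linter for the /run and ${RUNUSER}/gnupg pitfalls discussed in this thread.
Constructed example, not firejail's parser. Assumptions: `ignore X` drops every
later line starting with X; ${RUNUSER} expands to /run/user/<uid>; FILES below
are constructed stand-ins, not the real firejail profiles."""
UID = 1000  # assumed uid used for the ${RUNUSER} expansion
FILES = {
    "firefox.local": "noblacklist ~/.gnupg\nwhitelist ~/.gnupg\n"
                     "ignore private-dev\nwhitelist ${RUNUSER}/gnupg\n",
    "whitelist-run-common.inc": "whitelist /run/dbus\nwhitelist /run/udev\n",
    "firefox.profile": "include firefox.local\n"
                       "include whitelist-run-common.inc\n"
                       "blacklist /usr/libexec\nprivate-dev\n",
}

def effective_lines(name, files, ignored=None):
    """Yield (command, argument) after resolving includes and applying ignore."""
    ignored = set() if ignored is None else ignored
    for raw in files.get(name, "").splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if any(line.startswith(prefix) for prefix in ignored):
            continue  # dropped by an earlier `ignore` (this also covers include lines)
        cmd, _, arg = line.partition(" ")
        arg = arg.strip()
        if cmd == "ignore":
            ignored.add(arg)
        elif cmd == "include":
            yield from effective_lines(arg, files, ignored)
        else:
            yield cmd, arg.replace("${RUNUSER}", f"/run/user/{UID}")

def analyze(entry, files):
    """Report the settings the thread shows people getting wrong."""
    lines = list(effective_lines(entry, files))
    run_wl = [a for c, a in lines if c == "whitelist" and a.startswith("/run/")]
    report = {
        "run_whitelist_mode": bool(run_wl),  # any whitelist /run/... flips the mode
        "gnupg_whitelisted": f"/run/user/{UID}/gnupg" in run_wl,
        "writable_run_user": ("writable-run-user", "") in lines,
        "private_dev": ("private-dev", "") in lines,
    }
    missing = []  # what the thread's advice says to add, given the current state
    if report["run_whitelist_mode"] and not report["gnupg_whitelisted"]:
        missing.append("whitelist ${RUNUSER}/gnupg")
    if not report["writable_run_user"]:
        missing.append("writable-run-user")  # lifts the default gnupg blacklist
    report["missing"] = missing
    return report
```

Running analyze("firefox.profile", FILES) on the constructed files reports whitelist mode for /run with the gnupg directory whitelisted but writable-run-user still missing, which is exactly the state polcak described when the card directory showed up as Permission denied.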
