-
Notifications
You must be signed in to change notification settings - Fork 92
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
p11-kit-proxy as libnssckbi replacement breaks HTTPS in Firefox #172
Comments
That was actually for this Fedora 29 Change, where I am thinking a different way of registering p11-kit-proxy in NSS databases:
Then |
Thanks, after restoring the symlink and trying the crypto-policies configuration provided, it loads as expected, p11-kit-proxy module is shown above trust modules in Firefox security devices configuration. However, when I try to add the .module as usual in /etc/pkcs11/modules/ or /usr/share/p11-kit/modules/, Firefox tabs will crash. When run from the console it displays seccomp-based sandbox violations:
abrt also sends a FAF report with the segfault backtrace. |
Does the module work if you load it manually from firefox? It looks to me that the semaphore creation failed due to firefox sandbox requirements. A hardware card may have a legitimate reason to use a semaphore to prevent multiple uses of the hardware, and if I understand well this page, firefox in general breaks these use cases. A long shot, but if my speculation above is correct, using p11-kit server and putting your PKCS#11 module in a separate process may work. |
Loading p11-kit-proxy.so manually from Firefox loads the proprietary module without issues, same when trying to load the proprietary .so directly. I can confirm setting The sandbox tab crash also happens when trying to set the proprietary .so in the |
It's interesting that the behavior changes when the proxy module is loaded manually. At the NSS database level, the only difference I can see is that the policy configuration is processed a bit too late. Are you able to check if the following scratch build improves the situation? |
I'm sorry, but it seems my test in the first reply was flawed. I didn't do a system restart to see more effects. After restarting, not just firefox tabs were crashing, but every p11-kit based app: a simple Maybe the p11-kit FAF report helps with this. It looks similar to the tab crash backtrace. |
I am afraid I can't tell anything from the FAF report: the call sequence in p11-kit seems fine.
|
Applying crypto policies (and system restart) having the proprietary .module file with p11tool (trace)
pkcs11-tool (trace)
It also may crash the whole GNOME session few seconds after login (with both Wayland and Xorg). When I comment out the line
I've moved the lib from /usr/lib64/pkcs11/ to /usr/lib64/ just to discard related issues, before I was using a symlink, but it does not change any behaviour. |
My guess is that when the module is registered globally, it remains initialized by a system process and that makes it crash on subsequent uses preventing any other process initializing it. I'd suggest to try some smart card which has a decent driver. |
Thanks, it looks like that. Unfortunately there is no way to replace the smart card in my case, they're electronic IDs provided by public institutions and they don't work with OpenSC or other decent drivers. There are no driver updates as far I know neither for this particular model (module middleware seems to be under license). Sadly, there is also risk to happen with other vendors with broken modules. However, I wonder why it's working with p11-kit-proxy as nssckbi replacement without colliding while using other tools (p11tool, pkcs11-tool) just after initializing and using it in Firefox or Evolution. |
What do you see if you run: |
Thanks for the hint, after confirming After diving a bit deeper with strace for all crashing apps, there was a permission denied issue while trying to read/write files in If I recall correctly, modern kernel security measures disallow other users (including root) work with files created by other users in Firefox tabs issue still persists, perhaps yet another proprietary module problem, I'll try to add feedback later. Sorry for the noise so far. Probably I'll stick with the nssckbi workaround if still possible with Fedora 29. |
Originally reported in: p11-glue/p11-kit#172 (comment) While some smartcard drivers don't allow simultaneous access by multiple users, it is possible that the authenticating user and 'gdm' access the same smartcard, because both the login and user sessions monitor smartcard status through gsd-smartcard (and NSS). As the D-Bus service provided by gsd-smartcard is sorely used by gnome-shell's screen shield, there is little benefit to run it in the login session.
Originally reported in: p11-glue/p11-kit#172 (comment) While some smartcard drivers don't allow simultaneous access by multiple users, it is possible that the authenticating user and 'gdm' access the same smartcard, because both the login and user sessions monitor smartcard status through gsd-smartcard (and NSS). As the D-Bus service provided by gsd-smartcard is sorely used by gnome-shell's screen shield, there is little benefit to run it in the login session.
Thank you for the detail investigation; indeed, that explains the issue. I have opened a MR in gdm for that: |
Thank you, it looks like there may need another approach to be accepted. I've found it does not crash when those files are readable by the current user. Files in current_umask = umask(077);
umask(current_umask | S_IROTH); |
Another idea might be to isolate the card access in a separate chroot, using the
|
Thank you for the sandbox approach, definitely looks a safer a better way. I've tried with bubblewrap and worked nicely:
Firefox tabs are not crashing anymore. However, token login still crashes NSS based apps (Firefox, Evolution, certutil). At first sight, it seems to communicate properly with the card, because when trying with invalid PIN it prompts again for another retry. I've also tried with the scratch build from above with the same result. Here's a backtrace while trying login, at
|
Yes, the crash is known and I will include the patch in the next package update: |
I confirm the |
I just hit this problem on Gentoo, upgrading from p11-kit-0.23.9 to 0.23.12 |
@joakim-tjernlund I'd suggest checking what update-crypto-policies does in Fedora 29. It probably updates the sql:/etc/pki/nssdb by adding the p11-kit-proxy module via modutil. In some distros, Firefox and other don't use the system wide NSS database by default and may require setting an environment variable to enable it. Note downstream distro still applies patches for features not available upstream for better crypto experience. |
@fdelapena I need someone to tell me what Fedora does. I have do not have access to a Fedora install and trying to figure out this by installing Fedora on some host and dig through the install is just too much. |
Hi,
I'm using p11-kit-proxy in Fedora 28 to make Firefox work with system wide pkcs11 proprietary modules. I have a proprietarylib.so in a proprietaryconfig.module file and works nicely in all p11-kit supported apps. For NSS is well known that Firefox is not using the
pkcs11.txt
from/etc/pki/nssdb
, then so far I was replacinglibnssckbi.so
with the p11-kit-proxy replacement as the documentation was suggesting:With the latest p11-kit update in Fedora, which adds the
disable-in: p11-kit-proxy
change in p11-kit-trust.module, Firefox won't trust any HTTPS site anymore. It works by commenting out this line as a workaround in the meanwhile. However, is this issue on purpose or an unexpected side effect? I'm aware of upcoming improvements targeted for Fedora 29, if they are related somehow.Thanks.
The text was updated successfully, but these errors were encountered: