What USB vendor/ID is WearAuthn?

[MrConorAE]

Hi! I'm going to open a request for Snap to add WearAuthn as a supported key for the u2f-devices plug, to allow keys to work in snapped apps like Firefox. Problem is, WearAuthn doesn't show up in lsusb, so I can't determine what ID to submit.

Here's my output of lsusb (it's the same before and after attaching):

Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 001 Device 005: ID 138a:0097 Validity Sensors, Inc. 
Bus 001 Device 004: ID 13d3:5682 IMC Networks SunplusIT Integrated Camera
Bus 001 Device 003: ID 8087:0a2b Intel Corp. Bluetooth wireless interface
Bus 001 Device 002: ID 046d:c52f Logitech, Inc. Unifying Receiver
Bus 001 Device 006: ID 056a:50b6 Wacom Co., Ltd Pen and multitouch sensor
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub

Is it 8087:0a2b Intel Corp. Bluetooth wireless interface, or something else?

Thanks, MrConorAE

[Thesola10]

Devices paired via Bluetooth don't open a USB bus. They do, however, open a raw HID device, so you may want to look into a udev rule.

[fmeum]

I'm not completely sure how the snap permissions work. It's possible you would need both a udev rule and allowlist the Bluetooth adapter. But as @Thesola10 said, I would try adding a udev rule first.

[Thesola10]

Allowing access to the Bluetooth adapter through USB would be pointless. The Linux Bluetooth stack has a single daemon take over the adapter and communicate with udev to register devices, so it would be a bit like allowlisting a PCIe controller -- that's just not how sandboxed apps are supposed to work.

[MrConorAE]

As far as I understand it, all the snap permission system needs is a way of identifying the key - and for most of them, that's through a specific vendor/ID combination.

So should the rule for the snap permission be for the Bluetooth adapter or the watch itself?

[MrConorAE]

For reference, if it helps, the list of properties for the u2f-devices allow list is at https://github.com/snapcore/snapd/blob/master/interfaces/builtin/u2f_devices.go#L44

[fmeum]

I think that this approach is problematic since vendor and product ID depend on the watch model and can't be set by WearAuthn. Thus, all WearOS watches would have to be allowlisted individually. A more sustainable approach I implemented in systemd: https://github.com/systemd/systemd/commit/d45ee2f31a8358db0accde2e7c81777cedadc3c2 Could something similar be viable for snap? It would remove the need to maintain am allowlist.