igo95862 / bubblejail

Bubblewrap based sandboxing for desktop applications

Firefox: Yubikey Webauthn does not work in #26

Open bratekarate opened 2 years ago

bratekarate commented 2 years ago

Authentication with security key does not work in a Firefox profile.

I have no idea what file paths should be whitelisted. I tried hidraw devices:

[root_share]
paths = [
   "/dev/hidraw0",
   "/dev/hidraw1",
   "/dev/hidraw2"
]

But to no avail.

Hidraw devices are all I could find out so far, through this Firejail issue: https://github.com/netblue30/firejail/issues/1381

More recent Firejail issue regarding Webauthn (but no mention of hidraw): https://github.com/netblue30/firejail/issues/3796

UPDATE: adding the entire /sys directory to root_share makes the error in the browser disappear. However, now it just waits for the key to be inserted and does not detect it. Something else must be missing.

Also I was not able to pinpoint yet what part of /sys needs to be accessed.

igo95862 commented 2 years ago

UPDATE: adding the entire /sys directory to root_share makes the error in the browser disappear. However, now it just waits for the key to be inserted and does not detect it. Something else must be missing.

It might need some part of /dev as well.

Also I was not able to pinpoint yet what part of /sys needs to be accessed.

This is where strace is very useful.

rusty-snake commented 2 years ago

now it just waits for the key to be inserted and does not detect it.

Unless /dev is bind-mounted (e.g. --dev-bind /dev /dev) you need to insert the yubikey before you start the sandbox. That's why we disable private-dev for browser in firejail if you disable browser-disable-u2f. https://github.com/netblue30/firejail/blob/81e12a45b7b1856bffc877d34266823207f8a5b7/etc/profile-a-l/firefox-common.profile#L56

bratekarate commented 2 years ago

Thanks a lot for looking at this issue and pointing me in the right direction!

Unless /dev is bind-mounted (e.g. --dev-bind /dev /dev) you need to insert the yubikey before you start the sandbox

Indeed it works with bind-mounted /dev. I must admit I am a beginner with sandboxing through firejail or bubblewrap, that's why I tried to share /dev as a file path, not through bind-mount.

However, I had my Yubikey inserted before I started the sandbox. Without bind-mounting /dev it never works. Anyway, this does not really matter since I bind-mounted it now.

@igo95862 is there any way to bind-mount /dev through the services.toml file, without --debug-bwrap-args?

UPDATE: /dev/hidraw* devices need to be mounted for it to work. Still working on finding out which /sys/* files are needed, so far my strace skills are lacking.

rusty-snake commented 2 years ago

Still working on finding out which /sys/* files are needed, so far my strace skills are lacking

If you want some examples:

# -e %file: trace only file-related syscalls; -f: follow child processes; -o: write the trace to a file
strace -e %file -fo gnome-hexgl.strace /usr/bin/gnome-hexgl
# list every distinct /sys path the program touched
grep -o '"/sys/.*"' gnome-hexgl.strace | cut -d\" -f2 | sort -u

gabfv commented 5 days ago

Hey, I've been trying to make my own Yubikey work too and I sort of got it working. I added those following lines to the services.toml config:

[root_share]
paths = [
    "/sys/devices",
    "/sys/class",
]

[debug]
raw_bwrap_args = [
    "--dev-bind-try", # --dev-bind works too, but it will fail if hidraw14 doesn't exist. --dev-bind-try will keep going if it doesn't exist.
    "/dev/hidraw14", # hidraw14 is the location of my yubikey.
    "/dev/hidraw14",
]

It works right now (tested on the webauthn.io demo) but I can think of a couple of drawbacks and notes:

The udev rule I've tried: SUBSYSTEM=="hidraw", ATTRS{idVendor}=="1050", SYMLINK+="hidraw_yubikey" Note that I have not tested what happens when multiple yubikeys are inserted. Probably only the last one inserted will refer to the symlink.

Also, @bratekarate did you ever get it working too? I think you weren't quite far, but the hidraw must go as a --dev-bind, not a root path, the rest of /sys can go into the root paths.
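The two working configurations in this thread differ a lot in what they expose: bind-mounting all of /dev hands the sandboxed browser every device node on the host, while gabfv's approach binds only the one hidraw node the key currently occupies, at the cost of hard-coding hidraw14 (or a udev symlink) into services.toml. The script below is an added example, not part of bubblejail and not code from any comment above. It enumerates the hidraw nodes that belong to a USB vendor by reading sysfs (the assumed layout is the standard /sys/class/hidraw/hidrawN/device/uevent with a HID_ID=bus:vendor:product line) and prints the --dev-bind-try tokens to put in raw_bwrap_args, so the list can be regenerated before each launch instead of pinned to one node. The sysroot argument, the function names and the vendor-id normalisation are this example's own; 1050 is Yubico's USB vendor id, matching the idVendor in gabfv's udev rule.

```shell
#!/bin/sh
# Added example (not bubblejail's code). Enumerate hidraw nodes by USB vendor
# via sysfs and emit bwrap --dev-bind-try arguments for just those nodes.
# Assumed sysfs layout: SYSROOT/class/hidraw/hidrawN/device/uevent containing
#   HID_ID=BBBB:VVVVVVVV:PPPPPPPP   (bus, vendor, product; upper-case hex)
# SYSROOT is a parameter so the functions can be run against a constructed
# tree as well as against the real /sys.

# Normalise a hex vendor id: lower-case, leading zeros removed ("00001050" -> "1050").
norm_hex() {
    printf '%s' "$1" | tr 'A-F' 'a-f' | sed 's/^0*//'
}

# find_hidraw_by_vendor SYSROOT VENDOR
# Prints /dev/hidrawN, one per line, for every hidraw device whose HID_ID
# vendor field equals VENDOR. Nodes without a readable uevent are skipped.
find_hidraw_by_vendor() {
    sysroot=$1
    want=$(norm_hex "$2")
    for dir in "$sysroot"/class/hidraw/hidraw*; do
        [ -r "$dir/device/uevent" ] || continue
        hid_id=$(sed -n 's/^HID_ID=//p' "$dir/device/uevent")
        [ -n "$hid_id" ] || continue
        have=$(norm_hex "$(printf '%s' "$hid_id" | cut -d: -f2)")
        if [ "$have" = "$want" ]; then
            printf '/dev/%s\n' "$(basename "$dir")"
        fi
    done
    return 0
}

# bwrap_dev_bind_args SYSROOT VENDOR
# Prints, one token per line, "--dev-bind-try SRC DEST" for each matching
# node; these are the strings to place in bubblejail's [debug] raw_bwrap_args.
# --dev-bind-try rather than --dev-bind so a node that disappears between
# enumeration and sandbox start does not abort the launch.
bwrap_dev_bind_args() {
    find_hidraw_by_vendor "$1" "$2" | while IFS= read -r node; do
        printf '%s\n%s\n%s\n' '--dev-bind-try' "$node" "$node"
    done
}

# Stand-alone use on a live system:  ./hidraw-bind.sh 1050
if [ "$#" -eq 1 ]; then
    bwrap_dev_bind_args /sys "$1"
fi
```

Because the node list is computed at launch time, the key still has to be inserted before the sandbox starts, exactly as rusty-snake notes above: nothing here makes a node that appears later visible inside an already-running sandbox.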