Open bratekarate opened 2 years ago
UPDATE: adding the entire /sys directory to root_share makes the error in the browser disappear. However, now it just waits for the key to be inserted and does not detect it. Something else must be missing. It might need some part of /dev as well.
Also I was not able to pinpoint yet what part of /sys needs to be accessed.
This is where strace is very useful.
> now it just waits for the key to be inserted and does not detect it.
Unless /dev is bind-mounted (e.g. --dev-bind /dev /dev) you need to insert the yubikey before you start the sandbox. That's why we disable private-dev for browser in firejail if you disable browser-disable-u2f. https://github.com/netblue30/firejail/blob/81e12a45b7b1856bffc877d34266823207f8a5b7/etc/profile-a-l/firefox-common.profile#L56
Thanks a lot for looking at this issue and pointing me in the right direction!
> Unless /dev is bind-mounted (e.g. --dev-bind /dev /dev) you need to insert the yubikey before you start the sandbox
Indeed it works with bind-mounted /dev. I must admit I am a beginner with sandboxing through firejail or bubblewrap, that's why I tried to share /dev as a file path, not through bind-mount.
However, I had my Yubikey inserted before I started the sandbox. Without bind-mounting /dev it never works. Anyway, this does not really matter since I bind-mounted it now.
@igo95862 is there any way to bind-mount /dev through the services.toml file, without --debug-bwrap-args?
UPDATE: /dev/hidraw* devices need to be mounted for it to work. Still working on finding out which /sys/* files are needed, so far my strace skills are lacking.
> Still working on finding out which /sys/* files are needed, so far my strace skills are lacking
If you want some examples:
strace -e %file -fo gnome-hexgl.strace /usr/bin/gnome-hexgl
grep -o '"/sys/.*"' gnome-hexgl.strace | cut -d\" -f2 | sort -u
Hey, I've been trying to make my own Yubikey work too and I sort of got it working. I added those following lines to the services.toml config:
[root_share]
paths = [
"/sys/devices",
"/sys/class",
]
[debug]
raw_bwrap_args = [
"--dev-bind-try", # --dev-bind works too, but it will fail if hidraw14 doesn't exist. --dev-bind-try will keep going if it doesn't exist.
"/dev/hidraw14", # hidraw14 is the location of my yubikey.
"/dev/hidraw14",
]
It works right now (tested on the webauthn.io demo) but I can think of a couple of drawbacks and notes:
The udev rule I've tried:
SUBSYSTEM=="hidraw", ATTRS{idVendor}=="1050", SYMLINK+="hidraw_yubikey"
Note that I have not tested what happens when multiple yubikeys are inserted. Probably only the last one inserted will refer to the symlink.
Also, @bratekarate did you ever get it working too? I think you weren't quite far, but the hidraw must go as a --dev-bind, not a root path, the rest of /sys can go into the root paths.
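An added shell example (mine, not code from this issue or from the sandbox project): given the key's USB vendor id, it reads the HID_ID line of each /sys/class/hidraw/hidrawN/device/uevent to find the matching /dev/hidrawN node (the path hard-coded as hidraw14 in the config above) and prints the --dev-bind-try entries for raw_bwrap_args. The sysfs/uevent layout and the sample uevent contents are assumptions; vendor id 1050 is the one from the udev rule above.

```shell
#!/bin/sh
# Assumed layout: /sys/class/hidraw/hidrawN/device/uevent contains a line
# HID_ID=<bus>:<vendor>:<product> with zero-padded hex fields, e.g.
# HID_ID=0003:00001050:00000407 (bus 3 = USB, vendor 1050 = Yubico).

# Normalise hex so "0x1050", "1050" and "00001050" compare equal.
norm_hex() {
    printf '%s' "$1" | sed 's/^0[xX]//; s/^0*//' | tr 'A-F' 'a-f'
}

# Read a uevent file on stdin and print the vendor field of its HID_ID line.
uevent_vendor() {
    sed -n 's/^HID_ID=[0-9A-Fa-f]*:\([0-9A-Fa-f]*\):.*/\1/p' | head -n 1
}

# Print /dev/hidrawN for every node under $2 (default /sys/class/hidraw)
# whose vendor id matches $1.
hidraw_nodes_for_vendor() {
    want=$(norm_hex "$1")
    sysdir=${2:-/sys/class/hidraw}
    for d in "$sysdir"/hidraw*; do
        [ -r "$d/device/uevent" ] || continue
        got=$(norm_hex "$(uevent_vendor < "$d/device/uevent")")
        if [ -n "$got" ] && [ "$got" = "$want" ]; then
            printf '/dev/%s\n' "${d##*/}"
        fi
    done
}

# Turn the node list into raw_bwrap_args entries; --dev-bind-try keeps the
# sandbox starting when the key is not plugged in.
bwrap_args_for_vendor() {
    hidraw_nodes_for_vendor "$1" "$2" | while IFS= read -r node; do
        printf '"--dev-bind-try", "%s", "%s",\n' "$node" "$node"
    done
}

# Constructed sysfs stand-in (not real hardware) for offline use; prints its path.
make_sample_sysfs() {
    t=$(mktemp -d)
    mkdir -p "$t/hidraw3/device" "$t/hidraw5/device"
    printf 'HID_NAME=Yubico YubiKey OTP+FIDO+CCID\nHID_ID=0003:00001050:00000407\n' > "$t/hidraw3/device/uevent"
    printf 'HID_NAME=Logitech USB Receiver\nHID_ID=0003:0000046D:0000C52B\n' > "$t/hidraw5/device/uevent"
    printf '%s\n' "$t"
}
```

On a real system run bwrap_args_for_vendor 1050 and paste the output into the raw_bwrap_args list; bwrap_args_for_vendor 1050 "$(make_sample_sysfs)" exercises it against the constructed tree.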
Authentication with security key does not work in a Firefox profile.
I have no idea what file paths should be whitelisted. I tried hidraw devices:
But to no avail.
Hidraw devices is all I could find out so far through this Firejail Issue: https://github.com/netblue30/firejail/issues/1381
More recent Firejail issue regarding Webauthn (but no mention of hidraw): https://github.com/netblue30/firejail/issues/3796