当 Firefox 的默认 apparmor 配置文件设置为强制模式时,它会阻止对安全密钥的访问。禁用配置文件可恢复访问权限。
我尝试过但失败的规则:
/sys/devices/** r,
#include <abstractions/dbus>
dbus send bus=system path=/org/freedesktop/RealtimeKit1 interface=org.freedesktop.DBus.Properties member=Get peer=(name=org.freedesktop.RealtimeKit1)
有人可以帮我制定规则以允许 Firefox 访问安全密钥吗?
内核日志:
Sep 17 19:07:01 user-pc kernel: [21606.295620] usb 7-2: new full-speed USB device number 4 using uhci_hcd
Sep 17 19:07:01 user-pc kernel: [21606.487632] usb 7-2: New USB device found, idVendor=1050, idProduct=0120, bcdDevice= 4.33
Sep 17 19:07:01 user-pc kernel: [21606.487636] usb 7-2: New USB device strings: Mfr=1, Product=2, SerialNumber=0
Sep 17 19:07:01 user-pc kernel: [21606.487638] usb 7-2: Product: Security Key by Yubico
Sep 17 19:07:01 user-pc kernel: [21606.487639] usb 7-2: Manufacturer: Yubico
Sep 17 19:07:01 user-pc kernel: [21606.495139] hid-generic 0003:1050:0120.0005: hiddev0,hidraw2: USB HID v1.10 Device [Yubico Security Key by Yubico] on usb-0000:00:1d.1-2/input0
Sep 17 19:07:34 user-pc kernel: [21639.275573] audit: type=1400 audit(1568714854.720:331): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/lib/firefox/firefox{,*[^s][^h]}" pid=21659 comm="apparmor_parser"
Sep 17 19:07:34 user-pc kernel: [21639.275577] audit: type=1400 audit(1568714854.724:332): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/lib/firefox/firefox{,*[^s][^h]}//lsb_release" pid=21659 comm="apparmor_parser"
Sep 17 19:07:34 user-pc kernel: [21639.275580] audit: type=1400 audit(1568714854.724:333): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/lib/firefox/firefox{,*[^s][^h]}//sanitized_helper" pid=21659 comm="apparmor_parser"
Sep 17 19:07:41 user-pc kernel: [21645.812202] audit: type=1107 audit(1568714861.260:334): pid=1061 uid=103 auid=4294967295 ses=4294967295 msg='apparmor="DENIED" operation="dbus_method_call" bus="system" path="/org/freedesktop/RealtimeKit1" interface="org.freedesktop.DBus.Properties" member="Get" mask="send" name="org.freedesktop.RealtimeKit1" pid=21662 label="/usr/lib/firefox/firefox{,*[^s][^h]}" peer_pid=1858 peer_label="unconfined"
Sep 17 19:07:41 user-pc kernel: [21645.812202] exe="/usr/bin/dbus-daemon" sauid=103 hostname=? addr=? terminal=?'
Sep 17 19:07:42 user-pc kernel: [21646.966062] audit: type=1107 audit(1568714862.416:335): pid=1061 uid=103 auid=4294967295 ses=4294967295 msg='apparmor="DENIED" operation="dbus_method_call" bus="system" path="/org/freedesktop/RealtimeKit1" interface="org.freedesktop.DBus.Properties" member="Get" mask="send" name="org.freedesktop.RealtimeKit1" pid=21703 label="/usr/lib/firefox/firefox{,*[^s][^h]}" peer_pid=1858 peer_label="unconfined"
Sep 17 19:07:42 user-pc kernel: [21646.966062] exe="/usr/bin/dbus-daemon" sauid=103 hostname=? addr=? terminal=?'
答案1
我做了很多修改,让它能够工作。
关键点可能是从此行中删除拒绝:
deny /run/udev/data/** r,
还需要:
/sys/devices/pci*/** rw,
/dev/hidraw2 rw,
我还做了许多其他修改,试图解决这个问题,包括将配置文件从 usr.bin.firefox 切换到 usr.lib.firefox.firefox。我还没有将它们全部还原,所以如果结果发现是其他问题,请查看 -https://pastebin.ubuntu.com/p/Ypy2Q322cN/。当我们获得更多确认信息时,我计划从答案中删除 pastebin。