U2F not working in Snap distribution #6782

Closed
kravietz opened this issue Nov 6, 2019 · 26 comments

kravietz commented Nov 6, 2019

Related issues, both closed now:

Description

U2F key is not seen by Brave and it eventually times out offering fallback to TOTP. Journalctl displays these logs, which implies the Snap is missing plugs allowing it to access the U2F device:

Steps to Reproduce

1. snap install --beta brave
2. Try to log in to a U2F-enabled website (Bitbucket in my case)

Actual result:

U2F key is not seen by Brave and it eventually times out offering fallback to TOTP. Journalctl displays these logs, which implies the Snap is missing plugs allowing it to access the U2F device:

Nov 06 14:26:17 pax kernel: usb 1-2: new full-speed USB device number 24 using xhci_hcd
Nov 06 14:26:17 pax kernel: usb 1-2: New USB device found, idVendor=1050, idProduct=0120, bcdDevice= 5.02
Nov 06 14:26:17 pax kernel: usb 1-2: New USB device strings: Mfr=1, Product=2, SerialNumber=0
Nov 06 14:26:17 pax kernel: usb 1-2: Product: Security Key by Yubico
Nov 06 14:26:17 pax kernel: usb 1-2: Manufacturer: Yubico
Nov 06 14:26:17 pax kernel: hid-generic 0003:1050:0120.0008: hiddev1,hidraw2: USB HID v1.10 Device [Yubico Security Key by Yubico] on usb-0000:00:14.0-2/input0
Nov 06 14:26:17 pax mtp-probe[5973]: checking bus 1, device 24: "/sys/devices/pci0000:00/0000:00:14.0/usb1/1-2"
Nov 06 14:26:17 pax mtp-probe[5973]: bus: 1, device: 24 was not an MTP device
Nov 06 14:26:17 pax audit[5028]: AVC apparmor="DENIED" operation="open" profile="snap.brave.brave" name="/sys/devices/pci0000:00/0000:00:14.0/usb1/1-2/busnum" pid=5028 comm="ThreadPoolForeg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Nov 06 14:26:17 pax audit[5028]: AVC apparmor="DENIED" operation="open" profile="snap.brave.brave" name="/sys/devices/pci0000:00/0000:00:14.0/usb1/1-2/devnum" pid=5028 comm="ThreadPoolForeg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Nov 06 14:26:17 pax audit[5028]: AVC apparmor="DENIED" operation="open" profile="snap.brave.brave" name="/sys/devices/pci0000:00/0000:00:14.0/usb1/1-2/1-2:1.0/0003:1050:0120.0008/report_descriptor" pid=5028 comm="ThreadPoolForeg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Nov 06 14:26:17 pax mtp-probe[5983]: checking bus 1, device 24: "/sys/devices/pci0000:00/0000:00:14.0/usb1/1-2"

Expected result:

U2F is detected by Brave

Reproduces how often:

Always

Brave version (brave://version info)


Brave | 0.69.135 Chromium: 77.0.3865.120 (Official Build) (64-bit)
-- | --
Revision | 416d6d8013e9adb6dd33b0c12e7614ff403d1a94-refs/branch-heads/3865@{#884}
OS | Linux
JavaScript | V8 7.7.299.13
Flash | (Disabled)
User Agent | Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Safari/537.36
Command Line | /snap/brave/61/opt/brave.com/brave/brave-browser --enable-dom-distiller --disable-domain-reliability --disable-chrome-google-url-tracking-client --no-pings --extension-content-verification=enforce_strict --extensions-install-verification=enforce --enable-features=NewExtensionUpdaterService,WebUIDarkMode,SimplifyHttpsIndicator --disable-features=AudioServiceOutOfProcess,AutofillServerCommunication,LookalikeUrlNavigationSuggestionsUI,UnifiedConsent --flag-switches-begin --flag-switches-end
Executable Path | /snap/brave/61/opt/brave.com/brave/brave-browser
Profile Path | /home/kravietz/snap/brave/61/.config/BraveSoftware/Brave-Browser/Default

Version/Channel Information:

$ snap list brave
Name   Version   Rev  Tracking  Publisher  Notes
brave  0.69.135  61   beta      brave      -

Other Additional Information:

  • Does the issue resolve itself when disabling Brave Shields? NO
  • Does the issue resolve itself when disabling Brave Rewards? NO

Miscellaneous Information:

Thread on Snapcraft forum https://forum.snapcraft.io/t/u2f-not-working-in-firefox-snap/14039

Author

kravietz commented Nov 6, 2019

It seems to be quite an easy fix - Brave snapcraft.yml needs to declare a plug for u2f-devices, which is intended specifically for this use case. See https://snapcraft.io/docs/u2f-devices-interface

Author

kravietz commented Nov 7, 2019

Then there are two options: either leave it with the u2f-devices plug requiring manual connection after installation (poor for user experience) or create a request in the Snap store for the plug to be auto-connected here: https://forum.snapcraft.io/t/process-for-aliases-auto-connections-and-tracks/455/11 With the latter I can help, as I've been through the process already on my snaps.

Collaborator

rebron commented Dec 20, 2019

cc: @mbacchi can you take a look at this one?

rebron added the priority/P3 label (The next thing for us to work on. It'll ride the trains.) Dec 20, 2019

Member

fmarier commented Dec 28, 2020

We added a couple of dependencies to the Snap package in brave/brave-browser-snap#14.

Is this still broken?


katian commented Jan 29, 2021

Hello, still not working with:

Interface                 Connecteur                      Prise                           Notes
audio-playback            brave:audio-playback            :audio-playback                 -
audio-record              brave:audio-record              -                               -
bluez                     brave:bluez                     :bluez                          manual
browser-support           brave:browser-sandbox           :browser-support                -
camera                    brave:camera                    -                               -
content[gtk-3-themes]     brave:gtk-3-themes              gtk-common-themes:gtk-3-themes  -
content[icon-themes]      brave:icon-themes               gtk-common-themes:icon-themes   -
content[sound-themes]     brave:sound-themes              gtk-common-themes:sound-themes  -
cups-control              brave:cups-control              -                               -
desktop                   brave:desktop                   :desktop                        -
desktop-legacy            brave:desktop-legacy            :desktop-legacy                 -
gsettings                 brave:gsettings                 :gsettings                      -
home                      brave:home                      :home                           -
joystick                  brave:joystick                  -                               -
mount-observe             brave:mount-observe             :mount-observe                  manual
mpris                     -                               brave:mpris                     -
network                   brave:network                   :network                        -
network-manager           brave:network-manager           -                               -
opengl                    brave:opengl                    :opengl                         -
password-manager-service  brave:password-manager-service  -                               -
pulseaudio                brave:pulseaudio                :pulseaudio                     -
raw-usb                   brave:raw-usb                   :raw-usb                        manual
removable-media           brave:removable-media           :removable-media                manual
screen-inhibit-control    brave:screen-inhibit-control    :screen-inhibit-control         -
u2f-devices               brave:u2f-devices               :u2f-devices                    manual
unity7                    brave:unity7                    :unity7                         -
upower-observe            brave:upower-observe            :upower-observe                 -
x11                       brave:x11                       :x11                            -
name:      brave
summary:   Brave Browser
publisher: Brave Software (brave)
store-url: https://snapcraft.io/brave
contact:   https://community.brave.com/
license:   unset
description: |
  https://brave.com/linux
commands:
  - brave
snap-id:      uE3hSmGE91m9MpbDEnUWi2vpeumH6gmv
tracking:     latest/stable
refresh-date: hier à 17h47, heure des Rocheuses
channels:
  latest/stable:    1.19.88 2021-01-28 (95) 168MB -
  latest/candidate: 1.19.88 2021-01-28 (95) 168MB -
  latest/beta:      1.19.88 2021-01-28 (95) 168MB -
  latest/edge:      1.19.88 2021-01-28 (95) 168MB -
installed:          1.19.88            (95) 168MB -

@kjozwiak
Member

CCing @jumde


parkan commented Feb 21, 2021

broken for me in Version 1.20.103 Chromium: 88.0.4324.152 (Official Build) (64-bit), u2f-devices manually connected

[45549.431256] audit: type=1400 audit(1613949356.379:640): apparmor="DENIED" operation="open" profile="snap.brave.brave" name="/run/udev/data/c510:8" pid=524776 comm="ThreadPoolForeg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[45549.431302] audit: type=1400 audit(1613949356.379:641): apparmor="DENIED" operation="open" profile="snap.brave.brave" name="/run/udev/data/c510:6" pid=524776 comm="ThreadPoolForeg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[45549.431354] audit: type=1400 audit(1613949356.379:642): apparmor="DENIED" operation="open" profile="snap.brave.brave" name="/run/udev/data/c510:4" pid=524776 comm="ThreadPoolForeg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[45549.431413] audit: type=1400 audit(1613949356.379:643): apparmor="DENIED" operation="open" profile="snap.brave.brave" name="/run/udev/data/c510:2" pid=524776 comm="ThreadPoolForeg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[45549.431469] audit: type=1400 audit(1613949356.379:644): apparmor="DENIED" operation="open" profile="snap.brave.brave" name="/run/udev/data/c510:0" pid=524776 comm="ThreadPoolForeg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[45549.431569] audit: type=1400 audit(1613949356.379:645): apparmor="DENIED" operation="open" profile="snap.brave.brave" name="/run/udev/data/c510:9" pid=524776 comm="ThreadPoolForeg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[45549.431652] audit: type=1400 audit(1613949356.379:646): apparmor="DENIED" operation="open" profile="snap.brave.brave" name="/run/udev/data/c510:7" pid=524776 comm="ThreadPoolForeg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[45549.431714] audit: type=1400 audit(1613949356.379:647): apparmor="DENIED" operation="open" profile="snap.brave.brave" name="/run/udev/data/c510:5" pid=524776 comm="ThreadPoolForeg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[45549.431770] audit: type=1400 audit(1613949356.379:648): apparmor="DENIED" operation="open" profile="snap.brave.brave" name="/run/udev/data/c510:3" pid=524776 comm="ThreadPoolForeg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[45549.431828] audit: type=1400 audit(1613949356.379:649): apparmor="DENIED" operation="open" profile="snap.brave.brave" name="/run/udev/data/c510:10" pid=524776 comm="ThreadPoolForeg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0


parkan commented Mar 10, 2021

this seems like it could be a higher priority given the crypto focus of the browser, can we possibly bounty this? it doesn't seem like it should be super hard, I am not familiar enough w snaps/apparmor to say for sure but someone with relevant experience probably could

Contributor

wknapik commented Mar 10, 2021

Hi @kravietz & @parkan!

I've requested the auto-connection of u2f-devices for the Brave package.

Until the request is granted, the fix is to run:

sudo snap connect brave:u2f-devices


parkan commented Mar 10, 2021

> Hi @kravietz & @parkan!
>
> I've requested the auto-connection of u2f-devices for the Brave package.
>
> Until the request is granted, the fix is to run:
>
> sudo snap connect brave:u2f-devices

see above, connecting u2f-devices has no effect, unfortunately

Contributor

wknapik commented Mar 10, 2021

@parkan can you upgrade to the latest snap package version? I tested this today on Arch. Right after installation AppArmor was indeed blocking access and after running snap connect brave:u2f-devices, I was able to use my yubikey to log into GitHub.

What does snap connections brave|grep -i u2f say?


parkan commented Mar 10, 2021

> @parkan can you upgrade to the latest snap package version? I tested this today on Arch. Right after installation AppArmor was indeed blocking access and after running snap connect brave:u2f-devices, I was able to use my yubikey to log into GitHub.
>
> What does snap connections brave|grep -i u2f say?

$ snap list
Name               Version                     Rev    Tracking         Publisher         Notes
brave              1.21.74                     101    latest/stable    brave             -

$ snap connections brave|grep -i u2f 
u2f-devices               brave:u2f-devices               :u2f-devices                    manual
[361704.238366] hid-generic 0003:2C97:4015.0036: hiddev5,hidraw10: USB HID v1.11 Device [Ledger Nano X] on usb-0000:06:00.3-1/input0
[361704.270017] hid-generic 0003:2C97:4015.0037: hiddev6,hidraw11: USB HID v1.11 Device [Ledger Nano X] on usb-0000:06:00.3-1/input1
[361704.283106] audit: type=1400 audit(1615411138.531:359319): apparmor="DENIED" operation="open" profile="snap.brave.brave" name="/sys/devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.3/usb3/3-1/busnum" pid=1895042 comm="ThreadPoolForeg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[361704.283136] audit: type=1400 audit(1615411138.531:359320): apparmor="DENIED" operation="open" profile="snap.brave.brave" name="/sys/devices/pci0000:00/0000:00:01.2/0000:02:00.0/0000:03:08.0/0000:06:00.3/usb3/3-1/devnum" pid=1895042 comm="ThreadPoolForeg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[361707.386167] audit: type=1400 audit(1615411141.636:359321): apparmor="DENIED" operation="open" profile="snap.brave.brave" name="/run/udev/data/c510:8" pid=1895042 comm="ThreadPoolForeg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[361707.386197] audit: type=1400 audit(1615411141.636:359322): apparmor="DENIED" operation="open" profile="snap.brave.brave" name="/run/udev/data/c510:6" pid=1895042 comm="ThreadPoolForeg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[361707.386245] audit: type=1400 audit(1615411141.636:359323): apparmor="DENIED" operation="open" profile="snap.brave.brave" name="/run/udev/data/c510:4" pid=1895042 comm="ThreadPoolForeg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[361707.386307] audit: type=1400 audit(1615411141.636:359324): apparmor="DENIED" operation="open" profile="snap.brave.brave" name="/run/udev/data/c510:11" pid=1895042 comm="ThreadPoolForeg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[361707.386361] audit: type=1400 audit(1615411141.636:359325): apparmor="DENIED" operation="open" profile="snap.brave.brave" name="/run/udev/data/c510:2" pid=1895042 comm="ThreadPoolForeg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[361707.386412] audit: type=1400 audit(1615411141.636:359326): apparmor="DENIED" operation="open" profile="snap.brave.brave" name="/run/udev/data/c510:0" pid=1895042 comm="ThreadPoolForeg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

I think my udev rules are in order, as well:

$ cat /etc/udev/rules.d/20-hw1.rules 
# HW.1 / Nano
SUBSYSTEMS=="usb", ATTRS{idVendor}=="2581", ATTRS{idProduct}=="1b7c|2b7c|3b7c|4b7c", TAG+="uaccess", TAG+="udev-acl"
# Blue
SUBSYSTEMS=="usb", ATTRS{idVendor}=="2c97", ATTRS{idProduct}=="0000|0000|0001|0002|0003|0004|0005|0006|0007|0008|0009|000a|000b|000c|000d|000e|000f|0010|0011|0012|0013|0014|0015|0016|0017|0018|0019|001a|001b|001c|001d|001e|001f", TAG+="uaccess", TAG+="udev-acl"
# Nano S
SUBSYSTEMS=="usb", ATTRS{idVendor}=="2c97", ATTRS{idProduct}=="0001|1000|1001|1002|1003|1004|1005|1006|1007|1008|1009|100a|100b|100c|100d|100e|100f|1010|1011|1012|1013|1014|1015|1016|1017|1018|1019|101a|101b|101c|101d|101e|101f", TAG+="uaccess", TAG+="udev-acl"
# Aramis
SUBSYSTEMS=="usb", ATTRS{idVendor}=="2c97", ATTRS{idProduct}=="0002|2000|2001|2002|2003|2004|2005|2006|2007|2008|2009|200a|200b|200c|200d|200e|200f|2010|2011|2012|2013|2014|2015|2016|2017|2018|2019|201a|201b|201c|201d|201e|201f", TAG+="uaccess", TAG+="udev-acl"
# HW2
SUBSYSTEMS=="usb", ATTRS{idVendor}=="2c97", ATTRS{idProduct}=="0003|3000|3001|3002|3003|3004|3005|3006|3007|3008|3009|300a|300b|300c|300d|300e|300f|3010|3011|3012|3013|3014|3015|3016|3017|3018|3019|301a|301b|301c|301d|301e|301f", TAG+="uaccess", TAG+="udev-acl"
# Nano X
SUBSYSTEMS=="usb", ATTRS{idVendor}=="2c97", ATTRS{idProduct}=="0004|4000|4001|4002|4003|4004|4005|4006|4007|4008|4009|400a|400b|400c|400d|400e|400f|4010|4011|4012|4013|4014|4015|4016|4017|4018|4019|401a|401b|401c|401d|401e|401f", TAG+="uaccess", TAG+="udev-acl",  OWNER="parkan"

KERNEL=="hidraw*", SUBSYSTEM=="hidraw", MODE="0660", GROUP="plugdev", ATTRS{idVendor}=="2c97"

KERNEL=="hidraw*", SUBSYSTEM=="hidraw", MODE="0660", GROUP="plugdev", ATTRS{idVendor}=="2581"

Contributor

wknapik commented Mar 11, 2021

@parkan on my system, the udev rules for each snap package are generated and written to /etc/udev/rules.d/70-snap.<package_name>.rules.

/etc/udev/rules.d/70-snap.brave.rules
# This file is automatically generated.
# opengl
KERNEL=="nvhost-*", TAG+="snap_brave_brave"
# opengl
KERNEL=="nvmap", TAG+="snap_brave_brave"
# opengl
KERNEL=="renderD[0-9]*", TAG+="snap_brave_brave"
# opengl
KERNEL=="tegra_dc_[0-9]*", TAG+="snap_brave_brave"
# opengl
KERNEL=="tegra_dc_ctrl", TAG+="snap_brave_brave"
# opengl
KERNEL=="vchiq", TAG+="snap_brave_brave"
# opengl
KERNEL=="vcsm-cma", TAG+="snap_brave_brave"
# opengl
SUBSYSTEM=="drm", KERNEL=="card[0-9]*", TAG+="snap_brave_brave"
# u2f-devices
# Bluink Key
SUBSYSTEM=="hidraw", KERNEL=="hidraw*", ATTRS{idVendor}=="2abe", ATTRS{idProduct}=="1002", TAG+="snap_brave_brave"
# u2f-devices
# Feitian ePass FIDO, BioPass FIDO2
SUBSYSTEM=="hidraw", KERNEL=="hidraw*", ATTRS{idVendor}=="096e", ATTRS{idProduct}=="0850|0852|0853|0854|0856|0858|085a|085b|085d", TAG+="snap_brave_brave"
# u2f-devices
# Google Titan U2F
SUBSYSTEM=="hidraw", KERNEL=="hidraw*", ATTRS{idVendor}=="18d1", ATTRS{idProduct}=="5026", TAG+="snap_brave_brave"
# u2f-devices
# Happlink (formerly Plug-Up) Security KEY
SUBSYSTEM=="hidraw", KERNEL=="hidraw*", ATTRS{idVendor}=="2581", ATTRS{idProduct}=="f1d0", TAG+="snap_brave_brave"
# u2f-devices
# HyperSecu HyperFIDO
SUBSYSTEM=="hidraw", KERNEL=="hidraw*", ATTRS{idVendor}=="096e|2ccf", ATTRS{idProduct}=="0880", TAG+="snap_brave_brave"
# u2f-devices
# JaCarta U2F
SUBSYSTEM=="hidraw", KERNEL=="hidraw*", ATTRS{idVendor}=="24dc", ATTRS{idProduct}=="0101", TAG+="snap_brave_brave"
# u2f-devices
# Ledger Blue + Nano S + Nano X
SUBSYSTEM=="hidraw", KERNEL=="hidraw*", ATTRS{idVendor}=="2c97", ATTRS{idProduct}=="0000|0001|0004|0005|0015|1005|1015|4005|4015", TAG+="snap_brave_brave"
# u2f-devices
# MIRKey
SUBSYSTEM=="hidraw", KERNEL=="hidraw*", ATTRS{idVendor}=="0483", ATTRS{idProduct}=="a2ac", TAG+="snap_brave_brave"
# u2f-devices
# Neowave Keydo and Keydo AES
SUBSYSTEM=="hidraw", KERNEL=="hidraw*", ATTRS{idVendor}=="1e0d", ATTRS{idProduct}=="f1d0|f1ae", TAG+="snap_brave_brave"
# u2f-devices
# Nitrokey FIDO U2F
SUBSYSTEM=="hidraw", KERNEL=="hidraw*", ATTRS{idVendor}=="20a0", ATTRS{idProduct}=="4287", TAG+="snap_brave_brave"
# u2f-devices
# OnlyKey
SUBSYSTEM=="hidraw", KERNEL=="hidraw*", ATTRS{idVendor}=="1d50", ATTRS{idProduct}=="60fc", TAG+="snap_brave_brave"
# u2f-devices
# SoloKeys
SUBSYSTEM=="hidraw", KERNEL=="hidraw*", ATTRS{idVendor}=="1209", ATTRS{idProduct}=="5070|50b0", TAG+="snap_brave_brave"
# u2f-devices
# Thetis Key
SUBSYSTEM=="hidraw", KERNEL=="hidraw*", ATTRS{idVendor}=="1ea8", ATTRS{idProduct}=="f025", TAG+="snap_brave_brave"
# u2f-devices
# Tomu board + chopstx U2F + SoloKeys
SUBSYSTEM=="hidraw", KERNEL=="hidraw*", ATTRS{idVendor}=="0483", ATTRS{idProduct}=="cdab|a2ca", TAG+="snap_brave_brave"
# u2f-devices
# U2F Zero
SUBSYSTEM=="hidraw", KERNEL=="hidraw*", ATTRS{idVendor}=="10c4", ATTRS{idProduct}=="8acf", TAG+="snap_brave_brave"
# u2f-devices
# VASCO SeccureClick
SUBSYSTEM=="hidraw", KERNEL=="hidraw*", ATTRS{idVendor}=="1a44", ATTRS{idProduct}=="00bb", TAG+="snap_brave_brave"
# u2f-devices
# Yubico YubiKey
SUBSYSTEM=="hidraw", KERNEL=="hidraw*", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0113|0114|0115|0116|0120|0121|0200|0402|0403|0406|0407|0410", TAG+="snap_brave_brave"
TAG=="snap_brave_brave", RUN+="/usr/lib/snapd/snap-device-helper $env{ACTION} snap_brave_brave $devpath $major:$minor"

The rule relevant to your device (Ledger Nano X) looks as follows:

# Ledger Blue + Nano S + Nano X
SUBSYSTEM=="hidraw", KERNEL=="hidraw*", ATTRS{idVendor}=="2c97", ATTRS{idProduct}=="0000|0001|0004|0005|0015|1005|1015|4005|4015", TAG+="snap_brave_brave"

That differs from what you shared. Notably the SUBSYSTEM is hidraw, rather than usb and a different tag is assigned.

There is also a rule to invoke the snap-device-helper based on the snap_brave_brave tag:

TAG=="snap_brave_brave", RUN+="/usr/lib/snapd/snap-device-helper $env{ACTION} snap_brave_brave $devpath $major:$minor"

Are udev rules not generated on your system? Those should be sufficient to make your device work, you should not have to write udev rules manually. If you don't see any files matching /etc/udev/rules.d/70-snap.*.rules, I would look into that first. Modifying the manually constructed rules might make this problem go away, but if the generated files are missing, that would be an indication of a bigger problem.
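An added example, not code from this thread or from snapd: a Python check of which udev tags a plugged-in HID device would receive from a set of rules, using the kernel hid-generic line to get the vendor and product ID. The rule lines and kernel lines are copied from the comments above; the function names are this example's own, and parent matching (SUBSYSTEMS, ATTRS) is simplified to a single USB parent, which is an assumption of the example.

```python
import fnmatch
import re

# Rule lines copied from this thread: two from the generated
# /etc/udev/rules.d/70-snap.brave.rules and the "Nano X" line from the
# hand-written 20-hw1.rules.
RULES = '''\
# u2f-devices
# Ledger Blue + Nano S + Nano X
SUBSYSTEM=="hidraw", KERNEL=="hidraw*", ATTRS{idVendor}=="2c97", ATTRS{idProduct}=="0000|0001|0004|0005|0015|1005|1015|4005|4015", TAG+="snap_brave_brave"
# u2f-devices
# Yubico YubiKey
SUBSYSTEM=="hidraw", KERNEL=="hidraw*", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0113|0114|0115|0116|0120|0121|0200|0402|0403|0406|0407|0410", TAG+="snap_brave_brave"
# Nano X
SUBSYSTEMS=="usb", ATTRS{idVendor}=="2c97", ATTRS{idProduct}=="0004|4000|4001|4002|4003|4004|4005|4006|4007|4008|4009|400a|400b|400c|400d|400e|400f|4010|4011|4012|4013|4014|4015|4016|4017|4018|4019|401a|401b|401c|401d|401e|401f", TAG+="uaccess", TAG+="udev-acl",  OWNER="parkan"
'''

# Kernel log lines copied from this thread.
NANO_X = "[361704.238366] hid-generic 0003:2C97:4015.0036: hiddev5,hidraw10: USB HID v1.11 Device [Ledger Nano X] on usb-0000:06:00.3-1/input0"
YUBIKEY = "Nov 06 14:26:17 pax kernel: hid-generic 0003:1050:0120.0008: hiddev1,hidraw2: USB HID v1.10 Device [Yubico Security Key by Yubico] on usb-0000:00:14.0-2/input0"

# KEY or KEY{attr}, an operator, and a quoted value
_TOKEN = re.compile(r'([A-Z_]+(?:\{[^}]*\})?)\s*(==|!=|\+=|-=|:=|=)\s*"([^"]*)"')
# bus:vendor:product.instance followed by the hidraw node name
_HID = re.compile(
    r'[0-9A-Fa-f]{4}:([0-9A-Fa-f]{4}):([0-9A-Fa-f]{4})\.[0-9A-Fa-f]{4}: .*?\b(hidraw\d+)'
)


def device_from_kernel_line(line):
    """Build the match keys for a hidraw node from a hid-generic log line."""
    m = _HID.search(line)
    if m is None:
        return None
    return {
        "SUBSYSTEM": "hidraw",
        "KERNEL": m.group(3),
        # Assumption of this example: one USB parent carries these values.
        "SUBSYSTEMS": "usb",
        "ATTRS{idVendor}": m.group(1).lower(),
        "ATTRS{idProduct}": m.group(2).lower(),
    }


def _value_matches(pattern, value):
    # udev match values are shell-style globs; "|" separates alternatives.
    return any(fnmatch.fnmatchcase(value, alt) for alt in pattern.split("|"))


def tags_for(device, rules_text):
    """Return [(tag, preceding comment)] for each rule whose == matches all hold."""
    hits, label = [], ""
    for raw in rules_text.splitlines():
        line = raw.strip()
        if line.startswith("#"):
            label = line.lstrip("# ")
            continue
        tokens = _TOKEN.findall(line)
        if not tokens or any(op == "!=" for _, op, _ in tokens):
            continue  # blank line, or a negated match this example does not model
        conds = [(k, v) for k, op, v in tokens if op == "=="]
        if all(k in device and _value_matches(v, device[k]) for k, v in conds):
            hits += [(v, label) for k, op, v in tokens if k == "TAG" and op == "+="]
    return hits


def covered(device, rules_text, tag="snap_brave_brave"):
    """True when some rule assigns the snap's tag to this device."""
    return any(t == tag for t, _ in tags_for(device, rules_text))


if __name__ == "__main__":
    for name, line in (("Ledger Nano X", NANO_X), ("Yubico key", YUBIKEY)):
        dev = device_from_kernel_line(line)
        print(name, dev["ATTRS{idVendor}"] + ":" + dev["ATTRS{idProduct}"],
              tags_for(dev, RULES), "snap-tagged:", covered(dev, RULES))
```

For the Nano X line the generated rule assigns snap_brave_brave while the hand-written rule only adds uaccess and udev-acl, which is the difference described in the comment above.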

wknapik self-assigned this Mar 11, 2021

parkan commented Mar 11, 2021

I got those rules from the ledger FAQ, in the snap specific file I have:

# This file is automatically generated.
# opengl
KERNEL=="nvhost-*", TAG+="snap_brave_brave"
# opengl
KERNEL=="nvmap", TAG+="snap_brave_brave"
# opengl
KERNEL=="renderD[0-9]*", TAG+="snap_brave_brave"
# opengl
KERNEL=="tegra_dc_[0-9]*", TAG+="snap_brave_brave"
# opengl
KERNEL=="tegra_dc_ctrl", TAG+="snap_brave_brave"
# opengl
KERNEL=="vchiq", TAG+="snap_brave_brave"
# opengl
KERNEL=="vcsm-cma", TAG+="snap_brave_brave"
# opengl
SUBSYSTEM=="drm", KERNEL=="card[0-9]*", TAG+="snap_brave_brave"
# u2f-devices
# Bluink Key
SUBSYSTEM=="hidraw", KERNEL=="hidraw*", ATTRS{idVendor}=="2abe", ATTRS{idProduct}=="1002", TAG+="snap_brave_brave"
# u2f-devices
# Feitian ePass FIDO, BioPass FIDO2
SUBSYSTEM=="hidraw", KERNEL=="hidraw*", ATTRS{idVendor}=="096e", ATTRS{idProduct}=="0850|0852|0853|0854|0856|0858|085a|085b|085d", TAG+="snap_brave_brave"
# u2f-devices
# Google Titan U2F
SUBSYSTEM=="hidraw", KERNEL=="hidraw*", ATTRS{idVendor}=="18d1", ATTRS{idProduct}=="5026", TAG+="snap_brave_brave"
# u2f-devices
# Happlink (formerly Plug-Up) Security KEY
SUBSYSTEM=="hidraw", KERNEL=="hidraw*", ATTRS{idVendor}=="2581", ATTRS{idProduct}=="f1d0", TAG+="snap_brave_brave"
# u2f-devices
# HyperSecu HyperFIDO
SUBSYSTEM=="hidraw", KERNEL=="hidraw*", ATTRS{idVendor}=="096e|2ccf", ATTRS{idProduct}=="0880", TAG+="snap_brave_brave"
# u2f-devices
# JaCarta U2F
SUBSYSTEM=="hidraw", KERNEL=="hidraw*", ATTRS{idVendor}=="24dc", ATTRS{idProduct}=="0101", TAG+="snap_brave_brave"
# u2f-devices
# Ledger Blue + Nano S + Nano X
SUBSYSTEM=="hidraw", KERNEL=="hidraw*", ATTRS{idVendor}=="2c97", ATTRS{idProduct}=="0000|0001|0004|0005|0015|1005|1015|4005|4015", TAG+="snap_brave_brave"
# u2f-devices
# MIRKey
SUBSYSTEM=="hidraw", KERNEL=="hidraw*", ATTRS{idVendor}=="0483", ATTRS{idProduct}=="a2ac", TAG+="snap_brave_brave"
# u2f-devices
# Neowave Keydo and Keydo AES
SUBSYSTEM=="hidraw", KERNEL=="hidraw*", ATTRS{idVendor}=="1e0d", ATTRS{idProduct}=="f1d0|f1ae", TAG+="snap_brave_brave"
# u2f-devices
# Nitrokey FIDO U2F
SUBSYSTEM=="hidraw", KERNEL=="hidraw*", ATTRS{idVendor}=="20a0", ATTRS{idProduct}=="4287", TAG+="snap_brave_brave"
# u2f-devices
# OnlyKey
SUBSYSTEM=="hidraw", KERNEL=="hidraw*", ATTRS{idVendor}=="1d50", ATTRS{idProduct}=="60fc", TAG+="snap_brave_brave"
# u2f-devices
# SoloKeys
SUBSYSTEM=="hidraw", KERNEL=="hidraw*", ATTRS{idVendor}=="1209", ATTRS{idProduct}=="5070|50b0", TAG+="snap_brave_brave"
# u2f-devices
# Thetis Key
SUBSYSTEM=="hidraw", KERNEL=="hidraw*", ATTRS{idVendor}=="1ea8", ATTRS{idProduct}=="f025", TAG+="snap_brave_brave"
# u2f-devices
# Tomu board + chopstx U2F + SoloKeys
SUBSYSTEM=="hidraw", KERNEL=="hidraw*", ATTRS{idVendor}=="0483", ATTRS{idProduct}=="cdab|a2ca", TAG+="snap_brave_brave"
# u2f-devices
# U2F Zero
SUBSYSTEM=="hidraw", KERNEL=="hidraw*", ATTRS{idVendor}=="10c4", ATTRS{idProduct}=="8acf", TAG+="snap_brave_brave"
# u2f-devices
# VASCO SeccureClick
SUBSYSTEM=="hidraw", KERNEL=="hidraw*", ATTRS{idVendor}=="1a44", ATTRS{idProduct}=="00bb", TAG+="snap_brave_brave"
# u2f-devices
# Yubico YubiKey
SUBSYSTEM=="hidraw", KERNEL=="hidraw*", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0113|0114|0115|0116|0120|0121|0200|0402|0403|0406|0407|0410", TAG+="snap_brave_brave"
TAG=="snap_brave_brave", RUN+="/usr/lib/snapd/snap-device-helper $env{ACTION} snap_brave_brave $devpath $major:$minor"

Contributor

wknapik commented Mar 12, 2021

@parkan alright, let's try a few things:

  1. Let's drop the custom udev rules for now, they should not be required, but might get in the way.
  2. Does your u2f device work with the Chromium and Firefox snaps? If you haven't tried, let's give that a go.
  3. After starting the Brave snap, unplug the u2f device and plug it again before use.

Regarding the last point - I noticed my yubikey only works if I plug it in after the Brave snap is started. This is also the behavior of the Chromium snap, but not the Firefox snap. That's something to look into, but for now, let's just get this working for you and we can make further improvements later.

Also, what OS are you on (cat /etc/os-release)?


parkan commented Mar 13, 2021

> @parkan alright, let's try a few things:
>
>   1. Let's drop the custom udev rules for now, they should not be required, but might get in the way.

👍

>   2. Does your u2f device work with the Chromium and Firefox snaps? If you haven't tried, let's give that a go.

it does not work with FF snap (u2f-devices connected)

[411832.447804] audit: type=1400 audit(1615655934.423:366292): apparmor="DENIED" operation="open" profile="snap.firefox.firefox" name="/run/udev/data/c510:3" pid=3604988 comm=4950444C204261636B67726F756E64 requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

it does work with ledger live AppImage

>   3. After starting the Brave snap, unplug the u2f device and plug it again before use.

see the hid-generic lines in the log above, this is how I am trying it

> Also, what OS are you on (cat /etc/os-release)?

NAME="Ubuntu"
VERSION="20.10 (Groovy Gorilla)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 20.10"
VERSION_ID="20.10"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=groovy
UBUNTU_CODENAME=groovy
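An added example, not code from this thread or from the Brave or snapd projects: a Python triage script for the AppArmor denials posted in the comments above. It groups DENIED records by snap and by the kind of path refused (sysfs USB attributes versus udev database entries under /run/udev/data) and decodes a hex-encoded comm field like the one in the Firefox line; the sample lines are copied from this thread, and the function names and class labels are this example's own.

```python
import re
import sys
from collections import defaultdict

# Log lines copied from the comments in this thread: journalctl format,
# dmesg format, and one record whose comm field is hex-encoded.
SAMPLE = '''\
Nov 06 14:26:17 pax audit[5028]: AVC apparmor="DENIED" operation="open" profile="snap.brave.brave" name="/sys/devices/pci0000:00/0000:00:14.0/usb1/1-2/busnum" pid=5028 comm="ThreadPoolForeg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Nov 06 14:26:17 pax mtp-probe[5973]: bus: 1, device: 24 was not an MTP device
[45549.431256] audit: type=1400 audit(1613949356.379:640): apparmor="DENIED" operation="open" profile="snap.brave.brave" name="/run/udev/data/c510:8" pid=524776 comm="ThreadPoolForeg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[45549.431302] audit: type=1400 audit(1613949356.379:641): apparmor="DENIED" operation="open" profile="snap.brave.brave" name="/run/udev/data/c510:6" pid=524776 comm="ThreadPoolForeg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[411832.447804] audit: type=1400 audit(1615655934.423:366292): apparmor="DENIED" operation="open" profile="snap.firefox.firefox" name="/run/udev/data/c510:3" pid=3604988 comm=4950444C204261636B67726F756E64 requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
'''

# key="quoted value" or key=bare-token
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# udev database entry for a block or character device: b<major>:<minor> / c<major>:<minor>
_UDEV_DB = re.compile(r"^/run/udev/data/([bc])(\d+):(\d+)$")
_SYSFS_USB = re.compile(r"^/sys/devices/.*/usb\d+/")


def _unhex(value):
    # audit writes a string field unquoted, as hex, when it contains spaces
    # or control characters; fall back to the raw token if it is not hex.
    try:
        return bytes.fromhex(value).decode("utf-8", "replace")
    except ValueError:
        return value


def parse_denial(line):
    """Return the fields of one AppArmor DENIED record, or None for other lines."""
    fields = {}
    for m in _KV.finditer(line):
        key, quoted, bare = m.group(1), m.group(2), m.group(3)
        if quoted is not None:
            fields[key] = quoted
        elif key in ("comm", "name", "profile"):
            fields[key] = _unhex(bare)
        else:
            fields[key] = bare
    return fields if fields.get("apparmor") == "DENIED" else None


def classify(path):
    """Map a denied path to (class label, short detail)."""
    m = _UDEV_DB.match(path)
    if m:
        kind = "char" if m.group(1) == "c" else "block"
        return "udev-db", f"{kind} device {m.group(2)}:{m.group(3)}"
    if _SYSFS_USB.match(path):
        return "sysfs-usb", path.rsplit("/", 1)[1]
    return "other", path


def summarise(lines):
    """Group denials by (snap name, path class)."""
    out = defaultdict(lambda: {"count": 0, "details": set(), "comms": set()})
    for line in lines:
        rec = parse_denial(line)
        if rec is None:
            continue
        profile = rec.get("profile", "?")
        parts = profile.split(".")
        # Snap profiles are named snap.<snap>.<app>; anything else is kept whole.
        snap = parts[1] if len(parts) >= 3 and parts[0] == "snap" else profile
        cls, detail = classify(rec.get("name", ""))
        entry = out[(snap, cls)]
        entry["count"] += 1
        entry["details"].add(detail)
        entry["comms"].add(rec.get("comm", "?"))
    return dict(out)


if __name__ == "__main__":
    # Optional argument: a file of saved journalctl or dmesg output.
    src = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE.splitlines()
    for (snap, cls), e in sorted(summarise(src).items()):
        print(f"{snap:10} {cls:10} x{e['count']}  {sorted(e['details'])}  comm={sorted(e['comms'])}")
```

Denials that remain in the udev-db class after the u2f-devices plug is connected match what is reported in this thread for the Ledger device under both the Brave and Firefox snaps.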

Contributor

wknapik commented Mar 15, 2021

@parkan can you try these steps https://support.ledger.com/hc/en-us/articles/115005165269-Fix-connection-issues, followed by sudo snap connect brave:raw-usb? Then (re)start the snap and (re)plug in the device?

Also, can you try a different u2f device with the Brave/Chromium/Firefox snaps? Like a Yubikey?


parkan commented Mar 16, 2021

> @parkan can you try these steps https://support.ledger.com/hc/en-us/articles/115005165269-Fix-connection-issues, followed by sudo snap connect brave:raw-usb? Then (re)start the snap and (re)plug in the device?
>
> Also, can you try a different u2f device with the Brave/Chromium/Firefox snaps? Like a Yubikey?

tried those steps before coming here, that's where the other rules are from 🙂

will try raw usb as well as a yubikey


parkan commented Mar 16, 2021

also fwiw I did a ppa install and that works fine, so I may just switch to that browser (a bit tricky b/c sync doesn't seem to do anything and I have a lot of state in this browser) but happy to keep debugging if it's helpful for you

Contributor

wknapik commented Mar 18, 2021

Hey @parkan. Have you had the chance to try raw-usb and the Yubikey?


parkan commented Mar 19, 2021

> Hey @parkan. Have you had the chance to try raw-usb and the Yubikey?

raw-usb didn't help, yubikey still not on hand (in my storage unit)

at this point I basically believe that snaps, unless very specifically and heavily maintained, are not usable for complex consumer apps (dpi scaling, sync, printing are all broken, startup takes 20x native app, snapd eats a ton of resources and slows down boot, apps claim 30GiB vmem, app crashes randomly, extensions get corrupted, etc etc)

thank you for patiently debugging this with me! however, I think the immediate solution is to only recommend ppa installs (or remove the snap altogether)

in ppa install everything works fine


parkan commented Mar 19, 2021

that being said, as apparmor becomes more common (and as Wayland matures) it's something that will need to get ironed out -- I sorta feel like the bulk of work is on chromium

Contributor

wknapik commented Mar 19, 2021

@parkan since the Ledger device doesn't work with the Firefox snap either, there isn't much that we can do. We rely on the u2f-devices plug to make these devices work.

But I would definitely encourage you to report this to Ledger (site, github, reddit) and the Snap store (forum).

As for the original problem this issue was covering - we were granted auto-connection for the u2f-devices plug, so starting with the next Brave snap update, users will no longer have to manually run sudo snap connect brave:u2f-devices to use their u2f device. I'll keep this issue open until this is confirmed to work.


parkan commented Mar 23, 2021

@wknapik agreed!

Contributor

wknapik commented Mar 23, 2021

After the new snap package release a few minutes ago, the u2f-devices plug is autoconnected, as expected.

This change will kick in automatically on all systems, as snap refresh is run automatically (this happens multiple times a day by default, can be forced manually by calling sudo snap refresh, or just sudo snap refresh brave).

This confirms that it's no longer necessary to run sudo snap connect brave:u2f-devices to make u2f devices work with the Brave snap.

However, the device needs to be (re)connected after the Brave snap is started. This also affects the Chromium snap, but not the Firefox snap. Will track this in this issue.

Contributor

wknapik commented Mar 29, 2021

Created #15003 for the remaining issue of having to (re)connect the u2f device after the snap starts. Closing.
