Bug 32830

Summary: Broken pcsc socket when using flatpak apps -> no access to USB smartcard reader from within a flatpak sandbox. FIX PROVIDED
Product: Mageia Reporter: Martin Spiegel <mnspiegel>
Component: RPM PackagesAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact:
Severity: normal    
Priority: Normal CC: marja11, nicolas.salguero, sysadmin-bugs
Version: 9Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: x86_64   
OS: Linux   
URL: https://ludovicrousseau.blogspot.com/2022/02/fedora-flatpak-and-pcsc-lite.html https://ludovicrousseau.blogspot.com/2022/02/accessing-smart-cards-from-inside.html
Whiteboard: MGA9-64-OK
Source RPM: pcsc-lite-1.9.9-1.mga9.src.rpm CVE:
Status comment:
Attachments: Modified spec file for pcsc-lite

Description Martin Spiegel 2024-02-10 18:57:05 CET 
Description of problem:
I have tried to setup the flatpak version of AusweisApp in Mageia 9. AusweisApp is an app which is used for authentication purposes with a German ID card. It needs access to a compatible USB smartcard reader. I use the "Reiner SCT cyberJack RFID basis" which is supported both by AusweisApp and Mageia (via pcsc daemon and ccid driver). However, every time I try to access the smartcard reader with the flatpak version of AusweisApp, it recognizes the smartcard reader but fails to load the driver. The smartcard reader itself works because  I can access it with the pcsc_scan tool. Furthermore, the whole setup works without problems in Manjaro Linux and Fedora 38 on the same computer. When I had a closer look at the spec file of pcsc-lite-1.9.9-1.mga9.src.rpm I realized that Mageia uses a patched version of pcsc. The patch increases the number of accessible smartcard readers from 16 to 48 but according to https://ludovicrousseau.blogspot.com/2022/02/fedora-flatpak-and-pcsc-lite.html it breaks accessibility of smartcard readers for flatpak apps (actually, Fedora dropped the patch in recent versions of their pcsc rpms). Therefore, I have rebuilt the Mageia pcsc packages without the patch and reinstalled them. Unfortunately, the smartcard reader still cannot be accessed by the flatpak app. It seems, that there is also something broken on the flatpak side, but here I am running out of ideas... To rule out that this is an AusweisApp-specific issue I did two additional things: First, I rebuilt the opensuse AusweisApp rpm for Mageia 9 and installed it. This version works without problems and accesses the smartcard reader as expected in Mageia 9. Second, I made a flatpak version of pcsc_scan following the instructions given at https://ludovicrousseau.blogspot.com/2022/02/accessing-smart-cards-from-inside.html. When I try to access the smartcard reader with the flatpak version of pcsc_scan it fails with the error message "SCardEstablishContext: Service not available" in Mageia 9. In Manjaro Linux the flatpak version of pcsc_scan accesses the smartcard reader without problems.             

Version-Release number of selected component (if applicable):
flatpak-1.14.4-1.mga9, pcsc-lite-1.9.9-1.mga9

How reproducible:
Every time I try to access a smartcard reader from within a flatpak sandbox


Steps to Reproduce:
1. Install AusweisApp from flathub
2. Try to establish a connection to a supported USB smartcard reader  
3. AusweisApp detects the smartcard reader but fails to load the driver
Martin Spiegel 2024-02-11 02:27:56 CET

Source RPM: flatpak-1.14.4-1.mga9.src.rpm, pcsc-lite-1.9.9-1.mga9.src.rpm => pcsc-lite-1.9.9-1.mga9.src.rpm

Comment 1 Martin Spiegel 2024-02-11 03:04:29 CET 
Created attachment 14366 [details]
Modified spec file for pcsc-lite
Comment 2 Martin Spiegel 2024-02-11 03:19:43 CET 
I think I have found a solution: I compared once again the Mageia pcsc-lite spec file with the Fedora version. The two main differences are: Mageia still uses the pcsc-lite-1.9.1-maxreaders.patch (see my previous comment) and the Mageia spec file contains an additional configure option in the build section: --enable-ipcdir=/run. I have rebuilt the Mageia psc-lite packages without the patch *and* without the additonal configure option and reinstalled them. Now, flatpak-apps can access my smartcard reader without problems!. Additionally, the modified packages do not break "direct" access of the smartcard reader (e.g. with pcsc_scan provided by Mageia).
Comment 3 Lewis Smith 2024-02-11 21:37:58 CET 
Thank you Martin for not just the original report, but your detailed and extensive research into it - comparing with other distros, rebuilding things, and apparently sorting the problem.

Please confirm that the modified spec file comment 1 incorporates the correction described in comment 2: I imagine so; packagers will check.

Become a packager? You are clearly adept:
 https://wiki.mageia.org/en/Becoming_a_Mageia_Packager

Assigning globally as the previous maintainer has retired.

Assignee: bugsquad => pkg-bugs
Status comment: (none) => FIX PROVIDED comments 1,2
Summary: Broken pcsc socket when using flatpak apps -> no access to USB smartcard reader from within a flatpak sandbox => Broken pcsc socket when using flatpak apps -> no access to USB smartcard reader from within a flatpak sandbox. FIX PROVIDED

Comment 4 Martin Spiegel 2024-02-12 09:22:59 CET 
Yes, the uploaded spec file contains the necessary changes. These are the following ones (line numbers refer to the original spec file):
l015: patch deleted
l104: autosetup -p1 chaged to setup -q
l109: option --enable-ipcdir=/run deleted
Comment 5 Nicolas Salguero 2024-02-14 11:26:09 CET 
Suggested advisory:
========================

The updated packages fix access to USB smartcard reader from within a flatpak sandbox.

References:
https://ludovicrousseau.blogspot.com/2022/02/fedora-flatpak-and-pcsc-lite.html
https://ludovicrousseau.blogspot.com/2022/02/accessing-smart-cards-from-inside.html
========================

Updated packages in core/updates_testing:
========================
lib(64)pcsclite1-1.9.9-1.1.mga9
lib(64)pcsclite-devel-1.9.9-1.1.mga9
lib(64)pcscspy0-1.9.9-1.1.mga9
pcsc-lite-1.9.9-1.1.mga9
pcsc-lite-doc-1.9.9-1.1.mga9
pcsc-spy-1.9.9-1.1.mga9

from SRPM:
pcsc-lite-1.9.9-1.1.mga9.src.rpm

Assignee: pkg-bugs => qa-bugs
Status: NEW => ASSIGNED
CC: (none) => nicolas.salguero
Status comment: FIX PROVIDED comments 1,2 => (none)

Comment 6 Martin Spiegel 2024-02-14 15:43:30 CET 
I have installed the upadated pcsc packages from core/updates_testing. They work for me :-)
Comment 7 Martin Spiegel 2024-02-14 15:44:39 CET 
I have installed the updated pcsc packages from core/updates_testing. They work for me :-)
Marja Van Waes 2024-02-14 16:41:57 CET

URL: (none) => https://ludovicrousseau.blogspot.com/2022/02/fedora-flatpak-and-pcsc-lite.html https://ludovicrousseau.blogspot.com/2022/02/accessing-smart-cards-from-inside.html
CC: (none) => marja11

Marja Van Waes 2024-02-14 16:44:12 CET

Keywords: (none) => advisory

katnatek 2024-02-15 03:28:21 CET

Whiteboard: (none) => MGA9-64-OK
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 8 Mageia Robot 2024-02-15 06:18:24 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGAA-2024-0055.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED