Open unilock opened 2 months ago
Do the paths differ in the guide compared to your system?
Do the paths differ in the guide compared to your system?
Which paths? I assume they don't, since the aa-disable
command I mentioned leads to everything working fine with no other changes.
$HOME/.mozilla/native-messaging-hosts
is correct.
/usr/bin/keepassxc-proxy
does not exist, but I assume that's because I'm using the Flatpak version of KeePassXC. The file mentioned in the file KeePassXC generates in the native-messaging-hosts
folder, /var/lib/flatpak/exports/bin/org.keepassxc.KeePassXC
, does exist, but as I said, putting that in /etc/apparmor.d/usr.bin.firefox
doesn't help.
Same issue here. It seems we need to adapt the AppArmor
rules from the troubleshooting guide.
I can now confirm that the AppArmor rules outlined in the troubleshooting guide work fine with the non-FlatPak version of KeePassXC.
Ok, but how does this resolve the problem with the flatpak version of KeePassXC? After all, this is what the issue is all about :thinking:
I put this to a test and adding the following line to the config file worked like a charm for me:
/var/lib/flatpak/app/org.keepassxc.KeePassXC/current/stable/active/files/bin/keepassxc-proxy ixr,
Can you confirm it works? Adding this to the guide. Thanks.
Thanks for the quick response. For me (Ubuntu 22.04) the corresponding file location is /var/lib/flatpak/app/org.keepassxc.KeePassXC/current/active/files/bin/keepassxc-proxy
(there is no stable
folder). Adding this path to the AppArmor rules still does not work unfortunately.
Can you tell me your other AppArmor rules?
Thanks for the quick response. For me (Ubuntu 22.04) the corresponding file location is
/var/lib/flatpak/app/org.keepassxc.KeePassXC/current/active/files/bin/keepassxc-proxy
(there is nostable
folder). Adding this path to the AppArmor rules still does not work unfortunately. Can you tell me your other AppArmor rules?
The other AppArmor rules are identical to the ones in the Troubleshooting Guide. Gotta re-verify this though.
EDIT: Ok, it still doesn't work. Enforcing the profile on while Firefox is active does not work properly. A restart was needed -> then it did not work (as expected).
The flatpak uses a script to call the right binary, you may need to white-list the script as well
The flatpak uses a script to call the right binary, you may need to white-list the script as well
That didn't help either. Added all these three and it still doesn't work:
/var/lib/flatpak/app/org.keepassxc.KeePassXC/current/active/files/bin/keepassxc-proxy ixr,
/var/lib/flatpak/app/org.keepassxc.KeePassXC/current/active/files/bin/keepassxc-wrapper ixr,
/var/lib/flatpak/exports/bin/org.keepassxc.KeePassXC ixr,
Tried some more steps, this time using absolute paths instead of the symlinks. Btw, tail -f /var/log/syslog
is useful for debugging these because AppArmor reports denied rules in that log.
Added these to the rules because AppArmor complained even for /usr/bin/flapak
and the /metadata
folder under KeePassXC etc.
/usr/bin/flatpak ixr,
/var/lib/flatpak/repo/config ixr,
/var/lib/flatpak/app/org.keepassxc.KeePassXC/aarch64/stable/<long id>/** ixr,
After this strace
shows that Flatpak is trying to open KeePassXC from user's .local/share/flatpak/app/org.keepassxc.KeePassXC/aarch64/stable/active
path, and after that looks for overrides from /var/lib/flatpak/overrides/org.keepassxc.KeePassXC
(that path does not exist). And the connection still doesn't work.
Expected Behavior
The extension should be able to connect to KeePassXC without issue.
Current Behavior
"Key exchange was not successful." is shown instead.
Possible Solution
Disabling AppArmor completely works around the issue, but isn't ideal.
Steps to Reproduce (for bugs)
sudo aa-disable /etc/apparmor.d/usr.bin.firefox
(may require theapparmor-utils
package)Debug info
KeePassXC - 2.7.7 (Flatpak) KeePassXC-Browser - 1.9.0.3 Operating system: Linux (KDE neon / Ubuntu) Browser: Firefox (not the Snap version)
Additionally, I tried what was recommended in the troubleshooting guide for AppArmor (link), but it made no difference. Even changing
/usr/bin/keepassxc-proxy ixr,
to/var/lib/flatpak/exports/bin/org.keepassxc.KeePassXC ixr,
didn't help.