keepassxreboot / keepassxc-browser

KeePassXC Browser Extension
GNU General Public License v3.0

Non-Snap Firefox does not connect to Flatpak KeePassXC unless AppArmor is disabled #2176

Open unilock opened 2 months ago

unilock commented 2 months ago

Expected Behavior

The extension should be able to connect to KeePassXC without issue.

Current Behavior

"Key exchange was not successful." is shown instead.

Possible Solution

Disabling AppArmor completely works around the issue, but isn't ideal.

Steps to Reproduce (for bugs)

  1. Install KDE neon (it seems to have AppArmor set up for Firefox out of the box)
  2. Install KeePassXC as a Flatpak and set it up for Browser Integration with Firefox
  3. Install KeePassXC-Browser and try to use it; it fails to connect to KeePassXC
  4. Open a terminal and execute sudo aa-disable /etc/apparmor.d/usr.bin.firefox (may require the apparmor-utils package)
  5. Try using KeePassXC-Browser again; it works

Debug info

KeePassXC-Browser: Connecting to native messaging host org.keepassxc.keepassxc_browser client.js:383:13
[Error ] KeePassXC-Browser - Failed to connect: Unknown error global.js:132:13
[Error ] KeePassXC-Browser - 9: Key exchange was not successful. global.js:132:13
[Error keepass.js:256] KeePassXC-Browser - 5: Cannot connect to KeePassXC. Check that browser integration is enabled in KeePassXC settings. global.js:132:13

<apparmor is disabled>

KeePassXC-Browser: Connecting to native messaging host org.keepassxc.keepassxc_browser client.js:383:13
KeePassXC-Browser: Server public key: [redacted] keepass.js:426:17
[Error ] KeePassXC-Browser - 1: Database not opened

KeePassXC - 2.7.7 (Flatpak)
KeePassXC-Browser - 1.9.0.3
Operating system: Linux (KDE neon / Ubuntu)
Browser: Firefox (not the Snap version)

Additionally, I tried what was recommended in the troubleshooting guide for AppArmor (link), but it made no difference. Even changing /usr/bin/keepassxc-proxy ixr, to /var/lib/flatpak/exports/bin/org.keepassxc.KeePassXC ixr, didn't help.

varjolintu commented 2 months ago

Do the paths differ in the guide compared to your system?

unilock commented 2 months ago

> Do the paths differ in the guide compared to your system?

Which paths? I assume they don't, since the aa-disable command I mentioned leads to everything working fine with no other changes.

$HOME/.mozilla/native-messaging-hosts is correct.

/usr/bin/keepassxc-proxy does not exist, but I assume that's because I'm using the Flatpak version of KeePassXC. The file mentioned in the file KeePassXC generates in the native-messaging-hosts folder, /var/lib/flatpak/exports/bin/org.keepassxc.KeePassXC, does exist, but as I said, putting that in /etc/apparmor.d/usr.bin.firefox doesn't help.

adv4ncr commented 2 weeks ago

Same issue here. It seems we need to adapt the AppArmor rules from the troubleshooting guide.

unilock commented 2 weeks ago

I can now confirm that the AppArmor rules outlined in the troubleshooting guide work fine with the non-Flatpak version of KeePassXC.

adv4ncr commented 2 weeks ago

Ok, but how does this resolve the problem with the flatpak version of KeePassXC? After all, this is what the issue is all about :thinking:

varjolintu commented 2 weeks ago

I put this to a test and adding the following line to the config file worked like a charm for me: /var/lib/flatpak/app/org.keepassxc.KeePassXC/current/stable/active/files/bin/keepassxc-proxy ixr,

Can you confirm it works? Adding this to the guide. Thanks.

adv4ncr commented 2 weeks ago

Thanks for the quick response. For me (Ubuntu 22.04) the corresponding file location is /var/lib/flatpak/app/org.keepassxc.KeePassXC/current/active/files/bin/keepassxc-proxy (there is no stable folder). Adding this path to the AppArmor rules still does not work unfortunately. Can you tell me your other AppArmor rules?

varjolintu commented 2 weeks ago

> Thanks for the quick response. For me (Ubuntu 22.04) the corresponding file location is /var/lib/flatpak/app/org.keepassxc.KeePassXC/current/active/files/bin/keepassxc-proxy (there is no stable folder). Adding this path to the AppArmor rules still does not work unfortunately. Can you tell me your other AppArmor rules?

The other AppArmor rules are identical to the ones in the Troubleshooting Guide. Gotta re-verify this though.

EDIT: Ok, it still doesn't work. Enforcing the profile on while Firefox is active does not work properly. A restart was needed -> then it did not work (as expected).

droidmonkey commented 2 weeks ago

The flatpak uses a script to call the right binary, you may need to white-list the script as well

varjolintu commented 2 weeks ago

> The flatpak uses a script to call the right binary, you may need to white-list the script as well

That didn't help either. Added all these three and it still doesn't work:

/var/lib/flatpak/app/org.keepassxc.KeePassXC/current/active/files/bin/keepassxc-proxy ixr,
/var/lib/flatpak/app/org.keepassxc.KeePassXC/current/active/files/bin/keepassxc-wrapper ixr,
/var/lib/flatpak/exports/bin/org.keepassxc.KeePassXC ixr,

varjolintu commented 2 weeks ago

Tried some more steps, this time using absolute paths instead of the symlinks. Btw, tail -f /var/log/syslog is useful for debugging these because AppArmor reports denied rules in that log.

Added these to the rules because AppArmor complained even for /usr/bin/flatpak and the /metadata folder under KeePassXC etc.

/usr/bin/flatpak ixr,
/var/lib/flatpak/repo/config ixr,
/var/lib/flatpak/app/org.keepassxc.KeePassXC/aarch64/stable/<long id>/** ixr,

After this strace shows that Flatpak is trying to open KeePassXC from user's .local/share/flatpak/app/org.keepassxc.KeePassXC/aarch64/stable/active path, and after that looks for overrides from /var/lib/flatpak/overrides/org.keepassxc.KeePassXC (that path does not exist). And the connection still doesn't work.
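
Added example, not part of the thread or of the KeePassXC project: a small filter for the syslog denial lines mentioned above, which groups AppArmor DENIED events for one profile by path and denied mask so each missing rule shows up once. The log lines are constructed, and the profile name "firefox" is an assumption; use the name your own denial lines report.

```bash
#!/usr/bin/env bash
# Constructed sample of kernel audit lines as they appear in /var/log/syslog.
# Profile name "firefox", host name, pids and timestamps are made up.
sample_log() {
cat <<'EOF'
Jan 10 12:00:01 host kernel: audit: type=1400 audit(1704888001.100:201): apparmor="DENIED" operation="exec" profile="firefox" name="/usr/bin/flatpak" pid=4100 comm="firefox" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
Jan 10 12:00:01 host kernel: audit: type=1400 audit(1704888001.200:202): apparmor="DENIED" operation="open" profile="firefox" name="/var/lib/flatpak/repo/config" pid=4101 comm="flatpak" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jan 10 12:00:05 host kernel: audit: type=1400 audit(1704888005.300:203): apparmor="DENIED" operation="exec" profile="firefox" name="/usr/bin/flatpak" pid=4102 comm="firefox" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
Jan 10 12:00:06 host kernel: audit: type=1400 audit(1704888006.400:204): apparmor="DENIED" operation="exec" profile="firefox" name="/var/lib/flatpak/exports/bin/org.keepassxc.KeePassXC" pid=4103 comm="firefox" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
Jan 10 12:00:07 host kernel: audit: type=1400 audit(1704888007.500:205): apparmor="ALLOWED" operation="open" profile="firefox" name="/etc/hosts" pid=4104 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jan 10 12:00:08 host kernel: audit: type=1400 audit(1704888008.600:206): apparmor="DENIED" operation="open" profile="cupsd" name="/etc/shadow" pid=900 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
EOF
}

# aa_denials PROFILE
# Reads log lines on stdin and prints "<count> <denied_mask> <path>" for
# every distinct denial logged against PROFILE. ALLOWED (complain-mode)
# events and other profiles are ignored.
aa_denials() {
    local profile="$1"
    grep -F 'apparmor="DENIED"' \
      | grep -F "profile=\"${profile}\"" \
      | sed -n 's/.* name="\([^"]*\)".* denied_mask="\([^"]*\)".*/\2 \1/p' \
      | LC_ALL=C sort \
      | uniq -c \
      | sed 's/^ *//'
}

# Run with --demo to see the summary for the constructed sample.
if [ "${1:-}" = "--demo" ]; then
    sample_log | aa_denials firefox
fi
```

On a live system the same function reads the real log, for example `aa_denials firefox < /var/log/syslog`, after sourcing the file.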