search

keepassxreboot / keepassxc

KeePassXC is a cross-platform community-driven port of the Windows application “Keepass Password Safe”.
https://keepassxc.org/
Other
20.07k stars 1.42k forks source link

KeePassXC-Browser fails in Firejailed Firefox: Can't mount AppImage #11021

Closed tomm87 closed 5 days ago

tomm87 commented 5 days ago

Overview

Firefox with KeePassXC-Browser, running in a Firejail sandbox, works fine with distro-packaged KeePassXC, but fails with upstream AppImage -- "can't mount AppImage". I prefer the AppImage due to the great recent features.

This might be the same problem as #6230, but that issue is old, closed, and contains no solution.

Steps to Reproduce

  1. Setup:
    • Debian 12.6
    • Firefox 115.12.0esr (from Debian repository)
    • KeePassXC-Browser 1.9.0.5 (from addons.mozilla.org)
    • Firejail 0.9.72 (from Debian repo)
    • KeePassXC 2.7.4 (from Debian repo) -- works as expected
    • KeePassXC 2.7.9 (AppImage from upstream) -- has the problem I'm reporting in this issue
    • Contents of Firejail's firefox-esr.local -- the only modifications to the default Firefox profile: 
      x11 xorg
noblacklist ${RUNUSER}/app
whitelist ${RUNUSER}/app/org.keepassxc.KeePassXC
  2. Launch distro-supplied KeePassXC 2.7.4, and unlock database.
  3. In KeePassXC, enable web integration for Firefox. Check that native messaging JSON file looks correct.
  4. Launch sandboxed Firefox, go to addons.mozilla.org and install KeePassXC-Browser, and establish connection to KeePassXC.
  5. Extension is ready to use as expected.
  6. Close Firefox and KeePassXC.
  7. Launch upstream KeePassXC 2.7.9 AppImage, and unlock database -- notice that it immediately re-writes the native messaging JSON file, changing the path from the keepassxc-proxy binary to the AppImage file. Leave this change as-is.
  8. Launch sandboxed Firefox, and try to use web extension -- won't connect, "key exchange was unsuccessful", "can't mount AppImage". I think that last message is the heart of the problem.
  9. At this point closing the KeePassXC AppImage and launching the distro-supplied version (and restarting Firefox) would make it work again. Instead, here's a more interesting experiment:
  10. Close Firefox; do not close KeePassXC (so the native messaging JSON will not get rewritten).
  11. Edit the path in the native messaging JSON file to point to the distro-installed keepassxc-proxy instead of the AppImage.
  12. Launch sandboxed Firefox -- the extension is working. But this is not a very satisfactory solution because (1) it will break upon re-launching the KeePassXC AppImage and consequent re-writing of the JSON, (2) the versions of KeePassXC and keepassxc-proxy are mismatched, and (3) it requires keeping the distro-supplied version installed.

Expected Behavior

My hope is that the web extension would be working at step 8 above, with the AppImage version of KeePassXC.

Actual Behavior

The web extension works only with the distro-supplied KeePassXC, not with the AppImage.

Context

It seems that when Firejailed, Firefox has a problem mounting the KeePassXC AppImage, as is needed to use KeePassXC-Browser. Removing either Firejail or the AppImage from the situation allows it to work.

Help -> About -> Debug Info:

KeePassXC - Version 2.7.9
Revision: 8f6dd13
Distribution: AppImage

Qt 5.15.2
Debugging mode is disabled.

Operating system: Debian GNU/Linux 12 (bookworm)
CPU architecture: x86_64
Kernel: linux 6.1.0-22-amd64

Enabled extensions:
- Auto-Type
- Browser Integration
- Passkeys
- SSH Agent
- KeeShare
- YubiKey
- Secret Service Integration

Cryptographic libraries:
- Botan 2.19.1

Operating System: Linux Desktop Env: XFCE Windowing System: X11

Thanks for KeePassXC, and for any help with this problem!

droidmonkey commented 5 days ago

We have a robust troubleshooting guide that you should run through: https://github.com/keepassxreboot/keepassxc-browser/wiki/Troubleshooting-guide#3-check-if-keepassxc-proxy-is-launched-and-running

You'll need to figure out what rules are necessary for your specific location of the appimage.

tomm87 commented 5 days ago

Right, I did spend considerable time studying that document, which is why I knew to watch the path in the JSON file, but it doesn't address this problem. There have been numerous issues reported relating to the socket location and ensuring that it's accessible in a sandbox, but that's not my problem.

My problem is that keepassxc-proxy is not running when I use the AppImage, and the underlying reason for that is because sandboxed Firefox can't mount the AppImage. The troubleshooting doc doesn't address this. I'm not trying to do anything very exotic, and I can't be the only person with this problem -- #6230 appears to be the same unresolved problem from 3 years ago.

Can I ask you to take a closer look?

tomm87 commented 5 days ago

I'm also continuing to look at this as I get occasional ideas. I've determined that most of my /dev directory is missing due to a Firejail private-dev directive; disabling that has allowed /dev/fuse to appear, which gets me a step closer to being able to use the AppImage.

This is now looking more squarely like a matter of tweaking the Firejail profile, so I withdraw my request for a closer look. If I find a full solution I'll post it here.

tomm87 commented 5 days ago

Fixing this properly is looking like it's going to take a deeper dive into Firejail profiles than I want to do for now, so instead I came up with workaround -- it's crufty but satisfactory for my purposes:

I extracted the KeePassXC AppImage with --appimage-extract and found the keepassxc-proxy binary, and copied this to /usr/local/bin. Upon running it, it said it was missing libbotan, so I installed that, and fortunately that was the only missing dependency for it.

Then I created a wrapper script to launch the KeePassXC AppImage. First it launches it and puts it in the background with an ampersand. Then it sleeps for a few seconds to ensure KeePassXC had time to write the native messaging JSON file, and finally it rewrites that JSON file with a path pointing to /usr/local/bin/keepassxc-proxy.

Then when I manually launch a sandboxed Firefox, it reads the correct path to a working keepassxc-proxy, and does not need to mount the AppImage.

Although ugly, this solution is at least convenient to use, has KeePassXC and keepassxc-proxy with matching versions, and did not require turning off Firejail security features. KeePassXC upgrades will take a little manual work.