netblue30 / firejail

Linux namespaces and seccomp-bpf sandbox
https://firejail.wordpress.com
GNU General Public License v2.0

firefox: cannot communicate with keepassxc #5447

Closed neuroretransmit closed 1 month ago

neuroretransmit commented 2 years ago

Description

KeePassXC-Browser fails to communicate with KeePassXC (2.7.1-1, 2.7.4-1) using Firefox 106.0.3-1. Firefox 106.0.2-1 was working just fine.

Versions of KeePassXC tested : 2.7.1-1, 2.7.4-1

Steps to Reproduce

With either of the KeePassXC versions listed above running, run Firefox 106.0.3-1 (I'm on Arch Linux; I'd assume behavior is the same elsewhere).

  1. Run in bash: `LC_ALL=C firejail keepassxc`
  2. Run in bash: `LC_ALL=C firejail firefox`
  3. Click on KeePassXC-Browser, then 'Reload', to receive a "Key exchange failed" message (this can also be done through KeePassXC-Browser's Settings -> Connect, where nothing will happen). Debugging the plugin shows communication failures as well.
  4. To show it is Firefox that is the problem, run in bash `LC_ALL=C firejail --noprofile firefox` after closing the previous instance; communication will succeed.

Expected behavior

Successful key exchange/native-messaging-hosts transmission via keepassxc-proxy

Actual behavior

Key exchange failure/no transmission of username/password.

Behavior without a profile

KeePassXC runs fine with a profile; Firefox does not. Using `--noprofile` on Firefox allows the communication from KeePassXC to KeePassXC-Browser.


Environment

All KeePassXC-Browser relevant options enabled in firefox.profile (+ private-etc), firefox-common.profile (for private-etc), firefox-common-addons.profile, keepassxc.profile.

Log

Output of `LC_ALL=C firejail firefox`

```
Reading profile /etc/firejail/firefox.profile
Reading profile /home/r3p0m4n/.config/firejail/firefox.local
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/firefox-common.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-proc.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-run-common.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Parent pid 1084564, child pid 1084567
16 programs installed in 84.33 ms
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Warning: skipping firefox for private /etc
Warning: skipping alternatives for private /etc
Warning: skipping asound.conf for private /etc
Warning: skipping crypto-policies for private /etc
Warning: skipping pango for private /etc
Warning: skipping pki for private /etc
Warning: skipping selinux for private /etc
Private /etc installed in 162.49 ms
Warning: skipping firefox for private /usr/etc
Warning: skipping alternatives for private /usr/etc
Warning: skipping asound.conf for private /usr/etc
Warning: skipping ca-certificates for private /usr/etc
Warning: skipping crypto-policies for private /usr/etc
Warning: skipping dconf for private /usr/etc
Warning: skipping fonts for private /usr/etc
Warning: skipping group for private /usr/etc
Warning: skipping gtk-2.0 for private /usr/etc
Warning: skipping gtk-3.0 for private /usr/etc
Warning: skipping hostname for private /usr/etc
Warning: skipping hosts for private /usr/etc
Warning: skipping ld.so.cache for private /usr/etc
Warning: skipping ld.so.conf for private /usr/etc
Warning: skipping ld.so.conf.d for private /usr/etc
Warning: skipping ld.so.preload for private /usr/etc
Warning: skipping localtime for private /usr/etc
Warning: skipping machine-id for private /usr/etc
Warning: skipping mailcap for private /usr/etc
Warning: skipping mime.types for private /usr/etc
Warning: skipping nsswitch.conf for private /usr/etc
Warning: skipping pango for private /usr/etc
Warning: skipping passwd for private /usr/etc
Warning: skipping pki for private /usr/etc
Warning: skipping pulse for private /usr/etc
Warning: skipping resolv.conf for private /usr/etc
Warning: skipping selinux for private /usr/etc
Warning: skipping ssl for private /usr/etc
Warning: skipping X11 for private /usr/etc
Warning: skipping xdg for private /usr/etc
Private /usr/etc installed in 0.50 ms
Warning: NVIDIA card detected, nogroups command ignored
Warning: NVIDIA card detected, nogroups command ignored
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Warning: NVIDIA card detected, nogroups command ignored
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Warning: NVIDIA card detected, nogroups command ignored
Warning: NVIDIA card detected, nogroups command ignored
Warning: cleaning all supplementary groups
Child process initialized in 512.00 ms
Parent is shutting down, bye...
```

Output of `Debug Addon` console

```
KeePassXC-Browser: Connecting to native messaging host org.keepassxc.keepassxc_browser [client.js:317:13](moz-extension://ac1bca72-852b-4c93-aeac-1b20106507e2/background/client.js)
[Error ] KeePassXC-Browser - Failed to connect: Unknown error [global.js:178:13](moz-extension://ac1bca72-852b-4c93-aeac-1b20106507e2/common/global.js)
[Error keepass.js:270] KeePassXC-Browser - 5: Cannot connect to KeePassXC. Check that browser integration is enabled in KeePassXC settings. [global.js:178:13](moz-extension://ac1bca72-852b-4c93-aeac-1b20106507e2/common/global.js)
[Error ] KeePassXC-Browser - No content script available for this tab. [global.js:178:13](moz-extension://ac1bca72-852b-4c93-aeac-1b20106507e2/common/global.js)
KeePassXC-Browser: Connecting to native messaging host org.keepassxc.keepassxc_browser [client.js:317:13](moz-extension://ac1bca72-852b-4c93-aeac-1b20106507e2/background/client.js)
[Error ] KeePassXC-Browser - Failed to connect: Unknown error [global.js:178:13](moz-extension://ac1bca72-852b-4c93-aeac-1b20106507e2/common/global.js)
[Error ] KeePassXC-Browser - No content script available for this tab. [global.js:178:13](moz-extension://ac1bca72-852b-4c93-aeac-1b20106507e2/common/global.js)
[Error ] KeePassXC-Browser - 9: Key exchange was not successful. [global.js:178:13](moz-extension://ac1bca72-852b-4c93-aeac-1b20106507e2/common/global.js)
[Error ] KeePassXC-Browser - No content script available for this tab. [global.js:178:13](moz-extension://ac1bca72-852b-4c93-aeac-1b20106507e2/common/global.js)
[Error keepass.js:270] KeePassXC-Browser - 5: Cannot connect to KeePassXC. Check that browser integration is enabled in KeePassXC settings. [global.js:178:13](moz-extension://ac1bca72-852b-4c93-aeac-1b20106507e2/common/global.js)
[Error ] KeePassXC-Browser - No content script available for this tab. 2 [global.js:178:13](moz-extension://ac1bca72-852b-4c93-aeac-1b20106507e2/common/global.js)
[Error keepass.js:270] KeePassXC-Browser - 5: Cannot connect to KeePassXC. Check that browser integration is enabled in KeePassXC settings. [global.js:178:13](moz-extension://ac1bca72-852b-4c93-aeac-1b20106507e2/common/global.js)
KeePassXC-Browser: Connecting to native messaging host org.keepassxc.keepassxc_browser [client.js:317:13](moz-extension://ac1bca72-852b-4c93-aeac-1b20106507e2/background/client.js)
[Error ] KeePassXC-Browser - Failed to connect: Unknown error [global.js:178:13](moz-extension://ac1bca72-852b-4c93-aeac-1b20106507e2/common/global.js)
[Error ] KeePassXC-Browser - 9: Key exchange was not successful. [global.js:178:13](moz-extension://ac1bca72-852b-4c93-aeac-1b20106507e2/common/global.js)
[Error ] KeePassXC-Browser - Cannot send activated_tab message: Could not establish connection. Receiving end does not exist. 2 [global.js:178:13](moz-extension://ac1bca72-852b-4c93-aeac-1b20106507e2/common/global.js)
```

gellnerm commented 2 years ago

Confirmed. Here is some further information:

```
$ sudo strace -f -p $(pgrep firefox) 2>&1 | grep keepass
[pid 22220] openat(AT_FDCWD, "/home/username/.mozilla/native-messaging-hosts/org.keepassxc.keepassxc_browser.json", O_RDONLY <unfinished ...>
[pid 22132] stat("/usr/bin/keepassxc-proxy",  <unfinished ...>
[pid 22132] stat("/usr/bin/keepassxc-proxy",  <unfinished ...>
[pid 22132] stat("/usr/bin/keepassxc-proxy",  <unfinished ...>
[pid 22132] stat("/usr/bin/keepassxc-proxy",  <unfinished ...>
[pid 22687] execve("/usr/bin/keepassxc-proxy", ["/usr/bin/keepassxc-proxy", "/home/username/.mozilla/native-mess"..., "keepassxc-browser@keepassxc.org"], 0x7faca7f9d500 /* 69 vars */ <unfinished ...>
[pid 22687] mkdir("/run/user/1000/app/org.keepassxc.KeePassXC", 0777) = -1 EACCES (Permission denied)
[pid 22687] unlink("/run/user/1000/org.keepassxc.KeePassXC.BrowserServer" <unfinished ...>
[pid 22687] symlink("/run/user/1000/app/org.keepassxc.KeePassXC/org.keepassxc.KeePassXC.BrowserServer", "/run/user/1000/org.keepassxc.KeePassXC.BrowserServer") = 0
[pid 22687] connect(6, {sa_family=AF_UNIX, sun_path="/run/user/1000/app/org.keepassxc.KeePassXC/org.keepassxc.KeePassXC.BrowserServer"}, 110) = -1 EACCES (Permission denied)
```

So it cannot `mkdir("/run/user/1000/app/org.keepassxc.KeePassXC", 0777)` because access is denied.

Here is my firefox.profile:

```
private-bin bash,dbus-launch,dbus-send,env,firefox,sh,which,keepassxc-proxy
whitelist ${RUNUSER}/org.keepassxc.KeePassXC.BrowserServer
include /etc/firejail/firefox.profile
```

I tried to add `whitelist ${RUNUSER}/app/org.keepassxc.KeePassXC`, but that gives the same errors.
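The strace above shows exactly where keepassxc-proxy dies: it follows the symlink in `$XDG_RUNTIME_DIR` to the real socket under `$XDG_RUNTIME_DIR/app/org.keepassxc.KeePassXC/`, and every access to that `app/` subtree fails with EACCES inside the sandbox. The following POSIX sh script, added here as an example and not part of this thread, firejail or KeePassXC, reproduces that path walk without strace and names the first path component the sandbox hides, so you can tell whether the whitelisted symlink, the `app/` directory or the socket itself is what is missing. It assumes it is invoked as `firejail --profile=/etc/firejail/firefox.profile sh kpxc_sock_check.sh --check` from a directory the profile leaves visible (for example `~/Downloads`), and it uses only shell builtins plus `readlink` when that happens to be in `private-bin`; the file name, function names and sample paths in the test are my own.

```shell
#!/bin/sh
# Added diagnostic for this thread; not part of firejail or KeePassXC.
# keepassxc-proxy (per the strace in this thread) follows
#   $XDG_RUNTIME_DIR/org.keepassxc.KeePassXC.BrowserServer
#     -> $XDG_RUNTIME_DIR/app/org.keepassxc.KeePassXC/org.keepassxc.KeePassXC.BrowserServer
# and connects to the target. Walk that path component by component and
# report the first one the sandbox hides.
# Assumed usage, inside the same sandbox as the browser (the Firefox profile
# keeps sh in private-bin but blocks interpreters such as python):
#   firejail --profile=/etc/firejail/firefox.profile sh kpxc_sock_check.sh --check

# Print the first component of an absolute path that cannot be traversed
# (not a directory, no search permission, or replaced by the sandbox) or, for
# the final element, does not exist. Prints nothing and returns 0 when the
# whole path is reachable.
first_blocked_component() {
    rest=${1#/}
    cur=""
    while [ -n "$rest" ]; do
        part=${rest%%/*}
        case $rest in
            */*) rest=${rest#*/} ;;
            *)   rest="" ;;
        esac
        [ -n "$part" ] || continue        # tolerate doubled slashes
        cur="$cur/$part"
        if [ -z "$rest" ]; then
            # final element: -e also fails for a dangling symlink
            [ -e "$cur" ] || { printf '%s\n' "$cur"; return 1; }
        elif [ ! -d "$cur" ] || [ ! -x "$cur" ]; then
            printf '%s\n' "$cur"; return 1
        fi
    done
    return 0
}

# Resolve the browser-server symlink in the runtime dir and check that its
# target is a reachable unix socket. Returns 0 only when it is.
kpxc_sock_check() {
    rundir=${1:-${XDG_RUNTIME_DIR:-/run/user/$(id -u)}}
    link="$rundir/org.keepassxc.KeePassXC.BrowserServer"
    # default target is the layout seen in the strace; overridden by readlink
    target="$rundir/app/org.keepassxc.KeePassXC/org.keepassxc.KeePassXC.BrowserServer"
    if [ -L "$link" ]; then
        if command -v readlink >/dev/null 2>&1; then
            target=$(readlink "$link")
            case $target in /*) ;; *) target="$rundir/$target" ;; esac
        fi
        echo "symlink: $link -> $target"
    else
        echo "warn: no symlink at $link (KeePassXC not running, or $rundir hidden)"
    fi
    if blocked=$(first_blocked_component "$target"); then
        if [ -S "$target" ]; then
            echo "ok: $target is a reachable socket"
            return 0
        fi
        echo "FAIL: $target exists but is not a socket"
        return 1
    fi
    echo "FAIL: cannot reach $blocked (blacklisted, not whitelisted, or no permission)"
    return 1
}

if [ "${1-}" = "--check" ]; then
    kpxc_sock_check "${2-}"
fi
```

A `FAIL: cannot reach .../app` line from inside the sandbox, with `ok:` from the host shell, is the same finding the strace gives (the `app/` subtree, not the symlink, is what the profile blocks); the check relies on shell builtins because the Firefox profile's `private-bin` does not ship `ls` or `stat`.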

rusty-snake commented 2 years ago

#5444

neuroretransmit commented 2 years ago

Closing. @gellnerm - @rusty-snake's latest comment in #5444 is the solution. No other edits to firefox.local/keepassxc.local are required. That reply simplified my config significantly.

rusty-snake commented 2 years ago

Reopening as reminder to fix this for the next release.

WhyNotHugo commented 2 years ago

`noblacklist ${RUNUSER}/app` is required.