firefox: cannot communicate with KeePassXC #5447

optimisticninja opened this issue Nov 2, 2022 · 5 comments · May be fixed by #6391

optimisticninja commented Nov 2, 2022

Description

KeePassXC-Browser fails to communicate with KeePassXC (2.7.1-1, 2.7.4-1) using Firefox 106.0.3-1. Firefox 106.0.2-1 was working just fine.

Versions of KeePassXC tested : 2.7.1-1, 2.7.4-1

Steps to Reproduce

Running either of the versions of KeePassXC listed above, run Firefox 106.0.3-1 (I'm on Arch Linux, I'd assume behavior is the same elsewhere).

  1. Run in bash: `LC_ALL=C firejail keepassxc`
  2. Run in bash: `LC_ALL=C firejail firefox`
  3. Click on KeePassXC browser, then 'Reload' to receive a "Key exchange failed" message (this can also be done through KeePassXC-Browser's Settings->Connect - where nothing will happen). Debugging the plugin shows communication failures as well.
  4. To show it is Firefox that is the problem, run in bash `LC_ALL=C firejail --noprofile firefox` after closing the previous instance - communication will succeed.

Expected behavior

Successful key exchange/native-messaging-hosts transmission via keepassxc-proxy

Actual behavior

Key exchange failure/no transmission of username/password.

Behavior without a profile

KeePassXC is fine to run with a profile, Firefox is not. Using `--noprofile` on Firefox allows the communication from KeePassXC to KeePassXC-Browser.

Environment

  • Arch Linux (6.0.6-hardened)
  • Firejail version: 0.9.70

All KeePassXC-Browser relevant options enabled in firefox.profile (+ private-etc), firefox-common.profile (for private-etc), firefox-common-addons.profile, keepassxc.profile.

Checklist

  • The issue is caused by firejail (i.e. running the program by path (e.g. /usr/bin/vlc) "fixes" it).
  • I can reproduce the issue without custom modifications (e.g. globals.local).
  • The program has a profile. (If not, request one in https://github.com/netblue30/firejail/issues/1139)
  • The profile (and redirect profile if exists) hasn't already been fixed upstream.
  • I have performed a short search for similar issues (to avoid opening a duplicate).
  • I'm aware of browser-allow-drm yes/browser-disable-u2f no in firejail.config to allow DRM/U2F in browsers.

Log

Output of `LC_ALL=C firejail firefox`

Reading profile /etc/firejail/firefox.profile
Reading profile /home/r3p0m4n/.config/firejail/firefox.local
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/firefox-common.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-proc.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-run-common.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Parent pid 1084564, child pid 1084567
16 programs installed in 84.33 ms
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Warning: skipping firefox for private /etc
Warning: skipping alternatives for private /etc
Warning: skipping asound.conf for private /etc
Warning: skipping crypto-policies for private /etc
Warning: skipping pango for private /etc
Warning: skipping pki for private /etc
Warning: skipping selinux for private /etc
Private /etc installed in 162.49 ms
Warning: skipping firefox for private /usr/etc
Warning: skipping alternatives for private /usr/etc
Warning: skipping asound.conf for private /usr/etc
Warning: skipping ca-certificates for private /usr/etc
Warning: skipping crypto-policies for private /usr/etc
Warning: skipping dconf for private /usr/etc
Warning: skipping fonts for private /usr/etc
Warning: skipping group for private /usr/etc
Warning: skipping gtk-2.0 for private /usr/etc
Warning: skipping gtk-3.0 for private /usr/etc
Warning: skipping hostname for private /usr/etc
Warning: skipping hosts for private /usr/etc
Warning: skipping ld.so.cache for private /usr/etc
Warning: skipping ld.so.conf for private /usr/etc
Warning: skipping ld.so.conf.d for private /usr/etc
Warning: skipping ld.so.preload for private /usr/etc
Warning: skipping localtime for private /usr/etc
Warning: skipping machine-id for private /usr/etc
Warning: skipping mailcap for private /usr/etc
Warning: skipping mime.types for private /usr/etc
Warning: skipping nsswitch.conf for private /usr/etc
Warning: skipping pango for private /usr/etc
Warning: skipping passwd for private /usr/etc
Warning: skipping pki for private /usr/etc
Warning: skipping pulse for private /usr/etc
Warning: skipping resolv.conf for private /usr/etc
Warning: skipping selinux for private /usr/etc
Warning: skipping ssl for private /usr/etc
Warning: skipping X11 for private /usr/etc
Warning: skipping xdg for private /usr/etc
Private /usr/etc installed in 0.50 ms
Warning: NVIDIA card detected, nogroups command ignored
Warning: NVIDIA card detected, nogroups command ignored
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Warning: NVIDIA card detected, nogroups command ignored
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Warning: NVIDIA card detected, nogroups command ignored
Warning: NVIDIA card detected, nogroups command ignored
Warning: cleaning all supplementary groups
Child process initialized in 512.00 ms

Parent is shutting down, bye...

Output of `Debug Addon` console

KeePassXC-Browser: Connecting to native messaging host org.keepassxc.keepassxc_browser [client.js:317:13](moz-extension://ac1bca72-852b-4c93-aeac-1b20106507e2/background/client.js)
[Error ] KeePassXC-Browser - Failed to connect: Unknown error [global.js:178:13](moz-extension://ac1bca72-852b-4c93-aeac-1b20106507e2/common/global.js)
[Error keepass.js:270] KeePassXC-Browser - 5: Cannot connect to KeePassXC. Check that browser integration is enabled in KeePassXC settings. [global.js:178:13](moz-extension://ac1bca72-852b-4c93-aeac-1b20106507e2/common/global.js)
[Error ] KeePassXC-Browser - No content script available for this tab. [global.js:178:13](moz-extension://ac1bca72-852b-4c93-aeac-1b20106507e2/common/global.js)
KeePassXC-Browser: Connecting to native messaging host org.keepassxc.keepassxc_browser [client.js:317:13](moz-extension://ac1bca72-852b-4c93-aeac-1b20106507e2/background/client.js)
[Error ] KeePassXC-Browser - Failed to connect: Unknown error [global.js:178:13](moz-extension://ac1bca72-852b-4c93-aeac-1b20106507e2/common/global.js)
[Error ] KeePassXC-Browser - No content script available for this tab. [global.js:178:13](moz-extension://ac1bca72-852b-4c93-aeac-1b20106507e2/common/global.js)
[Error ] KeePassXC-Browser - 9: Key exchange was not successful. [global.js:178:13](moz-extension://ac1bca72-852b-4c93-aeac-1b20106507e2/common/global.js)
[Error ] KeePassXC-Browser - No content script available for this tab. [global.js:178:13](moz-extension://ac1bca72-852b-4c93-aeac-1b20106507e2/common/global.js)
[Error keepass.js:270] KeePassXC-Browser - 5: Cannot connect to KeePassXC. Check that browser integration is enabled in KeePassXC settings. [global.js:178:13](moz-extension://ac1bca72-852b-4c93-aeac-1b20106507e2/common/global.js)
[Error ] KeePassXC-Browser - No content script available for this tab. 2 [global.js:178:13](moz-extension://ac1bca72-852b-4c93-aeac-1b20106507e2/common/global.js)
[Error keepass.js:270] KeePassXC-Browser - 5: Cannot connect to KeePassXC. Check that browser integration is enabled in KeePassXC settings. [global.js:178:13](moz-extension://ac1bca72-852b-4c93-aeac-1b20106507e2/common/global.js)
KeePassXC-Browser: Connecting to native messaging host org.keepassxc.keepassxc_browser [client.js:317:13](moz-extension://ac1bca72-852b-4c93-aeac-1b20106507e2/background/client.js)
[Error ] KeePassXC-Browser - Failed to connect: Unknown error [global.js:178:13](moz-extension://ac1bca72-852b-4c93-aeac-1b20106507e2/common/global.js)
[Error ] KeePassXC-Browser - 9: Key exchange was not successful. [global.js:178:13](moz-extension://ac1bca72-852b-4c93-aeac-1b20106507e2/common/global.js)
[Error ] KeePassXC-Browser - Cannot send activated_tab message: Could not establish connection. Receiving end does not exist. 2 [global.js:178:13](moz-extension://ac1bca72-852b-4c93-aeac-1b20106507e2/common/global.js)

gellnerm commented Nov 2, 2022

Confirmed. Here is some further information:

$ sudo strace -f -p $(pgrep firefox) 2>&1 | grep keepass
[pid 22220] openat(AT_FDCWD, "/home/username/.mozilla/native-messaging-hosts/org.keepassxc.keepassxc_browser.json", O_RDONLY <unfinished ...>
[pid 22132] stat("/usr/bin/keepassxc-proxy",  <unfinished ...>
[pid 22132] stat("/usr/bin/keepassxc-proxy",  <unfinished ...>
[pid 22132] stat("/usr/bin/keepassxc-proxy",  <unfinished ...>
[pid 22132] stat("/usr/bin/keepassxc-proxy",  <unfinished ...>
[pid 22687] execve("/usr/bin/keepassxc-proxy", ["/usr/bin/keepassxc-proxy", "/home/username/.mozilla/native-mess"..., "keepassxc-browser@keepassxc.org"], 0x7faca7f9d500 /* 69 vars */ <unfinished ...>
[pid 22687] mkdir("/run/user/1000/app/org.keepassxc.KeePassXC", 0777) = -1 EACCES (Keine Berechtigung)
[pid 22687] unlink("/run/user/1000/org.keepassxc.KeePassXC.BrowserServer" <unfinished ...>
[pid 22687] symlink("/run/user/1000/app/org.keepassxc.KeePassXC/org.keepassxc.KeePassXC.BrowserServer", "/run/user/1000/org.keepassxc.KeePassXC.BrowserServer") = 0
[pid 22687] connect(6, {sa_family=AF_UNIX, sun_path="/run/user/1000/app/org.keepassxc.KeePassXC/org.keepassxc.KeePassXC.BrowserServer"}, 110) = -1 EACCES (Keine Berechtigung)

So it cannot mkdir("/run/user/1000/app/org.keepassxc.KeePassXC", 0777) because access is denied.

Here is my firefox.profile:

private-bin bash,dbus-launch,dbus-send,env,firefox,sh,which,keepassxc-proxy
whitelist ${RUNUSER}/org.keepassxc.KeePassXC.BrowserServer
include /etc/firejail/firefox.profile

I tried to add
whitelist ${RUNUSER}/app/org.keepassxc.KeePassXC

but that gives the same errors.
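
The strace triage from the comment above, as an added example that is not part of the original thread: it lists every syscall that failed with EACCES and rewrites `/run/user/<uid>` to firejail's `${RUNUSER}` macro so the denied paths can be compared with profile `blacklist`/`whitelist` lines. The function names and the embedded sample trace are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the issue thread): summarise EACCES failures in an
# strace log and express /run/user paths in firejail's ${RUNUSER} form.

# Print "syscall path" for every call that returned EACCES.
# The first double-quoted argument is taken as the path; lines without a
# result (e.g. "<unfinished ...>") or with a different result do not match.
eacces_calls() {
    sed -n -E 's/^(\[pid +[0-9]+\] )?([a-z0-9_]+)\([^"]*"([^"]+)".*\) = -1 EACCES.*$/\2 \3/p' |
        sort -u
}

# Rewrite /run/user/<uid>/... to ${RUNUSER}/... so each path can be matched
# against blacklist/whitelist entries in firejail profiles.
to_runuser() {
    sed -E 's#^([a-z0-9_]+) /run/user/[0-9]+#\1 ${RUNUSER}#'
}

# Constructed sample, modelled on the strace excerpt in the comment above.
sample_trace() {
    cat <<'EOF'
[pid 22687] execve("/usr/bin/keepassxc-proxy", ["/usr/bin/keepassxc-proxy"], 0x7faca7f9d500 /* 69 vars */ <unfinished ...>
[pid 22687] mkdir("/run/user/1000/app/org.keepassxc.KeePassXC", 0777) = -1 EACCES (Keine Berechtigung)
[pid 22687] symlink("/run/user/1000/app/org.keepassxc.KeePassXC/org.keepassxc.KeePassXC.BrowserServer", "/run/user/1000/org.keepassxc.KeePassXC.BrowserServer") = 0
[pid 22687] connect(6, {sa_family=AF_UNIX, sun_path="/run/user/1000/app/org.keepassxc.KeePassXC/org.keepassxc.KeePassXC.BrowserServer"}, 110) = -1 EACCES (Keine Berechtigung)
EOF
}

sample_trace | eacces_calls | to_runuser
```

On a live system the same pipeline can be fed from `strace -f -p <pid> 2>&1` in place of `sample_trace`.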

rusty-snake (Collaborator) commented

#5444

optimisticninja (Author) commented

Closing. @gellnerm - @rusty-snake's latest comment in #5444 is the solution. No other edits to firefox.local/keepassxc.local are required. That reply simplified my config significantly.

rusty-snake (Collaborator) commented

Reopening as reminder to fix this for the next release.

WhyNotHugo (Contributor) commented

`noblacklist ${RUNUSER}/app` is required.

qdii added a commit to qdii/firejail that referenced this issue Jun 22, 2024
KeePassXC browser extension looks for KeePassXC in the /run/user/app directory (https://github.com/keepassxreboot/keepassxc/blob/6b1ab1a5edd66ac10706a2fb5af34ec9458a901d/src/browser/BrowserShared.cpp#L41). Unfortunately, /run/user/app seems to be blacklisted in disable-common.inc under the flatpak section (https://github.com/netblue30/firejail/blob/b89ec818926b4bcd3a58bb4e2a67b68a8090ba1c/etc/inc/disable-common.inc#L667), as a result, KeePassXC extension cannot connect to it.

Fixes netblue30#5447
qdii linked a pull request Jun 22, 2024 that will close this issue
qdii added a commit to qdii/firejail that referenced this issue Jul 3, 2024
The KeePassXC browser extension looks for the KeePassXC socket at
`${RUNUSER}/app/org.keepassxc.KeePassXC`[1].

But `${RUNUSER}/app` seems to be blacklisted in disable-common.inc under the
flatpak section[2], so the KeePassXC extension cannot connect to it.

Fixes netblue30#5447.

[1] https://github.com/keepassxreboot/keepassxc/blob/6b1ab1a5edd66ac10706a2fb5af34ec9458a901d/src/browser/BrowserShared.cpp#L41
[2] https://github.com/netblue30/firejail/blob/b89ec818926b4bcd3a58bb4e2a67b68a8090ba1c/etc/inc/disable-common.inc#L667
kmk3 pushed a commit to qdii/firejail that referenced this issue Jul 7, 2024
The KeePassXC browser extension looks for the KeePassXC socket at
`${RUNUSER}/app/org.keepassxc.KeePassXC`[1].

But `${RUNUSER}/app` seems to be blacklisted in disable-common.inc under the
flatpak section[2], so the KeePassXC extension cannot connect to it.

Fixes netblue30#5447.

[1] https://github.com/keepassxreboot/keepassxc/blob/6b1ab1a5edd66ac10706a2fb5af34ec9458a901d/src/browser/BrowserShared.cpp#L41
[2] https://github.com/netblue30/firejail/blob/b89ec818926b4bcd3a58bb4e2a67b68a8090ba1c/etc/inc/disable-common.inc#L667
kmk3 added this to To do in Release 0.9.74 via automation Jul 7, 2024
kmk3 moved this from To do to In progress in Release 0.9.74 Jul 7, 2024
kmk3 changed the title from "Firefox 106.0.3 fails to communicate with KeePassXC-Browser" to "firefox: cannot communicate with KeePassXC" Jul 10, 2024