profiles: keepassxc: add new socket location #6391
Conversation
etc/profile-a-l/firefox.profile
Outdated
| @@ -33,6 +33,7 @@ whitelist ${HOME}/.mozilla | |||
| # Note: Start KeePassXC before Firefox and keep it open to allow communication between them. | |||
| #whitelist ${RUNUSER}/kpxc_server | |||
| #whitelist ${RUNUSER}/org.keepassxc.KeePassXC.BrowserServer | |||
| #noblacklist ${RUNUSER}/app | |||
There was a problem hiding this comment.
This should also be added to {cachy-browser,floorp,librewolf}.profile.
There was a problem hiding this comment.
This should also be added to {cachy-browser,floorp,librewolf}.profile.
If this applies to multiple browsers, I think it would be better to improve the
comment then move it to firefox-common.profile.
Then copy it to chromium-common.profile as suggested above.
I could do the refactor after this PR.
kmk3
changed the title
etc/profile-a-l/firefox.profile
Outdated
| #whitelist ${RUNUSER}/kpxc_server | ||
| #whitelist ${RUNUSER}/org.keepassxc.KeePassXC.BrowserServer | ||
| #noblacklist ${RUNUSER}/app |
There was a problem hiding this comment.
| #whitelist ${RUNUSER}/kpxc_server | |
| #whitelist ${RUNUSER}/org.keepassxc.KeePassXC.BrowserServer | |
| #noblacklist ${RUNUSER}/app | |
| #noblacklist ${RUNUSER}/app | |
| #whitelist ${RUNUSER}/app/org.keepassxc.KeePassXC | |
| #whitelist ${RUNUSER}/kpxc_server | |
| #whitelist ${RUNUSER}/org.keepassxc.KeePassXC.BrowserServer |
Sort and whitelist the new socket location.
Also, add the following to firefox-common-addons.profile:
-# Prevent whitelisting in ${RUNUSER}
+# Prevent blacklisting and whitelisting in ${RUNUSER}
+noblacklist ${RUNUSER}/app
ignore whitelist ${RUNUSER}/*firefox*
ignore whitelist ${RUNUSER}/psd/*firefox*
+ignore whitelist ${RUNUSER}/app/org.keepassxc.KeePassXC
ignore whitelist ${RUNUSER}/kpxc_server
ignore whitelist ${RUNUSER}/org.keepassxc.KeePassXC.BrowserServer
ignore include whitelist-runuser-common.incThere was a problem hiding this comment.
The sort and whitelisting should also apply to the comments in the other
changed profiles.
Also the changes to firefox-common-addons.profile are still missing.
etc/profile-a-l/firefox.profile
Outdated
| @@ -33,6 +33,7 @@ whitelist ${HOME}/.mozilla | |||
| # Note: Start KeePassXC before Firefox and keep it open to allow communication between them. | |||
| #whitelist ${RUNUSER}/kpxc_server | |||
| #whitelist ${RUNUSER}/org.keepassxc.KeePassXC.BrowserServer | |||
| #noblacklist ${RUNUSER}/app | |||
There was a problem hiding this comment.
This should also be added to {cachy-browser,floorp,librewolf}.profile.
If this applies to multiple browsers, I think it would be better to improve the
comment then move it to firefox-common.profile.
Then copy it to chromium-common.profile as suggested above.
I could do the refactor after this PR.
There was a problem hiding this comment.
Note that the following issue is still unresolved:
Also, the current commit message has very long lines (>72 characters) and is
not consistent with the usual format:
$ git show --pretty='%s%n%n%b' -s d8e01fe62f8c5910b23411acbe42e5447846b3f8
Add comment to include `noblacklist ${RUNUSER}/app` in browser profiles
KeePassXC browser extension look for KeePassXC in the /run/user/app directory (https://github.com/keepassxreboot/keepassxc/blob/6b1ab1a5edd66ac10706a2fb5af34ec9458a901d/src/browser/BrowserShared.cpp\#L41). Unfortunately, /run/user/app seems to be blacklisted in disable-common.inc under the flatpak section (https://github.com/netblue30/firejail/blob/b89ec818926b4bcd3a58bb4e2a67b68a8090ba1c/etc/inc/disable-common.inc\#L667), as a result, KeePassXC extension cannot connect to it.
$ git show --pretty='%b' -s d8e01fe62f8c5910b23411acbe42e5447846b3f8 | tr -d '\n' | wc -m
481Suggestion:
Squash all commits, then reword the message to:
profiles: keepassxc: document new socket location
The KeePassXC browser extension looks for the KeePassXC socket at
`${RUNUSER}/app/org.keepassxc.KeePassXC`[1].
But `${RUNUSER}/app` seems to be blacklisted in disable-common.inc under the
flatpak section[2], so the KeePassXC extension cannot connect to it.
Fixes #5447.
[1] https://github.com/keepassxreboot/keepassxc/blob/6b1ab1a5edd66ac10706a2fb5af34ec9458a901d/src/browser/BrowserShared.cpp#L41
[2] https://github.com/netblue30/firejail/blob/b89ec818926b4bcd3a58bb4e2a67b68a8090ba1c/etc/inc/disable-common.inc#L667
(The link lines are still long, but the URLs cannot be line-wrapped)
See the following for details:
Let me know if you have any questions.
|
Done. Thanks for the link to the article, that will definitely help :) |
kmk3
changed the title
The KeePassXC browser extension looks for the KeePassXC socket at
`${RUNUSER}/app/org.keepassxc.KeePassXC`[1].
But `${RUNUSER}/app` seems to be blacklisted in disable-common.inc under the
flatpak section[2], so the KeePassXC extension cannot connect to it.
Fixes netblue30#5447.
[1] https://github.com/keepassxreboot/keepassxc/blob/6b1ab1a5edd66ac10706a2fb5af34ec9458a901d/src/browser/BrowserShared.cpp#L41
[2] https://github.com/netblue30/firejail/blob/b89ec818926b4bcd3a58bb4e2a67b68a8090ba1c/etc/inc/disable-common.inc#L667
| mkdir ${RUNUSER}/app/org.keepassxc.KeePassXC | ||
| whitelist ${RUNUSER}/app/org.keepassxc.KeePassXC | ||
| whitelist /usr/share/keepassxc | ||
| include whitelist-run-common.inc | ||
| include whitelist-runuser-common.inc |
There was a problem hiding this comment.
whitelist ${RUNUSER}/app/org.keepassxc.KeePassXC
This will break X11, D-Bus, ...
Do you think the whitelisting is safe with whitelist-run-user-common.inc
included?
KeePassXC browser extension look for KeePassXC socket in the /run/user/app directory (https://github.com/keepassxreboot/keepassxc/blob/6b1ab1a5edd66ac10706a2fb5af34ec9458a901d/src/browser/BrowserShared.cpp#L41).
Unfortunately, /run/user/app seems to be blacklisted in disable-common.inc under the flatpak section (
firejail/etc/inc/disable-common.inc
Line 667 in b89ec81
Fixes #5447.
Relates to #3952.