Non-Snap Firefox does not connect to Flatpak KeePassXC unless AppArmor is disabled #2176

Open
unilock opened this issue Apr 21, 2024 · 11 comments
Labels
software packages & sandboxes AppImage, Snap, Flatpack etc.

Comments

@unilock

unilock commented Apr 21, 2024

Expected Behavior

The extension should be able to connect to KeePassXC without issue.

Current Behavior

"Key exchange was not successful." is shown instead.

Possible Solution

Disabling AppArmor completely works around the issue, but isn't ideal.

Steps to Reproduce (for bugs)

  1. Install KDE neon (it seems to have AppArmor set up for Firefox out of the box)
  2. Install KeePassXC as a Flatpak and set it up for Browser Integration with Firefox
  3. Install KeePassXC-Browser and try to use it; it fails to connect to KeePassXC
  4. Open a terminal and execute sudo aa-disable /etc/apparmor.d/usr.bin.firefox (may require the apparmor-utils package)
  5. Try using KeePassXC-Browser again; it works

Debug info

KeePassXC-Browser: Connecting to native messaging host org.keepassxc.keepassxc_browser client.js:383:13
[Error ] KeePassXC-Browser - Failed to connect: Unknown error global.js:132:13
[Error ] KeePassXC-Browser - 9: Key exchange was not successful. global.js:132:13
[Error keepass.js:256] KeePassXC-Browser - 5: Cannot connect to KeePassXC. Check that browser integration is enabled in KeePassXC settings. global.js:132:13

<apparmor is disabled>

KeePassXC-Browser: Connecting to native messaging host org.keepassxc.keepassxc_browser client.js:383:13
KeePassXC-Browser: Server public key: [redacted] keepass.js:426:17
[Error ] KeePassXC-Browser - 1: Database not opened

KeePassXC - 2.7.7 (Flatpak)
KeePassXC-Browser - 1.9.0.3
Operating system: Linux (KDE neon / Ubuntu)
Browser: Firefox (not the Snap version)

Additionally, I tried what was recommended in the troubleshooting guide for AppArmor (link), but it made no difference. Even changing /usr/bin/keepassxc-proxy ixr, to /var/lib/flatpak/exports/bin/org.keepassxc.KeePassXC ixr, didn't help.

@varjolintu
Member

Do the paths differ in the guide compared to your system?

@varjolintu varjolintu added bug software packages & sandboxes AppImage, Snap, Flatpack etc. labels Apr 21, 2024
@unilock
Author

unilock commented Apr 21, 2024

> Do the paths differ in the guide compared to your system?

Which paths? I assume they don't, since the aa-disable command I mentioned leads to everything working fine with no other changes.

$HOME/.mozilla/native-messaging-hosts is correct.

/usr/bin/keepassxc-proxy does not exist, but I assume that's because I'm using the Flatpak version of KeePassXC. The file mentioned in the file KeePassXC generates in the native-messaging-hosts folder, /var/lib/flatpak/exports/bin/org.keepassxc.KeePassXC, does exist, but as I said, putting that in /etc/apparmor.d/usr.bin.firefox doesn't help.

@adv4ncr

adv4ncr commented Jul 1, 2024

Same issue here. It seems we need to adapt the AppArmor rules from the troubleshooting guide.

@unilock
Author

unilock commented Jul 1, 2024

I can now confirm that the AppArmor rules outlined in the troubleshooting guide work fine with the non-Flatpak version of KeePassXC.

@adv4ncr

adv4ncr commented Jul 1, 2024

Ok, but how does this resolve the problem with the flatpak version of KeePassXC? After all, this is what the issue is all about 🤔

@varjolintu varjolintu reopened this Jul 1, 2024
@varjolintu
Member

varjolintu commented Jul 1, 2024

I put this to a test and adding the following line to the config file worked like a charm for me:
/var/lib/flatpak/app/org.keepassxc.KeePassXC/current/stable/active/files/bin/keepassxc-proxy ixr,

Can you confirm it works? Adding this to the guide. Thanks.

@adv4ncr

adv4ncr commented Jul 1, 2024

Thanks for the quick response. For me (Ubuntu 22.04) the corresponding file location is /var/lib/flatpak/app/org.keepassxc.KeePassXC/current/active/files/bin/keepassxc-proxy (there is no stable folder). Adding this path to the AppArmor rules still does not work unfortunately.
Can you tell me your other AppArmor rules?

@varjolintu
Member

varjolintu commented Jul 1, 2024

> Thanks for the quick response. For me (Ubuntu 22.04) the corresponding file location is /var/lib/flatpak/app/org.keepassxc.KeePassXC/current/active/files/bin/keepassxc-proxy (there is no stable folder). Adding this path to the AppArmor rules still does not work unfortunately. Can you tell me your other AppArmor rules?

The other AppArmor rules are identical to the ones in the Troubleshooting Guide. Gotta re-verify this though.

EDIT: Ok, it still doesn't work. Enforcing the profile while Firefox is active does not work properly. A restart was needed -> then it did not work (as expected).

@droidmonkey
Member

The flatpak uses a script to call the right binary, you may need to white-list the script as well

@varjolintu
Member

> The flatpak uses a script to call the right binary, you may need to white-list the script as well

That didn't help either. Added all these three and it still doesn't work:

/var/lib/flatpak/app/org.keepassxc.KeePassXC/current/active/files/bin/keepassxc-proxy ixr,
/var/lib/flatpak/app/org.keepassxc.KeePassXC/current/active/files/bin/keepassxc-wrapper ixr,
/var/lib/flatpak/exports/bin/org.keepassxc.KeePassXC ixr,

@varjolintu
Member

varjolintu commented Jul 2, 2024

Tried some more steps, this time using absolute paths instead of the symlinks. Btw, tail -f /var/log/syslog is useful for debugging these because AppArmor reports denied rules in that log.

Added these to the rules because AppArmor complained even for /usr/bin/flatpak and the /metadata folder under KeePassXC etc.

/usr/bin/flatpak ixr,
/var/lib/flatpak/repo/config ixr,
/var/lib/flatpak/app/org.keepassxc.KeePassXC/aarch64/stable/<long id>/** ixr,

After this strace shows that Flatpak is trying to open KeePassXC from user's .local/share/flatpak/app/org.keepassxc.KeePassXC/aarch64/stable/active path, and after that looks for overrides from /var/lib/flatpak/overrides/org.keepassxc.KeePassXC (that path does not exist). And the connection still doesn't work.
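
Added example (not part of the thread and not KeePassXC project code): a sketch that reads AppArmor denial lines of the kind the syslog tip above refers to and reports which denied paths the profile rules tried so far do not match. The log lines, the profile name "firefox" and CONSTRUCTED_ID are constructed for illustration; only the `*` and `**` globs are handled.

```python
import re
from collections import defaultdict

# Constructed sample lines in the kernel audit format AppArmor writes to syslog.
# Profile name, PIDs, timestamps and CONSTRUCTED_ID are assumptions, not real data.
APP = "/var/lib/flatpak/app/org.keepassxc.KeePassXC"
SAMPLE_LOG = f"""\
Jul  2 10:00:01 host kernel: audit: type=1400 audit(1719914401.101:210): apparmor="DENIED" operation="exec" profile="firefox" name="/usr/bin/flatpak" pid=4242 comm="firefox" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
Jul  2 10:05:09 host kernel: audit: type=1400 audit(1719914709.105:233): apparmor="DENIED" operation="open" profile="firefox" name="/var/lib/flatpak/repo/config" pid=4310 comm="flatpak" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jul  2 10:09:44 host kernel: audit: type=1400 audit(1719914984.002:251): apparmor="DENIED" operation="open" profile="firefox" name="{APP}/aarch64/stable/CONSTRUCTED_ID/metadata" pid=4388 comm="flatpak" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jul  2 10:09:45 host kernel: audit: type=1400 audit(1719914985.300:252): apparmor="ALLOWED" operation="open" profile="firefox" name="/etc/hosts" pid=4242 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
"""

FIELD = re.compile(r'(\w+)="([^"]*)"')  # key="value" pairs of an audit record


def parse_denials(log_text, profile):
    """Return {path: set of denied permission letters} for one profile."""
    denied = defaultdict(set)
    for line in log_text.splitlines():
        f = dict(FIELD.findall(line))
        if f.get("apparmor") == "DENIED" and f.get("profile") == profile and "name" in f:
            denied[f["name"]].update(f.get("denied_mask", ""))
    return dict(denied)


def glob_to_regex(glob):
    """AppArmor-style globbing subset: '**' crosses '/', '*' does not."""
    conv = {"**": ".*", "*": "[^/]*"}
    parts = re.split(r"(\*\*|\*)", glob)
    return re.compile("".join(conv.get(p, re.escape(p)) for p in parts) + r"\Z")


def uncovered(denials, rule_lines):
    """Denied paths that no rule line ('<path> <perms>,') matches."""
    pats = [glob_to_regex(r.split()[0]) for r in rule_lines if r.strip()]
    return sorted(p for p in denials if not any(rx.match(p) for rx in pats))


if __name__ == "__main__":
    tried = ["/var/lib/flatpak/exports/bin/org.keepassxc.KeePassXC ixr,"]
    for path in uncovered(parse_denials(SAMPLE_LOG, "firefox"), tried):
        print("still denied:", path)
```

The name= field is the path AppArmor evaluated, which is why a rule written for a symlink such as the exports/bin entry leaves these denials uncovered.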
