firefox: cannot communicate with keepassxc

[neuroretransmit]

Description

KeePassXC-Browser fails to communicate with KeePassXC (2.7.1-1, 2.7.4-1) using Firefox 106.0.3-1. Firefox 106.0.2-1 was working just fine.

Versions of KeePassXC tested : 2.7.1-1, 2.7.4-1

Steps to Reproduce

Running either of the versions of KeePassXC listed above, run Firefox 106.0.3-1 (I'm on Arch Linux, I'd assume behavior is the same elsewhere).

1. Run in bash LC_ALL=C firejail keepassxc
2. Run in bash LC_ALL=C firejail firefox
3. Click on KeePassXC browser, then 'Reload' to receive a "Key exchange failed" message (this can also be done through KeePassXC-Browser's Settings->Connect - where nothing will happen). Debugging the plugin shows communication failures as well.
4. To show it is Firefox that is the problem, run in bash LC_ALL=C firejail --noprofile firefox after closing the previous instance - communication will succeed.

Expected behavior

Successful key exchange/native-messaging-hosts transmission via keepassxc-proxy

Actual behavior

Key exchange failure/no transmission of username/password.

Behavior without a profile

KeePassXC is fine to run with a profile, Firefox is not. Using --noprofile on Firefox allows the communication from KeePassXC to KeePassXC-Browser

Additional context

Any other detail that may help to understand/debug the problem

Environment

• Arch Linux (6.0.6-hardened)
• Firejail version: 0.9.70

All KeePassXC-Browser relevant options enabled in firefox.profile (+ private-etc), firefox-common.profile (for private-etc), firefox-common-addons.profile, keepassxc.profile,

Checklist

• The issues is caused by firejail (i.e. running the program by path (e.g. /usr/bin/vlc) "fixes" it).
• I can reproduce the issue without custom modifications (e.g. globals.local).
• The program has a profile. (If not, request one in https://github.com/netblue30/firejail/issues/1139)
• [x The profile (and redirect profile if exists) hasn't already been fixed upstream.
• I have performed a short search for similar issues (to avoid opening a duplicate).
• I'm aware of browser-allow-drm yes/browser-disable-u2f no in firejail.config to allow DRM/U2F in browsers.

Log

Output of LC_ALL=C firejail firefox

Reading profile /etc/firejail/firefox.profile                                                                                                                                                                       
Reading profile /home/r3p0m4n/.config/firejail/firefox.local                                                                                                                                                        
Reading profile /etc/firejail/whitelist-usr-share-common.inc                                                                                                                                                        
Reading profile /etc/firejail/firefox-common.profile                                                                                                                                                                
Reading profile /etc/firejail/disable-common.inc                                                                                                                                                                    
Reading profile /etc/firejail/disable-devel.inc                                                                                                                                                                     
Reading profile /etc/firejail/disable-exec.inc                                                                                                                                                                      
Reading profile /etc/firejail/disable-interpreters.inc                                                                                                                                                              
Reading profile /etc/firejail/disable-proc.inc                                                                                                                                                                      
Reading profile /etc/firejail/disable-programs.inc                                                                                                                                                                  
Reading profile /etc/firejail/whitelist-common.inc                                                                                                                                                                  
Reading profile /etc/firejail/whitelist-run-common.inc                                                                                                                                                              
Reading profile /etc/firejail/whitelist-runuser-common.inc                                                                                                                                                          
Reading profile /etc/firejail/whitelist-var-common.inc                                                                                                                                                              
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,                                                                                                                                              
Parent pid 1084564, child pid 1084567                                                                                                                                                                               
16 programs installed in 84.33 ms                                                                                                                                                                                   
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.                                                                                          
Warning: skipping firefox for private /etc                                                                                                                                                                          
Warning: skipping alternatives for private /etc                                                                                                                                                                     
Warning: skipping asound.conf for private /etc
Warning: skipping crypto-policies for private /etc
Warning: skipping pango for private /etc
Warning: skipping pki for private /etc
Warning: skipping selinux for private /etc
Private /etc installed in 162.49 ms
Warning: skipping firefox for private /usr/etc
Warning: skipping alternatives for private /usr/etc
Warning: skipping asound.conf for private /usr/etc
Warning: skipping ca-certificates for private /usr/etc
Warning: skipping crypto-policies for private /usr/etc
Warning: skipping dconf for private /usr/etc
Warning: skipping fonts for private /usr/etc
Warning: skipping group for private /usr/etc
Warning: skipping gtk-2.0 for private /usr/etc
Warning: skipping gtk-3.0 for private /usr/etc
Warning: skipping hostname for private /usr/etc
Warning: skipping hosts for private /usr/etc
Warning: skipping ld.so.cache for private /usr/etc
Warning: skipping ld.so.conf for private /usr/etc
Warning: skipping ld.so.conf.d for private /usr/etc
Warning: skipping ld.so.preload for private /usr/etc
Warning: skipping localtime for private /usr/etc
Warning: skipping machine-id for private /usr/etc
Warning: skipping mailcap for private /usr/etc
Warning: skipping mime.types for private /usr/etc
Warning: skipping nsswitch.conf for private /usr/etc
Warning: skipping pango for private /usr/etc
Warning: skipping passwd for private /usr/etc
Warning: skipping pki for private /usr/etc
Warning: skipping pulse for private /usr/etc
Warning: skipping resolv.conf for private /usr/etc
Warning: skipping selinux for private /usr/etc
Warning: skipping ssl for private /usr/etc
Warning: skipping X11 for private /usr/etc
Warning: skipping xdg for private /usr/etc
Private /usr/etc installed in 0.50 ms
Warning: NVIDIA card detected, nogroups command ignored
Warning: NVIDIA card detected, nogroups command ignored
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Warning: NVIDIA card detected, nogroups command ignored
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Warning: NVIDIA card detected, nogroups command ignored
Warning: NVIDIA card detected, nogroups command ignored
Warning: cleaning all supplementary groups
Child process initialized in 512.00 ms

Parent is shutting down, bye...

Output of `Debug Addon` console

KeePassXC-Browser: Connecting to native messaging host org.keepassxc.keepassxc_browser [client.js:317:13](moz-extension://ac1bca72-852b-4c93-aeac-1b20106507e2/background/client.js)
[Error ] KeePassXC-Browser - Failed to connect: Unknown error [global.js:178:13](moz-extension://ac1bca72-852b-4c93-aeac-1b20106507e2/common/global.js)
[Error keepass.js:270] KeePassXC-Browser - 5: Cannot connect to KeePassXC. Check that browser integration is enabled in KeePassXC settings. [global.js:178:13](moz-extension://ac1bca72-852b-4c93-aeac-1b20106507e2/common/global.js)
[Error ] KeePassXC-Browser - No content script available for this tab. [global.js:178:13](moz-extension://ac1bca72-852b-4c93-aeac-1b20106507e2/common/global.js)
KeePassXC-Browser: Connecting to native messaging host org.keepassxc.keepassxc_browser [client.js:317:13](moz-extension://ac1bca72-852b-4c93-aeac-1b20106507e2/background/client.js)
[Error ] KeePassXC-Browser - Failed to connect: Unknown error [global.js:178:13](moz-extension://ac1bca72-852b-4c93-aeac-1b20106507e2/common/global.js)
[Error ] KeePassXC-Browser - No content script available for this tab. [global.js:178:13](moz-extension://ac1bca72-852b-4c93-aeac-1b20106507e2/common/global.js)
[Error ] KeePassXC-Browser - 9: Key exchange was not successful. [global.js:178:13](moz-extension://ac1bca72-852b-4c93-aeac-1b20106507e2/common/global.js)
[Error ] KeePassXC-Browser - No content script available for this tab. [global.js:178:13](moz-extension://ac1bca72-852b-4c93-aeac-1b20106507e2/common/global.js)
[Error keepass.js:270] KeePassXC-Browser - 5: Cannot connect to KeePassXC. Check that browser integration is enabled in KeePassXC settings. [global.js:178:13](moz-extension://ac1bca72-852b-4c93-aeac-1b20106507e2/common/global.js)
[Error ] KeePassXC-Browser - No content script available for this tab. 2 [global.js:178:13](moz-extension://ac1bca72-852b-4c93-aeac-1b20106507e2/common/global.js)
[Error keepass.js:270] KeePassXC-Browser - 5: Cannot connect to KeePassXC. Check that browser integration is enabled in KeePassXC settings. [global.js:178:13](moz-extension://ac1bca72-852b-4c93-aeac-1b20106507e2/common/global.js)
KeePassXC-Browser: Connecting to native messaging host org.keepassxc.keepassxc_browser [client.js:317:13](moz-extension://ac1bca72-852b-4c93-aeac-1b20106507e2/background/client.js)
[Error ] KeePassXC-Browser - Failed to connect: Unknown error [global.js:178:13](moz-extension://ac1bca72-852b-4c93-aeac-1b20106507e2/common/global.js)
[Error ] KeePassXC-Browser - 9: Key exchange was not successful. [global.js:178:13](moz-extension://ac1bca72-852b-4c93-aeac-1b20106507e2/common/global.js)
[Error ] KeePassXC-Browser - Cannot send activated_tab message: Could not establish connection. Receiving end does not exist. 2 [global.js:178:13](moz-extension://ac1bca72-852b-4c93-aeac-1b20106507e2/common/global.js)

[gellnerm]

Confirmed. Here is some further information:

$ sudo strace -f -p $(pgrep firefox) 2>&1 | grep keepass
[pid 22220] openat(AT_FDCWD, "/home/username/.mozilla/native-messaging-hosts/org.keepassxc.keepassxc_browser.json", O_RDONLY <unfinished ...>
[pid 22132] stat("/usr/bin/keepassxc-proxy",  <unfinished ...>
[pid 22132] stat("/usr/bin/keepassxc-proxy",  <unfinished ...>
[pid 22132] stat("/usr/bin/keepassxc-proxy",  <unfinished ...>
[pid 22132] stat("/usr/bin/keepassxc-proxy",  <unfinished ...>
[pid 22687] execve("/usr/bin/keepassxc-proxy", ["/usr/bin/keepassxc-proxy", "/home/username/.mozilla/native-mess"..., "[email protected]"], 0x7faca7f9d500 /* 69 vars */ <unfinished ...>
[pid 22687] mkdir("/run/user/1000/app/org.keepassxc.KeePassXC", 0777) = -1 EACCES (Keine Berechtigung)
[pid 22687] unlink("/run/user/1000/org.keepassxc.KeePassXC.BrowserServer" <unfinished ...>
[pid 22687] symlink("/run/user/1000/app/org.keepassxc.KeePassXC/org.keepassxc.KeePassXC.BrowserServer", "/run/user/1000/org.keepassxc.KeePassXC.BrowserServer") = 0
[pid 22687] connect(6, {sa_family=AF_UNIX, sun_path="/run/user/1000/app/org.keepassxc.KeePassXC/org.keepassxc.KeePassXC.BrowserServer"}, 110) = -1 EACCES (Keine Berechtigung)

So it cannot mkdir("/run/user/1000/app/org.keepassxc.KeePassXC", 0777) because access denied.

Here is my firefox.profile:

private-bin bash,dbus-launch,dbus-send,env,firefox,sh,which,keepassxc-proxy
whitelist ${RUNUSER}/org.keepassxc.KeePassXC.BrowserServer
include /etc/firejail/firefox.profile

I tried to add
whitelist ${RUNUSER}/app/org.keepassxc.KeePassXC

but that gives the same errors.

[rusty-snake]

#5444

[neuroretransmit]

Closing. @gellnerm - @rusty-snake's latest comment in #5444 is the solution. No other edits to firefox.local/keepasxc.local are required. That reply simplified my config significantly.

[rusty-snake]

Reopening as reminder to fix this for the next release.

[WhyNotHugo]

noblacklist ${RUNUSRR]/app is required.