keepassxreboot/keepassxc-browser

Doesn't work with Firefox in Ubuntu when AppArmor aa-enforce is enabled

Closed this issue · 3 comments

Expected Behavior

Extension should connect to keepassxc with Firefox and Firefox Esr while aa-enforce is enabled.

Current Behavior

Extension only connects to keepassxc with Firefox Esr while aa-enforce is enabled, but not with the standard Firefox build in the Ubuntu repository. Extension says: ' KeePassXC-Browser has encountered an error: Timeout or not connected to KeePassXC'.

  • I tried the troubleshooting page (looked at the json file, etc...)
  • I tried disabling the proxy and connecting directly, closing keepassxc before launching firefox
  • I tried the snap and and the appimage versions
  • I tried manually starting keepassxc-proxy
  • I tried debugging the extension:
addons.webextension.keepassxc-browser@keepassxc.org	WARN	Please specify whether you want browser_style or not in your browser_action options.
Connecting to native messaging host org.keepassxc.keepassxc_browser keepass.js:892:5
[Show/hide message details.] Failed to execute command "/usr/bin/keepassxc-proxy" NativeMessaging.jsm:99
NativeApp</this.startupPromise<
resource://gre/modules/NativeMessaging.jsm:99:9
Failed to connect: Unknown error keepass.js:868:5
Webconsole context has changed
Error 5: Timeout or not connected to KeePassXC keepass.js:976:5

  • aa-status:
in enforce mode:
/usr/lib/firefox/firefox{,*[^s][^h]}
in complain mode:
/usr/lib/firefox/firefox{,*[^s][^h]}//null-/usr/bin/keepassxc-proxy

I deleted the firefox app armor profile and removed and purged firefox and app amor, reinstalled it, now

in complain mode:
/usr/lib/firefox/firefox{,*[^s][^h]}//null-/usr/bin/keepassxc-proxy

is gone, but the extension still doesn't work.

  • tried turning ufw off completely and disabling app armor: keepassxc-browser works
  • turned on ufw and keep app armor disabled: keepassxc-browser works
  • json file:
{
    "allowed_extensions": [
        "keepassxc-browser@keepassxc.org"
    ],
    "description": "KeePassXC integration with native messaging support",
    "name": "org.keepassxc.keepassxc_browser",
    "path": "/usr/bin/keepassxc-proxy",
    "type": "stdio"
}

Possible Solution

Possibly an issue related to Ubuntu/Firefox and Apparmor and not Keepassxc?

Steps to Reproduce (for bugs)

  1. Up-to-date newest Ubuntu 18.04.1 LTS
  2. Freshly installed firefox
  3. sudo aa-enforce usr.bin.firefox
  4. Open keepassxc
  5. Install keepassxc-browser in Firefox
  6. Try to connect

I have no experience with Apparmor but you could try to allow it to use the Unix Domain Socket used with keepassxc-proxy. It should be under XDG_RUNTIME_DIR environment variable with name kpxc_server. If XDG_RUNTIME_DIR is not set, /tmp/kpxc_server is used instead.

I'm sorry, I don't have experience with XDG_RUNTIME_DIR neither. Is there a guide or wiki how to do that? Under ApplicationConfinement in the Ubuntu wiki it says:

modifying XDG_* variables was abandoned because this technique cannot generally be used without breaking access to read-only shared data like mimetypes, xdg-user-dirs, per-app gsettings (future), etc. Most traditional applications adhere to the XDG specification without modification, but the Ubuntu SDK will need to be adjusted to ensure these XDG paths are used without modifying the environment.

Coming back to the enforced standard Apparmor profile for Firefox, which can be modified however you like, maybe there is a clue inside what is causing keepassxc-proxy to not be able to run. On a sidenote, today Firefox Esr will be upgraded from version 52.9.0 to version 60.2. It would be interesting to see it if the same problem arises after the upgrade. Then it probably is Quantum-related.

I also would like to know if any other people using Apparmor have the same problem or if I am the exception, because if I am the exception then maybe something is wrong with my system and/or Apparmor.

# vim:syntax=apparmor
# Author: Jamie Strandboge <jamie@canonical.com>

# Declare an apparmor variable to help with overrides
@{MOZ_LIBDIR}=/usr/lib/firefox

#include <tunables/global>

# We want to confine the binaries that match:
#  /usr/lib/firefox/firefox
#  /usr/lib/firefox/firefox
# but not:
#  /usr/lib/firefox/firefox.sh
/usr/lib/firefox/firefox{,*[^s][^h]} {
  #include <abstractions/audio>
  #include <abstractions/cups-client>
  #include <abstractions/dbus-strict>
  #include <abstractions/dbus-session-strict>
  #include <abstractions/dconf>
  #include <abstractions/gnome>
  #include <abstractions/ibus>
  #include <abstractions/nameservice>
  #include <abstractions/openssl>
  #include <abstractions/p11-kit>
  #include <abstractions/ubuntu-unity7-base>
  #include <abstractions/ubuntu-unity7-launcher>

  #include <abstractions/dbus-accessibility-strict>
  dbus (send)
       bus=session
       peer=(name=org.a11y.Bus),
  dbus (receive)
       bus=session
       interface=org.a11y.atspi**,
  dbus (receive, send)
       bus=accessibility,

  # for networking
  network inet stream,
  network inet6 stream,
  @{PROC}/[0-9]*/net/arp r,
  @{PROC}/[0-9]*/net/if_inet6 r,
  @{PROC}/[0-9]*/net/ipv6_route r,
  @{PROC}/[0-9]*/net/dev r,
  @{PROC}/[0-9]*/net/wireless r,
  dbus (send)
       bus=system
       path=/org/freedesktop/NetworkManager
       member=state,
  dbus (receive)
       bus=system
       path=/org/freedesktop/NetworkManager,

  # should maybe be in abstractions
  /etc/ r,
  /etc/mime.types r,
  /etc/mailcap r,
  /etc/xdg/*buntu/applications/defaults.list    r, # for all derivatives
  /etc/xfce4/defaults.list r,
  /usr/share/xubuntu/applications/defaults.list r,
  owner @{HOME}/.local/share/applications/defaults.list r,
  owner @{HOME}/.local/share/applications/mimeapps.list r,
  owner @{HOME}/.local/share/applications/mimeinfo.cache r,
  /var/lib/snapd/desktop/applications/mimeinfo.cache r,
  /var/lib/snapd/desktop/applications/*.desktop r,
  owner /tmp/** m,
  owner /var/tmp/** m,
  owner /{,var/}run/shm/shmfd-* rw,
  owner /{dev,run}/shm/org.chromium.* rwk,
  /tmp/.X[0-9]*-lock r,
  /etc/udev/udev.conf r,
  # Doesn't seem to be required, but noisy. Maybe allow 'r' for 'b*' if needed.
  # Possibly move to an abstraction if anything else needs it.
  deny /run/udev/data/** r,
  # let the shell know we launched something
  dbus (send)
     bus=session
     interface=org.gtk.gio.DesktopAppInfo
     member=Launched,

  /etc/timezone r,
  /etc/wildmidi/wildmidi.cfg r,

  # firefox specific
  /etc/firefox*/ r,
  /etc/firefox*/** r,
  /etc/xul-ext/** r,
  /etc/xulrunner-2.0*/ r,
  /etc/xulrunner-2.0*/** r,
  /etc/gre.d/ r,
  /etc/gre.d/* r,

  # noisy
  deny @{MOZ_LIBDIR}/** w,
  deny /usr/lib/firefox-addons/** w,
  deny /usr/lib/xulrunner-addons/** w,
  deny /usr/lib/xulrunner-*/components/*.tmp w,
  deny /.suspended r,
  deny /boot/initrd.img* r,
  deny /boot/vmlinuz* r,
  deny /var/cache/fontconfig/ w,
  deny @{HOME}/.local/share/recently-used.xbel r,

  # TODO: investigate
  deny /usr/bin/gconftool-2 x,

  # These are needed when a new user starts firefox and firefox.sh is used
  @{MOZ_LIBDIR}/** ixr,
  /usr/bin/basename ixr,
  /usr/bin/dirname ixr,
  /usr/bin/pwd ixr,
  /sbin/killall5 ixr,
  /bin/which ixr,
  /usr/bin/tr ixr,
  @{PROC}/ r,
  @{PROC}/[0-9]*/cmdline r,
  @{PROC}/[0-9]*/mountinfo r,
  @{PROC}/[0-9]*/stat r,
  owner @{PROC}/[0-9]*/task/[0-9]*/stat r,
  @{PROC}/[0-9]*/status r,
  @{PROC}/filesystems r,
  @{PROC}/sys/vm/overcommit_memory r,
  /sys/devices/pci[0-9]*/**/uevent r,
  /sys/devices/platform/**/uevent r,
  /sys/devices/pci*/**/{busnum,idVendor,idProduct} r,
  /sys/devices/pci*/**/{,subsystem_}device r,
  /sys/devices/pci*/**/{,subsystem_}vendor r,
  /sys/devices/system/node/node[0-9]*/meminfo r,
  owner @{HOME}/.cache/thumbnails/** rw,

  /etc/mtab r,
  /etc/fstab r,

  # Needed for the crash reporter
  owner @{PROC}/[0-9]*/environ r,
  owner @{PROC}/[0-9]*/auxv r,
  /etc/lsb-release r,
  /usr/bin/expr ix,
  /sys/devices/system/cpu/ r,
  /sys/devices/system/cpu/** r,

  # about:memory
  owner @{PROC}/[0-9]*/statm r,
  owner @{PROC}/[0-9]*/smaps r,

  # Needed for container to work in xul builds
  /usr/lib/xulrunner-*/plugin-container ixr,

  # allow access to documentation and other files the user may want to look
  # at in /usr and /opt
  /usr/ r,
  /usr/** r,
  /opt/ r,
  /opt/** r,

  # so browsing directories works
  / r,
  /**/ r,

  # Default profile allows downloads to ~/Downloads and uploads from ~/Public
  owner @{HOME}/ r,
  owner @{HOME}/Public/ r,
  owner @{HOME}/Public/* r,
  owner @{HOME}/Downloads/ r,
  owner @{HOME}/Downloads/* rw,

  # per-user firefox configuration
  owner @{HOME}/.{firefox,mozilla}/ rw,
  owner @{HOME}/.{firefox,mozilla}/** rw,
  owner @{HOME}/.{firefox,mozilla}/**/*.{db,parentlock,sqlite}* k,
  owner @{HOME}/.{firefox,mozilla}/plugins/** rm,
  owner @{HOME}/.{firefox,mozilla}/**/plugins/** rm,
  owner @{HOME}/.gnome2/firefox* rwk,
  owner @{HOME}/.cache/mozilla/{,firefox/} rw,
  owner @{HOME}/.cache/mozilla/firefox/** rw,
  owner @{HOME}/.cache/mozilla/firefox/**/*.sqlite k,
  owner @{HOME}/.config/gtk-3.0/bookmarks r,
  owner @{HOME}/.config/dconf/user w,
  owner /{,var/}run/user/*/dconf/user w,
  dbus (send)
       bus=session
       path=/org/gnome/GConf/Server
       member=GetDefaultDatabase
       peer=(label=unconfined),
  dbus (send)
       bus=session
       path=/org/gnome/GConf/Database/*
       member={AddMatch,AddNotify,AllEntries,LookupExtended,RemoveNotify}
       peer=(label=unconfined),
  dbus (send)
       bus=session
       path=/org/gtk/vfs/mounttracker
       interface=org.gtk.vfs.MountTracker
       member=ListMountableInfo
       peer=(label=unconfined),

  # gnome-session
  dbus (send)
       bus=session
       path=/org/gnome/SessionManager
       interface=org.gnome.SessionManager
       member={Inhibit,Uninhibit}
       peer=(label=unconfined),

  # unity screen API
  dbus (send)
       bus=system
       interface="org.freedesktop.DBus.Introspectable"
       path="/com/canonical/Unity/Screen"
       member="Introspect"
       peer=(label=unconfined),
  dbus (send)
       bus=system
       interface="com.canonical.Unity.Screen"
       path="/com/canonical/Unity/Screen"
       member={keepDisplayOn,removeDisplayOnRequest}
       peer=(label=unconfined),

  # freedesktop.org ScreenSaver
  dbus (send)
       bus=session
       path=/{,org/freedesktop/,org.gnome/}Screen{s,S}aver
       interface=org.freedesktop.ScreenSaver
       member={Inhibit,UnInhibit,SimulateUserActivity}
       peer=(label=unconfined),

  # gnome, kde and cinnamon screensaver
  dbus (send)
       bus=session
       path=/{,ScreenSaver}
       interface=org.{gnome.ScreenSaver,kde.screensaver,cinnamon.ScreenSaver}
       member=SimulateUserActivity
       peer=(label=unconfined),

  # UPower
  dbus (send)
       bus=system
       path=/org/freedesktop/UPower
       interface=org.freedesktop.UPower
       member=EnumerateDevices
       peer=(label=unconfined),

  #
  # Extensions
  # /usr/share/.../extensions/... is already covered by '/usr/** r', above.
  # Allow 'x' for downloaded extensions, but inherit policy for safety
  owner @{HOME}/.mozilla/**/extensions/** mixr,

  deny @{MOZ_LIBDIR}/update.test w,
  deny /usr/lib/mozilla/extensions/**/ w,
  deny /usr/lib/xulrunner-addons/extensions/**/ w,
  deny /usr/share/mozilla/extensions/**/ w,
  deny /usr/share/mozilla/ w,

  # Miscellaneous (to be abstracted)
  # Ideally these would use a child profile. They are all ELF executables
  # so running with 'Ux', while not ideal, is ok because we will at least
  # benefit from glibc's secure execute.
  /usr/bin/mkfifo Uxr,  # investigate
  /bin/ps Uxr,
  /bin/uname Uxr,

  /usr/bin/lsb_release Cxr -> lsb_release,
  profile lsb_release {
    #include <abstractions/base>
    #include <abstractions/python>
    /usr/bin/lsb_release r,
    /bin/dash ixr,
    /usr/bin/dpkg-query ixr,
    /usr/include/python2.[4567]/pyconfig.h r,
    /etc/lsb-release r,
    /etc/debian_version r,
    /usr/share/distro-info/*.csv r,
    /var/lib/dpkg/** r,

    /usr/local/lib/python3.[0-6]/dist-packages/ r,
    /usr/bin/ r,
    /usr/bin/python3.[0-6] mr,

    # file_inherit
    deny /tmp/gtalkplugin.log w,
  }

  # Addons
  #include <abstractions/ubuntu-browsers.d/firefox>

  # Site-specific additions and overrides. See local/README for details.
  #include <local/usr.bin.firefox>
}

I got this working with the following rules with PPA Firefox and KeePassXC installed from PPA as well:

# Native Messaging
owner @{HOME}/.mozilla/**/native-messaging-hosts/** ixr,
/usr/bin/keepassxc-proxy ixr,
/run/user/1000/org.keepassxc.KeePassXC.BrowserServer ixr,
/run/user/1000/app/org.keepassxc.KeePassXC/org.keepassxc.KeePassXC.BrowserServer wr,

Added the rules to Troubleshooting Guide.