Doesn't work with Firefox in Ubuntu when AppArmor aa-enforce is enabled
Closed this issue · 3 comments
Expected Behavior
Extension should connect to keepassxc with Firefox and Firefox Esr while aa-enforce is enabled.
Current Behavior
Extension only connects to keepassxc with Firefox Esr while aa-enforce is enabled, but not with the standard Firefox build in the Ubuntu repository. Extension says: "KeePassXC-Browser has encountered an error: Timeout or not connected to KeePassXC".
- I tried the troubleshooting page (looked at the json file, etc...)
- I tried disabling the proxy and connecting directly, closing keepassxc before launching firefox
- I tried the snap and the appimage versions
- I tried manually starting keepassxc-proxy
- I tried debugging the extension:
```
addons.webextension.keepassxc-browser@keepassxc.org WARN Please specify whether you want browser_style or not in your browser_action options.
Connecting to native messaging host org.keepassxc.keepassxc_browser keepass.js:892:5
Failed to execute command "/usr/bin/keepassxc-proxy" NativeMessaging.jsm:99
NativeApp</this.startupPromise<
resource://gre/modules/NativeMessaging.jsm:99:9
Failed to connect: Unknown error keepass.js:868:5
Webconsole context has changed
Error 5: Timeout or not connected to KeePassXC keepass.js:976:5
```
- aa-status:
  in enforce mode: `/usr/lib/firefox/firefox{,*[^s][^h]}`
  in complain mode: `/usr/lib/firefox/firefox{,*[^s][^h]}//null-/usr/bin/keepassxc-proxy`
  I deleted the Firefox AppArmor profile and removed and purged Firefox and AppArmor, then reinstalled them; now the complain-mode entry `/usr/lib/firefox/firefox{,*[^s][^h]}//null-/usr/bin/keepassxc-proxy` is gone, but the extension still doesn't work.
- tried turning ufw off completely and disabling AppArmor: keepassxc-browser works
- turned ufw back on and kept AppArmor disabled: keepassxc-browser works
- json file:
```json
{
  "allowed_extensions": [
    "keepassxc-browser@keepassxc.org"
  ],
  "description": "KeePassXC integration with native messaging support",
  "name": "org.keepassxc.keepassxc_browser",
  "path": "/usr/bin/keepassxc-proxy",
  "type": "stdio"
}
```
Possible Solution
Possibly an issue related to Ubuntu/Firefox and AppArmor and not KeePassXC?
Steps to Reproduce (for bugs)
- Up-to-date newest Ubuntu 18.04.1 LTS
- Freshly installed Firefox, then `sudo aa-enforce usr.bin.firefox`
- Open keepassxc
- Install keepassxc-browser in Firefox
- Try to connect
I have no experience with AppArmor, but you could try to allow it to use the Unix domain socket used with keepassxc-proxy. It should be under the `XDG_RUNTIME_DIR` environment variable with the name `kpxc_server`. If `XDG_RUNTIME_DIR` is not set, `/tmp/kpxc_server` is used instead.
I'm sorry, I don't have experience with `XDG_RUNTIME_DIR` either. Is there a guide or wiki on how to do that? Under ApplicationConfinement in the Ubuntu wiki it says:

> modifying XDG_* variables was abandoned because this technique cannot generally be used without breaking access to read-only shared data like mimetypes, xdg-user-dirs, per-app gsettings (future), etc. Most traditional applications adhere to the XDG specification without modification, but the Ubuntu SDK will need to be adjusted to ensure these XDG paths are used without modifying the environment.
Coming back to the enforced standard AppArmor profile for Firefox, which can be modified however you like, maybe there is a clue inside what is causing keepassxc-proxy to not be able to run. On a side note, today Firefox Esr will be upgraded from version 52.9.0 to version 60.2. It would be interesting to see if the same problem arises after the upgrade. Then it probably is Quantum-related.
I also would like to know if any other people using AppArmor have the same problem or if I am the exception, because if I am the exception then maybe something is wrong with my system and/or AppArmor.
# vim:syntax=apparmor
# Author: Jamie Strandboge <jamie@canonical.com>
# Declare an apparmor variable to help with overrides
@{MOZ_LIBDIR}=/usr/lib/firefox
#include <tunables/global>
# We want to confine the binaries that match:
# /usr/lib/firefox/firefox
# /usr/lib/firefox/firefox
# but not:
# /usr/lib/firefox/firefox.sh
/usr/lib/firefox/firefox{,*[^s][^h]} {
#include <abstractions/audio>
#include <abstractions/cups-client>
#include <abstractions/dbus-strict>
#include <abstractions/dbus-session-strict>
#include <abstractions/dconf>
#include <abstractions/gnome>
#include <abstractions/ibus>
#include <abstractions/nameservice>
#include <abstractions/openssl>
#include <abstractions/p11-kit>
#include <abstractions/ubuntu-unity7-base>
#include <abstractions/ubuntu-unity7-launcher>
#include <abstractions/dbus-accessibility-strict>
dbus (send)
bus=session
peer=(name=org.a11y.Bus),
dbus (receive)
bus=session
interface=org.a11y.atspi**,
dbus (receive, send)
bus=accessibility,
# for networking
network inet stream,
network inet6 stream,
@{PROC}/[0-9]*/net/arp r,
@{PROC}/[0-9]*/net/if_inet6 r,
@{PROC}/[0-9]*/net/ipv6_route r,
@{PROC}/[0-9]*/net/dev r,
@{PROC}/[0-9]*/net/wireless r,
dbus (send)
bus=system
path=/org/freedesktop/NetworkManager
member=state,
dbus (receive)
bus=system
path=/org/freedesktop/NetworkManager,
# should maybe be in abstractions
/etc/ r,
/etc/mime.types r,
/etc/mailcap r,
/etc/xdg/*buntu/applications/defaults.list r, # for all derivatives
/etc/xfce4/defaults.list r,
/usr/share/xubuntu/applications/defaults.list r,
owner @{HOME}/.local/share/applications/defaults.list r,
owner @{HOME}/.local/share/applications/mimeapps.list r,
owner @{HOME}/.local/share/applications/mimeinfo.cache r,
/var/lib/snapd/desktop/applications/mimeinfo.cache r,
/var/lib/snapd/desktop/applications/*.desktop r,
owner /tmp/** m,
owner /var/tmp/** m,
owner /{,var/}run/shm/shmfd-* rw,
owner /{dev,run}/shm/org.chromium.* rwk,
/tmp/.X[0-9]*-lock r,
/etc/udev/udev.conf r,
# Doesn't seem to be required, but noisy. Maybe allow 'r' for 'b*' if needed.
# Possibly move to an abstraction if anything else needs it.
deny /run/udev/data/** r,
# let the shell know we launched something
dbus (send)
bus=session
interface=org.gtk.gio.DesktopAppInfo
member=Launched,
/etc/timezone r,
/etc/wildmidi/wildmidi.cfg r,
# firefox specific
/etc/firefox*/ r,
/etc/firefox*/** r,
/etc/xul-ext/** r,
/etc/xulrunner-2.0*/ r,
/etc/xulrunner-2.0*/** r,
/etc/gre.d/ r,
/etc/gre.d/* r,
# noisy
deny @{MOZ_LIBDIR}/** w,
deny /usr/lib/firefox-addons/** w,
deny /usr/lib/xulrunner-addons/** w,
deny /usr/lib/xulrunner-*/components/*.tmp w,
deny /.suspended r,
deny /boot/initrd.img* r,
deny /boot/vmlinuz* r,
deny /var/cache/fontconfig/ w,
deny @{HOME}/.local/share/recently-used.xbel r,
# TODO: investigate
deny /usr/bin/gconftool-2 x,
# These are needed when a new user starts firefox and firefox.sh is used
@{MOZ_LIBDIR}/** ixr,
/usr/bin/basename ixr,
/usr/bin/dirname ixr,
/usr/bin/pwd ixr,
/sbin/killall5 ixr,
/bin/which ixr,
/usr/bin/tr ixr,
@{PROC}/ r,
@{PROC}/[0-9]*/cmdline r,
@{PROC}/[0-9]*/mountinfo r,
@{PROC}/[0-9]*/stat r,
owner @{PROC}/[0-9]*/task/[0-9]*/stat r,
@{PROC}/[0-9]*/status r,
@{PROC}/filesystems r,
@{PROC}/sys/vm/overcommit_memory r,
/sys/devices/pci[0-9]*/**/uevent r,
/sys/devices/platform/**/uevent r,
/sys/devices/pci*/**/{busnum,idVendor,idProduct} r,
/sys/devices/pci*/**/{,subsystem_}device r,
/sys/devices/pci*/**/{,subsystem_}vendor r,
/sys/devices/system/node/node[0-9]*/meminfo r,
owner @{HOME}/.cache/thumbnails/** rw,
/etc/mtab r,
/etc/fstab r,
# Needed for the crash reporter
owner @{PROC}/[0-9]*/environ r,
owner @{PROC}/[0-9]*/auxv r,
/etc/lsb-release r,
/usr/bin/expr ix,
/sys/devices/system/cpu/ r,
/sys/devices/system/cpu/** r,
# about:memory
owner @{PROC}/[0-9]*/statm r,
owner @{PROC}/[0-9]*/smaps r,
# Needed for container to work in xul builds
/usr/lib/xulrunner-*/plugin-container ixr,
# allow access to documentation and other files the user may want to look
# at in /usr and /opt
/usr/ r,
/usr/** r,
/opt/ r,
/opt/** r,
# so browsing directories works
/ r,
/**/ r,
# Default profile allows downloads to ~/Downloads and uploads from ~/Public
owner @{HOME}/ r,
owner @{HOME}/Public/ r,
owner @{HOME}/Public/* r,
owner @{HOME}/Downloads/ r,
owner @{HOME}/Downloads/* rw,
# per-user firefox configuration
owner @{HOME}/.{firefox,mozilla}/ rw,
owner @{HOME}/.{firefox,mozilla}/** rw,
owner @{HOME}/.{firefox,mozilla}/**/*.{db,parentlock,sqlite}* k,
owner @{HOME}/.{firefox,mozilla}/plugins/** rm,
owner @{HOME}/.{firefox,mozilla}/**/plugins/** rm,
owner @{HOME}/.gnome2/firefox* rwk,
owner @{HOME}/.cache/mozilla/{,firefox/} rw,
owner @{HOME}/.cache/mozilla/firefox/** rw,
owner @{HOME}/.cache/mozilla/firefox/**/*.sqlite k,
owner @{HOME}/.config/gtk-3.0/bookmarks r,
owner @{HOME}/.config/dconf/user w,
owner /{,var/}run/user/*/dconf/user w,
dbus (send)
bus=session
path=/org/gnome/GConf/Server
member=GetDefaultDatabase
peer=(label=unconfined),
dbus (send)
bus=session
path=/org/gnome/GConf/Database/*
member={AddMatch,AddNotify,AllEntries,LookupExtended,RemoveNotify}
peer=(label=unconfined),
dbus (send)
bus=session
path=/org/gtk/vfs/mounttracker
interface=org.gtk.vfs.MountTracker
member=ListMountableInfo
peer=(label=unconfined),
# gnome-session
dbus (send)
bus=session
path=/org/gnome/SessionManager
interface=org.gnome.SessionManager
member={Inhibit,Uninhibit}
peer=(label=unconfined),
# unity screen API
dbus (send)
bus=system
interface="org.freedesktop.DBus.Introspectable"
path="/com/canonical/Unity/Screen"
member="Introspect"
peer=(label=unconfined),
dbus (send)
bus=system
interface="com.canonical.Unity.Screen"
path="/com/canonical/Unity/Screen"
member={keepDisplayOn,removeDisplayOnRequest}
peer=(label=unconfined),
# freedesktop.org ScreenSaver
dbus (send)
bus=session
path=/{,org/freedesktop/,org.gnome/}Screen{s,S}aver
interface=org.freedesktop.ScreenSaver
member={Inhibit,UnInhibit,SimulateUserActivity}
peer=(label=unconfined),
# gnome, kde and cinnamon screensaver
dbus (send)
bus=session
path=/{,ScreenSaver}
interface=org.{gnome.ScreenSaver,kde.screensaver,cinnamon.ScreenSaver}
member=SimulateUserActivity
peer=(label=unconfined),
# UPower
dbus (send)
bus=system
path=/org/freedesktop/UPower
interface=org.freedesktop.UPower
member=EnumerateDevices
peer=(label=unconfined),
#
# Extensions
# /usr/share/.../extensions/... is already covered by '/usr/** r', above.
# Allow 'x' for downloaded extensions, but inherit policy for safety
owner @{HOME}/.mozilla/**/extensions/** mixr,
deny @{MOZ_LIBDIR}/update.test w,
deny /usr/lib/mozilla/extensions/**/ w,
deny /usr/lib/xulrunner-addons/extensions/**/ w,
deny /usr/share/mozilla/extensions/**/ w,
deny /usr/share/mozilla/ w,
# Miscellaneous (to be abstracted)
# Ideally these would use a child profile. They are all ELF executables
# so running with 'Ux', while not ideal, is ok because we will at least
# benefit from glibc's secure execute.
/usr/bin/mkfifo Uxr, # investigate
/bin/ps Uxr,
/bin/uname Uxr,
/usr/bin/lsb_release Cxr -> lsb_release,
profile lsb_release {
#include <abstractions/base>
#include <abstractions/python>
/usr/bin/lsb_release r,
/bin/dash ixr,
/usr/bin/dpkg-query ixr,
/usr/include/python2.[4567]/pyconfig.h r,
/etc/lsb-release r,
/etc/debian_version r,
/usr/share/distro-info/*.csv r,
/var/lib/dpkg/** r,
/usr/local/lib/python3.[0-6]/dist-packages/ r,
/usr/bin/ r,
/usr/bin/python3.[0-6] mr,
# file_inherit
deny /tmp/gtalkplugin.log w,
}
# Addons
#include <abstractions/ubuntu-browsers.d/firefox>
# Site-specific additions and overrides. See local/README for details.
#include <local/usr.bin.firefox>
}
I got this working with the following rules with PPA Firefox and KeePassXC installed from PPA as well:
```
# Native Messaging
owner @{HOME}/.mozilla/**/native-messaging-hosts/** ixr,
/usr/bin/keepassxc-proxy ixr,
/run/user/1000/org.keepassxc.KeePassXC.BrowserServer ixr,
/run/user/1000/app/org.keepassxc.KeePassXC/org.keepassxc.KeePassXC.BrowserServer wr,
```
Added the rules to Troubleshooting Guide.
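As an added example (not code from this issue, from KeePassXC or from the Ubuntu profile), a small Python script that turns the AppArmor DENIED events a failed connection leaves in the audit log into candidate rules for `/etc/apparmor.d/local/usr.bin.firefox`, the override file the profile above already includes. The log lines are constructed; the `ixr` exec mode and the `owner @{HOME}` / `/run/user/*` generalization follow the working rules posted above and the socket location the maintainer described.

```python
import re

# Constructed sample of the AppArmor DENIED events this failure leaves in
# /var/log/audit/audit.log (or dmesg): not captures from the issue above.
SAMPLE_LOG = """
type=AVC msg=audit(1536500000.101:201): apparmor="DENIED" operation="exec" profile="/usr/lib/firefox/firefox" name="/usr/bin/keepassxc-proxy" pid=4242 comm="firefox" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
type=AVC msg=audit(1536500000.105:202): apparmor="DENIED" operation="open" profile="/usr/lib/firefox/firefox" name="/home/user/.mozilla/native-messaging-hosts/org.keepassxc.keepassxc_browser.json" pid=4242 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=AVC msg=audit(1536500000.109:203): apparmor="DENIED" operation="connect" profile="/usr/lib/firefox/firefox//null-/usr/bin/keepassxc-proxy" name="/run/user/1000/kpxc_server" pid=4243 comm="keepassxc-proxy" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=1000
type=AVC msg=audit(1536500000.200:204): apparmor="ALLOWED" operation="open" profile="/usr/lib/firefox/firefox" name="/etc/hosts" pid=4242 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
"""

AUDIT_FIELD = re.compile(r'(\w+)="([^"]*)"')
# Order AppArmor permission letters the way the profile writes them (ixr, rw, ...).
MODE_ORDER = "ixrwkml"


def parse_audit_line(line):
    """Return the key="value" fields of one audit/dmesg line as a dict."""
    return dict(AUDIT_FIELD.findall(line))


def generalize(path):
    """Make user-specific paths account-independent, as the profile does with @{HOME}."""
    m = re.match(r"/home/[^/]+/(.*)", path)
    if m:
        return "owner @{HOME}/" + m.group(1)
    m = re.match(r"/run/user/\d+/(.*)", path)
    if m:
        return "owner /run/user/*/" + m.group(1)
    return path


def rules_from_log(text):
    """Collapse DENIED events into one AppArmor file rule per path."""
    masks = {}  # rule path -> set of permission letters
    for raw in text.splitlines():
        ev = parse_audit_line(raw)
        if ev.get("apparmor") != "DENIED" or "name" not in ev:
            continue
        need = set(ev.get("denied_mask") or ev.get("requested_mask", ""))
        if ev.get("operation") == "exec":
            need = {"i", "x", "r"}  # inherit the Firefox profile, like the working rule
        masks.setdefault(generalize(ev["name"]), set()).update(need)
    return [f"{path} {''.join(c for c in MODE_ORDER if c in m)}," for path, m in masks.items()]


if __name__ == "__main__":
    # Paste the output into /etc/apparmor.d/local/usr.bin.firefox (included by the
    # profile above) and reload it: sudo apparmor_parser -r /etc/apparmor.d/usr.bin.firefox
    print("\n".join(rules_from_log(SAMPLE_LOG)))
```

Review each generated rule before adding it: the script only mirrors what was denied, so a denial on a path Firefox should never touch is a finding, not a rule to add.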