[GH-ISSUE #3713] keepassxc: issues with browser extension and tray icon (dbus) #2340

Closed
opened 2026-05-05 09:01:32 -06:00 by gitea-mirror · 10 comments

Originally created by @albinou on GitHub (Oct 31, 2020).
Original GitHub issue: https://github.com/netblue30/firejail/issues/3713

Hi,

Since the addition of dbus filters support (firejail version 0.9.64 I think), the keepassxc default profile does not give enough permissions for:

  • the KeepassXC-Browser extension to work (tested with firefox)
  • the tray icon to be displayed (tested with waybar under sway / wayland)

Bug and expected behavior

  • No systray icon displayed and things should at least be documented to allow the tray icon
  • firefox can't connect to keepassxc

Ugly fix ... can we find better?
It works if I add the following lines in a keepassxc.local file:

```
ignore dbus-user filter
```

I tried with the following lines without success:

```
dbus-user.own org.keepassxc.KeePassXC
dbus-user.talk org.freedesktop.Notifications
dbus-user.talk org.freedesktop.StatusNotifierItem
```

Does anyone have an idea of the right DBUS session names to use?

Environment

  • ArchLinux (up-to-date as of today)
  • firejail version 0.9.64

Additional context
Other context about the problem like related errors to understand the problem.

Checklist

  • [x] The upstream profile (and redirect profile if exists) have no changes fixing it.
  • [x] The program has a profile. (If not, request one in https://github.com/netblue30/firejail/issues/1139)
  • [x] Programs needed for interaction are listed in the profile.
  • [x] A short search for duplicates was performed.
  • [ ] If it is an AppImage, `--profile=PROFILENAME` is used to set the right profile.

Related commits:

  • ba62f0e29 ("keepassxc dbus, closes #3713 [skip ci]", 2020-10-31)
  • a2bed302c ("Update keepassxc.profile dbus comments", 2020-12-29)

@rusty-snake commented on GitHub (Oct 31, 2020):

For the tray, try `dbus-user.own org.kde.StatusNotifierItem-2-2` and `dbus-user.talk org.kde.StatusNotifierWatcher`, if it works try to omit the own rule.


@albinou commented on GitHub (Oct 31, 2020):

Thank you very much for your comment. After a few tries, it seems I need the 2 following lines:

```
dbus-user.talk org.kde.StatusNotifierWatcher
dbus-user.own org.kde.StatusNotifierItem-10-2
```

I really don't know where the "10-2" value comes from :D

Note that these two lines also fix the KeepassXC-Browser extension.
I think we can close this issue, except if this needs to be documented somewhere?


@rusty-snake commented on GitHub (Oct 31, 2020):

2-2 is used by the flatpak, if you need 10-2 then these numbers seem to not be stable.

> Note that these two lines also fix the KeepassXC-Browser extension.

LOL

> I think we can close this issue, except if this needs to be documented somewhere?

I add a note to the profile.


@albinou commented on GitHub (Oct 31, 2020):

> > Note that these two lines also fix the KeepassXC-Browser extension.
>
> LOL

I was wrong, this does not fix the KeepassXC-Browser extension totally.

Explanation of the scenario:

  • run keepassxc without firejail
  • KeePassXC-Browser works fine (under firefox)
  • stop keepassxc
  • rerun keepassxc but with firejail this time
  • KeePassXC-Browser can reconnect successfully with the same firefox instance (kept open)
  • restart firefox
  • KeePassXC-Browser fails to connect with the following error: `KeePassXC-Browser has encountered an error:` (no more information is given)

Even adding `ignore dbus-user filter` into the keepassxc firejail config does not fix the issue. So I guess the issue is related to something else.


@rusty-snake commented on GitHub (Oct 31, 2020):

Have you made any modifications to your firefox/keepassxc profile? (`private-bin`, wruc, ...)


@albinou commented on GitHub (Oct 31, 2020):

No, no local modifications on my keepassxc profile and I ran the tests without firejail enabled for firefox.

As a note, I just found this: https://github.com/keepassxreboot/keepassxc/pull/283
So maybe we should add:

```
dbus-user.own org.keepassxc.MainWindow.openDatabase
dbus-user.own org.keepassxc.MainWindow.closeAllDatabases
dbus-user.own org.keepassxc.MainWindow.appExit
```

But this does not really help here.


@rusty-snake commented on GitHub (Oct 31, 2020):

Can you try to comment `include disable-*.inc`, `private-tmp`, `private-bin` and see if it works then.

If it still fails, comment the whole profile and uncomment it line for line.

EDIT: and try with `--noprofile` to make sure it's not a general issue and try to run with `--writable-run-user`.


@albinou commented on GitHub (Oct 31, 2020):

I tried with `firejail --noprofile --writable-run-user keepassxc` and I can observe the same issue as with the keepassxc profile :-(

Not really sure of what it means?
Thanks for your help.


@rusty-snake commented on GitHub (Oct 31, 2020):

That's bad, if something is broken with `--noprofile`, then there is likely no fix for it. However there is still some hope: Because firefox isn't firejailed, keepassxc-proxy is started with its profile. Maybe it works if you remove the keepassxc-proxy symlink (assuming you execute firecfg).


@albinou commented on GitHub (Nov 2, 2020):

Well, so sorry, but it was weird ... actually my issue was also happening without enabling firejail at all. I just uninstalled the Keepassxc-browser add-on & re-installed it. Everything is working now.

So, we can really close this issue. The only interesting thing to remember is that the following lines must be added to the keepassxc.local file in order to have a tray icon:

```
dbus-user.own org.keepassxc.KeePassXC
dbus-user.talk org.freedesktop.Notifications
dbus-user.talk org.freedesktop.StatusNotifierItem
dbus-user.talk org.kde.StatusNotifierWatcher
dbus-user.own org.kde.StatusNotifierItem-10-2
```

Thank you very much.
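
A lint check for the two patterns this thread ends up with: the `ignore dbus-user filter` override and bus names carrying a numeric suffix such as `-10-2`, which the thread found to differ between setups. This is an added example, not part of the original thread or of firejail; the function name `audit_dbus_rules` and the sample file are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not firejail's own tooling): lint the D-Bus session rules in
# a firejail profile or *.local override for the two patterns from this thread.

audit_dbus_rules() {
    # $1: path to the file to check; prints one finding per line.
    awk '
        /^[ \t]*#/ { next }                      # ignore comment lines
        # Makes firejail skip the profile line "dbus-user filter", so the
        # session-bus filter is not applied.
        $1 == "ignore" && $2 == "dbus-user" && $3 == "filter" {
            print NR ": FILTER-DISABLED: " $1 " " $2 " " $3
            next
        }
        # Names ending in -<number>-<number> (2-2 vs 10-2 in the thread) are
        # not stable, so a hard-coded rule can stop matching.
        $1 ~ /^dbus-user\.(own|talk)$/ && $2 ~ /-[0-9]+-[0-9]+$/ {
            print NR ": UNSTABLE-NAME: " $1 " " $2
        }
    ' "$1"
}

# Constructed sample combining lines quoted in the thread.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# keepassxc.local (constructed sample)
ignore dbus-user filter
dbus-user.own org.keepassxc.KeePassXC
dbus-user.talk org.kde.StatusNotifierWatcher
dbus-user.own org.kde.StatusNotifierItem-10-2
EOF
audit_dbus_rules "$sample"
rm -f "$sample"
```

Each finding is prefixed with the line number in the checked file, so it can be run against `keepassxc.local` or any other override before deciding whether a rule is worth keeping.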
