github-starred/firejail
2
0
Fork 0
mirror of https://github.com/netblue30/firejail.git synced 2026-05-15 14:16:14 -06:00
Code Issues 531 Projects Packages Wiki Activity Actions 6

[GH-ISSUE #4213] librewolf: cannot communicate with keepassxc #2583

New issue
Closed
opened 2026-05-05 09:15:10 -06:00 by gitea-mirror · 29 comments
gitea-mirror commented 2026-05-05 09:15:10 -06:00
Owner
Copy link

Originally created by @ghost on GitHub (Apr 25, 2021).
Original GitHub issue: https://github.com/netblue30/firejail/issues/4213

Hey

I just recently installed librewolf on arch linux.

I'm trying to get the connection between wolf and keepassxc. The following set up works with firefox but not with wolf.

# Allow internet access
ignore net

# firefox requires a shell to launch on Arch.
private-bin bash,dbus-launch,dbus-send,env,firefox,sh,which,keepassxc-proxy

# Allow keepassxc addon
whitelist ${RUNUSER}/org.keepassxc.KeePassXC.BrowserServer
whitelist ${RUNUSER}/kpxc_server

So I changed only the line to:
private-bin bash,dbus-launch,dbus-send,env,librewolf,python*,sh,which,keepassxc-proxy
for librewolf.local.

And for keepassxc I added the following:

# Needed for Firefox-Browser addon
mkfile ${HOME}/.librewolf/
whitelist ${HOME}/.librewolf/

Problem is, I can;t find this path like for firefox:

mkfile ${HOME}/.mozilla/native-messaging-hosts/org.keepassxc.keepassxc_browser.json
whitelist ${HOME}/.mozilla/native-messaging-hosts/org.keepassxc.keepassxc_browser.json

So might be a problem there?

Originally created by @ghost on GitHub (Apr 25, 2021). Original GitHub issue: https://github.com/netblue30/firejail/issues/4213 Hey I just recently installed librewolf on arch linux. I'm trying to get the connection between wolf and keepassxc. The following set up works with firefox but not with wolf. ``` # Allow internet access ignore net # firefox requires a shell to launch on Arch. private-bin bash,dbus-launch,dbus-send,env,firefox,sh,which,keepassxc-proxy # Allow keepassxc addon whitelist ${RUNUSER}/org.keepassxc.KeePassXC.BrowserServer whitelist ${RUNUSER}/kpxc_server ``` So I changed only the line to: `private-bin bash,dbus-launch,dbus-send,env,librewolf,python*,sh,which,keepassxc-proxy` for `librewolf.local`. And for keepassxc I added the following: ``` # Needed for Firefox-Browser addon mkfile ${HOME}/.librewolf/ whitelist ${HOME}/.librewolf/ ``` Problem is, I can;t find this path like for firefox: ``` mkfile ${HOME}/.mozilla/native-messaging-hosts/org.keepassxc.keepassxc_browser.json whitelist ${HOME}/.mozilla/native-messaging-hosts/org.keepassxc.keepassxc_browser.json ``` So might be a problem there?
gitea-mirror 2026-05-05 09:15:10 -06:00
  • closed this issue
  • added the
    stale
         label
gitea-mirror commented 2026-05-05 09:15:13 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Apr 25, 2021):

Problem is, I can;t find this path like for firefox:

Because LibeWolf isn't supported by KPXC, is it? Actually, it should work nevertheless with a manual setup because it's a fork.

Does it work without firejail?

mkfile ${HOME}/.librewolf/

Needs to be mkdir. And omit the trailing slashes.

<!-- gh-comment-id:826276110 --> @rusty-snake commented on GitHub (Apr 25, 2021): > Problem is, I can;t find this path like for firefox: Because LibeWolf isn't supported by KPXC, is it? Actually, it should work nevertheless with a manual setup because it's a fork. **Does it work without firejail?** > mkfile ${HOME}/.librewolf/ Needs to be `mkdir`. And omit the trailing slashes.
gitea-mirror commented 2026-05-05 09:15:14 -06:00
Author
Owner
Copy link

@ghost commented on GitHub (Apr 25, 2021):

Yeah, it does work without firejail.

Needs to be mkdir.

It doesn't make any difference. There is no ...

mkfile ${HOME}/.mozilla/native-messaging-hosts/org.keepassxc.keepassxc_browser.json
whitelist ${HOME}/.mozilla/native-messaging-hosts/org.keepassxc.keepassxc_browser.json

native-messaging-hosts folder in ~/.librewolf/. I just copied it from mozilla to wolf and changed the settings in keepass itself (Use a custom browser configuration location:) but nothing.

Edit:

Because LibeWolf isn't supported by KPXC, is it?

Yeah, it's not supported.

<!-- gh-comment-id:826388544 --> @ghost commented on GitHub (Apr 25, 2021): Yeah, it does work without firejail. > Needs to be mkdir. It doesn't make any difference. There is no ... ``` mkfile ${HOME}/.mozilla/native-messaging-hosts/org.keepassxc.keepassxc_browser.json whitelist ${HOME}/.mozilla/native-messaging-hosts/org.keepassxc.keepassxc_browser.json ``` `native-messaging-hosts` folder in `~/.librewolf/`. I just copied it from mozilla to wolf and changed the settings in keepass itself (`Use a custom browser configuration location:`) but nothing. Edit: > Because LibeWolf isn't supported by KPXC, is it? Yeah, it's not supported.
gitea-mirror commented 2026-05-05 09:15:15 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Apr 26, 2021):

How looks your full keepassxc.local?

<!-- gh-comment-id:826533686 --> @rusty-snake commented on GitHub (Apr 26, 2021): How looks your full keepassxc.local?
gitea-mirror commented 2026-05-05 09:15:15 -06:00
Author
Owner
Copy link

@CodeArtisan00 commented on GitHub (Apr 26, 2021):

Needed for Firefox-Browser addon
mkfile ${HOME}/.librewolf/
whitelist ${HOME}/.librewolf/

add noblacklist ${HOME}/.librewolf also as that path is in disable-programs.inc. & keepassxc profile has disable-programs.inc. If without firejail it works then it should also work with firejail.

<!-- gh-comment-id:826975788 --> @CodeArtisan00 commented on GitHub (Apr 26, 2021): > Needed for Firefox-Browser addon > mkfile ${HOME}/.librewolf/ > whitelist ${HOME}/.librewolf/ add `noblacklist ${HOME}/.librewolf` also as that path is in `disable-programs.inc`. & keepassxc profile has `disable-programs.inc`. If without `firejail` it works then it should also work with `firejail`.
gitea-mirror commented 2026-05-05 09:15:16 -06:00
Author
Owner
Copy link

@ghost commented on GitHub (Apr 26, 2021):

That's my keepassxc.local file. Which works with firefox but still not with wolf. :

# Database path
whitelist ${HOME}/Software/KeePass/*.kdbx

# Key path
whitelist ${HOME}/.keys/keepass/*.key

# Needed for Firefox & LibreWolf-Browser addon
noblacklist ${HOME}/.librewolf
mkdir ${HOME}/.librewolf
whitelist ${HOME}/.librewolf

mkfile ${HOME}/.mozilla/native-messaging-hosts/org.keepassxc.keepassxc_browser.json
whitelist ${HOME}/.mozilla/native-messaging-hosts/org.keepassxc.keepassxc_browser.json

mkdir ${HOME}/.cache/keepassxc
mkdir ${HOME}/.config/keepassxc
whitelist ${HOME}/.cache/keepassxc
whitelist ${HOME}/.config/keepassxc
include whitelist-common.inc

# Uncomment or add to your keepassxc.local to allow Tray.
dbus-user.talk org.kde.StatusNotifierWatcher
dbus-user.own org.kde.*

# SSH key path
noblacklist ${HOME}/.ssh
noblacklist ${HOME}/.keys/.ssh
whitelist ${HOME}/.ssh
whitelist ${HOME}/.keys/ssh

That's the librewolf.local:

# Allow internet access
ignore net

# Uncomment (or add to librewolf.local) the following lines if you want to
# use the migration wizard.
#noblacklist ${HOME}/.mozilla
#whitelist ${HOME}/.mozilla

# librewolf requires a shell to launch on Arch. We can possibly remove sh though.
private-bin bash,dbus-launch,dbus-send,env,librewolf,python*,sh,which,keepassxc-proxy
#private-bin bash,dbus-launch,dbus-send,env,firefox,sh,which,keepassxc-proxy

# private-etc must first be enabled in firefox-common.profile
private-etc librewolf

# Allow keepassxc addon
whitelist ${RUNUSER}/org.keepassxc.KeePassXC.BrowserServer
whitelist ${RUNUSER}/kpxc_server

firefox-common.local:

# Allow internet access
ignore net

private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,group,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,machine-id,mailcap,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,selinux,ssl,X11,xdg

and firefox.local (I'm trying to allow dolphin and okular to use open with option):

# Allow internet access
ignore net

# firefox requires a shell to launch on Arch.
private-bin bash,dbus-launch,dbus-send,env,firefox,sh,which,keepassxc-proxy

# Allow keepassxc addon
whitelist ${RUNUSER}/org.keepassxc.KeePassXC.BrowserServer
whitelist ${RUNUSER}/kpxc_server
#ignore include whitelist-runuser-common.inc

# Allow PDF view with okular
#ignore dbus

noblacklist /usr/share/applications/org.kde.dolphin.desktop
noblacklist /usr/share/applications/org.kde.okular.desktop

#whitelist /usr/share/applications/org.kde.dolphin.desktop
#whitelist /usr/share/applications/org.kde.okular.desktop
<!-- gh-comment-id:827077132 --> @ghost commented on GitHub (Apr 26, 2021): That's my `keepassxc.local` file. Which works with firefox but still not with wolf. : ``` # Database path whitelist ${HOME}/Software/KeePass/*.kdbx # Key path whitelist ${HOME}/.keys/keepass/*.key # Needed for Firefox & LibreWolf-Browser addon noblacklist ${HOME}/.librewolf mkdir ${HOME}/.librewolf whitelist ${HOME}/.librewolf mkfile ${HOME}/.mozilla/native-messaging-hosts/org.keepassxc.keepassxc_browser.json whitelist ${HOME}/.mozilla/native-messaging-hosts/org.keepassxc.keepassxc_browser.json mkdir ${HOME}/.cache/keepassxc mkdir ${HOME}/.config/keepassxc whitelist ${HOME}/.cache/keepassxc whitelist ${HOME}/.config/keepassxc include whitelist-common.inc # Uncomment or add to your keepassxc.local to allow Tray. dbus-user.talk org.kde.StatusNotifierWatcher dbus-user.own org.kde.* # SSH key path noblacklist ${HOME}/.ssh noblacklist ${HOME}/.keys/.ssh whitelist ${HOME}/.ssh whitelist ${HOME}/.keys/ssh ``` That's the `librewolf.local`: ``` # Allow internet access ignore net # Uncomment (or add to librewolf.local) the following lines if you want to # use the migration wizard. #noblacklist ${HOME}/.mozilla #whitelist ${HOME}/.mozilla # librewolf requires a shell to launch on Arch. We can possibly remove sh though. private-bin bash,dbus-launch,dbus-send,env,librewolf,python*,sh,which,keepassxc-proxy #private-bin bash,dbus-launch,dbus-send,env,firefox,sh,which,keepassxc-proxy # private-etc must first be enabled in firefox-common.profile private-etc librewolf # Allow keepassxc addon whitelist ${RUNUSER}/org.keepassxc.KeePassXC.BrowserServer whitelist ${RUNUSER}/kpxc_server ``` `firefox-common.local`: ``` # Allow internet access ignore net private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,group,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,machine-id,mailcap,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,selinux,ssl,X11,xdg ``` and `firefox.local` (I'm trying to allow dolphin and okular to use `open with` option): ``` # Allow internet access ignore net # firefox requires a shell to launch on Arch. private-bin bash,dbus-launch,dbus-send,env,firefox,sh,which,keepassxc-proxy # Allow keepassxc addon whitelist ${RUNUSER}/org.keepassxc.KeePassXC.BrowserServer whitelist ${RUNUSER}/kpxc_server #ignore include whitelist-runuser-common.inc # Allow PDF view with okular #ignore dbus noblacklist /usr/share/applications/org.kde.dolphin.desktop noblacklist /usr/share/applications/org.kde.okular.desktop #whitelist /usr/share/applications/org.kde.dolphin.desktop #whitelist /usr/share/applications/org.kde.okular.desktop ```
gitea-mirror commented 2026-05-05 09:15:17 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Apr 26, 2021):

noblacklist /usr/share/applications/…

FYI: There is no such blacklist

ignore net

Do you have a globals.local?

<!-- gh-comment-id:827079963 --> @rusty-snake commented on GitHub (Apr 26, 2021): > noblacklist /usr/share/applications/… FYI: There is no such blacklist > ignore net Do you have a `globals.local`?
gitea-mirror commented 2026-05-05 09:15:18 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Apr 26, 2021):

whitelist ${RUNUSER}/org.keepassxc.KeePassXC.BrowserServer
whitelist ${RUNUSER}/kpxc_server

Just to be sure, you follow this rule:

6df0ce721c/etc/profile-a-l/librewolf.profile (L22)

<!-- gh-comment-id:827081004 --> @rusty-snake commented on GitHub (Apr 26, 2021): > whitelist ${RUNUSER}/org.keepassxc.KeePassXC.BrowserServer whitelist ${RUNUSER}/kpxc_server Just to be sure, you follow this rule: https://github.com/netblue30/firejail/blob/6df0ce721c9b94b9764dece0e7755fc0c2a6c459/etc/profile-a-l/librewolf.profile#L22
gitea-mirror commented 2026-05-05 09:15:19 -06:00
Author
Owner
Copy link

@ghost commented on GitHub (Apr 26, 2021):

FYI: There is no such blacklist

Still learning :D

Yes, I have.
globals.local:

# Deny internet
net none

# Enable apparmor 
apparmor

Just to be sure, you follow this rule:

Yes, I follow that. Keepass autostart every reboot and after login I start wolf/firefox.

<!-- gh-comment-id:827082888 --> @ghost commented on GitHub (Apr 26, 2021): > FYI: There is no such blacklist Still learning :D Yes, I have. `globals.local`: ``` # Deny internet net none # Enable apparmor apparmor ``` > Just to be sure, you follow this rule: Yes, I follow that. Keepass autostart every reboot and after login I start wolf/firefox.
gitea-mirror commented 2026-05-05 09:15:20 -06:00
Author
Owner
Copy link

@CodeArtisan00 commented on GitHub (Apr 26, 2021):

That's my keepass.local file.

why keepass.local? Are you talking about keepass or keepassxc?

try the following,

  • run keepassxc with firejail --noprofile & librewolf with its firejail profile
  • run librewolf with firejail --noprofile & keepassxc with its firejail profile
    it will narrow down the problem. if in1st case keepassxc connects with librewolf then you have to work with keepassxc profile.

btw, is keepassxc working with firefox?

<!-- gh-comment-id:827125091 --> @CodeArtisan00 commented on GitHub (Apr 26, 2021): > That's my `keepass.local` file. why `keepass.local`? Are you talking about `keepass` or `keepassxc`? try the following, - run `keepassxc` with `firejail --noprofile` & `librewolf` with its **firejail profile** - run `librewolf` with `firejail --noprofile` & `keepassxc` with its **firejail profile** it will narrow down the problem. if in1st case `keepassxc` connects with **librewolf** then you have to work with `keepassxc` profile. btw, is `keepassxc` working with `firefox`?
gitea-mirror commented 2026-05-05 09:15:21 -06:00
Author
Owner
Copy link

@ghost commented on GitHub (Apr 26, 2021):

I'm sorry it's keepassxc.local. I changed it.

Keepassxc with firejail and wolf with noprofile works.
Firefox and keepassxc with firejail works. Same set up like above.

So there is something "wrong" here librewolf.local:

# Allow internet access
ignore net

# Uncomment (or add to librewolf.local) the following lines if you want to
# use the migration wizard.
#noblacklist ${HOME}/.mozilla
#whitelist ${HOME}/.mozilla

# librewolf requires a shell to launch on Arch. We can possibly remove sh though.
private-bin bash,dbus-launch,dbus-send,env,librewolf,python*,sh,which,keepassxc-proxy
#private-bin bash,dbus-launch,dbus-send,env,firefox,sh,which,keepassxc-proxy

# private-etc must first be enabled in firefox-common.profile
private-etc librewolf

# Allow keepassxc addon
whitelist ${RUNUSER}/org.keepassxc.KeePassXC.BrowserServer
whitelist ${RUNUSER}/kpxc_server
<!-- gh-comment-id:827137037 --> @ghost commented on GitHub (Apr 26, 2021): I'm sorry it's `keepassxc.local`. I changed it. Keepassxc with firejail and wolf with noprofile works. Firefox and keepassxc with firejail works. Same set up like above. So there is something "wrong" here `librewolf.local`: ``` # Allow internet access ignore net # Uncomment (or add to librewolf.local) the following lines if you want to # use the migration wizard. #noblacklist ${HOME}/.mozilla #whitelist ${HOME}/.mozilla # librewolf requires a shell to launch on Arch. We can possibly remove sh though. private-bin bash,dbus-launch,dbus-send,env,librewolf,python*,sh,which,keepassxc-proxy #private-bin bash,dbus-launch,dbus-send,env,firefox,sh,which,keepassxc-proxy # private-etc must first be enabled in firefox-common.profile private-etc librewolf # Allow keepassxc addon whitelist ${RUNUSER}/org.keepassxc.KeePassXC.BrowserServer whitelist ${RUNUSER}/kpxc_server ```
gitea-mirror commented 2026-05-05 09:15:21 -06:00
Author
Owner
Copy link

@CodeArtisan00 commented on GitHub (Apr 26, 2021):

Uncomment (or add to librewolf.local) the following lines if you want to
use the migration wizard.
noblacklist ${HOME}/.mozilla
whitelist ${HOME}/.mozilla

what happens if you uncomment these two? give it a try, it may do the trick.

<!-- gh-comment-id:827157697 --> @CodeArtisan00 commented on GitHub (Apr 26, 2021): > Uncomment (or add to librewolf.local) the following lines if you want to > use the migration wizard. > noblacklist ${HOME}/.mozilla > whitelist ${HOME}/.mozilla what happens if you uncomment these two? give it a try, it may do the trick.
gitea-mirror commented 2026-05-05 09:15:22 -06:00
Author
Owner
Copy link

@ghost commented on GitHub (Apr 27, 2021):

Indeed, that worked!

I played a little bit and moved the .mozilla folder as a backup folder (mozilla.backup) . It didn't worked.
So I created the .mozilla folder and it didn't worked.
I moved native-messaging-hosts which includes the file org.keepassxc.keepassxc_browser.json and it works.
I already tried to move the folder and file to .librewolf which doesn't work.
So I tried keepassxc -> tools -> browser integration -> advanced -> use a custom browser configuration location -> browser type: firefox -> config location: ~/.librewolf/native-messaging-hosts/ and created the folder.

Changed keepassxc.local

noblacklist ${HOME}/.librewolf
mkfile ${HOME}/.librewolf/native-messaging-hosts/org.keepassxc.keepassxc_browser.json
whitelist ${HOME}/.librewolf/native-messaging-hosts/org.keepassxc.keepassxc_browser.json

The file gets created.

And I added to librewolf.local (just in case):

noblacklist ${HOME}/.librewolf
whitelist ${HOME}/.librewolf

It seems to me that librewolf is only looking in the mozilla folder for the extension particular to ~/.mozilla/native-messaging-hosts/org.keepassxc.keepassxc_browser.json or I must miss something.

My plan is to get rid off firefox.

Edit:
Or is keepassxc browser addon looking only in the .mozilla folder?

<!-- gh-comment-id:827307750 --> @ghost commented on GitHub (Apr 27, 2021): Indeed, that worked! I played a little bit and moved the `.mozilla` folder as a backup folder (`mozilla.backup`) . It didn't worked. So I created the `.mozilla` folder and it didn't worked. I moved `native-messaging-hosts` which includes the file `org.keepassxc.keepassxc_browser.json` and it works. I already tried to move the folder and file to `.librewolf` which doesn't work. So I tried `keepassxc -> tools -> browser integration -> advanced -> use a custom browser configuration location -> browser type: firefox -> config location: ~/.librewolf/native-messaging-hosts/` and created the folder. Changed `keepassxc.local` ``` noblacklist ${HOME}/.librewolf mkfile ${HOME}/.librewolf/native-messaging-hosts/org.keepassxc.keepassxc_browser.json whitelist ${HOME}/.librewolf/native-messaging-hosts/org.keepassxc.keepassxc_browser.json ``` The file gets created. And I added to `librewolf.local` (just in case): ``` noblacklist ${HOME}/.librewolf whitelist ${HOME}/.librewolf ``` It seems to me that librewolf is only looking in the mozilla folder for the extension particular to `~/.mozilla/native-messaging-hosts/org.keepassxc.keepassxc_browser.json` or I must miss something. My plan is to get rid off firefox. Edit: Or is keepassxc browser addon looking only in the `.mozilla` folder?
gitea-mirror commented 2026-05-05 09:15:23 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Apr 27, 2021):

So actually this are the required locals?

keepassxc.local

# IF whitelist
mkfile ${HOME}/.mozilla/native-messaging-hosts/org.keepassxc.keepassxc_browser.json
whitelist ${HOME}/.mozilla/native-messaging-hosts/org.keepassxc.keepassxc_browser.json
# FI

librewolf.local

# IF private-bin
private-bin keepassxc-proxy
# FI

noblacklist ${HOME}/.mozilla
whitelist ${HOME}/.mozilla/native-messaging-hosts/org.keepassxc.keepassxc_browser.json

# newer kpxc
whitelist ${RUNUSER}/org.keepassxc.KeePassXC.BrowserServer
# older kpxc
whitelist ${RUNUSER}/kpxc_server
<!-- gh-comment-id:827350054 --> @rusty-snake commented on GitHub (Apr 27, 2021): So actually this are the required locals? `keepassxc.local` ``` # IF whitelist mkfile ${HOME}/.mozilla/native-messaging-hosts/org.keepassxc.keepassxc_browser.json whitelist ${HOME}/.mozilla/native-messaging-hosts/org.keepassxc.keepassxc_browser.json # FI ``` `librewolf.local` ``` # IF private-bin private-bin keepassxc-proxy # FI noblacklist ${HOME}/.mozilla whitelist ${HOME}/.mozilla/native-messaging-hosts/org.keepassxc.keepassxc_browser.json # newer kpxc whitelist ${RUNUSER}/org.keepassxc.KeePassXC.BrowserServer # older kpxc whitelist ${RUNUSER}/kpxc_server ```
gitea-mirror commented 2026-05-05 09:15:23 -06:00
Author
Owner
Copy link

@ghost commented on GitHub (Apr 27, 2021):

I have that keepassxc.local:

# Needed for Firefox & LibreWolf-Browser addon
#noblacklist ${HOME}/.librewolf
#mkfile ${HOME}/.librewolf/native-messaging-hosts/org.keepassxc.keepassxc_browser.json
#whitelist ${HOME}/.librewolf/native-messaging-hosts/org.keepassxc.keepassxc_browser.json

mkfile ${HOME}/.mozilla/native-messaging-hosts/org.keepassxc.keepassxc_browser.json
whitelist ${HOME}/.mozilla/native-messaging-hosts/org.keepassxc.keepassxc_browser.json

mkdir ${HOME}/.cache/keepassxc
mkdir ${HOME}/.config/keepassxc
whitelist ${HOME}/.cache/keepassxc
whitelist ${HOME}/.config/keepassxc
include whitelist-common.inc

and librewolf.local:

# librewolf requires a shell to launch on Arch. We can possibly remove sh though.
private-bin bash,dbus-launch,dbus-send,env,librewolf,python*,sh,which,keepassxc-proxy
#private-bin bash,dbus-launch,dbus-send,env,firefox,sh,which,keepassxc-proxy

# private-etc must first be enabled in firefox-common.profile
private-etc librewolf

# Uncomment (or add to librewolf.local) the following lines if you want to
# use the migration wizard and for keepassxc addon.
noblacklist ${HOME}/.mozilla
whitelist ${HOME}/.mozilla
whitelist ${RUNUSER}/org.keepassxc.KeePassXC.BrowserServer
whitelist ${RUNUSER}/kpxc_server

So keepassxc-proxy probably necessary as well.

Is the folder .mozilla created even without using Mozilla software? So keepassxc creates it then? Otherwise the keepassxc addon on librewolf does not work, I guess.

Edit:
And firefox-common.local

# Allow internet access
ignore net

private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,group,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,machine-id,mailcap,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
<!-- gh-comment-id:827355956 --> @ghost commented on GitHub (Apr 27, 2021): I have that `keepassxc.local`: ``` # Needed for Firefox & LibreWolf-Browser addon #noblacklist ${HOME}/.librewolf #mkfile ${HOME}/.librewolf/native-messaging-hosts/org.keepassxc.keepassxc_browser.json #whitelist ${HOME}/.librewolf/native-messaging-hosts/org.keepassxc.keepassxc_browser.json mkfile ${HOME}/.mozilla/native-messaging-hosts/org.keepassxc.keepassxc_browser.json whitelist ${HOME}/.mozilla/native-messaging-hosts/org.keepassxc.keepassxc_browser.json mkdir ${HOME}/.cache/keepassxc mkdir ${HOME}/.config/keepassxc whitelist ${HOME}/.cache/keepassxc whitelist ${HOME}/.config/keepassxc include whitelist-common.inc ``` and `librewolf.local`: ``` # librewolf requires a shell to launch on Arch. We can possibly remove sh though. private-bin bash,dbus-launch,dbus-send,env,librewolf,python*,sh,which,keepassxc-proxy #private-bin bash,dbus-launch,dbus-send,env,firefox,sh,which,keepassxc-proxy # private-etc must first be enabled in firefox-common.profile private-etc librewolf # Uncomment (or add to librewolf.local) the following lines if you want to # use the migration wizard and for keepassxc addon. noblacklist ${HOME}/.mozilla whitelist ${HOME}/.mozilla whitelist ${RUNUSER}/org.keepassxc.KeePassXC.BrowserServer whitelist ${RUNUSER}/kpxc_server ``` So `keepassxc-proxy` probably necessary as well. Is the folder `.mozilla` created even without using Mozilla software? So keepassxc creates it then? Otherwise the keepassxc addon on librewolf does not work, I guess. Edit: And `firefox-common.local` ``` # Allow internet access ignore net private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,group,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,machine-id,mailcap,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,selinux,ssl,X11,xdg ```
gitea-mirror commented 2026-05-05 09:15:24 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Apr 27, 2021):

firefox-common.local
private-etc librewolf

I mean for the locals to make kpxc-browser work with librewolf (as reference for other users).

Is the folder .mozilla created even without using Mozilla software?

mkfile ${HOME}/.mozilla/native-messaging-hosts/org.keepassxc.keepassxc_browser.json need to create .mozilla in order to create a file under it.

librewolf.local

Can you test with only

noblacklist ${HOME}/.mozilla
whitelist ${HOME}/.mozilla/native-messaging-hosts/org.keepassxc.keepassxc_browser.json

for ~/.mozilla.

<!-- gh-comment-id:827359618 --> @rusty-snake commented on GitHub (Apr 27, 2021): > firefox-common.local > private-etc librewolf I mean for the locals to make kpxc-browser work with librewolf (as reference for other users). > Is the folder .mozilla created even without using Mozilla software? `mkfile ${HOME}/.mozilla/native-messaging-hosts/org.keepassxc.keepassxc_browser.json` need to create `.mozilla` in order to create a file under it. > librewolf.local Can you test with only ``` noblacklist ${HOME}/.mozilla whitelist ${HOME}/.mozilla/native-messaging-hosts/org.keepassxc.keepassxc_browser.json ``` for `~/.mozilla`.
gitea-mirror commented 2026-05-05 09:15:24 -06:00
Author
Owner
Copy link

@ghost commented on GitHub (Apr 27, 2021):

I just tested it on a vm with only keepassxc and librewolf.

And that's the bare minimum for the addon ...

mkdir -p ~/.mozilla/native-messaging-hosts/

keepassxc.local:

mkfile ${HOME}/.mozilla/native-messaging-hosts/org.keepassxc.keepassxc_browser.json
whitelist ${HOME}/.mozilla/native-messaging-hosts/org.keepassxc.keepassxc_browser.json

and for librewolf.local:

noblacklist ${HOME}/.mozilla
whitelist ${HOME}/.mozilla/native-messaging-hosts/org.keepassxc.keepassxc_browser.json
whitelist ${RUNUSER}/org.keepassxc.KeePassXC.BrowserServer

But that's very annoying you probably know it already :D Better to add at least those to keepassxc.local as well:

mkdir ${HOME}/.config/keepassxc
whitelist ${HOME}/.config/keepassxc

Otherwise you have to enable browser integration every time you start keepass.

I still don't get it why I can't just use Use a custom browser configuration location:. I tried that too but nothing. Anyhow that's the solution for now, I guess.

<!-- gh-comment-id:827472045 --> @ghost commented on GitHub (Apr 27, 2021): I just tested it on a vm with only keepassxc and librewolf. And that's the bare minimum for the addon ... `mkdir -p ~/.mozilla/native-messaging-hosts/` `keepassxc.local`: ``` mkfile ${HOME}/.mozilla/native-messaging-hosts/org.keepassxc.keepassxc_browser.json whitelist ${HOME}/.mozilla/native-messaging-hosts/org.keepassxc.keepassxc_browser.json ``` and for `librewolf.local`: ``` noblacklist ${HOME}/.mozilla whitelist ${HOME}/.mozilla/native-messaging-hosts/org.keepassxc.keepassxc_browser.json whitelist ${RUNUSER}/org.keepassxc.KeePassXC.BrowserServer ``` But that's very annoying you probably know it already :D Better to add at least those to `keepassxc.local` as well: ``` mkdir ${HOME}/.config/keepassxc whitelist ${HOME}/.config/keepassxc ``` Otherwise you have to enable browser integration every time you start keepass. I still don't get it why I can't just use `Use a custom browser configuration location:`. I tried that too but nothing. Anyhow that's the solution for now, I guess.
gitea-mirror commented 2026-05-05 09:15:25 -06:00
Author
Owner
Copy link

@vnepogodin commented on GitHub (Apr 30, 2021):

I have that keepassxc.local:

# Needed for Firefox & LibreWolf-Browser addon
#noblacklist ${HOME}/.librewolf
#mkfile ${HOME}/.librewolf/native-messaging-hosts/org.keepassxc.keepassxc_browser.json
#whitelist ${HOME}/.librewolf/native-messaging-hosts/org.keepassxc.keepassxc_browser.json

mkfile ${HOME}/.mozilla/native-messaging-hosts/org.keepassxc.keepassxc_browser.json
whitelist ${HOME}/.mozilla/native-messaging-hosts/org.keepassxc.keepassxc_browser.json

mkdir ${HOME}/.cache/keepassxc
mkdir ${HOME}/.config/keepassxc
whitelist ${HOME}/.cache/keepassxc
whitelist ${HOME}/.config/keepassxc
include whitelist-common.inc

and librewolf.local:

# librewolf requires a shell to launch on Arch. We can possibly remove sh though.
private-bin bash,dbus-launch,dbus-send,env,librewolf,python*,sh,which,keepassxc-proxy
#private-bin bash,dbus-launch,dbus-send,env,firefox,sh,which,keepassxc-proxy

# private-etc must first be enabled in firefox-common.profile
private-etc librewolf

# Uncomment (or add to librewolf.local) the following lines if you want to
# use the migration wizard and for keepassxc addon.
noblacklist ${HOME}/.mozilla
whitelist ${HOME}/.mozilla
whitelist ${RUNUSER}/org.keepassxc.KeePassXC.BrowserServer
whitelist ${RUNUSER}/kpxc_server

So keepassxc-proxy probably necessary as well.

Is the folder .mozilla created even without using Mozilla software? So keepassxc creates it then? Otherwise the keepassxc addon on librewolf does not work, I guess.

Edit:
And firefox-common.local

# Allow internet access
ignore net

private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,group,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,machine-id,mailcap,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,selinux,ssl,X11,xdg

https://github.com/netblue30/firejail/blob/master/etc/profile-a-l/librewolf.profile#L21
You should just uncomment or put it to your librewolf.local

<!-- gh-comment-id:830111594 --> @vnepogodin commented on GitHub (Apr 30, 2021): > I have that `keepassxc.local`: > > ``` > # Needed for Firefox & LibreWolf-Browser addon > #noblacklist ${HOME}/.librewolf > #mkfile ${HOME}/.librewolf/native-messaging-hosts/org.keepassxc.keepassxc_browser.json > #whitelist ${HOME}/.librewolf/native-messaging-hosts/org.keepassxc.keepassxc_browser.json > > mkfile ${HOME}/.mozilla/native-messaging-hosts/org.keepassxc.keepassxc_browser.json > whitelist ${HOME}/.mozilla/native-messaging-hosts/org.keepassxc.keepassxc_browser.json > > mkdir ${HOME}/.cache/keepassxc > mkdir ${HOME}/.config/keepassxc > whitelist ${HOME}/.cache/keepassxc > whitelist ${HOME}/.config/keepassxc > include whitelist-common.inc > ``` > > and `librewolf.local`: > > ``` > # librewolf requires a shell to launch on Arch. We can possibly remove sh though. > private-bin bash,dbus-launch,dbus-send,env,librewolf,python*,sh,which,keepassxc-proxy > #private-bin bash,dbus-launch,dbus-send,env,firefox,sh,which,keepassxc-proxy > > # private-etc must first be enabled in firefox-common.profile > private-etc librewolf > > # Uncomment (or add to librewolf.local) the following lines if you want to > # use the migration wizard and for keepassxc addon. > noblacklist ${HOME}/.mozilla > whitelist ${HOME}/.mozilla > whitelist ${RUNUSER}/org.keepassxc.KeePassXC.BrowserServer > whitelist ${RUNUSER}/kpxc_server > ``` > > So `keepassxc-proxy` probably necessary as well. > > Is the folder `.mozilla` created even without using Mozilla software? So keepassxc creates it then? Otherwise the keepassxc addon on librewolf does not work, I guess. > > Edit: > And `firefox-common.local` > > ``` > # Allow internet access > ignore net > > private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,group,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,machine-id,mailcap,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,selinux,ssl,X11,xdg > ``` https://github.com/netblue30/firejail/blob/master/etc/profile-a-l/librewolf.profile#L21 You should just uncomment or put it to your `librewolf.local`
gitea-mirror commented 2026-05-05 09:15:25 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Apr 30, 2021):

@vnepogodin does this work for you?

<!-- gh-comment-id:830116431 --> @rusty-snake commented on GitHub (Apr 30, 2021): @vnepogodin does this work for you?
gitea-mirror commented 2026-05-05 09:15:26 -06:00
Author
Owner
Copy link

@vnepogodin commented on GitHub (Apr 30, 2021):

Yes

<!-- gh-comment-id:830118532 --> @vnepogodin commented on GitHub (Apr 30, 2021): Yes
gitea-mirror commented 2026-05-05 09:15:26 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Apr 30, 2021):

@vnepogodin did you uncommented the .mozilla as well?

@DanSman @vnepogodin How do you installed librewolf (could a wrong configure argument cause this?)?

<!-- gh-comment-id:830125357 --> @rusty-snake commented on GitHub (Apr 30, 2021): @vnepogodin did you uncommented the .mozilla as well? @DanSman @vnepogodin How do you installed librewolf (could a wrong configure argument cause this?)?
gitea-mirror commented 2026-05-05 09:15:26 -06:00
Author
Owner
Copy link

@vnepogodin commented on GitHub (Apr 30, 2021):

I did't uncommented .mozilla

librewolf and keepassxc installed as fresh as posible

<!-- gh-comment-id:830138509 --> @vnepogodin commented on GitHub (Apr 30, 2021): I did't uncommented `.mozilla` librewolf and keepassxc installed as fresh as posible
gitea-mirror commented 2026-05-05 09:15:27 -06:00
Author
Owner
Copy link

@ghost commented on GitHub (Apr 30, 2021):

It doesn't work here.

I need to have everything uncomment and the .mozilla folder manually created like I mentioned above. Which makes sense to me. Librewolf and keepassxc shouldn't have access to the .mozilla folder out of the box.

@vnepogodin
Where is the file org.keepassxc.keepassxc_browser.json stored on your computer and how get librewolf access to it?

Edit:
I use Arch Linux and used the AUR librewolf bin package.
Keepassxc just from the official repo.

<!-- gh-comment-id:830408130 --> @ghost commented on GitHub (Apr 30, 2021): It doesn't work here. I need to have everything uncomment and the `.mozilla` folder manually created like I mentioned above. Which makes sense to me. Librewolf and keepassxc shouldn't have access to the `.mozilla` folder out of the box. @vnepogodin Where is the file `org.keepassxc.keepassxc_browser.json` stored on your computer and how get librewolf access to it? Edit: I use Arch Linux and used the AUR librewolf bin package. Keepassxc just from the official repo.
gitea-mirror commented 2026-05-05 09:15:27 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (May 1, 2021):

librewolf and keepassxc installed as fresh as posible

Compiled from git?

<!-- gh-comment-id:830573519 --> @rusty-snake commented on GitHub (May 1, 2021): > librewolf and keepassxc installed as fresh as posible Compiled from git?
gitea-mirror commented 2026-05-05 09:15:28 -06:00
Author
Owner
Copy link

@ghost commented on GitHub (May 1, 2021):

librewolf and keepassxc installed as fresh as posible

Compiled from git?

Does it really makes any difference?

<!-- gh-comment-id:830643493 --> @ghost commented on GitHub (May 1, 2021): > > librewolf and keepassxc installed as fresh as posible > > Compiled from git? Does it really makes any difference?
gitea-mirror commented 2026-05-05 09:15:28 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (May 1, 2021):

Other program version or configure arguments are the only idea I have ATM.

<!-- gh-comment-id:830651104 --> @rusty-snake commented on GitHub (May 1, 2021): Other program version or configure arguments are the only idea I have ATM.
gitea-mirror commented 2026-05-05 09:15:28 -06:00
Author
Owner
Copy link

@ghost commented on GitHub (May 2, 2021):

It doesn't work here.

I need to have everything uncomment and the .mozilla folder manually created like I mentioned above. Which makes sense to me. Librewolf and keepassxc shouldn't have access to the .mozilla folder out of the box.

@vnepogodin
Where is the file org.keepassxc.keepassxc_browser.json stored on your computer and how get librewolf access to it?

Edit:
I use Arch Linux and used the AUR librewolf bin package.
Keepassxc just from the official repo.

Why messing with firefox if you are using librewolf ?
Firefox has .mozilla folder and librewolf has .librewolf

I think you also malfunctioned the keepassxc browser extension. Uninstall keepassxc browser extension and
rm -rf $(find ~/.librewolf | grep keepass)

then reinstall again. Mine works perfectly. Just auto keyboard completion and internet connection not works, which is not a privacy but a shit. KeePassXC and be build without those flags but no need to implement that for all users by default :D

<!-- gh-comment-id:830919065 --> @ghost commented on GitHub (May 2, 2021): > It doesn't work here. > > I need to have everything uncomment and the `.mozilla` folder manually created like I mentioned above. Which makes sense to me. Librewolf and keepassxc shouldn't have access to the `.mozilla` folder out of the box. > > @vnepogodin > Where is the file `org.keepassxc.keepassxc_browser.json` stored on your computer and how get librewolf access to it? > > Edit: > I use Arch Linux and used the AUR librewolf bin package. > Keepassxc just from the official repo. Why messing with firefox if you are using librewolf ? Firefox has .mozilla folder and librewolf has .librewolf I think you also malfunctioned the keepassxc browser extension. Uninstall keepassxc browser extension and `rm -rf $(find ~/.librewolf | grep keepass)` then reinstall again. Mine works perfectly. Just auto keyboard completion and internet connection not works, which is not a privacy but a shit. KeePassXC and be build without those flags but no need to implement that for all users by default :D
gitea-mirror commented 2026-05-05 09:15:29 -06:00
Author
Owner
Copy link

@ghost commented on GitHub (May 3, 2021):

Did you enabled browser integration in keepass? If yes, which browser? Or custom browser config?

I have seen you're using Arch as well. I tried that on a fresh install arch vm and on my computer arch. So I can't get any connection between those without the setup above.
But maybe I block something else here and there.,

<!-- gh-comment-id:831481877 --> @ghost commented on GitHub (May 3, 2021): Did you enabled browser integration in keepass? If yes, which browser? Or custom browser config? I have seen you're using Arch as well. I tried that on a fresh install arch vm and on my computer arch. So I can't get any connection between those without the setup above. But maybe I block something else here and there.,
gitea-mirror commented 2026-05-05 09:15:29 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Jun 10, 2021):

I'm closing here due to inactivity, please fell free to request to reopen if you have more questions.

<!-- gh-comment-id:858443465 --> @rusty-snake commented on GitHub (Jun 10, 2021): I'm closing here due to inactivity, please fell free to request to reopen if you have more questions.
gitea-mirror commented 2026-05-05 09:15:30 -06:00
Author
Owner
Copy link

@float3 commented on GitHub (Nov 18, 2022):

https://github.com/keepassxreboot/keepassxc/issues/6907#issuecomment-1136491056

<!-- gh-comment-id:1319865783 --> @float3 commented on GitHub (Nov 18, 2022): https://github.com/keepassxreboot/keepassxc/issues/6907#issuecomment-1136491056
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
master
serialize_remounts_v2
landlock_v4
landlock
release-0.9.64
release-0.9.62
gitlab_ci
LTSbase
fred_ctests
docs
0.9.80
0.9.80-rc1
0.9.78
0.9.76
0.9.76-rc4
0.9.76-rc3
0.9.76-rc2
0.9.76-rc1
0.9.74
landlock-split
0.9.72
0.9.72rc1
0.9.70
0.9.68
0.9.68rc1
0.9.66
0.9.66rc1
0.9.64.4
0.9.64.2
0.9.64
0.9.64rc1
0.9.62.4
0.9.62.2
0.9.62
0.9.56.2-LTS
0.9.60
0.9.60-rc1
0.9.58.2
0.9.58
0.9.58-rc1
0.9.56-LTS-release
0.9.56-LTS
0.9.56
0.9.56-rc1
0.9.54
0.9.54-rc2
0.9.54-rc1
0.9.52
0.9.38.12
0.9.50
0.9.50-rc1
0.9.48
0.9.46
0.9.46-rc1
0.9.44.10
0.9.44.8
0.9.44.6
0.9.38.10
0.9.44.4
0.9.38.8
0.9.44.2
0.9.44
0.9.44-rc1
0.9.38.4
0.9.42
0.9.42-rc2
0.9.38.2
0.9.42-rc1
disable-globalcfg
0.9.40
0.9.40-rc1
0.9.38
0.9.38-rc1
0.9.36
0.9.36-rc1
0.9.34
0.9.34-rc1
0.9.32
0.9.32-rc1
0.9.30
0.9.30-rc1
Labels
Clear labels   
LTS merge

   
LTS merge

   
bug

   
bug

   
converted-to-discussion

   
doc-todo

   
documentation

   
duplicate

   
enhancement

   
file-transfer

   
firecfg

   
firejail-in-firejail

   
firetools

   
graphics

   
help wanted

   
information_old

   
installation

   
invalid

   
modif

   
moved

   
needinfo

   
networking

   
notabug

   
notourbug

   
old-version

   
overlayfs

   
packaging

   
profile-request

   
pull-request

Mirrored from GitHub Pull Request

  
question

   
question_old

   
removal

   
runtime-permissions

   
sandbox-ipc

   
security

   
stale

   
wiki

   
wiki

   
wontfix

   
wordpress

   
workaround
No labels
LTS merge
LTS merge
bug
bug
converted-to-discussion
doc-todo
documentation
duplicate
enhancement
file-transfer
firecfg
firejail-in-firejail
firetools
graphics
help wanted
information_old
installation
invalid
modif
moved
needinfo
networking
notabug
notourbug
old-version
overlayfs
packaging
profile-request
pull-request
question
question_old
removal
runtime-permissions
sandbox-ipc
security
stale
wiki
wiki
wontfix
wordpress
workaround
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#2583
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?