[GH-ISSUE #4279] firefox: keepassxc browser integration not working correctly (even with fixes from #3952) #2604

Closed
opened 2026-05-05 09:16:23 -06:00 by gitea-mirror · 4 comments

Originally created by @bardacuda on GitHub (May 14, 2021).
Original GitHub issue: https://github.com/netblue30/firejail/issues/4279

```
$ firejail --version
firejail version 0.9.64.4
```

```
$ cat /etc/*-release
Manjaro Linux
DISTRIB_ID=ManjaroLinux
DISTRIB_RELEASE=21.0.4
DISTRIB_CODENAME=Ornara
DISTRIB_DESCRIPTION="Manjaro Linux"
Manjaro Linux
NAME="Manjaro Linux"
ID=manjaro
ID_LIKE=arch
BUILD_ID=rolling
PRETTY_NAME="Manjaro Linux"
ANSI_COLOR="32;1;24;144;200"
HOME_URL="https://manjaro.org/"
DOCUMENTATION_URL="https://wiki.manjaro.org/"
SUPPORT_URL="https://manjaro.org/"
BUG_REPORT_URL="https://bugs.manjaro.org/"
LOGO=manjarolinux
```

```
$ hostnamectl | grep 'Operating System' -A 2
  Operating System: Manjaro Linux
            Kernel: Linux 5.12.1-2-MANJARO
      Architecture: x86-64
```

```
$ cat /proc/version
Linux version 5.12.1-2-MANJARO (builduser@LEGION) (gcc (GCC) 10.2.0, GNU ld (GNU Binutils) 2.36.1) #1 SMP PREEMPT Sun May 2 13:56:40 UTC 2021
```

The browser integration broke 2 or 3 months ago.

~~The issue is still present when running `firejail --noprofile firefox`~~
The issue isn't present when running `firejail --noprofile firefox`

I did not try disabling various options in `/etc/firejail/firefox.profile` as I don't really know what I'm doing and don't want to break things further.

What I did do was add this line to my `/etc/firejail/firefox.local` file

```
whitelist ${RUNUSER}/org.keepassxc.KeePassXC.BrowserServer
```

This restored partial functionality, where if keepassxc was running before starting firefox, then communication/key exchange between the two will work as expected. However, if firefox was running first (the more common scenario for me; as I tend to keep my browser open; but close keepass, and unmount the drive the database is stored on when I'm not using it), then no communication/key exchange is possible.

I have also tried adding the following two lines to my `/etc/firejail/firefox.local` as seems to be suggested in https://github.com/netblue30/firejail/issues/3952 (although I'm not clear if `firefox.local` is the file I'm supposed to be adding those lines to):

```
private-bin bash,dbus-launch,dbus-send,env,firefox,sh,which,keepassxc-proxy
ignore include whitelist-runuser-common.inc
```

Doing so does not allow key exchange to work when firefox was running before starting keepassxc. Currently I have those 2 lines commented out though, and I'm at a loss for what to try next.

When running firefox outside of firejail the keepassxc browser integration works as intended.


@rusty-snake commented on GitHub (May 14, 2021):

> The issue is still present when running firejail --noprofile firefox

~~Then it's either in the keepassxc.profile or unrelated to firejail.~~ [next quote]

> When running firefox outside of firejail the keepassxc browser integration works as intended.

Can you try running firefox with the [noprofile.profile](https://gist.github.com/rusty-snake/bb234cb3e50e1e4e7429f29a7931cc72). 😕

> This restored partial functionality, where if keepassxc was running before starting firefox, then communication/key exchange between the two will work as expected. However, if firefox was running first (the more common scenario for me; as I tend to keep my browser open; but close keepass, and unmount the drive the database is stored on when I'm not using it), then no communication/key exchange is possible.

https://github.com/netblue30/firejail/blob/c9e7fe8ab3631a5e2e48de466dfa349823c741e5/etc/profile-a-l/firefox.profile#L26

This was a design decision made in #3952/#3984 which keeps firefox.profile tighter.

Good summary (IMHO) of the ways you have: https://github.com/netblue30/firejail/issues/3952#issuecomment-774717729

> private-bin bash,dbus-launch,dbus-send,env,firefox,sh,which,keepassxc-proxy

If you enabled `private-bin`, you need to add `keepassxc-proxy`. If you didn't enable `private-bin` you don't need this line (or `private-bin keepassxc-proxy`)


@bardacuda commented on GitHub (May 15, 2021):

> Can you try running firefox with the [noprofile.profile](https://gist.github.com/rusty-snake/bb234cb3e50e1e4e7429f29a7931cc72). 😕

That works:

https://imgbox.com/vICOXQT3

> https://github.com/netblue30/firejail/blob/c9e7fe8ab3631a5e2e48de466dfa349823c741e5/etc/profile-a-l/firefox.profile#L26
>
> This was a design decision made in #3952/#3984 which keeps firefox.profile tighter.

Ok but I'd like to implement a workaround if I can, even if I have to loosen the restrictions a little.

> Good summary (IMHO) of the ways you have: [#3952 (comment)](https://github.com/netblue30/firejail/issues/3952#issuecomment-774717729)

I basically just copied off of that issue.

> > private-bin bash,dbus-launch,dbus-send,env,firefox,sh,which,keepassxc-proxy
>
> If you enabled `private-bin`, you need to add `keepassxc-proxy`. If you didn't enable `private-bin` you don't need this line (or `private-bin keepassxc-proxy`)

I just added that whole line in case I needed to for the workaround, but it didn't change anything in my case.


@rusty-snake commented on GitHub (May 15, 2021):

> > Can you try running firefox with the [noprofile.profile](https://gist.github.com/rusty-snake/bb234cb3e50e1e4e7429f29a7931cc72). 😕
>
> That works

Good. Does this firefox.local work?

```
ignore include whitelist-runuser-common.inc
writable-run-user
```

Do you have any other relevant .locals?


@bardacuda commented on GitHub (May 15, 2021):

> Good. Does this firefox.local work?
>
> ```
> ignore include whitelist-runuser-common.inc
> writable-run-user
> ```

Hey hey, yeah that works even with the regular `firefox.profile` profile

> Do you have any other relevant .locals?

I didn't explicitly make any myself, and there are no other ones that I can see in `/etc/firejail/`

EDIT: Okay, so running with only `ignore include whitelist-runuser-common.inc` works too. I don't need to have `writable-run-user` in there for it to work.

If I have both:
`ignore include whitelist-runuser-common.inc`, followed by
`whitelist ${RUNUSER}/org.keepassxc.KeePassXC.BrowserServer`
or only:
`whitelist ${RUNUSER}/org.keepassxc.KeePassXC.BrowserServer`,
that's when I only get partial functionality (keepass has to be open first).

EDIT2: I also just tested again by starting firefox first using `firejail --noprofile firefox` and it did work, so now I'm confused too. Maybe I typo'ed or messed up the syntax when I first did this, before making my original post 😳. Sorry for the confusion and thanks for the help!
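Added example (not part of the thread and not firejail project code): a shell helper that classifies a `firefox.local` by the outcomes reported in this thread, skipping commented-out lines. The function names and result labels (`full`, `keepassxc-first`, `stock`) are made up for illustration, and the mapping reflects only what the reporter observed on firejail 0.9.64.4.

```shell
#!/bin/sh
# Added example: classify a firejail firefox.local by the KeePassXC
# behaviour reported in this issue thread. Labels are hypothetical.

# Socket whitelist line discussed in the thread (literal text, not expanded).
SOCK_RULE='whitelist ${RUNUSER}/org.keepassxc.KeePassXC.BrowserServer'
IGNORE_RULE='ignore include whitelist-runuser-common.inc'

# Print active directives: trim whitespace, collapse runs of blanks,
# drop '#' comment lines and empty lines.
active_lines() {
    sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
        -e 's/[[:space:]][[:space:]]*/ /g' \
        -e '/^#/d' -e '/^$/d' "$1"
}

# Prints one of:
#   keepassxc-first  socket whitelisted; reporter saw it work only when
#                    KeePassXC was started before Firefox
#   full             only the runuser whitelist include is ignored;
#                    reporter saw it work in either start order
#   stock            neither directive active; stock profile behaviour
classify_local() {
    file=$1
    if [ ! -r "$file" ]; then
        echo stock
        return 0
    fi
    lines=$(active_lines "$file")
    if printf '%s\n' "$lines" | grep -Fxq "$SOCK_RULE"; then
        echo keepassxc-first
    elif printf '%s\n' "$lines" | grep -Fxq "$IGNORE_RULE"; then
        echo full
    else
        echo stock
    fi
}

# Constructed sample input: both directives active, as in the reporter's EDIT.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample firefox.local
ignore include whitelist-runuser-common.inc
whitelist ${RUNUSER}/org.keepassxc.KeePassXC.BrowserServer
EOF
echo "sample firefox.local: $(classify_local "$sample")"
rm -f "$sample"
```

The socket whitelist is checked first because the reporter got the partial result whenever that line was active, with or without the `ignore` line.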

Reference: github-starred/firejail#2604