[GH-ISSUE #5450] keepassxc: Warning: not remounting /run/user/1000/app/org.keepassxc.KeePassXC #3001

Closed
opened 2026-05-05 09:39:24 -06:00 by gitea-mirror · 2 comments

Originally created by @WhyNotHugo on GitHub (Nov 3, 2022).
Original GitHub issue: https://github.com/netblue30/firejail/issues/5450

Description

KeePassXC now creates its socket in a dedicated directory, so this directory can be cross-mounted to other sandboxes (e.g.: Firefox). See https://github.com/keepassxreboot/keepassxc/commit/40316ac7b9bb5276c3d3ae1be2c3d808db503e3c

I'm trying to update the profile for keepassxc to always mount this directory from the host, by adding this to keepassxc.local:

noblacklist ${RUNUSER}/app/org.keepassxc.KeePassXC
mkdir       ${RUNUSER}/app/org.keepassxc.KeePassXC
whitelist   ${RUNUSER}/app/org.keepassxc.KeePassXC

However, when starting keepassxc, firejail prints:

Warning: not remounting /run/user/1000/app/org.keepassxc.KeePassXC

I've no idea why this is happening; it's just warning me that it can't, but there's no obvious reason. What am I doing wrong?

Steps to Reproduce

See above

Expected behavior

Directory should be mounted or an indication of what failed should be given.

Actual behavior

The directory is not mounted without any explanation.

Behavior without a profile

n/a

Additional context

Full output:

> keepassxc
Reading profile /etc/firejail/keepassxc.profile
Reading profile /etc/firejail/keepassxc.local
Reading profile /etc/firejail/globals.local
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-shell.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-run-common.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Seccomp list in: !name_to_handle_at, check list: @default-keep, prelist: unknown,
Parent pid 352985, child pid 352989
3 programs installed in 134.02 ms
Warning: skipping alternatives for private /etc
Private /etc installed in 21.26 ms
Warning: skipping alternatives for private /usr/etc
Warning: skipping fonts for private /usr/etc
Warning: skipping ld.so.cache for private /usr/etc
Warning: skipping ld.so.preload for private /usr/etc
Warning: skipping machine-id for private /usr/etc
Private /usr/etc installed in 0.30 ms
Warning: cleaning all supplementary groups
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Warning: not remounting /run/user/1000/app/org.keepassxc.KeePassXC
Seccomp list in: !name_to_handle_at, check list: @default-keep, prelist: unknown,
Warning: cleaning all supplementary groups
Child process initialized in 663.78 ms

Additionally, keepassxc.local needs:

whitelist ${RUNUSER}/wayland-1

Environment

ArchLinux

firejail version 0.9.71

Compile time support:
	- always force nonewprivs support is disabled
	- AppArmor support is enabled
	- AppImage support is enabled
	- chroot support is enabled
	- D-BUS proxy support is enabled
	- file transfer support is enabled
	- firetunnel support is disabled
	- IDS support is disabled
	- networking support is enabled
	- output logging is enabled
	- overlayfs support is disabled
	- private-home support is enabled
	- private-cache and tmpfs as user enabled
	- SELinux support is disabled
	- user namespace support is enabled
	- X11 sandboxing support is enabled

Checklist

n/a

Log

See above.

gitea-mirror closed this issue and added the notabug label (2026-05-05 09:39:24 -06:00)

@WhyNotHugo commented on GitHub (Nov 4, 2022):

On Fri, 4 Nov 2022, at 00:07, fred wrote:

> I'm using a 'firejailed' firefox and keepassxc without firejail and also can't connect anymore to the keepassxc by using the firefox-addon on arch linux, which worked fine until a few days ago.
> To me it looks that this is related to the firefox-profile.



Upstream KeePassXC has merged changes for this to work out of the box when firefox and/or kpxc are sandboxed. You need to drop any local hacks.

--
Hugo


@WhyNotHugo commented on GitHub (Nov 5, 2022):

Ah, figured out the issue: in one of the many files inherited by firejail, ${RUNUSER}/app is blacklisted, so whitelisting subdirectories of it is not allowed.

Need to change the original to:

noblacklist ${RUNUSER}/app
mkdir       ${RUNUSER}/app/org.keepassxc.KeePassXC
whitelist   ${RUNUSER}/app/org.keepassxc.KeePassXC
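
The check that would have located the problem, as an added example that is not part of the original comments or of firejail: it lists `blacklist` rules that cover a path or one of its parent directories and are not cancelled by an earlier `noblacklist` on the same path. The function names, the `inherited.inc` file and the sample profiles are constructed for illustration, and the matching is a simplified literal comparison, not firejail's own logic.

```sh
#!/bin/sh
# Added example: list blacklist rules that cover a path or one of its parents.
# Simplified model (assumption): literal string comparison on the rule
# argument, no glob or macro expansion, no following of "include" lines.

# usage: find_blocking_blacklist TARGET PROFILE...
# Pass the profiles in the order firejail reads them ("Reading profile ..."),
# because a noblacklist only cancels blacklist lines that come after it.
find_blocking_blacklist() {
    target=$1; shift
    awk -v target="$target" '
        # true when p is the target itself or one of its parent directories
        function covers(p) {
            return p == target || index(target, p "/") == 1
        }
        $1 == "noblacklist" { allowed[$2] = 1 }
        $1 == "blacklist" && covers($2) && !($2 in allowed) {
            printf "%s:%d: blacklist %s\n", FILENAME, FNR, $2
        }
    ' "$@"
}

# Constructed sample profiles reproducing the situation in this issue.
make_sample_profiles() {
    dir=$1
    # The first attempt: noblacklist on the subdirectory only.
    cat > "$dir/attempt.local" <<'EOF'
noblacklist ${RUNUSER}/app/org.keepassxc.KeePassXC
mkdir       ${RUNUSER}/app/org.keepassxc.KeePassXC
whitelist   ${RUNUSER}/app/org.keepassxc.KeePassXC
EOF
    # The fix from the last comment: noblacklist on the parent.
    cat > "$dir/fixed.local" <<'EOF'
noblacklist ${RUNUSER}/app
mkdir       ${RUNUSER}/app/org.keepassxc.KeePassXC
whitelist   ${RUNUSER}/app/org.keepassxc.KeePassXC
EOF
    # Stand-in for the inherited file (hypothetical name and content).
    cat > "$dir/inherited.inc" <<'EOF'
blacklist ${RUNUSER}/app
EOF
}

# Demo: the first attempt still leaves the parent blacklisted.
demo_dir=$(mktemp -d)
make_sample_profiles "$demo_dir"
find_blocking_blacklist '${RUNUSER}/app/org.keepassxc.KeePassXC' \
    "$demo_dir/attempt.local" "$demo_dir/inherited.inc"
rm -rf "$demo_dir"
```

On a real system the profile arguments would be the files named in the "Reading profile" lines of the log, in that order.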