mirror of
https://github.com/netblue30/firejail.git
synced 2026-05-15 14:16:14 -06:00
[GH-ISSUE #1176] Firejail app cannot communicate with my Yubikey #809
Originally created by @ghost on GitHub (Mar 29, 2017).
Original GitHub issue: https://github.com/netblue30/firejail/issues/1176
I'm currently testing a new app with firejail that needs to access my Yubikey (connected to a USB port) but cannot see it inside a jail.
Is there an option I could add (or remove) to the app profile that will most likely give access to the Yubikey?
Thank you!
@Fred-Barclay commented on GitHub (Mar 29, 2017):
@BytesTuner
Could you post the app profile you are currently using?
Thanks!
@ghost commented on GitHub (Mar 29, 2017):
The app I'm testing is the current git version of KeepassXC (the new and most active fork of KeepassX):
https://github.com/keepassxreboot/keepassxc
...and the profile I'm using with it is the default Firejail KeepassX (I obviously customize it with the right keepassxc directory):
https://github.com/netblue30/firejail/blob/master/etc/keepassx.profile
KeepassXC is working fine with this profile and the custom path but it cannot see the Yubikey (which the app is able to see without the jail).
@chiraag-nataraj commented on GitHub (Mar 29, 2017):
The problem is probably the private-dev option. You'll want to whitelist (or noblacklist or something) the appropriate device in /dev to ensure KeepassXC sees the yubikey.
@ghost commented on GitHub (Mar 29, 2017):
OK, I did some more tests and the culprits were:
protocol unix
private-dev
This is my working final profile for keepassxc:
noblacklist ${HOME}/.config/keepassxc
noblacklist ${HOME}/.keepassxc
noblacklist ${HOME}/.kdbx
noblacklist ${HOME}/.kdb
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-passwdmgr.inc
caps.drop all
net none
nogroups
nonewprivs
noroot
nosound
#protocol unix
seccomp
shell none
private-bin keepassxc
#private-etc fonts
#private-dev
private-tmp
I obviously don't mind if someone wants to add it to this git.
Important thing:
The 'net none' option should be commented out if someone needs to use their new KeePassHTTP support with PassIFox in Mozilla Firefox and chromeIPass in Google Chrome or Chromium. In my case, I don't use it, so I leave it uncommented.
@Fred-Barclay commented on GitHub (Mar 30, 2017):
@BytesTuner I've added the profile, thanks!
5a982a1e5e
Currently private-dev and protocol unix are commented out. I or someone else might change this later (I'm not sure it's a good idea to disable this for all users - we don't for the other keepass profiles). If so, you can just copy the profile to ~/.config/firejail and comment out/remove those two lines.
Cheers and thanks for the profile!
Fred
@ghost commented on GitHub (Mar 30, 2017):
It basically all depends on which new KeepassXC features the user wants to use. The more secure option is to not comment them out. The basic features of KeepassXC will work this way.
However, some options must be commented out if the user wants to use the new features:
To use KeePassHTTP -> 'net none' must be commented out
To use YubiKey HMAC-SHA1 authentication for unlocking databases -> 'protocol unix' and 'private-dev' must be commented out. If not, the app won't see the Yubikey connected on the computer.
I don't know but maybe it could be a good thing to add this information directly in the profile file...?
No problem. You're welcome! :)
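A profile audit script, added here as an example (not code from the firejail project or from anyone in this issue), covering both the profile posted above and the explanation of which options must be commented out: it scans a firejail profile for the directives the thread identifies as hiding a USB YubiKey from the app (private-dev, protocol unix, and nosound as reported later in the thread) and writes the per-user override Fred describes, commenting out only those lines so seccomp, caps.drop and the rest stay in force. The sample profile is constructed from the one posted above; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the firejail project or this issue's participants.
# Audits a firejail profile for the options the thread found to hide a
# USB YubiKey from KeePassXC, then writes a per-user override that comments
# out only those options and leaves every other hardening line in force.

# Constructed sample profile, modelled on the one posted in the thread.
SAMPLE_PROFILE=$(mktemp)
cat > "$SAMPLE_PROFILE" <<'EOF'
include /etc/firejail/disable-common.inc
caps.drop all
net none
nosound
protocol unix
seccomp
private-bin keepassxc
private-dev
private-tmp
EOF

# List the active (uncommented) options known to block the token:
# private-dev and protocol unix (this thread), nosound (reported for Fedora 26).
# Leading whitespace is ignored; lines starting with '#' are skipped.
yubikey_blockers() {
    sed -e 's/^[[:space:]]*//' "$1" \
      | grep -v '^#' \
      | grep -E '^(private-dev|protocol unix|nosound)$'
}

# Write the override that would go in ~/.config/firejail/keepassxc.profile:
# only the blocking lines are commented, indentation preserved. Usage: IN OUT
make_yubikey_override() {
    sed -E 's/^([[:space:]]*)(private-dev|protocol unix|nosound)[[:space:]]*$/\1#\2/' \
        "$1" > "$2"
}

# Number of active directives, to confirm the rewrite touched nothing else.
active_line_count() {
    sed -e 's/^[[:space:]]*//' "$1" | grep -c -v -E '^(#|$)'
}

OVERRIDE=$(mktemp)
make_yubikey_override "$SAMPLE_PROFILE" "$OVERRIDE"
echo "blockers before: $(yubikey_blockers "$SAMPLE_PROFILE" | wc -l | tr -d ' ')"
echo "blockers after:  $(yubikey_blockers "$OVERRIDE" | wc -l | tr -d ' ')"
```

Run the real profile through yubikey_blockers before deciding what to loosen; each line it prints is a sandbox boundary the app will lose once commented out.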
@Fred-Barclay commented on GitHub (Mar 30, 2017):
Good idea - I've added a note for KeePassHTTP.
For YubiKey, that's more of a general firejail knowledge issue than with the keepassxc profile (private-dev should interfere with usb keys in any profile) but it's definitely good to know for future reference.
Cheers!
@Fred-Barclay commented on GitHub (Mar 30, 2017):
@chiraag-nataraj Thanks for the help too! 👍
@chiraag-nataraj commented on GitHub (Mar 30, 2017):
Hehe glad to see you sorted it out! 😄
@arigit commented on GitHub (Oct 5, 2017):
In Fedora 26 under wayland, the following two options didn't work:
--noroot
--private-tmp
--nosound
"No root" gives an error ("invalid --noroot command line option" even if not launching as root)
Private-tmp seems to have an issue with wayland, it gives:
QXcbConnection: Could not connect to display :0
nosound blocks keepassxc from seeing Yubikeys
If launching via command line, this can help:
firejail --profile=/etc/firejail/disable-common.inc --net=none --caps.drop=all --nogroups --nonewprivs --seccomp --shell=none --private-bin=keepassxc keepassxc -style adwaita-dark
@Fred-Barclay commented on GitHub (Oct 6, 2017):
@arigit disable-common.inc isn't meant to be used as a profile. We use it to blacklist common files that shouldn't be visible inside the sandbox. It would probably be better to use the keepassxc profile (in which case you won't have to specify a profile on the command line - firejail will know to use the keepassxc profile since you're launching keepassxc), or the default profile, which you can specify with
--profile=/etc/firejail/default.profile
Cheers!