[GH-ISSUE #1321] keepassx segfault #903

Closed
opened 2026-05-05 07:05:51 -06:00 by gitea-mirror · 27 comments

Originally created by @8cc on GitHub (May 30, 2017).
Original GitHub issue: https://github.com/netblue30/firejail/issues/1321

Fedora 25 KDE spins, firejail 0.9.44.10 (copr nielsenb/firejail), keepassx 2.0.3.
When I try to select a file, it segfaults.

```
$ firejail keepassx
Reading profile /etc/firejail/keepassx.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Parent pid 4773, child pid 4774
Blacklist violations are logged to syslog
Child process initialized
Qt: Session management error: Could not open network socket
ERROR: Running KSycoca failed.

Parent is shutting down, bye...
```

dmesg
`[199975.701777] keepassx[5132]: segfault at 0 ip 00007f2fead15a09 sp 00007ffdb9aecad0 error 4 in libkio.so.5.14.30[7f2feab26000+2b4000]`
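
The dmesg line in the report above can be read field by field. The following is an added example, not part of the original issue or of firejail: it decodes the x86 kernel segfault message into the fault address, the page-fault error bits and the instruction offset inside the mapped library. `SAMPLE` is copied from the report; the function names are this example's own.

```python
import re

# Copied from the dmesg line quoted in the report above.
SAMPLE = ("[199975.701777] keepassx[5132]: segfault at 0 ip 00007f2fead15a09 "
          "sp 00007ffdb9aecad0 error 4 in libkio.so.5.14.30[7f2feab26000+2b4000]")

SEGV_RE = re.compile(
    r"(?P<comm>[^\s\[]+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<err>[0-9a-f]+)"
    r"(?: in (?P<obj>[^\s\[]+)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\])?"
)


def decode_error(code):
    """Translate the x86 page-fault error code (printed in hex) into words."""
    parts = [
        "protection violation" if code & 0x1 else "page not present",
        "write" if code & 0x2 else "read",
        "user mode" if code & 0x4 else "kernel mode",
    ]
    if code & 0x8:
        parts.append("reserved bit set")
    if code & 0x10:
        parts.append("instruction fetch")
    return parts


def parse_segfault(line):
    """Return the decoded fields of one segfault line, or None if it is not one."""
    m = SEGV_RE.search(line)
    if m is None:
        return None
    addr, ip = int(m["addr"], 16), int(m["ip"], 16)
    info = {
        "comm": m["comm"], "pid": int(m["pid"]),
        "fault_addr": addr, "ip": ip,
        "access": decode_error(int(m["err"], 16)),
        "null_page": addr < 0x1000,      # fault inside the first page: NULL dereference
        "object": m["obj"], "offset": None,
    }
    if m["obj"]:
        base, size = int(m["base"], 16), int(m["size"], 16)
        if base <= ip < base + size:     # ip must lie inside the printed mapping
            info["offset"] = ip - base   # offset of the faulting instruction in it
    return info


def summarize(line):
    info = parse_segfault(line)
    if info is None:
        return "not a segfault line"
    where = info["object"] or "unknown mapping"
    if info["offset"] is not None:
        where = f'{info["object"]}+{info["offset"]:#x}'
    kind = "NULL-page" if info["null_page"] else "wild"
    return (f'{info["comm"]}[{info["pid"]}]: {kind} {"/".join(info["access"])} '
            f'at {info["fault_addr"]:#x}, faulting instruction at {where}')


if __name__ == "__main__":
    print(summarize(SAMPLE))
```

For the reported line this gives a user-mode read of an unmapped page at address 0, with the faulting instruction inside libkio rather than in keepassx itself.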

@netblue30 commented on GitHub (May 30, 2017):

In a text editor, open /etc/firejail/keepassx.profile and change "protocol unix" to "protocol unix,inet,inet6". Let me know if it is working.

@8cc commented on GitHub (May 30, 2017):

It's not working. Problem persists.

@netblue30 commented on GitHub (May 30, 2017):

I think it is "net none" in the same file - comment it out. Somehow I missed it!

@8cc commented on GitHub (May 30, 2017):

Commenting out "net none" did not help, the problem persists.

@Fred-Barclay commented on GitHub (May 31, 2017):

@8cc Is the latest version of firejail (0.9.46) available for your distro?

On 05/30/2017 05:14 PM, 8cc wrote:

> Comments to "net none" could not help, problem persists.


@8cc commented on GitHub (May 31, 2017):

Firejail is available in third-party repositories from the community, but I do not see the latest version. There is also a binary .rpm package with the latest version here: https://sourceforge.net/projects/firejail/files/firejail/ But it seemed to me that the problem is in configs, and the new version is not so much needed.

@Fred-Barclay commented on GitHub (May 31, 2017):

Hi @8cc,

Go with the binary .rpm from
https://sourceforge.net/projects/firejail/files/firejail/ please, then
see if the problem still exists.

On 05/31/2017 01:24 AM, 8cc wrote:

> Firejail is available in third-party repositories from the community,
> but I do not see the latest version. There is also a binary .rpm
> package with the latest version here:
> https://sourceforge.net/projects/firejail/files/firejail/


@8cc commented on GitHub (May 31, 2017):

Updated to the latest version through the .rpm, now keepassx does not start. Tried to change configs, it does not help.

@Fred-Barclay commented on GitHub (May 31, 2017):

@8cc let me make sure I understand the problem correctly:

- For firejail 0.9.44.10 through copr nielsenb/firejail, keepassx starts but segfaults when you try to choose a file.
- For firejail 0.9.46, keepassx does not start at all
- When not using firejail (either version), keepassx behaves normally

Is this correct?
Can you post the exact keepassx profile you are using?
Can you run the following and post the output: `firejail --debug keepassx`?

@8cc commented on GitHub (May 31, 2017):

Yes, that's right.
I use the default configuration in nielsenb/firejail:

```
# This file is overwritten during software install.
# Persistent customizations should go in a .local file.
include /etc/firejail/keepassx.local

# keepassx password manager profile
noblacklist ${HOME}/.config/keepassx
noblacklist ${HOME}/.keepassx
noblacklist ${HOME}/*.kdbx
noblacklist ${HOME}/*.kdb

include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-passwdmgr.inc

caps.drop all
net none
nogroups
nonewprivs
noroot
nosound
protocol unix
seccomp
shell none
tracelog

private-bin keepassx
private-etc fonts
private-dev
#private-tmp - mask KDE problems
```

`firejail --debug keepassx`
and tried to select a file.
https://gist.github.com/8cc/bbee4754f8b12e0b6a777e29f5ce3c73

@Fred-Barclay commented on GitHub (Jun 1, 2017):

Try commenting out `private-bin keepassx`

Can you help me understand what this KSycoca is that keeps being referenced in the error message? I can't find it in the Fedora package database https://admin.fedoraproject.org/pkgdb/packages/KSycoca%2A/
As best I can tell it was dropped after KDE 3, though it's still in the Trinity DE.

@8cc commented on GitHub (Jun 1, 2017):

Commenting out `private-bin keepassx` did not help.
[KDE SYstem COnfiguration CAche](https://userbase.kde.org/KDE_System_Administration/Caches#KSycoca).

@Anyon3 commented on GitHub (Jun 1, 2017):

Try with firejail on the command line without a defined profile

```
firejail --machine-id --noprofile --nonewprivs --noroot --caps.drop=all --nosound --private-dev --seccomp --no3d --private-tmp --nogroups --net=none keepassx
```

Hope it helps

@8cc commented on GitHub (Jun 1, 2017):

`firejail --machine-id --noprofile --nonewprivs --noroot --caps.drop=all --nosound --private-dev --seccomp --no3d --private-tmp --nogroups --net=none keepassx`

Keepassx started, the file selection dialog appeared, but when I try to select: "The specified folder does not exist or was not readable." Perhaps this is not the fault of firejail.

@Anyon3 commented on GitHub (Jun 1, 2017):

Try to remove the arguments `--nogroups` and `--nonewprivs` (nonewprivs is not required when `--seccomp` is passed)

If it's still the same, give keepassxc a try

@8cc commented on GitHub (Jun 1, 2017):

> Keepassx started, the file selection dialog appeared, but when I try to select: "The specified folder does not exist or was not readable." Perhaps this is not the fault of firejail.

Works! Files are selected when not using `--private`. (I added it for some reason)

@Anyon3 commented on GitHub (Jun 1, 2017):

You could maybe try to add a directory inside your /home/$user/ like keepassxjail and add `--private=~/keepassxjail/` (don't forget to place your kdbx database inside keepassxjail) to increase the security.

@netblue30 commented on GitHub (Jun 1, 2017):

> Qt: Session management error: Could not open network socket

What bothers me is you have a password manager crashed by the sandbox when it tries to connect to the network. Why would a password manager try to connect to the network?

Also, make sure you run 0.9.46. In this version a lot of fixes went in for all keepass utilities. You can get an .rpm package from our download page, it was built on CentOS 7, it should work fine on any Fedora distro released after that.

@Anyon3 commented on GitHub (Jun 1, 2017):

Looking at the dmesg output, could https://en.wikipedia.org/wiki/KIO explain the connection of his keepassx over the network?

@Fred-Barclay commented on GitHub (Jun 1, 2017):

> What bothers me is you have a password manager crashed by the sandbox when it tries to connect to the network.

I'm not sure that it's crashed when trying to connect to the network. I get the exact same output on Debian Sid MATE and keepassx works fine in firejail:

```
$ firejail keepassx
Reading profile /etc/firejail/keepassx.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Parent pid 6387, child pid 6388
Blacklist violations are logged to syslog
Child process initialized in 75.42 ms
Qt: Session management error: Could not open network socket
```

@Fred-Barclay commented on GitHub (Jun 2, 2017):

I might have a fix in. On a Fedora 25 Gnome VM, keepassx would crash in firejail if `private-bin` did not contain both keepassx and keepassx2, or if it couldn't read /etc/machine-id (which we've been blocking with `private-etc fonts`). I've added keepassx2 to private-bin, and added /etc/machine-id to the sandbox... but it's spoofed with the `machine-id` option so keepassx still can't see your real machine id. 😁

@8cc Can you try the new profile? It's at https://raw.githubusercontent.com/netblue30/firejail/3a2428bd4ba70e4b4c71b8e7ae7aeee8e027428e/etc/keepassx.profile

@8cc commented on GitHub (Jun 3, 2017):

> @8cc Can you try the new profile? It's at https://raw.githubusercontent.com/netblue30/firejail/3a2428bd4ba70e4b4c71b8e7ae7aeee8e027428e/etc/keepassx.profile

Profile did not help, firejail 0.9.46.

@Anyon3 commented on GitHub (Jun 3, 2017):

I tried the keepassx profile proposed by Fred-Barclay on my Gentoo Hardened and got this:

```
keepassx: error while loading shared libraries: libQtCore.so.4: cannot open shared object file: No such file or directory
```

I added a comment to

```
private-etc fonts,machine-id
```

And this fixed the error. Another small thing I spotted is the use of nonewprivs. I may be wrong, but according to `man firejail`:

> This option is enabled by default if seccomp filter is activated

As seccomp is passed in the profile, nonewprivs can be removed?

Firejail 0.9.47
KeepassX 2.0.2-r1

@netblue30 commented on GitHub (Jun 4, 2017):

> As seccomp is passed in the profile, nonewprivs can be removed?

Yes, you can remove it. However, if you remove seccomp, it is a very good idea to bring back nonewprivs.

@Anyon3 commented on GitHub (Jun 5, 2017):

OK, thanks for this info. Most of the profiles have nonewprivs and seccomp; this is in case seccomp is not active on the Linux system, right?

@netblue30 commented on GitHub (Jun 10, 2017):

> this is in case seccomp is not active on the Linux system, right?

Seccomp and nonewprivs are not enabled by default on any Linux system. Seccomp configuration is very specific to the particular program running.

@Tanath commented on GitHub (Jan 22, 2018):

I was getting this issue until I commented out `memory-deny-write-execute`.
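
The profile conditions that participants in this thread reported (`private-bin` without keepassx2, `private-etc` without machine-id, `nonewprivs` alongside `seccomp`, and `memory-deny-write-execute`) can be checked mechanically. The following is an added example, not code from firejail or from anyone in the thread; `PROFILE` is constructed from the option lines of the profile quoted earlier, and the finding codes are this example's own.

```python
# Constructed sample: option lines of the keepassx.profile quoted in this thread.
PROFILE = """\
caps.drop all
net none
nogroups
nonewprivs
noroot
nosound
protocol unix
seccomp
shell none
tracelog
private-bin keepassx
private-etc fonts
private-dev
#private-tmp - mask KDE problems
"""


def parse_profile(text):
    """Map each active directive to the set of its comma-separated arguments."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):      # skip blanks and comments
            continue
        name, _, args = line.partition(" ")
        opts.setdefault(name, set()).update(
            a.strip() for a in args.split(",") if a.strip())
    return opts


def review(text):
    """Return (code, note) pairs for the conditions reported in the thread."""
    opts = parse_profile(text)
    out = []
    if "private-bin" in opts and "keepassx2" not in opts["private-bin"]:
        out.append(("private-bin-no-keepassx2",
                    "reported to crash keepassx on a Fedora 25 Gnome VM"))
    if "private-etc" in opts:
        if "machine-id" not in opts["private-etc"]:
            out.append(("private-etc-no-machine-id",
                        "/etc/machine-id is hidden from the sandbox"))
        elif "machine-id" not in opts:
            out.append(("machine-id-not-spoofed",
                        "/etc/machine-id is exposed without the machine-id option"))
    if "seccomp" in opts and "nonewprivs" in opts:
        out.append(("nonewprivs-redundant",
                    "the man page quote says seccomp already enables it"))
    if "seccomp" not in opts and "nonewprivs" not in opts:
        out.append(("no-nonewprivs",
                    "without seccomp, nonewprivs should be brought back"))
    if "memory-deny-write-execute" in opts:
        out.append(("memory-deny-write-execute",
                    "one user saw the crash until this was commented out"))
    return out


if __name__ == "__main__":
    for code, note in review(PROFILE):
        print(f"{code}: {note}")
```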
