Browser integration: Custom sockets

[Thulium-Drake]

Current Behavior

When running a browser (I've only tested Firefox, but I expect the same with other browsers) in a security sandbox such as Firejail, the plugin in the jailed browser is unable to talk to KeepassXC.

My Firefox has been configured to run in it's own Firejail, and from what I can see it doesn't detect the socket keepassxc creates in /tmp/keepassxc-$USER.socket (unless that is the wrong socket).

Expected Behavior

Is there a way in which I can 'force' the plugin to use a socket I specify, or better yet, to allow keepassxc-plugin to tell whether keepassxc is alive using that socket. This should open the way to run these applications completely separated from each other, whilst only sharing a piece of disk space.

Possible Solution

I think this could be solved if both KeepassXC and the browser plugin can have a socket hard configured to talk to.

Context

Currently I'm using KeepassX (not C, still checking it out before making the 'big move') only with Auto-Type macro's, but I wish to go to a bit more integrated solution :-), and this is stopping me from exploring and doing that.

Debug Info

KeePassXC - Version 2.3.1
Revision: 2fcaeea

Libraries:

• Qt 5.7.1
• libgcrypt 1.7.6-beta

Operating system: Debian GNU/Linux 9 (stretch)
CPU architecture: x86_64
Kernel: linux 4.9.0-6-amd64

Enabled extensions:

• Auto-Type
• Browser Integration
• Legacy Browser Integration (KeePassHTTP)
• SSH Agent
• YubiKey

[varjolintu]

Linux uses QStandardPaths::RuntimeLocation (XDG_RUNTIME_DIR) if it's found. I wonder how this changes with firejail. I have no experience with it but I assume the runtime/temp location changes every time a program is used through firejail? Using custom sockets wouldn't help in this case.

[Thulium-Drake]

I've done a little testing, I think it's possible to make this work! :-)

EDIT: Some more tuning on the profile

1. Create the following firejail profile, note that except from the added 'socat' this is very restrictive

## This is the default profile firejail ships, see https://github.com/netblue30/firejail/blob/0.9.52/etc/firefox.profile
## It provides a private /tmp, but we can modify that in this profile
include /usr/local/etc/firejail/firefox.profile

hostname jail
private-etc resolv.conf,localtime
private-dev
private-opt firefox
private-bin bash
# allow access to the KeepassXC socket for the password integration plugin
whitelist /tmp/keepassxc-username.socket

2. Run the jail (by starting Firefox) and run keepassxc outside of the jail
   firejail --profile=fileabove.profile firefox --no-remote
3. Check the PID of the jail
   firejail --list
4. Join the jail
   firejail --join=$PIDFROMLIST
5. Use socat to talk to the socket
   socat - UNIX-CONNECT:/tmp/keepassxc-username.socket
6. Notice that the KeepassXC window pops up above the rest.

I've been able to reproduce this consistently. Which would mean that given that a jail shares a filesystem with 'the outside world' it should be possible to talk to it. But it would require manually configuring the browserplugin to talk to a specified socket.

Are there any command's I can give to the socket using socat to try and see if it will talk back to me?

[varjolintu]

Please notice that any message sent to socket must fill the following requirements:

Each message is serialized using JSON, UTF-8 encoded and is preceded with 32-bit message length in native byte order.

You can try to see if the connection responds to a following random data test message:

{"action": "change-public-keys", "publicKey": opUmu+63qjbDpNbIRXUtpj5GlQ9uTP74RztIfBrEXV8=, "nonce": xbieJuVKil9v0j3cig/rtS01zeQpHaAY}

One thing you could try is to download the sources, modify NativeMessagingBase.cpp function getLocalServerPath() to return a static custom socket location.

[zivanfi]

I have $TMPDIR set to a ram disk, therefore my keepassxc (run without firejail) opens its socket at <ramdisk-mount-point>/keepassxc-<username>.socket. I whitelisted this location in the firejail profile for firefox and joined the firejail (following the suggestion above). Then I executed

cp -a <ramdisk-mount-point>/keepassxc-<username>.socket /tmp/

And the browser integration started working. I still have to figure it out how to automate it without sacrificing private-tmp.

[Thulium-Drake]

@varjolintu : Hi! Sorry for the long wait, this kinda shifted to the back burner a bit...

I've tried sending the command you proposed like so:

me@firejail:/tmp$ echo {"action": "change-public-keys", "publicKey": opUmu+63qjbDpNbIRXUtpj5GlQ9uTP74RztIfBrEXV8=, "nonce": xbieJuVKil9v0j3cig/rtS01zeQpHaAY} | socat - UNIX-CONNECT:/tmp/keepassxc-me.socket
me@firejail:/tmp$

But apart from the window popping up, nothing happens. But my functionality seems to have degraded somehow. Even when running Firefox 'plain', I can't get the integration working...

I'll try to do some more debugging, but I don't get a lot of feedback from the plugin nor keepassxc itself about the communication :-(

EDIT: Speak of the devil, and it starts working again xD (plain firefox and keepassxc). Even with the lightest form of firejail it breaks again. I didn't even bother isolating anything except /home (giving it a isolated copy of my homedir). Running it in the same jail as the browser does work BTW, but that breaks the tray icon.

[Thulium-Drake]

Hi all,

I have found the solution for the problem, or at least a source. In order for this to work with the default supplied profile for Firejail, you need to have the following things:

1. Be sure that the root user is able to access your homedirectory (in case of an NFS mount)
2. Do NOT use 'private' in your profile to relocate your homedirectory to somewhere else.
3. You may need to 'whitelist ${HOME}/.config/keepassxc' to make it work

When these conditions are met, you can use the plugin! :-)