Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Snap: Improve Web-browser Native Messaging host functionality #10906

Merged
merged 3 commits into from
Jun 19, 2024

Conversation

JGCarroll
Copy link
Contributor

@JGCarroll JGCarroll commented Jun 16, 2024

This commit allows for the snap distribution of KeepassXC to self-manage native messaging manifests This is done by making the binary aware of the snapd environment changes that currently prevent this. Furthermore, the snap sandbox is expanded to the bare minimum needed to access these privileged files.

Please note if running a self-compiled / untrusted KeepassXC snap build (I.E, installed with --dangerous) that you must manually run sudo snap connect keepassxc:browser-native-messaging to grant permissions.

This will work on all distributions that expose /snap/bin/ - such as Ubuntu, Debian, etc. For systems which don't provide /snap/, such as Fedora, follow instructions for enabling "Classic" snaps. e.g., sudo ln -s /var/lib/snapd/snap /snap

Describe your changes in detail, why is this change required?

Currently, if users install KeepassXC as a snap, the "Browser Integration" interface will instruct them to use an external script to set up the Native Messaging hosts. This is a poor user experience as it's a snap specific requirement, and also because it prevents KeepassXC being able clean up the host files (the user cannot "untick" and press ok on any browser).

This helps remove user friction by making things "just work" without compromising in security in any manner, the sandbox is expanded purely to accommodate the exact files required, and all existing certificate checks on the app & extensions themselves, the authentication process, etc, all remain as standard.

Explain large or complex code modifications.

Ultimately, this mirrors the workarounds used for the Flatpak build, the app needs to actively consider that the $HOME path it is presented with is not the real value on the host. By doing so, the files are instead exposed where they need to be to enable other programs to use them.

Whilst this will reduce bug reports and user problems significantly, it's not a magic bullet. There's 2 elements that come into play with compatibility.

  1. The browser itself may be sandboxed. If so, native-messaging support isn't guaranteed. It's available on Firefox and Chromium snaps in distributions newer than 22.04, in a "it just works experience". This is done via a downstream patch to the XDG Desktop Portals, and so, it wouldn't be compatible with e.g Fedora using the Firefox snap, until/unless webextensions: add a portal for managing WebExtensions native messaging servers flatpak/xdg-desktop-portal#705 is merged and widely distributed.

Ultimately, most Snap users are Ubuntu users, so considering population demographics, this should still improve the majority of typical use cases.

  1. The binary is hardcoded as /bin/snap/keepassxc.proxy, this isn't guaranteed to exist at that location. E.G., on Fedora, users would have to run sudo ln -s /var/lib/snapd/snap /snap, this follows the same semantics as enabling "Classic Snaps" support. This can be done before or after installation of KeepassXC, and KeepassXC itself is still operating under Strict confinement.

Again, considering user demographics, I'd imagine most other distributions use the AppImage, Flatpak, or distro repo versions before considering snap, meaning this shouldn't be a common occurrence relatively.

Screenshots

N/A

Testing strategy

  1. Build the Snap
  2. Ensure sudo snap connect keepassxc:browser-native-messaging is run, as will be required on any untrusted builds not published from the Snap Store.
  3. Enable the browser integration functionality and test it on browsers.

Test Environment, Ubuntu 24.04

Firefox Snap + KeepassXC snap: ✅
Firefox native + KeepassXC snap: ✅
Chromium Snap + KeepassXC Snap: ✅
Google-Chrome native + KeepassXC snap: ✅
Brave Snap + KeepassXC Snap: Failure as Brave has not adopted the XDG Desktop Portal patches, no regression in this patch.
Brave native + KeepassXC Snap: ✅

Type of change

  • ✅ Bug fix (non-breaking change that fixes an issue)
  • ✅ New feature (change that adds functionality)

@JGCarroll JGCarroll marked this pull request as draft June 16, 2024 13:53
@JGCarroll
Copy link
Contributor Author

PR marked as a draft as due Snap Store policy, being able to distribute KeepassXC will require a one time review that could take up to 2 weeks. We would like to minimize the time between acquiring permission from the Snap Store and actually building/uploading any snaps with this functionality as otherwise doing so will keep triggering the review process and deny uploads.

Ideally, the store would agree for this to be autoconnected as it enables major functionality in the app and the permissions required to do so are very specific and within reasonable users expectations.

JGCarroll and others added 2 commits June 16, 2024 10:15
This commit allows for the snap distribution of KeepassXC to self-manage native messaging manifests
This is done by making the binary aware of the snapd environment changes that currently prevent this.
Furthermore, the snap sandbox is expanded to the bare minimum needed to access these privileged files.

Please note if running a self-compiled / untrusted KeepassXC snap build (I.E, installed with --dangerous)
that you must manually run `sudo snap connect keepassxc:browser-native-messaging` to grant permissions.

This will work on all distributions that expose `/snap/bin/` - such as Ubuntu, Debian, etc.
For systems which don't provide `/snap/`, such as Fedora, follow instructions for enabling "Classic" snaps.
e.g., `sudo ln -s /var/lib/snapd/snap /snap`
@droidmonkey droidmonkey force-pushed the snap-native-messaging branch from fd5bbcb to a7849e4 Compare June 16, 2024 14:18
@droidmonkey
Copy link
Member

Request for personal-files access was submitted: https://forum.snapcraft.io/t/personal-files-access-request-for-keepassxc/40628

@varjolintu
Copy link
Member

This looks excellent! Haven't tested it yet though.

Decrease privileges on TBB Native Hosts folder to just the KeepassXC manifest
@droidmonkey droidmonkey marked this pull request as ready for review June 19, 2024 12:15
@droidmonkey droidmonkey merged commit 5f2ee86 into keepassxreboot:develop Jun 19, 2024
11 checks passed
droidmonkey added a commit that referenced this pull request Jun 19, 2024
* Snap: Improve Web-browser Native Messaging host functionality

This commit allows for the snap distribution of KeepassXC to self-manage native messaging manifests
This is done by making the binary aware of the snapd environment changes that currently prevent this.
Furthermore, the snap sandbox is expanded to the bare minimum needed to access these privileged files.

Please note if running a self-compiled / untrusted KeepassXC snap build (I.E, installed with --dangerous)
that you must manually run `sudo snap connect keepassxc:browser-native-messaging` to grant permissions.

This will work on all distributions that expose `/snap/bin/` - such as Ubuntu, Debian, etc.
For systems which don't provide `/snap/`, such as Fedora, follow instructions for enabling "Classic" snaps.
e.g., `sudo ln -s /var/lib/snapd/snap /snap`

---------

Co-authored-by: Jonathan White <[email protected]>
libf-de pushed a commit to libf-de/keepassxc-secretservice-dbus that referenced this pull request Jun 20, 2024
Release 2.7.9

* Passkeys: Ability to easily remove a passkey from an entry [keepassxreboot#10777]
* Snap: Use new desktop portal for native messaging integration [keepassxreboot#10906]

* Improve entry placeholder/reference feature [keepassxreboot#10846]
* Improve CSV importing when title field isn't specified [keepassxreboot#10843]
* Improve encrypted Bitwarden importing [keepassxreboot#10800]
* Improve database settings UX [keepassxreboot#10821]
* Improve handling of clipboard actions from entry preview [keepassxreboot#10810]
* Improve group/entry view resize behavior and set sensible defaults [keepassxreboot#10641]
* Passkeys: Fix incorrect username fill [keepassxreboot#10874]
* Passkeys: Return additional data to the extension [keepassxreboot#10857]
* Fix password clear timer inconsistency on unlock view [keepassxreboot#10708]
* Fix portability check [keepassxreboot#10760]
* Fix page overflow on HTML exports [keepassxreboot#10735]
* Fix broken builds when using system provided zxcvbn [keepassxreboot#10717]
* Fix copy password button when text is selected [keepassxreboot#10853]
* Fix tab ordering on application settings pages [keepassxreboot#10907]
* SSH Agent: Fix broken decrypt button [keepassxreboot#10638]
* Windows: Fix ALT Auto-Type modifier [keepassxreboot#10795]
* Windows: Fix wrong DACL memory size allocation [keepassxreboot#10712]
* macOS: Fix monospace font sizing [keepassxreboot#10739]
* Flatpak: Fix configuration settings off-by-one error [keepassxreboot#10688]
* BSD: Fix compiling with libusb implementation [keepassxreboot#10736]

# -----BEGIN PGP SIGNATURE-----
#
# iQEzBAABCAAdFiEENIkEDB8MPuq41ValRA/GXy4MbgEFAmZzTogACgkQRA/GXy4M
# bgHahggAg+hzMTiM0uDaw5yfxhv6GEfQQBPHMhX3JDyHEC+i7Pq6OjlxQkdUrRdu
# f4w74od5jSul0Al/ehu9L2eZwNPMnU87FWDn16o1btYHsG9n24v5S0DuQoLXUjde
# Y9nJNKeRNoWAlVKWbUG2YGvy9hF9YbtrFaiBksaQ+g3w8Xz82PzLY0VaUu4Xa/LO
# RXAhryJC+8T3T479dXpHxJcUmEWkoY4bqj1i6R8tEK5Kz9y1c0kqzqwWysKMj+rD
# WxTb2V4y9s57pO35zt9yxMLg66xx9bdcQHbSULa2vZNMFd9qdqk8WJmWFle112yG
# UCBXv2ZIjd3lghPt0IrD+WKcuL85Aw==
# =rbfs
# -----END PGP SIGNATURE-----
# gpg: directory '/home/runner/.gnupg' created
# gpg: keybox '/home/runner/.gnupg/pubring.kbx' created
# gpg: Signature made Wed Jun 19 21:32:56 2024 UTC
# gpg:                using RSA key 3489040C1F0C3EEAB8D556A5440FC65F2E0C6E01
# gpg: Can't check signature: No public key
pull bot pushed a commit to tigerwill90/keepassxc that referenced this pull request Jun 23, 2024
…sxreboot#10906)

* Snap: Improve Web-browser Native Messaging host functionality

This commit allows for the snap distribution of KeepassXC to self-manage native messaging manifests
This is done by making the binary aware of the snapd environment changes that currently prevent this.
Furthermore, the snap sandbox is expanded to the bare minimum needed to access these privileged files.

Please note if running a self-compiled / untrusted KeepassXC snap build (I.E, installed with --dangerous)
that you must manually run `sudo snap connect keepassxc:browser-native-messaging` to grant permissions.

This will work on all distributions that expose `/snap/bin/` - such as Ubuntu, Debian, etc.
For systems which don't provide `/snap/`, such as Fedora, follow instructions for enabling "Classic" snaps.
e.g., `sudo ln -s /var/lib/snapd/snap /snap`

---------

Co-authored-by: Jonathan White <[email protected]>
Perlover added a commit to Perlover/keepassxc that referenced this pull request Jul 24, 2024
Release 2.7.9

* Passkeys: Ability to easily remove a passkey from an entry [keepassxreboot#10777]
* Snap: Use new desktop portal for native messaging integration [keepassxreboot#10906]

* Improve entry placeholder/reference feature [keepassxreboot#10846]
* Improve CSV importing when title field isn't specified [keepassxreboot#10843]
* Improve encrypted Bitwarden importing [keepassxreboot#10800]
* Improve database settings UX [keepassxreboot#10821]
* Improve handling of clipboard actions from entry preview [keepassxreboot#10810]
* Improve group/entry view resize behavior and set sensible defaults [keepassxreboot#10641]
* Passkeys: Fix incorrect username fill [keepassxreboot#10874]
* Passkeys: Return additional data to the extension [keepassxreboot#10857]
* Fix password clear timer inconsistency on unlock view [keepassxreboot#10708]
* Fix portability check [keepassxreboot#10760]
* Fix page overflow on HTML exports [keepassxreboot#10735]
* Fix broken builds when using system provided zxcvbn [keepassxreboot#10717]
* Fix copy password button when text is selected [keepassxreboot#10853]
* Fix tab ordering on application settings pages [keepassxreboot#10907]
* SSH Agent: Fix broken decrypt button [keepassxreboot#10638]
* Windows: Fix ALT Auto-Type modifier [keepassxreboot#10795]
* Windows: Fix wrong DACL memory size allocation [keepassxreboot#10712]
* macOS: Fix monospace font sizing [keepassxreboot#10739]
* Flatpak: Fix configuration settings off-by-one error [keepassxreboot#10688]
* BSD: Fix compiling with libusb implementation [keepassxreboot#10736]
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants