Firejail: KeePassXC profile breaks features - would be fixed by $USER variable

You can use ignore private-tmp

@t4777sd Does it write to specific directory within /tmp? If so, we can whitelist that specific directory instead of using private-tmp.

Or if we used mkfile to touch those files, could we then whitelist those specific files? It would be nice to keep the isolating properties of private-tmp.

It writes to the following

/tmp/keepassxc-[user].lock
/tmp/keepassxc-[user].socket

Replace [user] by the current user so if that is dan it would be keepassxc-dan.lock

Hmm, if we implement variables ${USER} and ${UID} (which was suggested on an issue somewhere...), then we could do a

mkfile /tmp/keepassxc-${USER}.lock
mkfile /tmp/keepassxc-${USER}.socket
whitelist /tmp/keepassxc-${USER}.lock
whitelist /tmp/keepassxc-${USER}.socket

or something similar (although I'm not sure how keepassxc would react if the files existed but nothing was listening...)

I tested it with those files pre-created and re-opened it and it caused no issues for keepass. So, I guess the only thing left is the ${USER} ability

Cool. I think we should be able to do that.

Side question: @t4777sd, did you use mkfifo for the socket? We may need to bring in an option mkfifo if keepassxc can't deal with a regular file at keepassxc-${USER}.socket (to be fair, it might be good to have anyway).

@netblue30 I was looking at the code, and this variable already exists internally as I understand it (cfg.username). But I'm not sure exactly where the variable substitution should take place. I assume it would be somewhere in fs_whitelist.c...?

Or...in util.c?

Does KeePassXC honor TMPDIR? If yes, you may simply add env TMPDIR=/home/user/.cache to its profile. That would be much simpler than adding new code.

Yes, it does (just tested). I suppose that solves this issue then (maybe we should add it to the profile?).

@t4777sd Can you verify that the new profile fixes this issue?

@chiraag-nataraj I had some weird issues with f9aeac080a830fc1aaf07f0beff781a1ed7e42ad
does 5ee6ed83bb2f631f2c04696357c0863af59e4e7b work for you?

@SkewedZeppelin Lemme try (I don't actually _use_ keepassxc lol, but I'll try it for this :joy:)

HAHAHAHAHAHA...hahahahahaha...ha. Oh god, this is too good. I think the fix for #942 breaks your fix. The sandbox name is changed to keepassxc-1 and it doesn't join the existing one.

But also, join-or-start should attach to the existing one if it's specified, shouldn't it?

Or maybe it's because I have hidepid enabled...lemme see.

@chiraag-nataraj yes, sorry I forgot that. We have join-or-start on several profiles so it's weird this one doesn't work.

No, it's because of hidepid, since join-or-start joins by looking for the pid.

So yes, @SkewedZeppelin, this is fixed now :) @t4777sd I'm going to close this now, but feel free to re-open if the profile in master doesn't work for you.