Firejail: After Firefox update to v67.Build2, KeepassXC suddenly cannot open URL links. Profile not accessible

Created on 22 May 2019 · 57 Comments · Source: netblue30/firejail

After a Firefox update, I don't understand why, but when trying to double-click to open URLs in KeepassXC it errors out saying the profile is not accessible. Can you tell me why this happened all of a sudden? Nothing has changed in the profile; I've been using it as usual.

firejail version 0.9.58.2
Ubuntu 18.04 with xfce4

Labels: bug, information, workaround

Most helpful comment

@rusty-snake Yes, but I'm not quite sure if that's the issue here. In particular, it doesn't explain why the firejail profile that worked for me seems to not work for OP or why this broke in the first place.

The profile handling you're describing is more related to versioning firefox profiles such that each one is associated with a specific firefox channel (release, beta, nightly). It pretty much has nothing to do with this issue (afaik).

All 57 comments

Things to try:

  • Does anything get printed on the terminal if you run firejail keepassxc?
  • Does firejail --noprofile keepassxc help?
  • Does keeping firefox (firejailed) open _before_ starting keepassxc (firejailed) help?

@chiraag-nataraj

  • Yes, see below:
Opening...!
May 22 12:12:32 nohup: ignoring input
May 22 12:12:32 Reading profile /usr/local/etc/firejail/keepassxc.profile
May 22 12:12:32 Reading profile /usr/local/etc/firejail/disable-common.inc
May 22 12:12:32 Reading profile /usr/local/etc/firejail/disable-devel.inc
May 22 12:12:32 Reading profile /usr/local/etc/firejail/disable-interpreters.inc
May 22 12:12:32 Reading profile /usr/local/etc/firejail/disable-passwdmgr.inc
May 22 12:12:32 Reading profile /usr/local/etc/firejail/disable-programs.inc
May 22 12:12:32 Reading profile /usr/local/etc/firejail/disable-xdg.inc
May 22 12:12:32 Reading profile /usr/local/etc/firejail/whitelist-var-common.inc
May 22 12:12:32 Mounting appimage type 2
May 22 12:12:32 Parent pid 14245, child pid 14253
May 22 12:12:32 
May 22 12:12:32 **     Warning: dropping all Linux capabilities     **
May 22 12:12:32 Private /etc installed in 7.10 ms
May 22 12:12:32 ]0;firejail /home/user/KeePassXC-2.4.1-x86_64.AppImage Child process initialized in 198.01 ms
May 22 12:12:34 Qt: Session management error: Could not open network socket
May 22 12:12:34 QObject::startTimer: Timers cannot have negative intervals
May 22 12:12:34 libudev: udev_monitor_new_from_netlink_fd: error getting socket: Operation not supported
May 22 12:13:09 exo-open: /run/firejail/appimage/.appimage-14245/usr/lib/libdbus-1.so.3: no version information available (required by /usr/lib/x86_64-linux-gnu/libatk-bridge-2.0.so.0)
May 22 12:13:09 exo-open: /run/firejail/appimage/.appimage-14245/usr/lib/libdbus-1.so.3: no version information available (required by /usr/lib/x86_64-linux-gnu/libatspi.so.0)
May 22 12:13:09 
May 22 12:13:09 (exo-open:25150): dbind-WARNING **: 10:13:09.089: Couldn't connect to accessibility bus: Failed to connect to socket /tmp/dbus-pDS07810mt: Connection refused
May 22 12:13:09 /usr/lib/x86_64-linux-gnu/xfce4/exo-1/exo-helper-1: /run/firejail/appimage/.appimage-14245/usr/lib/libdbus-1.so.3: no version information available (required by /usr/lib/x86_64-linux-gnu/libatk-bridge-2.0.so.0)
May 22 12:13:09 /usr/lib/x86_64-linux-gnu/xfce4/exo-1/exo-helper-1: /run/firejail/appimage/.appimage-14245/usr/lib/libdbus-1.so.3: no version information available (required by /usr/lib/x86_64-linux-gnu/libatspi.so.0)
May 22 12:13:09 
May 22 12:13:09 (exo-helper-1:25153): dbind-WARNING **: 10:13:09.099: Couldn't connect to accessibility bus: Failed to connect to socket /tmp/dbus-pDS07810mt: Connection refused
May 22 12:13:10 Error: Access was denied while trying to open files in your profile directory.
May 22 12:13:23 libudev: udev_monitor_new_from_netlink_fd: error getting socket: Operation not supported
May 22 12:13:23 
May 22 12:13:23 Parent is shutting down, bye...
May 22 12:13:23 AppImage unmounted
  • It works with: firejail --noprofile --appimage KeePassXC-2.4.1-x86_64.AppImage

  • Firefox is not firejailed, but it is started before Keepassxc as usual.

The only difference between the output on the terminal now and before the Firefox update, is this error:
Error: Access was denied while trying to open files in your profile directory.

Everything else is normal

When keepassxc is running, can you do a firejail --ls=<pid of keepassxc sandbox> ~/? Does .mozilla appear there?

Also, looks like you compiled from Git, since it's reading stuff in /usr/local/etc/firejail?

Also, is this the default firejail profile? Have you modified it?

@chiraag-nataraj Yes, .mozilla does appear in the list! This is very weird.

And yes, I compiled from Git. Like I said, this has been working fine for many months and suddenly this happened after a Firefox update. Firefox updated from: firefox (67.0+build1-0ubuntu0.18.04.1) bionic to firefox (67.0+build2-0ubuntu0.18.04.1) bionic
Yes, this is the default keepassxc.profile, and no, I didn't modify it.

What if you pass --ignore=private-bin, so firejail --ignore=private-bin --appimage KeePassXC-<whatever>?

No, that doesn't work either.
I figured out what the problem is... however, I do not have a solution for this.

Please ignore the version numbers of Firefox that I mentioned; this is what really happened, after digging further.

When everything was working, I was on Firefox v66.0.5 (I reverted to this now and opening URLs works as expected).
According to http://security.ubuntu.com/ubuntu/pool/main/f/firefox/ the next version in the list is Firefox 67.0Build2

After updating to Firefox 67.0Build2 today, opening URLs breaks, i.e. it gives the above error as explained.

Something has changed between Firefox v66.0.5 and v67.0 with KeepassXC 2.4.1

The only solution is to stay on a previous version of Firefox

Please try to reproduce this, because I just did it now.

Can you try with the non-appimage version? I want to see if it's an appimage-specific problem or if it's an issue with the profile more generally.

Also, I'm currently on firefox 66.0.5 (I'm on Debian sid...).

There are only AppImages for keepassxc, or building it from source, which I am not able to do. The rest are Windows and Mac binaries.
Can you try building from source on your side? It seems to me that the execution for opening Firefox links has somehow changed.

No? https://packages.ubuntu.com/bionic/keepassxc It's in the bionic repos.

Apologies, will check now.

When testing on a new PC, I'm getting a different error now when opening a URL:
Unable to detect a web browser to launch 'www.google.com'

I tried on firefox v66.04 and firefox v67.0

I used keepassxc from bionic repo as you said.

Can you try with --ignore=private-bin? I suspect it's looking for browsers, but none are whitelisted in the default profile.

OK, I tried with:
$ firejail --ignore=private-bin keepassxc
and it tries to open, with the same error popup as it does on the appimage.

Reading profile /usr/local/etc/firejail/keepassxc.profile
Reading profile /usr/local/etc/firejail/disable-common.inc
Reading profile /usr/local/etc/firejail/disable-devel.inc
Reading profile /usr/local/etc/firejail/disable-interpreters.inc
Reading profile /usr/local/etc/firejail/disable-passwdmgr.inc
Reading profile /usr/local/etc/firejail/disable-programs.inc
Reading profile /usr/local/etc/firejail/disable-xdg.inc
Reading profile /usr/local/etc/firejail/whitelist-var-common.inc
Parent pid 5642, child pid 5643
Private /etc installed in 4.12 ms
Child process initialized in 73.98 ms

(keepassxc:7): dbind-WARNING **: 14:16:15.037: Couldn't connect to accessibility bus: Failed to connect to socket /tmp/dbus-iXC69GD7YI: Connection refused
Qt: Session management error: Could not open network socket

(exo-open:32017): dbind-WARNING **: 14:16:47.063: Couldn't connect to accessibility bus: Failed to connect to socket /tmp/dbus-iXC69GD7YI: Connection refused

(exo-helper-1:32020): dbind-WARNING **: 14:16:47.079: Couldn't connect to accessibility bus: Failed to connect to socket /tmp/dbus-iXC69GD7YI: Connection refused
Error: Access was denied while trying to open files in your profile directory.

Hmm...I wonder if exo-helper or exo-open is throwing the error rather than firefox...

Or do you get the firefox popup saying "Your profile is missing" or something similar?

The popup i get is this:
2019-05-22
in addition to the terminal error:
Error: Access was denied while trying to open files in your profile directory.

This is the same for the AppImage and the repo version.

Okay yeah, that is a Firefox error. It doesn't make sense, though, since ~/.mozilla should exist. Can you make sure ~/.mozilla/firefox/ exists within the sandbox?

Yes, it exists:
drwx------ 1000 1004 4096 .mozilla
Yeah, it does not make sense. This is also a fresh new VM, so I don't know what the issue could be.

Did you try this on debian?

Yes, and it actually worked. My firefox is tightly sandboxed though...

With what version of Firefox? You said 66.0.5. Use the 67.0 version, because that's the one with the actual issue.

When testing on a new PC, I'm getting a different error now when opening a URL:
Unable to detect a web browser to launch 'www.google.com'

I tried on firefox v66.04 and firefox v67.0

I used keepassxc from bionic repo as you said.

So are you saying that once you did --ignore=private-bin, the error disappeared for 66.0.4?

With what version of Firefox? You said 66.0.5. Use the 67.0 version, because that's the one with the actual issue.

Yes, right now I've been using 66.0.5. Let me download 67 from Mozilla's site and see if I run into the same issue.

I had no issue with Firefox 67.0 (from Mozilla's site) running with a fresh profile and keepassxc sandboxed with the default profile (from git master).

iirc 67 changes how profiles are handled and --no-remote is default now?

Hmm, I thought it was just that they automatically set up a new profile for release, nightly, dev, beta, etc? I don't think they do --no-remote by default, since I was able to open a link just fine (once I put --private-bin=firefox to add firefox to the sandbox).

@tinmanx, can you download firefox from mozilla's website, close all open firefox windows, and do the following?

  1. cd to the directory where you extracted firefox (from the tar.bz2 file).
  2. ff=$(mktemp -d)
  3. ./firefox --profile "$ff"
  4. Now, in a separate terminal: firejail --private-bin=firefox keepassxc
  5. Click on the link.

This should: (a) make sure you're running with a clean profile and (b) ensure you're opening it in the mozilla version rather than the bionic version.

[edit] Hopefully Xfce won't mess with this...

@chiraag-nataraj I take it this is the portable version of Firefox and you're putting a profile into memory to test?
I tried this as you said, but I get the below error:
Launch failed (/usr/local/bin/firefox https://www.google.com/)

Just note that, by default usually in my own situation Firefox is not jailed at all.

@tinmanx -no-remote is a firefox arg. firefox --help:

--no-remote Do not accept or send remote commands; implies --new-instance.
--new-instance Open new instance, not a new window in running instance.

remote commands means something like "open a new window" or "open URL XY in a new tab".

Just note that, by default usually in my own situation Firefox is not jailed at all.

Yes. For this test, I didn't jail firefox (even though I normally do).

With what version of Firefox? You said 66.0.5. Use the 67.0 version, because that's the one with the actual issue.

Yes, right now I've been using 66.0.5. Let me download 67 from Mozilla's site and see if I run into the same issue.

I had no issue with Firefox 67.0 (from Mozilla's site) running with a fresh profile and keepassxc sandboxed with the default profile (from git master).

What do you mean by "from git master"?
I'm using the following:
firejail 0.9.58.2
keepassxc 2.4.1

Did you use Firefox 67.0 tar.bz2 or did you install from your debian repo?

Guys, this is very strange. I'm telling you, something was changed in Firefox 67.0. We need to find out what it is. Firefox v66.0.5 works perfectly, as it always did, even in previous versions.

I used firejail from git master (so 0.9.60~rc2), not 0.9.58.2, keepassxc 2.3.4 (latest version in Debian), and firefox downloaded from Mozilla (so 67.0).

I didn't attempt to install firefox at all — just ran it from the directory I extracted to (happened to be in my Downloads folder).

If you use a new Firefox profile, does it work? You can (easily) create a new profile by going to about:profiles.

I have a big problem since FF 67 too: when I click on a link from a sandboxed application, it launches a whole new Firefox instance with a new profile instead of using my Firefox instance which is already launched in the background! It really ruins my PC use :/

If you use a new Firefox profile, does it work? You can (easily) create a new profile by going to about:profiles.

No, it doesn't; I tried that now.

I also found this: https://www.reddit.com/r/firefox/comments/brh3s7/firefox_67_forces_a_new_profile_is_there_any_way/ Not sure if this might be of any help to you, so that you can maybe figure out if it's using an incorrect profile.

[Edit]
check this:
https://www.reddit.com/r/firefox/comments/broebr/just_updated_to_firefox_67_and_have_a_new_profile/
and this:
https://bugzilla.mozilla.org/show_bug.cgi?id=1553526

I have a big problem since FF 67 too: when I click on a link from a sandboxed application, it launches a whole new Firefox instance with a new profile instead of using my Firefox instance which is already launched in the background! It really ruins my PC use :/

I am under the impression that when firejail is trying to open a URL, Firefox forces a brand new instance and profile, which won't work (because when Firefox is closed in general and you try to open a link, it's the exact same error I get).

I am under the impression that when firejail is trying to open a URL, Firefox forces a brand new instance and profile, which won't work (because when Firefox is closed in general and you try to open a link, it's the exact same error I get).

Something's _very_ weird because _that is not the behavior I experienced_. When I had firefox 67.0 running (although it wasn't officially installed), keepassxc opened links in the running instance.

@chiraag-nataraj I don't know what to tell you. I also tried this on a fresh Ubuntu 18.04, no xfce4 or anything like that, just plain Ubuntu 18.04 Desktop. Same issue after installing Firefox from the repo.

Can you try installing Firefox from the Debian repo, deleting ~/.mozilla and opening Firefox so it creates a new profile? Then run keepassxc with firejail so you can tell me

Interesting, once I installed it system-wide, I had the same issue. Can you try this profile for keepassxc and report back? (NB: It assumes your database is stored in ~/.config/keepassxc for simplicity...you can add other whitelist paths if you want).
~/.config/firejail/keepassxc.profile:

ignore memory-deny-write-execute

include ${HOME}/.config/firejail/common.inc

whitelist ${HOME}/.config/keepassxc

private-bin keepassxc,firefox
private-etc alternatives,fonts
protocol netlink,unix
join-or-start keepassxc

~/.config/firejail/common.inc:

blacklist /usr/local/bin
blacklist /usr/local/sbin

blacklist /boot

private-tmp
read-only /tmp/.X11-unix
private-dev
disable-mnt
private-opt emp
private-srv emp

shell none
seccomp
seccomp.block-secondary
noroot
caps.drop all
apparmor
nonewprivs
ipc-namespace
machine-id
nodbus
nou2f
nogroups
net none
netfilter
memory-deny-write-execute

noexec ${HOME}
noexec /tmp
noexec ${RUNUSER}

@tinmanx, any luck with the keepassxc profile I posted above?

@tinmanx, I'm not sure how to proceed from here. If the profile I sent you works, then we can figure out which directive is causing the issue in the stock profile and we can fix it. But I can't do that unless someone else tests the profile...

@chiraag-nataraj Sorry for the late response; I haven't been able to log on for a while.

I did the tests right now. Please see findings below:

I tried to run it with: firejail keepassxc, but when clicking the link, it gave an error in the terminal:
Launch failed (/usr/sbin/firefox https://www.site.com/)
and it didn't open.

So I tried with: firejail --ignore=private-bin keepassxc and the following happened:
I already had Firefox open, so when clicking the link it prompted with this screenshot
2019-06-01
so I chose it and it opened a brand new instance of Firefox; it didn't open a new tab in the existing Firefox profile.

On another note:
I still don't know why I have to run firejail --ignore=private-bin keepassxc, and if I run firejail keepassxc it won't launch the site.

Is it possible you could also do these tests on your side?

The profile I posted worked fine when firefox was already open. I suspect you have to tweak the profile a bit. I really don't know what it might take, since I've been on a highly-customized Debian sid/experimental setup for quite some time now (AwesomeWM and manual mimetype configuration if required).

From the looks of it, it's probably something to do with xdg-open not having access to its config files (and xdg-open not being whitelisted in private-bin).

Honestly, the safest (and most _secure_) option is to manually copy the URLs and paste them. I've been doing this for a long time now since it allows for _much_ stricter sandboxes.

If someone else is out there running Ubuntu and wants to help @tinmanx troubleshoot, please have at it! I'm at my wit's end at this point, since the profile above worked for me.

@tinmanx, one more thing you can try is commenting whitelist ${HOME}/.config/keepassxc in the profile and seeing if it works then. If so, that points to additional directories you need to whitelist in your home directory.

@chiraag-nataraj
Running firejail --ignore=private-bin keepassxc now, while having commented out whitelist ${HOME}/.config/keepassxc, it worked and opened the link in the same Firefox instance.

So, knowing this, what can you do to actually fix this?
Is this keepassxc.profile, with whitelist ${HOME}/.config/keepassxc commented out, secure?

Okay, this means you need to figure out which other directories need to be whitelisted for xdg-open to work. I can't help you there since I don't use that mechanism for opening programs (as I mentioned earlier).

Is this profile of keepassxc.profile and commenting out whitelist ${HOME}/.config/keepassxc secure?

Not _as_ secure as whitelisting _just_ the specific directories it needs to function. Again, if you care about security, keep the profile as-is and just copy-paste the URL.

@chiraag-nataraj If you don't use the first whitelist, does it by default allow all directories?

if you care about security, keep the profile as-is and just copy-paste the URL.

If this is the case, how was it working before the Firefox upgrade? Was it less secure previously?

@chiraag-nataraj If you don't use the first whitelist, does it by default allow all directories?

Yes. If there are no blacklists or whitelists (and my profiles tend to take a whitelist approach), then all directories in ~ (your home directory) are able to be accessed.

If this is the case, how was it working before the Firefox upgrade? Was it less secure previously?

I never had a setup where clicking on a link worked without relaxing many settings on the sandbox. Looking at the keepassxc profile provided in this repository (not the one I posted above), it seems it allows keepassxc access to your .mozilla directory, which means it theoretically could access anything stored in your firefox profile. I suppose we decided it's an acceptable compromise to not break everyone's setup.

Personally, I find that whenever I need to allow a program to access configuration files that aren't its own, I should change my workflow. So in this case, if I took a look at the profile and realized that clicking on links only works because keepassxc has access to my firefox data, I would create a stricter profile in ~/.config/firejail without that and copy and paste the links.

I mean, in this case, you might deem it an acceptable risk _as long as keepassxc doesn't have internet access_ (so net none or protocol unix or similar is enabled in the sandbox). Otherwise, it's not even a question in my mind.

@chiraag-nataraj I appreciate your input and you make great points; however, this is not really a solution to the actual problem. Knowing that net none provides a network block is enough for most users. This again shouldn't be an excuse to render the link launcher useless and tedious.

Also, saying that xdg-open is somehow the cause of it being blocked wouldn't make sense, because this has to do with a Firefox update. I mean, I've downgraded and upgraded the Firefox versions like 10 times and I get the same results.

A basic and simple question, what exactly could have changed from Firefox 66.0.5 to Firefox 67.0 which causes keepassxc not being able to launch links anymore from firejail?

@chiraag-nataraj I just found out I am having the same issue, not being able to click links on a jailed cherrytree.profile too. It never used to be like this.
Do you think I should open a bug report on Mozilla? Can you please assist? I can't be the only one with this issue. I'll do whatever else I can to make this work again.

A basic and simple question, what exactly could have changed from Firefox 66.0.5 to Firefox 67.0 which causes keepassxc not being able to launch links anymore from firejail?

I really don't know. Every new firefox release adds so many things (and changes so many things) that I'm not entirely even sure what could have done this.

Do you think I should open a bug report on Mozilla? Can you please assist? I can't be the only one with this issue. I'll do whatever else I can to make this work again.

I don't think opening a bug report on Firefox's bugzilla will be useful at all — they will just redirect you back here and close as NOTABUG.

As I've already mentioned, this functionality requires you to at the minimum whitelist your firefox folder (~/.mozilla) in all programs where you would like to click on links and have them open. This has not changed and is still the case. To me, that represents a lot more trust than I am willing to give random programs (especially internet-connected ones).

Given your input above, I think the thing that's broken is that firefox (or whatever is calling it) now requires additional directories to be whitelisted (in addition to ~/.mozilla) before it will work. This might have happened with a firefox update, but I don't _think_ firefox broke it.

You will have to play around with whitelisting directories in your home directory (build off of the profile I sent you) and don't worry too much about the private-bin for now (you can comment it if you want, we can deal with that later) — just focus on getting the home directory whitelist to work.

You might be able to use the --debug and --trace arguments for firejail or run it from the terminal to hopefully get more output, which might give you a better idea of what's going on.

I really don't know. Every new firefox release adds so many things (and changes so many things) that I'm not entirely even sure what could have done this.

As @SkewedZeppelin already said "67 changes how profiles are handled"

Profiles per installation to avoid conflicts

New Firefox installations will use a dedicated profile automatically starting with the release of Firefox 67. Firefox used existing profiles previously by default which led to two issues:

Profiles were shared between different Firefox installations, e.g. Nightly and Stable, which could lead to conflicts.
You could not run multiple Firefox installations side by side by default.

Firefox supports options to run multiple profiles side-by-side and the new release does not take these away. It makes things easier for users of the browser who install different versions of Firefox on a single device.

(Source: https://www.ghacks.net/2019/05/21/firefox-67-0-release-information/)

@rusty-snake Yes, but I'm not quite sure if that's the issue here. In particular, it doesn't explain why the firejail profile that worked for me seems to not work for OP or why this broke in the first place.

The profile handling you're describing is more related to versioning firefox profiles such that each one is associated with a specific firefox channel (release, beta, nightly). It pretty much has nothing to do with this issue (afaik).

@tinmanx @chiraag-nataraj I'll go ahead and close this for now.
