Keepassxc: Add AppArmour security profile

This is a little difficult, because KeePassXC actually does need to access the network for two reasons:

• KeePassHTTP
• Downloading Favicons

Not sure what is the first thing for but for the second one, it could be enough to rely on regular application updates, could it not?

I'm not sure what you mean.

Not sure what is the first thing for but for the second one, it could be enough to rely on regular application updates, could it not?

The first one is the protocol for communicating with browser extension like chromeIPass and passIFox (is disabled by default and can be removed at compile time) the second one is the option to download the URL favicon for an entry in the database to display as entry's icon. (the download must be activated manually)

Does it mean that for the basic functionality the application doesn't need
the network access? Or for the first use case only localhost connectivity
must be enabled?

On Sun, 19 Feb 2017, 21:15 TheZ3ro, notifications@github.com wrote:

Not sure what is the first thing for but for the second one, it could be
enough to rely on regular application updates, could it not?

The first one is the protocol for communicating with browser extension
like chromeIPass and passIFox (is disabled by default and can be removed at
compile time) the second one is the option to download the URL favicon for
an entry in the database to display as entry's icon. (the download must be
activated manually)

—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
https://github.com/keepassxreboot/keepassxc/issues/298#issuecomment-280945239,
or mute the thread
https://github.com/notifications/unsubscribe-auth/AYiZYGlDONXOWm3xNvvUG36IBBTUpUu9ks5reKLTgaJpZM4L-o1H
.

For KeePassHTTP connections to localhost need to be possible, for the latter HTTP connections to anywhere are necessary. The rest of the program will work without, but you will get an error message when you try to download a favicon without having a working Internet connection.

Please consider this functionality. On Android, I can choose an application without internet access (which I did). On Linux, there is no such feature as "system level permissions for accessing the internet" which is a pity when it comes to a sensitive private data.

If you do not want this application to have ANY network access you have two choices:

1. Compile it yourself (very easy), and make sure to set -DWITH_XC_HTTP=OFF in the CMake options.
2. Compile the app as a snap and remove the "network" and "network-bind" plugs from snapcraft.yaml.

You could also use a sandbox like firejail to do this for any application. There's already a profile available for keepassx. You can just copy it from /etc/firejail to ~/.config/firejail, rename it to keepassxc.profile and add the line net none to it.

The tray icon on KDE is missing however after adding the net none line. Not sure if this is a bug in KDE, Qt or Keepassxc.

Qt: Session management error: Could not open network socket
org.kde.knotifications: env says KDE is running but SNI unavailable -- check KDE_FULL_SESSION and XDG_CURRENT_DESKTOP

Thank you for both options. I will not compile the application but I may try the firejail. However, both SE Linux and AppArmor are Linux standard solutions for this so I would suppose they could be also available out-of-the-box.

Compile it yourself (very easy), and make sure to set -DWITH_XC_HTTP=OFF in the CMake options.

That doesn't get rid of the Favicon feature.

The tray icon on KDE is missing however after adding the net none line. Not sure if this is a bug in KDE, Qt or Keepassxc.

Neither. Tray icons are implemented over SNI which is a DBus protocol. Simply setting net none in firejail also prevents IPC over DBus. This can break things horribly. Don't try this on Ubuntu Unity as you will have no menu.

Thought that there was something going on with Dbus. So I guess the normal Keepassx profile of firejail is enough as it already just exposes the app to Unix sockets and nothing else.
The tray icon doesn't even work when starting Keepassxc with firejail --noprofile keepassxc, so that seems to be something else though.

Just to comment here that if you don't want the snap to access the network, you can disconnect the plugs with sudo snap disconnect.

@elopio I just tested out your idea. (sudo snap disconnect keepassxc:network) yet keepass is still able to request and display favicons. Should this happen, what other plugs need to be removed to prevent this snap from accessing the network?

Thanks

@PMaynard the only network plugs we enable are network and network-bind, disconnecting network should suffice

Note that right now only Ubuntu enforces AppArmor policies (AFAIK).

Yup, what's your distro @PMaynard ?

@elopio - I'm running Ubuntu 17.10
@TheZ3ro - I saw that it needed the network-bind plug, but was unable to disconnect that.

ubuntu 17.10 here too. I gave it a try and noticed that if I disconnect network-bind, I can no longer open keepassxc. Maybe, keepassxc is not degrading gracefully when it can't become a server?

Make sure that KeePassHTTP is disabled before you disconnect the plug.

@phoerious KeePassHTTP is disabled, but when I disconnect network-bind I can no longer start keepassxc. I'm running Ubuntu 17.10 and keepassxc 2.2.4 via snap

I'll look into this for 2.3 snap

@droidmonkey - tested keepassxc 2.3.1 with disconnected network-bind. The problem still exists, there is no GUI showing up.

@droidmonkey I tested it with snap keepassxc 2.3.3 and now it works for me. I can disconnect network and network-bind and keepassxc starts and can be used.

I also tested the behavior of 2.3.3 snap. The application starts without network and network-bind interfaces, but when I click "download icon" button in an entry, a blank download window pops up.

After closing that window the application segfaults.

I don't know exactly how snaps work, but can an application detect, if the network access has been disabled? Removing "download icon" button should be trivial, if that's possible.

Could you please open a separate issue for that? Thanks!

I created a fairly coarse and permissive AppArmor profile for KeePassXC that blocks network connections. I tested it on Ubuntu 18.04 with KeePassXC 2.3.1 (the current version from repository).

I'm sure that lot of stuff is missing from this profile but maybe someone from the developers could pick up on this to eventually create an "official" AppArmor profile for KeePassXC.

#include <tunables/global>

/usr/bin/keepassxc {
  #include <abstractions/base>
  #include <abstractions/gnome>
  #include <abstractions/dbus-strict>
  #include <abstractions/dbus-session-strict>
  #include <abstractions/dbus-accessibility-strict>

  owner @{HOME}/ r,
  owner @{HOME}/** rwk,

  owner /run/user/*/dconf/user rw,

  @{PROC}/[0-9]*/mountinfo r,
  @{PROC}/@{pid}/cmdline r,

  /usr/bin/xdg-open CUx,

  /usr/bin/ r,
  /usr/share/keepassxc/** r,
  /usr/share/nvidia/* r,
  /usr/share/qt5/translations/* r,
  /usr/share/themes/** r,

  /dev/console  rw,
  /dev/tty      rw,
  /dev/bus/usb/ r,
  /etc/fstab    r,

  /sys/bus/ r,
  /sys/bus/usb/devices/ r,
  /sys/class/ r,
  /sys/devices/** r,
  /run/udev/data/** r,

  /{usr/,}lib{,32,64}/** mr,

  dbus (send)
       bus=session
       peer=(name=org.a11y.Bus),
  dbus (receive)
       bus=session
       interface=org.a11y.atspi**,
  dbus (receive, send)
       bus=accessibility,
  dbus send
       bus=session
       path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus
       member=RequestName
       peer=(name=org.freedesktop.DBus),
  dbus (receive, send)
       bus=session
       interface=org.gtk.vfs.MountTracker,
  dbus (send)
       bus=session
       interface=org.gtk.vfs.Daemon,
  dbus (send)
       bus=session
       interface=org.gtk.Private.RemoteVolumeMonitor,
  dbus (bind)
       bus=session
       name=org.keepassxc.KeePassXC.*,

  # Deny all network connections
  deny network inet,
  deny network inet6,
  deny network raw,
  deny /etc/nsswitch.conf r,
  deny /etc/passwd r,
}

@phoerious can you convert this to something we can integrate into our repository? How do we deploy this?

Denying network would prevent us from downloading favicons.

I was thinking on an "as wanted" basis

@phoerious - would be great to have an official AppArmor profile (confirmed by devs) that users can use (optionally) to disable networking.