Allowing Firefox to access the socket of KeePassXC. Starting keepassxc-proxy by Firefox (solution: we run it inside the Firefox sandbox). To spoiler, this are the main points we need to solve: 
However, even if we’ve solved the fact of Firefox having to run the proxy, there are more problems. So glad news ahead: This solution preserves all sandboxes and security aspects! After all, from a security POV you could then also just install Firefox on the host, yet again. However, seeing how lovely and quite securley the Firefox sandbox is already built, I would not dare to destroy that security for such a feature. So we could solve that by making wrapper scripts and using flatpak-spawn to let Firefox escape it’s sandbox. Anyway, whatever it does, it cannot do one thing: Spawn a process on the host or in another flatpak. it does not have any generic access to the file system (it uses portals).
Now why it does not work if Firefox is installed as a flatpak: The very good official Firefox flatpak by Mozilla really does have few permissions for being a browser. That is, so far, why Firefox installed on the host does work…. Flathub KeePassXC has a patch that allows the keepassxc-proxy to be started via flatpak run, i.e. The only thing it possibly needs to do is get into the KeePassXC flatpak. If Firefox is not sandboxed, that proxy can start as usual. KeePassXC-Browser) and tries to listen on that socket to find messages. keepassxc-proxy is started – via native messaging – by the browser (triggered by the add-on i.e. KeePassXC creates an UNIX socket in $XDG_RUNTIME_DIR/kpxc_server for applications to listen too. But for the curious, I’ll explain the problems we face: If you just want the solution, you can skip this part. This problem is shown in various GitHub issues: flathub/#29, keepassxreboot/keepassxc#2656, xhorak/firefox-devedition-flatpak#92, keepassxreboot/keepassxc-browser#297, flathub/#13, xhorak/firefox-devedition-flatpak#92, this Bugzilla bug, not to mention the many dupes like keepassxreboot/keepassxc-browser#297, keepassxreboot/keepassxc-browser#276, keepassxreboot/keepassxc-browser#102 etc. I show a workaround that makes it possible to use both configurations. this does not: Firefox (sandboxed), KeePassXC (host or sandboxed, does not matter). this should work out-of-the box: Firefox (host-installed), KeePassXC (flatpak from flathub). Firefox, and KeePassXC – or at least the browser and installing KeePassXC natively, which you’d actually want for security reasons – is not possible. installed as an deb/rpm package or similar on the host. 
If KeePassXC is sandboxed in a Flatpak, browsers can only access it, if they are not sandboxed, i.e.
0 kommentar(er)
