Fix for KeePassXC plugin #3984

Merged
merged 3 commits into from
Mar 19, 2021

nidamanx
Contributor

@nidamanx nidamanx commented Feb 13, 2021

KeePassXC changed the socket name.
keepassxreboot/keepassxc@a145bf9
Keep also old socket name in whitelist for back compatibility

Collaborator

@rusty-snake rusty-snake left a comment

Since it is a whitelist, it should go to the whitelist block(s) above (line 12-23).

etc/profile-a-l/firefox.profile (outdated)
@rusty-snake
Collaborator

> Since it is a whitelist, it should go to the whitelist block(s) above (line 12-23).

and since it is an Add-On related thing, it should go in firefox-common-addons.inc. There we conflict with ignore include whitelist-runuser-common.inc (which I added because of KPXC).

@nidamanx
Contributor Author

> Since it is a whitelist, it should go to the whitelist block(s) above (line 12-23).
>
> and since it is an Add-On related thing, it should go in firefox-common-addons.inc. There we conflict with ignore include whitelist-runuser-common.inc (which I added because of KPXC).

Exactly! :-)
Let me do a full test before
Also commenting the line ignore include whitelist-runuser-common.inc

@nidamanx
Contributor Author

nidamanx commented Feb 13, 2021

> Since it is a whitelist, it should go to the whitelist block(s) above (line 12-23).
>
> and since it is an Add-On related thing, it should go in firefox-common-addons.inc. There we conflict with ignore include whitelist-runuser-common.inc (which I added because of KPXC).

Very strange.
My setup (Default Debian) is ignoring firefox-common-addons.inc and firefox-common-addons.local
Starting firejail firefox from terminal, I cannot see parsing firefox-common-addons.*
And, it didn't work at all while setting up the lines for KPXC (and commenting the ones in firefox.local profile),
I tried in .config/firejail and in /etc/firejail in all combinations, but no way.
The only way, in my side, seems to be using firefox.local or firefox.profile

```
$ firejail firefox
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/firefox-common.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Warning: networking feature is disabled in Firejail configuration file
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Parent pid 13835, child pid 13838
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Child process initialized in 219.09 ms
$ ls -l /etc/firejail/firefox-common-addons*
-rw-r--r-- 1 root root 3203 feb 13 19:34 /etc/firejail/firefox-common-addons.inc
-rw-r--r-- 1 root root 3301 feb 13 19:23 /etc/firejail/firefox-common-addons.local
```

@rusty-snake
Collaborator

Sorry, I don't fully get you. firefox-common-addons.inc is opt-in because it has wide relaxations and is used by a minority, if this is where you hang.
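
Added example (not firejail's code and not part of the thread): a simplified Python model of how a profile's `include` and `ignore` lines resolve, showing that while the opt-in include stays commented out, neither firefox-common-addons.inc nor a firefox-common-addons.local reached through it is read. The file contents, the `resolve` and `with_opt_in` helpers, the commented-out include line and the prefix-match handling of `ignore` are assumptions made for illustration.

```python
# Simplified model of firejail include resolution; file contents are constructed.
BASE = {
    "firefox.profile": ["include firefox-common.profile"],
    "firefox-common.profile": [
        "include firefox-common.local",
        "#include firefox-common-addons.inc",  # opt-in: commented out (assumed)
        "include whitelist-runuser-common.inc",
    ],
    "firefox-common-addons.inc": [
        "include firefox-common-addons.local",
        "ignore include whitelist-runuser-common.inc",
    ],
    "firefox-common-addons.local": ["whitelist ${RUNUSER}/kpxc_server"],
    "whitelist-runuser-common.inc": ["whitelist ${RUNUSER}/bus"],
}


def resolve(name, files, ignored=None, read=None, active=None):
    """Walk `name` and its includes; return (files_read, effective_lines)."""
    ignored = [] if ignored is None else ignored
    read = [] if read is None else read
    active = [] if active is None else active
    if name not in files:  # a missing .local file is skipped
        return read, active
    read.append(name)
    for raw in files[name]:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # comments never take effect
        if line.startswith("ignore "):
            ignored.append(line[len("ignore "):])
        elif any(line.startswith(p) for p in ignored):
            continue  # suppressed by an earlier "ignore" (prefix match assumed)
        elif line.startswith("include "):
            resolve(line.split(None, 1)[1], files, ignored, read, active)
        else:
            active.append(line)
    return read, active


def with_opt_in(files):
    """Copy of `files` plus a firefox-common.local enabling the add-on include."""
    return {**files, "firefox-common.local": ["include firefox-common-addons.inc"]}


if __name__ == "__main__":
    for label, files in (("default", BASE), ("opt-in", with_opt_in(BASE))):
        read, active = resolve("firefox.profile", files)
        print(label, read, active, sep="\n  ")
```

In the default case the socket whitelist never becomes effective; with the opt-in line present it does, and the `ignore` read earlier suppresses the later whitelist-runuser-common.inc include.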

@nidamanx
Contributor Author

> Sorry, I don't fully get you. firefox-common-addons.inc is opt-in because it has wide relaxations and is used by a minority, if this is where you hang.

So, that's the reason why I cannot see the parse of firefox-common-addons.inc while starting from the terminal.
But, anyway, if I insert the lines about KPRC only in firefox-common-addons.inc or firefox-common-addons.local, I cannot have a fully working plugin.
It really seems I need to use this way:

```
$ ls -1 ~/.config/firejail/
firefox.local
firefox.profile
keepassxc.profile
```

P.S. firefox.profile and keepassxc.profile are there to override the default from .deb (so I'm sure to use the very last from the git)
And firefox.local contains just the few lines for KPHC

@kmk3
Collaborator

kmk3 commented Feb 14, 2021

(For cross-reference, this PR stems from the following issue: #3952)

@nidamanx
Contributor Author

Tried again this morning without good results.
The only way seems really to follow 3952#issuecomment-778640094

For the test, I deleted firefox.local and used the updated version for all firefox.profiles,
No way (at least on Debian 10) to use /etc/firejail/firefox-common-addons.local
I tried the following lines in any combinations but really seems this .local file is ignored

ignore include whitelist-runuser-common.inc (commented/uncommented/ignored/included)
#private-bin keepassxc-proxy (commented/uncommented)
whitelist ${RUNUSER}/kpxc_server (never commented)

@nidamanx
Contributor Author

What about this profile?
With the right socket seems going well and with no issues since 10 days

@rusty-snake
Collaborator

My worry is that I don't understand why firefox-common-addons.inc doesn't work.

@nidamanx
Contributor Author

> why firefox-common-addons.inc doesn't work

Mhhh, clear.
So, better investigate more. Let me do some more tests

One question: is the new named bus from keepassxc already included somewhere? if not, why firefox-common-addons should allow it? ...maybe I'm missing something
I think the problem was only the new renamed bus. All the rest is still the same. Isn't that correct?

@netblue30
Owner

Merged, thanks!

Successfully merging this pull request may close these issues.

New Firefox profiles break KeePassXC addon
whitelist-runuser-common breaks KeePassXC browser plugin