Normally I run firefox and chrome with the default firejail settings; however, the browser integration does not seem to work within firejail. It works fine without firejail. Does anyone know what firejail configuration is necessary for this to work within firejail?
Thanks for having a look. I created a firefox.local file in /etc/firejail with the following (firefox.profile includes firefox.local if it is there):
whitelist ${RUNUSER}/1Password-BrowserSupport.sock #(I tried without the .sock also, but that is what is in ${RUNUSER})
whitelist /opt/1Password/1Password-KeyringHelper
ignore noroot
seccomp !keyctl
But it is still not working. I must be missing something.
Comments
Team Member
Howdy @dhaavyieds
So... we've found a few things:
noroot in the FireJail profile and a seccomp allowance of the keyctl syscall.
Can you give that a shot and let me know if that kicks things into gear for you?
Hi Blake,
Thanks for having a look. I created a firefox.local file in /etc/firejail with the following (firefox.profile includes firefox.local if it is there):
But it is still not working. I must be missing something.
Team Member
@dhaavyieds
It looks like you allowed access to the .sock file itself, but we're thinking you might still need to whitelist /opt/1Password/1Password-BrowserSupport as well so that 1Password in your browser can spawn it. This was something we missed during our first look at configuring FireJail with 1Password for Linux.
Can you give that a shot and let me know if you see different results?
Thanks in advance!
Hi Blake,
Thanks! I tried your suggestion, but still no joy. My firejail.local profile is now:
(I have /opt/1password not /opt/1Password)
I wondered if it might also need something like:
dbus-user.talk com.onepassword.OnePassword.*
However, this is still not enough.
Thank you for your help, it is appreciated.
Team Member
Hey @dhaavyieds,
My colleagues have taken a deeper look at this, and it seems that there are some roadblocks currently that prevent communication between the extension and the desktop app when running FireJail. While this may be something that we can revisit in the future, currently we do not have plans to support browser integration under a FireJail environment.
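An added example, not written by anyone in this thread and not part of 1Password or Firejail: a shell function that audits a firejail .local override of the kind posted above. It reports whether each whitelisted path exists with exactly that spelling (the /opt/1password vs /opt/1Password point) and lists every hardening option the override relaxes. The names audit_local and demo, the output labels, and the sample tree are constructed for this example.

```shell
# Added example: audit a firejail *.local override for the directives discussed
# in this thread. Function names and output labels are this example's own.
# audit_local PROFILE [RUNUSER_DIR] -> one finding per line on stdout
audit_local() {
    profile=$1
    runuser=${2:-/run/user/$(id -u)}
    tok='${RUNUSER}'                      # macro as it is written in the profile
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                  # drop comments and trailing "#(...)" notes
        set -f; set -- $line; set +f      # split into words without globbing
        [ $# -ge 2 ] || continue
        case $1 in
        whitelist)
            path=$2
            case $path in "$tok"*) path=$runuser${path#"$tok"} ;; esac
            # Linux paths are case-sensitive: /opt/1Password != /opt/1password
            if [ -e "$path" ]; then echo "OK whitelist $path"
            else echo "MISSING whitelist $path"; fi ;;
        ignore)
            echo "RELAXED ignore $2" ;;   # a directive of the base profile is skipped
        seccomp)
            # "seccomp !name" keeps the filter but exempts the named syscall
            old_ifs=$IFS; IFS=,
            for item in $2; do
                case $item in '!'*) echo "RELAXED seccomp-allow ${item#!}" ;; esac
            done
            IFS=$old_ifs ;;
        esac
    done < "$profile"
}

# Constructed sample: a throwaway tree where the install directory is
# opt/1password while the profile whitelists opt/1Password.
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/run" "$d/opt/1password"
    : > "$d/run/1Password-BrowserSupport.sock"
    : > "$d/opt/1password/1Password-BrowserSupport"
    cat > "$d/firefox.local" <<EOF
whitelist \${RUNUSER}/1Password-BrowserSupport.sock  # socket
whitelist $d/opt/1Password/1Password-BrowserSupport
ignore noroot
seccomp !keyctl
EOF
    audit_local "$d/firefox.local" "$d/run"
    rm -rf "$d"
}

demo
```

Each RELAXED line marks a protection of the default profile that the override turns off, so it is worth reviewing them whenever a .local file is changed.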