Problems with 1Password + Firejail

SystemSystem

Team Member
This discussion was created from comments split from: 1Password for Linux beta #27 🎉.

Comments

  • Normally I run firefox and chrome with the default firejail settings, however, the browser integration does not seem to work within firejail. It works fine without firejail. Does anyone know what firejail configuration is necessary for this to work within firejail?

  • BlakeBlake

    Team Member

    Howdy @dhaavyieds :)

    So... we've found a few things:

    1. In your FireJail Firefox profile, you'll need to have
    whitelist ${RUNUSER}/1Password-BrowserSupport
    
    whitelist /opt/1Password/1Password-KeyringHelper
    
    1. Your browser profile will need to be not be running with noroot in the FireJail profile and a seccomp allowance of the keyctl syscall.

    Can you give that a shot and let me know if that kicks things into gear for you?

  • Hi Blake,

    Thanks for having a look. I created a firefox.local file in /etc/firejail with the following (firefox.profile includes firefox.local if it is there):

    whitelist ${RUNUSER}/1Password-BrowserSupport.sock      #(I tried without the .sock also, but that is what is in  ${RUNUSER})
    whitelist /opt/1Password/1Password-KeyringHelper
    ignore noroot
    seccomp !keyctl
    
    

    But it is still not working. I must be missing something.

  • BlakeBlake

    Team Member

    @dhaavyieds

    It looks like you allowed access to the .sock file itself, but we're thinking you might still need to whitelist /opt/1Password/1Password-BrowserSupport as well so that 1Password in your browser can spawn it. This was something we missed during our first look at configuring FireJail with 1Password for Linux.

    Can you give that a shot and let me know if you see different results?

    Thanks in advance!

  • edited March 23

    Hi Blake,

    Thanks! I tried your suggestion, but still no joy. My firejail.local profile is now:

    whitelist ${RUNUSER}/1Password-BrowserSupport.sock
    whitelist /opt/1password/1Password-BrowserSupport
    whitelist /opt/1password/1Password-KeyringHelper
    ignore noroot
    seccomp !keyctl
    

    (I have /opt/1password not /opt/1Password)

    I wondered if it might also need something like:
    dbus-user.talk com.onepassword.OnePassword.*
    However, this is still not enough.

    Thank you for your help, it is appreciated.

  • Dayton_agDayton_ag

    Team Member

    Hey @dhaavyieds,

    My colleagues have taken a deeper look at this, and it seems that there are some roadblocks currently that prevent communication between the extension and the desktop app when running FireJail. While this may be something that we can revisit in the future, currently we do not have plans to support browser integration under a FireJail environment

Leave a Comment

BoldItalicStrikethroughOrdered listUnordered list
Emoji
Image
Align leftAlign centerAlign rightToggle HTML viewToggle full pageToggle lights
Drop image/file