Flatpak Browser and Native Desktop App

Sn0wCrack
Sn0wCrack
Community Member
edited June 12 in Linux

Thought I would share this as I've managed to get the native desktop app working with my flatpak installation of Firefox.

I'm on Arch and using the version of 1Password from the AUR and the standard flatpak version of Firefox from flathub.

  • Add permissions to Firefox Flatpak via Flatseal:
    • Session Bus Talks: org.freedesktop.Flatpak
  • As root, create /etc/1password folder if it does not exist
  • As root, create /etc/1password/custom_allowed_browsers file if it does not exist
  • As root, edit /etc/1password/custom_allowed_browsers file and set content to:
    flatpak-session-helper
  • As user, create ~/.var/app/org.mozilla.firefox/data/bin folder if it does not exist
  • As user, create ~/.var/app/org.mozilla.firefox/data/bin/1password-wrapper.sh file if it does not exist
  • As user, edit ~/.var/app/org.mozilla.firefox/data/bin/1password-wrapper.sh and set content to:
#!/bin/bash

flatpak-spawn --host /opt/1Password/1Password-BrowserSupport "$@"
  • As user, mark ~/.var/app/org.mozilla.firefox/data/bin/1password-wrapper.sh as executable via chmod +x ~/.var/app/org.mozilla.firefox/data/bin/1password-wrapper.sh
  • As user, create ~/.var/app/org.mozilla.firefox/.mozilla/native-messaging-hosts folder if it does not eixst
  • As user, create ~/.var/app/org.mozilla.firefox/.mozilla/native-messaging-hosts/com.1password.1password.json file if it does not exist
  • As user, edit ~/.var/app/org.mozilla.firefox/.mozilla/native-messaging-hosts/com.1password.1password.json and set content to:
{
   "name": "com.1password.1password",
   "description": "1Password BrowserSupport",
   "path": "/home/{USERNAME}/.var/app/org.mozilla.firefox/data/bin/1password-wrapper.sh",
   "type": "stdio",
   "allowed_extensions": [
      "{0a75d802-9aed-41e7-8daa-24c067386e82}",
      "{25fc87fa-4d31-4fee-b5c1-c32a7844c063}",
      "{d634138d-c276-4fc8-924b-40a0ea21d284}"
   ]
}

Where {USERNAME} is the name of your user, essentially full path to the file we created before.
- Restart Firefox and 1Password

The above can be broken down into (mostly) the following commands:

sudo mkdir -p /etc/1password

sudo vim /etc/1password/custom_allowed_browsers

mkdir -p ~/.var/app/org.mozilla.firefox/data/bin

vim ~/.var/app/org.mozilla.firefox/data/bin/1password-wrapper.sh

chmod +x ~/.var/app/org.mozilla.firefox/data/bin/1password-wrapper.sh

mkdir -p ~/.var/app/org.mozilla.firefox/.mozilla/native-messaging-hosts

vim ~/.var/app/org.mozilla.firefox/.mozilla/native-messaging-hosts/com.1password.1password.json

I had also added xdg-run/1Password-BrowserSupport.sock, however it doesn't appear this socket file is actually needed for the extension to work from what I can tell so far.

This does somewhat break the isolation of Flatpak as it can now execute anything on the host via flatpak-spwan --host and there's no real easy way to whitelist specific host binaries that can run via Flatpak, kind of all or nothing annoyingly.

I also want to see if sometihng similar is possible for getting the Flatpak 1Password app communicating with a Flatpak browser, as KeePassXC has a kind of workaround for this that is similar.

This does somewhat break the isolation of Flatpak as it can now execute anything on the host via flatpak-spwan --host and there's no real easy way to whitelist specific host binaries that can run via Flatpak, kind of all or nothing annoyingly.

I also want to see if sometihng similar is possible for getting the Flatpak 1Password app communicating with a Flatpak browser, as KeePassXC has a kind of workaround for this that is similar.

1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Browser: Not Provided

Comments

  • Sn0wCrack
    Sn0wCrack
    Community Member

    I've attempted with the Flatpak version of 1Password and unfortunately seems like a no-go due to 1Password's security.

    The further I got was adaptting the KeePassXC script:

    #!/bin/bash

# Adapted from: https://github.com/keepassxreboot/keepassxc-browser/issues/1631#issuecomment-1153736766

APP_REF="com.onepassword.OnePassword/x86_64/stable"

for inst in "${HOME}/.local/share/flatpak" "/var/lib/flatpak"; do
    if [ -d "${inst}/app/${APP_REF}" ]; then
        FLATPAK_INST="${inst}"
        break
    fi
done
[ -z "${FLATPAK_INST}" ] && exit 1

APP_PATH="${FLATPAK_INST}/app/${APP_REF}/active"

RUNTIME_REF=$(awk -F'=' '$1=="runtime" { print $2 }' < "${APP_PATH}/metadata")
RUNTIME_PATH="${FLATPAK_INST}/runtime/${RUNTIME_REF}/active"

exec flatpak-spawn \
    --env=LD_LIBRARY_PATH="/app/lib:${APP_PATH}" \
    --app-path="${APP_PATH}/files" \
    --usr-path="${RUNTIME_PATH}/files" \
    -- /app/1Password/1Password-BrowserSupport "$@"

    This will execute the Browser Support application, but it bails out due to not running under the correct libc, I imagine it detects the fact the load path has changed and nopes out.

    Error for reference is:

    process detected it was running without libc's security, aborting
  • flyinpancake
    flyinpancake
    Community Member

    Hey! I've made the whole process a bit more scriptable: https://gist.github.com/FlyinPancake/f4ff2318de48ae8dae6226384af953f5