Firefox Apparmor profile prevents connection with KeePassXC

Bug #1826793 reported by Colan Schwartz on 2019-04-29
This bug affects 1 person
Affects Status Importance Assigned to Milestone
firefox (Ubuntu)

Bug Description

The KeePassXC password manager allows passwords to be filled in automatically via the KeePassXC-Browser Firefox add-on.

In order for this to work, the add-on must communicate with the password manager. However, communication is being blocked by Firefox's Apparmor profile.

If KeePassXC is installed via Apt:

Apr 28 20:25:43 snake kernel: [79057.095759] audit: type=1400 audit(1556497543.512:878): apparmor="DENIED" operation="exec" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/usr/bin/keepassxc-proxy" pid=23647 comm=444F4D20576F726B6572 requested_mask="x" denied_mask="x" fsuid=1000 ouid=0

If KeePassXC is installed via Snap:

Apr 28 20:22:24 snake kernel: [78858.165807] audit: type=1400 audit(1556497344.579:799): apparmor="DENIED" operation="exec" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/usr/bin/snap" pid=21695 comm=444F4D20576F726B6572 requested_mask="x" denied_mask="x" fsuid=1000 ouid=0

Please alter the Apparmor profile to allow for communication with this password manager with either installation method.


Disable the profile with `sudo aa-disable usr.bin.firefox`.

ProblemType: Bug
DistroRelease: Ubuntu 19.04
Package: firefox 66.0.3+build1-0ubuntu1
ProcVersionSignature: Ubuntu 5.0.0-13.14-generic 5.0.6
Uname: Linux 5.0.0-13-generic x86_64
AddonCompatCheckDisabled: False
ApportVersion: 2.20.10-0ubuntu27
Architecture: amd64
BuildID: 20190410124846
Channel: Unavailable
CurrentDesktop: ubuntu:GNOME
Date: Sun Apr 28 20:31:43 2019
EcryptfsInUse: Yes
ExecutablePath: /usr/lib/firefox/firefox
ForcedLayersAccel: False
Plugins: Shockwave Flash - /usr/lib/adobe-flashplugin/ (adobe-flashplugin)
Profiles: Profile0 (Default) - LastVersion=66.0.3/20190410124846 (In use)
RelatedPackageVersions: adobe-flashplugin 1:20190409.1-0ubuntu1
RunningIncompatibleAddons: True
SourcePackage: firefox
UpgradeStatus: Upgraded to disco on 2019-04-26 (2 days ago)
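
The two denial records in the description carry more than the blocked path: `comm` is logged unquoted and hex-encoded, and the `audit(...)` stamp gives an epoch and serial for correlation. The following Python parser is an added example, not part of the original report or of any Ubuntu tooling; its function names are hypothetical, and it decodes those fields from the two log lines quoted above.

```python
import re
from collections import Counter

# The two denial records quoted in the bug description (apt install, then snap install).
SAMPLE_LOG = '''\
Apr 28 20:25:43 snake kernel: [79057.095759] audit: type=1400 audit(1556497543.512:878): apparmor="DENIED" operation="exec" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/usr/bin/keepassxc-proxy" pid=23647 comm=444F4D20576F726B6572 requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
Apr 28 20:22:24 snake kernel: [78858.165807] audit: type=1400 audit(1556497344.579:799): apparmor="DENIED" operation="exec" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/usr/bin/snap" pid=21695 comm=444F4D20576F726B6572 requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
'''

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
STAMP_RE = re.compile(r'audit\((\d+)\.\d+:(\d+)\)')
# String fields that are written as bare hex (no quotes) when the value holds
# spaces, quotes or non-printable bytes. Numeric fields are never hex-decoded.
HEX_CAPABLE = {"comm", "name", "profile"}


def decode_value(key, raw):
    """Return the literal value of one key=value field from an audit record."""
    if raw.startswith('"'):
        return raw[1:-1]                      # quoted values are literal
    if key in HEX_CAPABLE:
        try:
            return bytes.fromhex(raw).decode("utf-8", errors="replace")
        except ValueError:
            return raw                        # not valid hex, keep as logged
    return raw


def parse_denials(log_text):
    """Parse every AppArmor DENIED record in log_text into a dict of fields."""
    denials = []
    for line in log_text.splitlines():
        fields = {k: decode_value(k, v) for k, v in FIELD_RE.findall(line)}
        if fields.get("apparmor") != "DENIED":
            continue
        stamp = STAMP_RE.search(line)
        if stamp:                             # epoch seconds and audit serial
            fields["epoch"], fields["serial"] = int(stamp.group(1)), int(stamp.group(2))
        denials.append(fields)
    return denials


def summarize(denials):
    """Count denials per (profile, operation, target, mask, thread name)."""
    keys = ("profile", "operation", "name", "denied_mask", "comm")
    return Counter(tuple(d.get(k) for k in keys) for d in denials)


if __name__ == "__main__":
    for (profile, op, name, mask, comm), n in summarize(parse_denials(SAMPLE_LOG)).items():
        print(f"{n}x {op} of {name} (mask {mask}) denied for thread '{comm}' under {profile}")
```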

Jonathan White (droidmonkey) wrote :

Hi, KeePassXC maintainer here. This problem is not limited to the KeePassXC-Browser extension; any extension using Native Messaging will be blocked because of the way native messaging works. The browser itself launches a process that it communicates with using a named pipe.

Olivier Tilloy (osomon) wrote :

Please note that the firefox apparmor profile is disabled by default, precisely because it has known limitations like this one. See /usr/share/doc/firefox/README.Debian.

Changed in firefox (Ubuntu):
status: New → Triaged
importance: Undecided → Medium

Colan Schwartz (colan) wrote :

Thanks. Does anyone know if there's an upstream (Debian) bug report for this? If not, should one be created? Or is this simply a downstream (Ubuntu) thing?

Olivier Tilloy (osomon) wrote :

As far as I know, the firefox apparmor profile is Ubuntu-specific, not in Debian.
