Permission denied running Native Messaging app

When a webextension tries to run a native messaging app nothing happens (no response or error message in the console), and strace shows “Permission denied” when execve tries to run the app.

Create simple example

A simple example to show this is a modified version of the MDN native messaging webextension example.

The only significant change is to background.js, which is modified to create a new connection to the app each time the icon is clicked, rather than when the extension is loaded. This is to make it easier to strace the attempt to start the app, which is where the problem seems to be.

/*  Each time the icon is clicked it replaces the port if any with a new one  
 *  before sending a message and listening for a reply.
 */

var port;
    
browser.browserAction.onClicked.addListener(() => {

    /* Disconnecting previous closes the app */
    if (port) {
        port.disconnect();
        console.log("Disconnected");
    }
    
    /* Connect to the "ping_pong" app */
    port = browser.runtime.connectNative("ping_pong");
    console.log("Connected to port", port);
    
    /* Add listener for replies from the app */
    port.onMessage.addListener((response) => {
        console.log("Received: " + response);
    });
    
    /* Send a message to the app */
    console.log("Sending:  ping");
    port.postMessage("ping");
    
});

The extension’s manifest.json can optionally be updated to reflect the changes:

{
  "description": "Native messaging example add-on, modified to first create a new port on each click",
  "manifest_version": 2,
  "name": "Modified native messaging example",
  "version": "2.1",
  "icons": {
    "48": "icons/message.svg"
  },
  ....
}

The app’s manifest (ping_pong.json) is normally stored in /usr/lib/mozilla/native-messaging-hosts/ or /usr/lib64/mozilla/native-messaging-hosts/, but according to some other discussions Tor looks for it deep in /home/user/.local/share/torbrowser/tbb/x86_64/tor-browser_en-US/Browser/TorBrowser/Data/Browser/.mozilla/native-messaging-hosts/, which was confirmed by strace.

When this webext+app is tested in Firefox ESR the app can be executed OK in /usr/bin, but when I tried the same for Tor it produced the “Permission denied” problem. When I had tried to install the native-messaging.zip file in the usual way, using “Install Add-On From File”, Tor’s file browser couldn’t access any files above /home/user/.local/share/torbrowser/tbb/x86_64/tor-browser_en-US/Browser/ because of permission problems. So I thought that the app’s problem might be because it wasn’t below what seemed to be Tor’s root, so I put it in a new Extensions folder /home/user/.local/share/torbrowser/tbb/x86_64/tor-browser_en-US/Browser/Extensions/.

{
  "name": "ping_pong",
  "description": "Example host for native messaging",
  "path": "/home/user/.local/share/torbrowser/tbb/x86_64/tor-browser_en-US/Extensions/ping_pong.py",
  "type": "stdio",
  "allowed_extensions": [ "ping_pong@example.org" ]
}

Test results

When the icon was clicked the debugging console logged the connection made and the “ping” sent, but no “pong” reply.

strace gave the following output:

strace -f -p $(pgrep fox.real) 2>&1 | grep -i ping
[pid 13982] openat(AT_FDCWD, "/home/user/.local/share/torbrowser/tbb/x86_64/tor-browser_en-US/Browser/TorBrowser/Data/Browser/.mozilla/native-messaging-hosts/ping_pong.json", O_RDONLY) = 43
[pid 13982] <... read resumed>"{\n  \"name\": \"ping_pong\",\n  \"desc"..., 259) = 259
[pid 13975] stat("/home/user/.local/share/torbrowser/tbb/x86_64/tor-browser_en-US/Browser/Extensions/ping_pong.py",  <unfinished ...>
[pid 14129] execve("/home/user/.local/share/torbrowser/tbb/x86_64/tor-browser_en-US/Browser/Extensions/ping_pong.py", ["/home/user/.local/share/torbrowser"..., "/home/user/.local/share/torbrowser"..., "ping_pong@example.org"], 0x7f50a0897000 /* 100 vars */) = -1 EACCES (Permission denied)

ping_pong.py has full execute permissions (-rwxr-xr-x), so why is permission denied? What permissions are required to enable it to be run as a native messaging app from Tor Browser?

I am a Tor newbie, and hoping that someone can give advice on how to get native messaging working.
Thanks.

(This is using the Tor Browser 11.0.6 in Linux, installed using Tor Browser Launcher, at the standard security level.)

The reason you’re getting the “Permission denied” isn’t because of Tor Browser itself but because of AppArmor. My Whonix VM comes with an AppArmor config file restricting the Tor Browser: /etc/apparmor.d/home.tor-browser.firefox. In my case I was trying to get the KeePassXC password manager to work with the Tor Browser. Your post helped me find the correct location to put the org.keepassxc.keepassxc_browser.json config file. In the Whonix case where Tor Browser is installed in $HOME/.tb, I had to create a folder: $HOME/.tb/tor-browser/Browser/TorBrowser/Data/Browser/.mozilla/native-messaging-hosts and put the json config file there.

But that was only half of the story as you found out. I too was getting “Permission denied” when Tor Browser tried to execute the /usr/bin/keepassxc-proxy executable. For me the solution was to add the line “/usr/bin/keepassxc-proxy rix” to the /etc/apparmor.d/home.tor-browser.firefox AppArmor config file and then run: sudo apparmor_parser -r /etc/apparmor.d/home.tor-browser.firefox. That loosened AppArmor’s grip on Tor Browser just enough to allow it to run the necessary keepassxc-proxy binary and now the KeePassXC browser extension works.

I hope this helps future people looking to do the same. Cheers!
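
The check described in the answer above can be done offline before touching the live profile. This is an added example, not code from either poster or from AppArmor: it reads the "path" from a native messaging host manifest and reports whether a set of AppArmor file rules would let the confined browser execute it. The rule parser is simplified (path-first rules only, no character classes, only @{HOME} expanded, assumed here to be /home/user), and the manifest and rule lines are constructed samples.

```python
import json
import re

# Simplified parser for rules of the form "[audit] [deny] [owner] PATH PERMS,".
RULE = re.compile(r"^\s*(?:audit\s+)?(deny\s+)?(?:owner\s+)?([/@]\S*)\s+([A-Za-z]+)"
                  r"\s*(?:->\s*\S+\s*)?,")

def glob_to_regex(glob):
    """Translate AppArmor globs (*, **, ?, {a,b}) to an anchored regex."""
    out, i, depth = [], 0, 0
    while i < len(glob):
        c = glob[i]
        if glob.startswith("**", i):       # ** crosses directory levels
            out.append(".*")
            i += 2
            continue
        depth += (c == "{") - (c == "}")
        alt = "|" if c == "," and depth else re.escape(c)
        out.append({"*": "[^/]*", "?": "[^/]", "{": "(?:", "}": ")"}.get(c, alt))
        i += 1
    return re.compile("".join(out) + r"\Z")

def exec_verdict(profile_text, path, home="/home/user"):
    """Return 'allow', 'deny' or 'no rule' for executing path under the rules."""
    verdict = "no rule"                    # enforce mode: no rule means EACCES
    for line in profile_text.splitlines():
        m = RULE.match(line)
        if not m:
            continue
        deny, pattern, perms = m.groups()
        pattern = pattern.replace("@{HOME}", home)   # assumed home directory
        if "x" not in perms or not glob_to_regex(pattern).match(path):
            continue
        if deny:
            return "deny"                  # deny rules override allow rules
        verdict = "allow"
    return verdict

def check_host(manifest_text, profile_text):
    """Read the host manifest's "path" and report whether the rules let it run."""
    path = json.loads(manifest_text)["path"]
    return path, exec_verdict(profile_text, path)

# Constructed sample data (not the real Whonix profile or KeePassXC manifest).
MANIFEST = ('{"name": "org.keepassxc.keepassxc_browser", "type": "stdio", '
            '"path": "/usr/bin/keepassxc-proxy"}')
BEFORE = ("owner @{HOME}/.tb/tor-browser/Browser/** rw,\n"
          "@{HOME}/.tb/tor-browser/Browser/firefox.real ix,\n")
AFTER = BEFORE + "/usr/bin/keepassxc-proxy rix,\n"

if __name__ == "__main__":
    print("before:", check_host(MANIFEST, BEFORE))
    print("after: ", check_host(MANIFEST, AFTER))
```

A "no rule" result is the case that surfaces as EACCES on execve in strace even though the file mode is -rwxr-xr-x: read/write access under the browser directory does not imply an exec rule.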