Electron 5 based AppImage and Snap packages #134

Closed
vladimiry opened this issue Apr 30, 2019 · 5 comments

@vladimiry
Owner

vladimiry commented Apr 30, 2019

Currently, if the User Namespaces feature is not enabled, AppImage and Snap fail to start. This is why these packages are still being released as Electron 4 based builds. See the error messages below.

AppImage:

```
The setuid sandbox is not running as root. Common causes:
  * An unprivileged process using ptrace on it, like a debugger.
  * A parent process set prctl(PR_SET_NO_NEW_PRIVS, ...)
Failed to move to new namespace: PID namespaces supported, Network namespace supported, but failed: errno = Operation not permitted
Trace/breakpoint trap (core dumped)
```

Snap:

```
Failed to move to new namespace: PID namespaces supported, Network namespace supported, but failed: errno = Operation not permitted
Trace/breakpoint trap (core dumped)
```

The goal is to somehow make those packages work with the SUID Sandbox.

@vladimiry
Owner Author

vladimiry commented Apr 30, 2019

For the Snap case, adding the `{ "browser-sandbox": { "interface": "browser-support", "allow-sandbox": true }}` plug might be a solution. Going to test it later. Proper testing requires disabling the User Namespaces feature by executing the `sudo sysctl kernel.unprivileged_userns_clone=0` command so the SUID Sandbox will be used as a fallback.

@burtonator

@vladimiry this didn't work for me... (browser-sandbox)

My current strategy is to try to replace the 'electron' binary with a wrapper to force `--no-sandbox`

@vladimiry
Owner Author

vladimiry commented May 13, 2019

> My current strategy is to try to replace the 'electron' binary with a wrapper to force `--no-sandbox`

I did the same and can confirm the solution is functional.

@vladimiry
Owner Author

vladimiry commented May 13, 2019

Also tried a tricky way of first detecting whether the sandbox is supported by simply running `electron --version` (as it fails even if you run just that command) and then falling back to adding the `--no-sandbox` argument if getting the version failed, or starting without arguments if it succeeded. But I took a pause on this idea because if I run `electron --version` inside the packaged AppImage it just starts the app instead (like the normal start with UI). Although I can read the `--version` argument in the app and exit if I get it. Or maybe introduce a custom argument. So the idea is not yet tested to the end. Related code is here.
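
The detect-then-fall-back idea from the comment above, as an added example that is not part of the original thread or the project's code: instead of probing `electron --version`, this wrapper reads the kernel's user-namespace knobs and checks the SUID helper, and passes `--no-sandbox` only when neither sandbox mechanism can work. `REAL_BIN`, the `chrome-sandbox` location next to it and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not the project's code): keep the Chromium sandbox enabled
# wherever one of its mechanisms can work. Names and REAL_BIN are assumptions.

# userns_available PROC_ROOT: succeeds if unprivileged user namespaces look enabled.
userns_available() {
    clone_knob="$1/sys/kernel/unprivileged_userns_clone"  # knob named in the thread
    max_knob="$1/sys/user/max_user_namespaces"            # upstream kernel limit
    if [ -r "$clone_knob" ] && [ "$(cat "$clone_knob")" = "0" ]; then
        return 1
    fi
    # A missing file or a limit of 0 means no user namespace can be created.
    [ -r "$max_knob" ] && [ "$(cat "$max_knob")" != "0" ]
}

# mode_is_suid_root OWNER_UID OCTAL_MODE: succeeds for a root-owned setuid file.
mode_is_suid_root() {
    [ "$1" = "0" ] || return 1
    case "$2" in
        [4567]???) return 0 ;;   # leading octal digit carries the setuid bit
        *) return 1 ;;
    esac
}

# suid_helper_usable HELPER_PATH: checks owner and mode of the SUID sandbox helper.
# Limitation: a nosuid mount defeats the setuid bit and is not detected here.
suid_helper_usable() {
    [ -f "$1" ] || return 1
    owner=$(stat -c '%u' "$1") || return 1   # GNU stat: owner uid
    mode=$(stat -c '%a' "$1") || return 1    # GNU stat: octal mode
    mode_is_suid_root "$owner" "$mode"
}

# sandbox_args PROC_ROOT HELPER_PATH: prints the extra arguments for Electron.
sandbox_args() {
    if userns_available "$1" || suid_helper_usable "$2"; then
        return 0                 # a sandbox mechanism is available: add nothing
    fi
    echo "--no-sandbox"
}

# Launch only when REAL_BIN (assumed: path of the packaged Electron binary) is set.
if [ -n "${REAL_BIN:-}" ]; then
    # Unquoted on purpose: an empty result must not add an empty argument.
    exec "$REAL_BIN" $(sandbox_args /proc "$(dirname "$REAL_BIN")/chrome-sandbox") "$@"
fi
```

Unlike a wrapper that always forces `--no-sandbox`, this leaves the sandbox on for every host where user namespaces or a root-owned setuid helper are present.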

@vladimiry
Owner Author

v3.3.1 has been released with a disabled sandbox for AppImage and Snap packages. Will reopen if there is a better reliable solution for the issue.
