AppImageCommunity / pkg2appimage

Tool and recipes to convert existing deb packages to AppImage
http://appimage.org
MIT License

Google Chrome builds fine but fails to run #458

Closed nidamanx closed 3 years ago

nidamanx commented 3 years ago

Hi,

I followed your official procedure to install and build:

wget -c https://github.com/$(wget -q https://github.com/AppImage/pkg2appimage/releases -O - | grep "pkg2appimage-.*-x86_64.AppImage" | head -n 1 | cut -d '"' -f 2)
chmod +x ./pkg2appimage-*.AppImage
./pkg2appimage-*-x86_64.AppImage Google_Chrome
./out/Google_Chrome-*-x86_64.AppImage

The last command, which runs Google Chrome, fails with the following error:

user@host:bin/AppImage_pkg2appimage$ ./out/Google_Chrome-*-x86_64.AppImage
The setuid sandbox is not running as root. Common causes:
  * An unprivileged process using ptrace on it, like a debugger.
  * A parent process set prctl(PR_SET_NO_NEW_PRIVS, ...)
Failed to move to new namespace: PID namespaces supported, Network namespace supported, but failed: errno = Operation not permitted
Trace/breakpoint trap
user@host:bin/AppImage_pkg2appimage$ [29894:29894:0100/000000.456976:ERROR:zygote_linux.cc(646)] write: Pipe interrotta (32)

Thanks!

nidamanx commented 3 years ago

I found the answer https://discourse.appimage.org/t/image-wont-install-steuid-sandbox-is-not-running-as-root/1705/2

I think, for safety reasons, it could be better to add --no-sandbox at launch: ./out/Google_Chrome-*-x86_64.AppImage --no-sandbox

Btw, I'm searching for a way to use firejail and sandbox the AppImage.

probonopd commented 3 years ago

Proper solution:

sysctl kernel.unprivileged_userns_clone=1 like Ubuntu does by default.

https://docs.appimage.org/user-guide/troubleshooting/electron-sandboxing.html#configure-unprivileged-sandboxes

nidamanx commented 3 years ago

> Proper solution:
>
> sysctl kernel.unprivileged_userns_clone=1 like Ubuntu does by default.
>
> https://docs.appimage.org/user-guide/troubleshooting/electron-sandboxing.html#configure-unprivileged-sandboxes

Thanks very much. That seems to be the only way to use firejail and, without firejail, I would not open that kernel param at all (as Debian does by default). I'm evaluating the best choice for the very infrequent usage of that application. Thanks again.

probonopd commented 3 years ago

sudo sysctl kernel.unprivileged_userns_clone=1 worked for me on Debian last time I tried.

nidamanx commented 3 years ago

> sudo sysctl kernel.unprivileged_userns_clone=1 worked for me on Debian last time I tried.

Yes, it works fine. It's only related to my way of behaving. I prefer not to open something potentially dangerous for only one application (Chrome in this case). Even more so for a closed-source one. Who knows what it is doing in the background.

About your software: I think it's absolutely and totally great! It could be even better if there were a way to keep everything in a sandbox and with kernel privileges on.
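
Added example, not part of the thread or of pkg2appimage: a read-only check of the sysctl discussed above, so the current state is known before deciding whether to change it. The function names and status strings are hypothetical, and the check of user.max_user_namespaces (the upstream kernel limit, not mentioned in the thread) is an addition.

```shell
#!/bin/sh
# Added example (not from the thread): inspect the sysctls that decide whether
# an unprivileged process may create user namespaces, which the Chrome AppImage
# needs for its sandbox. Read-only; changes nothing on the system.

# userns_status [SYSCTL_ROOT]
# Prints one of: enabled, disabled-by-clone-knob, disabled-by-max, unknown.
# SYSCTL_ROOT defaults to /proc/sys; the parameter exists so the logic can be
# run against constructed files.
userns_status() {
    root="${1:-/proc/sys}"
    clone="$root/kernel/unprivileged_userns_clone"  # Debian/Ubuntu-patched kernels only
    max="$root/user/max_user_namespaces"            # upstream kernels

    # A limit of 0 disables user namespaces for everyone, whatever the other knob says.
    if [ -r "$max" ] && [ "$(cat "$max" 2>/dev/null)" = "0" ]; then
        echo "disabled-by-max"
    elif [ -r "$clone" ]; then
        if [ "$(cat "$clone" 2>/dev/null)" = "1" ]; then
            echo "enabled"
        else
            echo "disabled-by-clone-knob"
        fi
    elif [ -r "$max" ]; then
        # No distribution knob present: only the upstream limit applies.
        echo "enabled"
    else
        echo "unknown"
    fi
}

# userns_hint STATUS: one-line explanation for each status.
userns_hint() {
    case "$1" in
        enabled) echo "unprivileged user namespaces available; namespace sandbox can start" ;;
        disabled-by-clone-knob) echo "kernel.unprivileged_userns_clone=0; expect the 'Failed to move to new namespace' error" ;;
        disabled-by-max) echo "user.max_user_namespaces=0; user namespaces are off system-wide" ;;
        *) echo "no user-namespace sysctl found; kernel may lack user namespace support" ;;
    esac
}

status=$(userns_status)
echo "$status: $(userns_hint "$status")"
```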