Vendicated
commented
1 month ago what? vesktop does not disable the sandbox
Closed odomingao closed 1 month ago
Vendicated
commented
1 month ago what? vesktop does not disable the sandbox
odomingao
commented
1 month ago @Vendicated launching via flatpak, and looking through the running processes, it shows that vesktop is launched with --no-sandbox:
ps axZ | grep vesktop | grep no-sandbox
- 871129 pts/0 S<l+ 0:06 /app/bin/vesktop/vesktop.bin --type=renderer --enable-crash-reporter=1e0c24f5-c6f8-40cc-b07c-faab24c2b9b4,no_channel --user-data-dir=/home/user/.var/app/dev.vencord.Vesktop/config/vesktop --app-path=/app/bin/vesktop/resources/app.asar --no-sandbox --no-zygote --autoplay-policy=no-user-gesture-required --disable-background-timer-throttling --ozone-platform=wayland --lang=en-US --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --time-ticks-at-unix-epoch=-1727099422334190 --launch-time-ticks=14670498479 --shared-files=v8_context_snapshot_data:100 --field-trial-handle=3,i,13521630818923871438,8366015073558315631,262144 --enable-features=VaapiVideoDecodeLinuxGL,VaapiVideoDecoder,VaapiVideoEncoder --disable-features=HardwareMediaKeyHandling,MediaSessionService,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version(edit: it's also the same for the unofficial aur package)
Discord Account
No response
Motivation
vesktop doesn't use the electron sandbox (it's always launched with --no-sandbox), and yet denying the sys_admin capability results in a crash because it will "not run without sandboxing".
[2:0923/135754.211316:FATAL:setuid_sandbox_host.cc(158)] The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. You need to make sure that /usr/lib/electron31/chrome-sandbox is owned by root and has mode 4755.Solution
Enable the electron sandbox
Alternatives
Allow vesktop to launch without these privileges, if possible
Additional context
No response
Request Agreement