Open AndKe opened 2 weeks ago
The issue is with the AppArmor configuration in Ubuntu 24.04, not the AppImage. The change in the configuration is explained in the release notes of Ubuntu 24.04 (security reasons).
Because this problem is caused by the OS configuration, I'm not use what the Arduino IDE team can do, except for documenting the installation procedure.
You can disable the sandboxing restriction for all program with:
sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=1
or by adding to /etc/sysctl.d/local.conf:
kernel.apparmor_restrict_unprivileged_userns=0
But that defeats the purpose of the new AppArmor restriction in Ubuntu 24.04.
You can also create a new AppArmor profile for the Arduino IDE (that allows a non-root user to use the sandboxing in a specific application). If you copy the AppImage to /usr/local/bin/arduino (for example), you can create an AppArmor profile with a configuration file, for example, in /etc/apparmor.d/usr.local.bin.arduino, containing:
abi <abi/4.0>,
include <tunables/global>
profile arduino /usr/local/bin/arduino flags=(unconfined) {
userns,
include if exists <local/arduino>
}
and reloading all AppArmor profiles with:
sudo service apparmor reload
Now you can run the Arduino IDE without the sandboxing error.
You could also run the Arduino IDE with the --no-sandbox option, but that is, in my opinion, a potentially very bad idea.
@mariovaldez Thank you for a good explanation/solution. Is this going to be easier / fixed in future releases? - so far, I have seen this issue with only two .AppImage applications.
The /usr/local/bin/arduino you refer to, is that a directory, or is arduino the actual arduino.Appmage? I have a directory for all my AppImages. it would be tempting to make an AppArmor configuration file for all .AppImage files in that dir.
@AndKe I don't think this will change with later versions of Ubuntu. My understanding is that allowing normal users to use kernel namespaces has been considered a security risk (the kernel namespaces are used to create the sandbox in some AppImage applications). The change in the AppArmor configuration of Ubuntu is a mitigation for that risk.
Regarding the "/usr/local/bin/arduino" path, that's the program name I used. You can use any filename you like (for example, "/usr/local/bin/arduino.AppImage"). I used the "/usr/local/bin" directory just to follow the Linux FHS guidelines but you can install the program anywhere you want (I'm sure lot of people prefer to install in /opt, or even in a per-user ~/opt or ~/bin directory).
Currently I'm using some other AppImage applications (ungoogled-chromium, teams-for-linux, upscayl) that also require their own AppArmor profile.
@mariovaldez Thank you, sorry for asking a vague question, I did not mean to ask is it will change in future Ubuntu releases, but if the future Arduino IDE AppImage releases will require this fix in forseeable future. Or if some changes to the IDE will make this issue be a thing of the past.
@AndKe The Arduino IDE 2 is really a Typescript/Javascript web application running locally with a Chromium engine (as an Electron app, in this case all packaged in an AppImage).
The Chromium engine uses the sandboxing to reduce security risks. There are several ways to implement the sandboxing. On Linux, the Chromium engine currently uses unprivileged kernel namespaces (in the past other ways have been used but I think they are deprecated now).
So, as long as the Arduino IDE uses the Chromium engine provided by the Electron framework, and as long as the Chromium engine requires unprivileged namespaces for the sandboxing, and as long as Ubuntu (or any other distribution) restricts the use of the namespaces, the apparmor profile is needed.
Describe the problem
To reproduce
Start .AppImage on Ubuntu 24.04
Expected behavior
Work as normal.
Arduino IDE version
2.3.2
Operating system
Linux
Operating system version
Ubuntu 24.04
Additional context
No response
Issue checklist