arduino / arduino-ide

Arduino IDE 2.x
https://www.arduino.cc/en/software
GNU Affero General Public License v3.0

2.3.2 AppImage fails to start due to missing sandboxing #2429

Open AndKe opened 2 weeks ago

AndKe commented 2 weeks ago

Describe the problem

./arduino-ide_2.3.2_Linux_64bit.AppImage 
[49662:0505/163801.040968:FATAL:setuid_sandbox_host.cc(158)] The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. You need to make sure that /tmp/.mount_arduinl1RTCc/chrome-sandbox is owned by root and has mode 4755.
Trace/breakpoint trap (core dumped)

To reproduce

Start .AppImage on Ubuntu 24.04

Expected behavior

Work as normal.

Arduino IDE version

2.3.2

Operating system

Linux

Operating system version

Ubuntu 24.04

Additional context

No response

Issue checklist

mariovaldez commented 1 week ago

The issue is with the AppArmor configuration in Ubuntu 24.04, not the AppImage. The change in the configuration is explained in the release notes of Ubuntu 24.04 (security reasons).

Because this problem is caused by the OS configuration, I'm not sure what the Arduino IDE team can do, except for documenting the installation procedure.

You can disable the sandboxing restriction for all programs with:

sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0

or by adding to /etc/sysctl.d/local.conf:

kernel.apparmor_restrict_unprivileged_userns=0

But that defeats the purpose of the new AppArmor restriction in Ubuntu 24.04.

You can also create a new AppArmor profile for the Arduino IDE (that allows a non-root user to use the sandboxing in a specific application). If you copy the AppImage to /usr/local/bin/arduino (for example), you can create an AppArmor profile with a configuration file, for example, in /etc/apparmor.d/usr.local.bin.arduino, containing:

abi <abi/4.0>,
include <tunables/global>
profile arduino /usr/local/bin/arduino flags=(unconfined) {
  userns,
  include if exists <local/arduino>
}

and reloading all AppArmor profiles with:

sudo service apparmor reload

Now you can run the Arduino IDE without the sandboxing error.

You could also run the Arduino IDE with the --no-sandbox option, but that is, in my opinion, a potentially very bad idea.

AndKe commented 1 week ago

@mariovaldez Thank you for a good explanation/solution. Is this going to be easier / fixed in future releases? - so far, I have seen this issue with only two .AppImage applications.

The /usr/local/bin/arduino you refer to, is that a directory, or is arduino the actual arduino.AppImage? I have a directory for all my AppImages. It would be tempting to make an AppArmor configuration file for all .AppImage files in that dir.

mariovaldez commented 1 week ago

@AndKe I don't think this will change with later versions of Ubuntu. My understanding is that allowing normal users to use kernel namespaces has been considered a security risk (the kernel namespaces are used to create the sandbox in some AppImage applications). The change in the AppArmor configuration of Ubuntu is a mitigation for that risk.

Regarding the "/usr/local/bin/arduino" path, that's the program name I used. You can use any filename you like (for example, "/usr/local/bin/arduino.AppImage"). I used the "/usr/local/bin" directory just to follow the Linux FHS guidelines, but you can install the program anywhere you want (I'm sure a lot of people prefer to install in /opt, or even in a per-user ~/opt or ~/bin directory).

Currently I'm using some other AppImage applications (ungoogled-chromium, teams-for-linux, upscayl) that also require their own AppArmor profile.
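The procedure from the earlier comment (copy the AppImage to a fixed path, write a profile with a userns rule under /etc/apparmor.d, reload AppArmor) and the follow-up question about a directory full of AppImages, as an added example that is not code from the thread or from the Arduino project. It assumes AppArmor 4.x on Ubuntu 24.04 (hence abi <abi/4.0>) and the /etc/apparmor.d layout; the function and file names are my own. It generalises the single profile above to one profile per .AppImage in a directory, since AppArmor attaches a profile to one executable path, and it also reads the kernel setting whose value 1 is what produces the chrome-sandbox FATAL error.

```shell
#!/bin/sh
# Added example, not from the issue thread or the Arduino project: generate
# AppArmor profiles of the shape posted above, one per AppImage, and read the
# kernel setting that makes the Chromium sandbox abort on Ubuntu 24.04.
# Assumed: AppArmor 4.x (abi <abi/4.0>), profiles live under /etc/apparmor.d.

# Print a profile that lets the executable at $1 create user namespaces.
# $2 is the profile name (letters, digits, '-' and '_' only).
appimage_profile() {
    printf 'abi <abi/4.0>,\n'
    printf 'include <tunables/global>\n'
    printf 'profile %s %s flags=(unconfined) {\n' "$2" "$1"
    printf '  userns,\n'
    printf '  include if exists <local/%s>\n' "$2"
    printf '}\n'
}

# Conventional profile file name for an absolute path:
# /usr/local/bin/arduino -> usr.local.bin.arduino
profile_filename() {
    printf '%s\n' "$1" | sed -e 's#^/##' -e 's#/#.#g'
}

# Profile name derived from the file's basename, unsafe characters replaced:
# arduino-ide_2.3.2_Linux_64bit.AppImage -> arduino-ide_2_3_2_Linux_64bit_AppImage
profile_name_for() {
    basename "$1" | sed -e 's/[^A-Za-z0-9_-]/_/g'
}

# Write one profile per *.AppImage found in directory $1 into directory $2.
# Prints the number of profiles written.
profiles_for_dir() {
    count=0
    for img in "$1"/*.AppImage; do
        [ -f "$img" ] || continue            # no match leaves the literal glob
        abs=$(cd "$(dirname "$img")" && pwd)/$(basename "$img")
        appimage_profile "$abs" "$(profile_name_for "$abs")" \
            > "$2/$(profile_filename "$abs")"
        count=$((count + 1))
    done
    echo "$count"
}

# Current value of the Ubuntu restriction: 1 = unprivileged user namespaces
# restricted (the state that triggers the sandbox error), 0 = disabled
# system-wide, "unknown" on kernels without the knob.
userns_restriction() {
    f=/proc/sys/kernel/apparmor_restrict_unprivileged_userns
    if [ -r "$f" ]; then cat "$f"; else echo unknown; fi
}

# Usage (as root): sh appimage-profiles.sh /home/me/AppImages
# Writes the profiles into /etc/apparmor.d and reloads them; with no
# argument the script only defines the functions above.
if [ $# -eq 1 ]; then
    n=$(profiles_for_dir "$1" /etc/apparmor.d)
    echo "wrote $n profile(s); restriction currently: $(userns_restriction)"
    service apparmor reload
fi
```

Each generated file carries only the userns rule plus flags=(unconfined), so the AppImage keeps full access to the system exactly as before; the profile grants nothing beyond the namespace creation that the Chromium sandbox helper needs, which is why the comment above prefers it to disabling the restriction globally or passing --no-sandbox.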

AndKe commented 1 week ago

@mariovaldez Thank you, sorry for asking a vague question. I did not mean to ask if it will change in future Ubuntu releases, but if future Arduino IDE AppImage releases will require this fix in the foreseeable future, or if some changes to the IDE will make this issue a thing of the past.

mariovaldez commented 5 days ago

@AndKe The Arduino IDE 2 is really a TypeScript/JavaScript web application running locally with a Chromium engine (as an Electron app, in this case all packaged in an AppImage).

The Chromium engine uses the sandboxing to reduce security risks. There are several ways to implement the sandboxing. On Linux, the Chromium engine currently uses unprivileged kernel namespaces (in the past other ways have been used but I think they are deprecated now).

So, as long as the Arduino IDE uses the Chromium engine provided by the Electron framework, and as long as the Chromium engine requires unprivileged namespaces for the sandboxing, and as long as Ubuntu (or any other distribution) restricts the use of the namespaces, the AppArmor profile is needed.