eclipse-theia / theia-blueprint

The Eclipse IDE is a modern and open IDE for cloud and desktop. The Theia IDE is based on the Theia platform. The Theia IDE is available as a downloadable desktop application. You can also try the latest version of the Theia IDE online. For more details, see the Readme below.
https://theia-ide.org/#theiaide
MIT License
335 stars 126 forks

AppImage executable won't launch #363

Open Mukund-Bhardwaj opened 3 months ago

Mukund-Bhardwaj commented 3 months ago

Bug Description:

AppImage executable won't launch without disabling sandboxing. Application works completely fine after adding the --no-sandbox command line argument. The following error is shown in the terminal:

[184044:0610/211014.832520:FATAL:setuid_sandbox_host.cc(158)] The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. You need to make sure that /tmp/.mount_TheiaI98fe20/chrome-sandbox is owned by root and has mode 4755. Trace/breakpoint trap (core dumped)

Steps to Reproduce:

  1. Give executable permission to the AppImage file
  2. Run the executable via terminal

Additional Information

jfaltermeier commented 3 months ago

Thank you for the report. Sounds like this: https://docs.appimage.org/user-guide/troubleshooting/electron-sandboxing.html We may try https://www.npmjs.com/package/electron-builder-sandbox-fix

otherpaco commented 2 months ago

@jfaltermeier, that seems not to be the problem.

I use Ubuntu 24.04 and have the same problem.

sysctl kernel.unprivileged_userns_clone returns kernel.unprivileged_userns_clone = 1

So no need for the sandbox-fix package.

But I found this:

The issue comes from Ubuntu 24.04 deprecating unprivileged kernel namespaces, which the Arduino IDE (and other applications) rely on for their sandboxes.

From a sandbox problem with the Arduino IDE discussed on askubuntu; here is the corresponding GitHub issue.

The workaround ./TheiaIDE.AppImage --no-sandbox works, but you lose the security of a sandbox.

sgraband commented 1 month ago

I will take a look.

JonasHelming commented 1 month ago

@sgraband Is this related to https://github.com/eclipse-theia/theia-blueprint/issues/377 maybe?

sgraband commented 1 month ago

Unfortunately, I haven't had much time to look into this. Hopefully I can do so this week. Will take a look if they are related.

hklene commented 3 weeks ago

The way forward seems to be an AppArmor profile for each electron-based AppImage: https://github.com/arduino/arduino-ide/issues/2429#issuecomment-2099775010

Question is, how to get it included with Ubuntu for them to ship it same as they already do for vscode (so that not each and everyone has to hack those exceptions herself)?

$ cat /etc/apparmor.d/code
# This profile allows everything and only exists to give the
# application a name instead of having the label "unconfined"

abi <abi/4.0>,
include <tunables/global>

profile vscode /usr/share/code{/bin,}/code flags=(unconfined) {
  userns,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/code>
}

tuxPM commented 3 weeks ago

Question is, how to get it included with Ubuntu for them to ship it same as they already do for vscode (so that not each and everyone has to hack those exceptions herself)?

Indeed, the problem is that the AppImage can be placed anywhere by the user. So the AppArmor file should be updated each time the file is moved.

Anyway, I confirm that adding the file on Ubuntu 24.04 fixes the issue.

I put all Theia versions in /opt/theia/

and created this file in /etc/apparmor.d/opt.theia

abi <abi/4.0>,

include <tunables/global>

profile theia /opt/theia/* flags=(unconfined) {

  userns,

  include if exists <local/theia>
}

sgraband commented 1 week ago

Thank you @hklene & @tuxPM for the workaround. As far as I understand, this is a common issue for all Electron apps running in sandbox mode from Ubuntu 24.04 going forward. This is also indicated by AppArmor shipping the same workaround for most of the applications. For short-term help I would suggest linking this issue in the troubleshooting section of the README. Long term, we should investigate if it makes more sense to focus on a *.deb package where we can control the installation folder and ship the workaround with it (or add the workaround for the Theia IDE to the default AppArmor profiles). As you already mentioned, the issue with the AppImage is that it can be placed anywhere by the user.
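
Added example, not part of the thread or the Theia project: a POSIX shell triage script for the sandbox abort discussed above. It reads the sysctl quoted earlier plus kernel.apparmor_restrict_unprivileged_userns (an assumption: the Ubuntu 23.10+ knob, not named in the thread) and checks whether a profile file such as the /etc/apparmor.d/opt.theia one above is attached to the AppImage's current path. Function names and verdict strings are hypothetical, and only profile files on disk are inspected, not the loaded policy.

```shell
#!/bin/sh
# Added example (not from the thread): triage for the SUID-sandbox abort.
# Assumption: kernel.apparmor_restrict_unprivileged_userns is the Ubuntu
# 23.10+ knob; the thread itself only quotes unprivileged_userns_clone.

# Print a kernel sysctl value, or "absent" when the kernel does not expose it.
read_knob() {
    f="${PROC_SYS:-/proc/sys}/kernel/$1"
    if [ -r "$f" ]; then cat "$f"; else echo absent; fi
}

# Translate an AppArmor attachment glob to an ERE: "*" stops at "/", "**" does not.
glob_to_ere() {
    printf '%s\n' "$1" | sed -e 's|[.+]|\\&|g' -e 's|\*\*|%%ANY%%|g' \
        -e 's|\*|[^/]*|g' -e 's|%%ANY%%|.*|g'
}

# Succeed if a profile file in directory $2 is attached to path $1 and grants
# "userns". Simplification: attachments using {a,b} or [] are skipped.
profile_covers() {
    for p in "$2"/*; do
        [ -f "$p" ] || continue
        grep -Eq '^[[:space:]]*userns,' "$p" || continue
        att=$(awk '$1 == "profile" && $3 ~ /^\// { print $3; exit }' "$p")
        [ -n "$att" ] || continue
        case $att in *[{[]*) continue ;; esac
        printf '%s\n' "$1" | grep -Eq "^$(glob_to_ere "$att")\$" && return 0
    done
    return 1
}

# $1 = unprivileged_userns_clone, $2 = apparmor_restrict_unprivileged_userns,
# $3 = "yes" if a profile grants userns to the binary's path, else "no".
verdict() {
    if [ "$1" = 0 ]; then echo userns-disabled
    elif [ "$2" = 1 ] && [ "$3" != yes ]; then echo apparmor-blocks-userns
    else echo userns-available; fi
}

# Usage: sh triage.sh /opt/theia/TheiaIDE.AppImage
if [ "$#" -ge 1 ]; then
    covered=no
    profile_covers "$1" /etc/apparmor.d && covered=yes
    verdict "$(read_knob unprivileged_userns_clone)" \
        "$(read_knob apparmor_restrict_unprivileged_userns)" "$covered"
fi
```

A result of apparmor-blocks-userns for an AppImage that was moved out of the directory named in the profile is the path-dependence tuxPM describes.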