flatpak / flatpak

Linux application sandboxing and distribution framework
https://flatpak.org
GNU Lesser General Public License v2.1

[Bug]: Can't run apps with persistent directories if userns is disabled at kernel level #5922

Open mal1213 opened 2 months ago

mal1213 commented 2 months ago

Flatpak version

1.14.10

What Linux distribution are you using?

Other (specify below)

Linux distribution version

Custom built linux/musl distro

What architecture are you using?

x86_64

How to reproduce

No response

Expected Behavior

A browser window should pop up.

Actual Behavior

I get the same result when I try to run librewolf, firefox, waterfox and mullvad browser

bwrap: Can't find source path /proc/self/fd/32: No such file or directory

$ flatpak -v run io.gitlab.librewolf-community

F: No installations directory in /usr/etc/flatpak/installations.d. Skipping
F: Opening system flatpak installation at path /usr/var/lib/flatpak
F: Opening user flatpak installation at path /home/kfu/.local/share/flatpak
F: Opening user flatpak installation at path /home/kfu/.local/share/flatpak
F: Opening system flatpak installation at path /usr/var/lib/flatpak
F: Opening user flatpak installation at path /home/kfu/.local/share/flatpak
F: Opening system flatpak installation at path /usr/var/lib/flatpak
F: /usr/var/lib/flatpak/runtime/org.freedesktop.Platform/x86_64/23.08/64a85d9703e16a360fb65aeb40382183be68836567e2a3a9455f70b2a26a568f/files/lib32 does not exist
F: Cleaning up unused container id 1804373804
F: Cleaning up per-app-ID state for io.gitlab.librewolf-community
F: Allocated instance id 4082906640
F: Allowing dri access
F: Allowing wayland access
F: Allowing pulseaudio access
F: Pulseaudio user configuration file '/home/kfu/.config/pulse/client.conf': Error opening file /home/kfu/.config/pulse/client.conf: No such file or directory
F: Pulseaudio user configuration file '/etc/pulse/client.conf': Error opening file /etc/pulse/client.conf: No such file or directory
F: Could not find pulseaudio socket
F: CUPS configuration file '/home/kfu/.cups/client.conf': Error opening file /home/kfu/.cups/client.conf: No such file or directory
F: CUPS configuration file '/etc/cups/client.conf': Error opening file /etc/cups/client.conf: No such file or directory
F: Could not find CUPS server
F: Failed to run in transient scope: No systemd user session available, cgroups not available
F: Running 'bwrap --args 34 -- xdg-dbus-proxy --args=36'
F: Running 'bwrap --args 34 -- librewolf'
bwrap: Can't find source path /proc/self/fd/32: No such file or directory

Additional Information

I'm having trouble running some browser flatpaks. My kernel has unprivileged user namespaces disabled so I installed bubblewrap suid. Trying to run librewolf, firefox, waterfox or mullvad browser results in

bwrap: Can't find source path /proc/self/fd/32: No such file or directory

When I boot using a kernel with userns enabled they all run fine!

mal1213 commented 2 months ago

I've had a look at the source code and figured out a "fix". The command

flatpak -vv run org.mozilla.firefox

produces

F: No installations directory in /etc/flatpak/installations.d. Skipping
F: Opening system flatpak installation at path /var/lib/flatpak
F: Opening user flatpak installation at path /home/kfu/.local/share/flatpak
F: Opening user flatpak installation at path /home/kfu/.local/share/flatpak
F: Opening system flatpak installation at path /var/lib/flatpak
F: Opening user flatpak installation at path /home/kfu/.local/share/flatpak
F: Opening system flatpak installation at path /var/lib/flatpak
F: /var/lib/flatpak/runtime/org.freedesktop.Platform/x86_64/23.08/64a85d9703e16a360fb65aeb40382183be68836567e2a3a9455f70b2a26a568f/files/lib32 does not exist
F: Cleaning up unused container id 1995273595
F: Cleaning up per-app-ID state for org.mozilla.firefox
F: Allocated instance id 1047396377
F: Trying to export read/write: /run/.heim_org.h5l.kcm-socket
F: Not sharing "/run/.heim_org.h5l.kcm-socket" with sandbox: Unable to open path "/run/.heim_org.h5l.kcm-socket": No such file or directory
F: Trying to replace with tmpfs: /home/kfu/.var/app
F: /home is not a symlink
F: /home/kfu is not a symlink
F: /home/kfu/.var is not a symlink
F: /home/kfu/.var/app is not a symlink
F: Will replace with tmpfs: /home/kfu/.var/app
F: Trying to export read/write: /home/kfu/.var/app/org.mozilla.firefox
F: /home is not a symlink
F: /home/kfu is not a symlink
F: /home/kfu/.var is not a symlink
F: /home/kfu/.var/app is not a symlink
F: /home/kfu/.var/app/org.mozilla.firefox is not a symlink
F: Will export read/write: /home/kfu/.var/app/org.mozilla.firefox
F: Trying to replace with tmpfs: /home/kfu/.local/share/flatpak
F: /home is not a symlink
F: /home/kfu is not a symlink
F: /home/kfu/.local is not a symlink
F: /home/kfu/.local/share is not a symlink
F: /home/kfu/.local/share/flatpak is not a symlink
F: Will replace with tmpfs: /home/kfu/.local/share/flatpak
F: Trying to ensure existence of directory: /home/kfu
F: /home is not a symlink
F: /home/kfu is not a symlink
F: Will ensure existence of directory: /home/kfu
F: Converting FlatpakExports to bwrap arguments...
F: "/home/kfu" is meant to be a directory
F: Ensuring "/home/kfu" is created as a directory
F: "/home/kfu/.local/share/flatpak" is meant to be a tmpfs or empty directory
F: Parent of "/home/kfu/.local/share/flatpak" is not mapped, creating empty directory
F: "/home/kfu/.var/app" is meant to be a tmpfs or empty directory
F: Parent of "/home/kfu/.var/app" is not mapped, creating empty directory
F: "/home/kfu/.var/app/org.mozilla.firefox" is meant to be shared (ro or rw) with the container
F: Allowing wayland access
F: Allowing pulseaudio access
F: Pulseaudio user configuration file '/home/kfu/.config/pulse/client.conf': Error opening file /home/kfu/.config/pulse/client.conf: No such file or directory
F: Pulseaudio user configuration file '/etc/pulse/client.conf': Error opening file /etc/pulse/client.conf: No such file or directory
F: Could not find pulseaudio socket
F: CUPS configuration file '/home/kfu/.cups/client.conf': Error opening file /home/kfu/.cups/client.conf: No such file or directory
F: CUPS configuration file '/etc/cups/client.conf': Error opening file /etc/cups/client.conf: No such file or directory
F: Could not find CUPS server
F: Failed to run in transient scope: No systemd user session available, cgroups not available
F: bwrap --args 36 = ...
F:     --symlink
F:     .
F:     /usr
F:     --ro-bind
F:     /bin
F:     /bin
F:     --bind
F:     /tmp
F:     /tmp
F:     --ro-bind
F:     '/lost+found'
F:     '/lost+found'
F:     --ro-bind
F:     /boot
F:     /boot
F:     --ro-bind
F:     /mnt
F:     /mnt
F:     --ro-bind
F:     /sys
F:     /sys
F:     --symlink
F:     var/run
F:     /run
F:     --bind
F:     /var
F:     /var
F:     --ro-bind
F:     /share
F:     /share
F:     --ro-bind
F:     /proc
F:     /proc
F:     --ro-bind
F:     /lib
F:     /lib
F:     --ro-bind
F:     /dev
F:     /dev
F:     --ro-bind
F:     /home
F:     /home
F:     --symlink
F:     bin
F:     /sbin
F:     --ro-bind
F:     /include
F:     /include
F:     --ro-bind
F:     /etc
F:     /etc
F:     --bind
F:     /tmp/xdg-1000/.dbus-proxy/
F:     /tmp/xdg-1000/.dbus-proxy/
F:     --perms
F:     0600
F:     --file
F:     31
F:     /.flatpak-info
F: bwrap --args 33 = ...
F:     --fd=35
F:     unix:path=/var/run/dbus/system_bus_socket
F:     /tmp/xdg-1000/.dbus-proxy/system-bus-proxy-P5OQS2
F:     --filter
F:     --talk=org.freedesktop.NetworkManager
F: Running 'bwrap --args 36 -- xdg-dbus-proxy --args=33'
F: bwrap --args 33 = ...
F:     --ro-bind
F:     /var/lib/flatpak/runtime/org.freedesktop.Platform/x86_64/23.08/64a85d9703e16a360fb65aeb40382183be68836567e2a3a9455f70b2a26a568f/files
F:     /usr
F:     --lock-file
F:     /usr/.ref
F:     --ro-bind
F:     /var/lib/flatpak/app/org.mozilla.firefox/x86_64/stable/58df947577536e4f826ed98ca220b766902200d5e45d2da0d91c398ddb4fa7e7/files
F:     /app
F:     --lock-file
F:     /app/.ref
F:     --ro-bind
F:     /var/lib/flatpak/runtime/org.freedesktop.Platform.ffmpeg-full/x86_64/23.08/04008b50b43f06e6fc78dd7bec6f6ad4478a76e8464251a1663d2417cfccfe4e/files
F:     /app/lib/ffmpeg
F:     --ro-bind
F:     /var/lib/flatpak/runtime/org.mozilla.firefox.Locale/x86_64/stable/e1fa350dfe0c2fb655b7ba3636f716ffa902ab7e922d71b326bbb0c49f1e9642/files
F:     /app/share/runtime/langpack
F:     --ro-bind-data
F:     13
F:     /run/flatpak/ld.so.conf.d/app-001-org.freedesktop.Platform.ffmpeg-full.conf
F:     --tmpfs
F:     /usr/lib/x86_64-linux-gnu/GL
F:     --ro-bind
F:     /var/lib/flatpak/runtime/org.freedesktop.Platform.GL.default/x86_64/23.08/9981cd935556ef0ec146129d66b232fa1dc3b2f04eb83fe8e881cb64056d8c5f/files
F:     /usr/lib/x86_64-linux-gnu/GL/default
F:     --ro-bind
F:     /var/lib/flatpak/runtime/org.freedesktop.Platform.GL.default/x86_64/23.08-extra/1f6789acbc5410c18c9237f57ccbb34edda9b207429e6d74775e0aeb9fd66189/files
F:     /usr/lib/x86_64-linux-gnu/GL/default
F:     --ro-bind
F:     /var/lib/flatpak/runtime/org.freedesktop.Platform.VAAPI.Intel/x86_64/23.08/3256b50a18714d9e45e9f38a84119549714953f42f4002e1d6537465b6ef55d1/files
F:     /usr/lib/x86_64-linux-gnu/dri/intel-vaapi-driver
F:     --ro-bind
F:     /var/lib/flatpak/runtime/org.freedesktop.Platform.openh264/x86_64/2.2.0/bf24f23f3ba385f6e8c9215ed94d979db99814b0b614504a23a6d0751dc5f063/files
F:     /usr/lib/x86_64-linux-gnu/openh264
F:     --ro-bind
F:     /var/lib/flatpak/runtime/org.freedesktop.Platform.Locale/x86_64/23.08/bc53b787ddc48e63d12494ee103c52412a6bade79e00be4068f3325f0396f853/files
F:     /usr/share/runtime/locale
F:     --ro-bind-data
F:     14
F:     /run/flatpak/ld.so.conf.d/runtime-001-org.freedesktop.Platform.GL.default.conf
F:     --symlink
F:     /usr/lib/x86_64-linux-gnu/GL/default/vulkan/icd.d/nouveau_icd.x86_64.json
F:     /usr/lib/x86_64-linux-gnu/GL/vulkan/icd.d/nouveau_icd.x86_64.json
F:     --symlink
F:     /usr/lib/x86_64-linux-gnu/GL/default/vulkan/icd.d/virtio_icd.x86_64.json
F:     /usr/lib/x86_64-linux-gnu/GL/vulkan/icd.d/virtio_icd.x86_64.json
F:     --symlink
F:     /usr/lib/x86_64-linux-gnu/GL/default/vulkan/icd.d/lvp_icd.x86_64.json
F:     /usr/lib/x86_64-linux-gnu/GL/vulkan/icd.d/lvp_icd.x86_64.json
F:     --symlink
F:     /usr/lib/x86_64-linux-gnu/GL/default/vulkan/icd.d/intel_icd.x86_64.json
F:     /usr/lib/x86_64-linux-gnu/GL/vulkan/icd.d/intel_icd.x86_64.json
F:     --symlink
F:     /usr/lib/x86_64-linux-gnu/GL/default/vulkan/icd.d/radeon_icd.x86_64.json
F:     /usr/lib/x86_64-linux-gnu/GL/vulkan/icd.d/radeon_icd.x86_64.json
F:     --symlink
F:     /usr/lib/x86_64-linux-gnu/GL/default/vulkan/icd.d/intel_hasvk_icd.x86_64.json
F:     /usr/lib/x86_64-linux-gnu/GL/vulkan/icd.d/intel_hasvk_icd.x86_64.json
F:     --symlink
F:     /usr/lib/x86_64-linux-gnu/GL/default/glvnd/egl_vendor.d/50_mesa.json
F:     /usr/lib/x86_64-linux-gnu/GL/glvnd/egl_vendor.d/50_mesa.json
F:     --symlink
F:     /usr/lib/x86_64-linux-gnu/GL/default/OpenCL/vendors/mesa.icd
F:     /usr/lib/x86_64-linux-gnu/GL/OpenCL/vendors/mesa.icd
F:     --symlink
F:     /usr/lib/x86_64-linux-gnu/GL/default/OpenCL/vendors/rusticl.icd
F:     /usr/lib/x86_64-linux-gnu/GL/OpenCL/vendors/rusticl.icd
F:     --symlink
F:     /usr/lib/x86_64-linux-gnu/GL/default/lib/dri/nouveau_drv_video.so
F:     /usr/lib/x86_64-linux-gnu/GL/lib/dri/nouveau_drv_video.so
F:     --symlink
F:     /usr/lib/x86_64-linux-gnu/GL/default/lib/dri/r600_dri.so
F:     /usr/lib/x86_64-linux-gnu/GL/lib/dri/r600_dri.so
F:     --symlink
F:     /usr/lib/x86_64-linux-gnu/GL/default/lib/dri/virtio_gpu_dri.so
F:     /usr/lib/x86_64-linux-gnu/GL/lib/dri/virtio_gpu_dri.so
F:     --symlink
F:     /usr/lib/x86_64-linux-gnu/GL/default/lib/dri/vmwgfx_dri.so
F:     /usr/lib/x86_64-linux-gnu/GL/lib/dri/vmwgfx_dri.so
F:     --symlink
F:     /usr/lib/x86_64-linux-gnu/GL/default/lib/dri/libgallium_dri.so
F:     /usr/lib/x86_64-linux-gnu/GL/lib/dri/libgallium_dri.so
F:     --symlink
F:     /usr/lib/x86_64-linux-gnu/GL/default/lib/dri/nouveau_dri.so
F:     /usr/lib/x86_64-linux-gnu/GL/lib/dri/nouveau_dri.so
F:     --symlink
F:     /usr/lib/x86_64-linux-gnu/GL/default/lib/dri/libgallium_drv_video.so
F:     /usr/lib/x86_64-linux-gnu/GL/lib/dri/libgallium_drv_video.so
F:     --symlink
F:     /usr/lib/x86_64-linux-gnu/GL/default/lib/dri/iris_dri.so
F:     /usr/lib/x86_64-linux-gnu/GL/lib/dri/iris_dri.so
F:     --symlink
F:     /usr/lib/x86_64-linux-gnu/GL/default/lib/dri/virtio_gpu_drv_video.so
F:     /usr/lib/x86_64-linux-gnu/GL/lib/dri/virtio_gpu_drv_video.so
F:     --symlink
F:     /usr/lib/x86_64-linux-gnu/GL/default/lib/dri/i915_dri.so
F:     /usr/lib/x86_64-linux-gnu/GL/lib/dri/i915_dri.so
F:     --symlink
F:     /usr/lib/x86_64-linux-gnu/GL/default/lib/dri/kms_swrast_dri.so
F:     /usr/lib/x86_64-linux-gnu/GL/lib/dri/kms_swrast_dri.so
F:     --symlink
F:     /usr/lib/x86_64-linux-gnu/GL/default/lib/dri/zink_dri.so
F:     /usr/lib/x86_64-linux-gnu/GL/lib/dri/zink_dri.so
F:     --symlink
F:     /usr/lib/x86_64-linux-gnu/GL/default/lib/dri/crocus_dri.so
F:     /usr/lib/x86_64-linux-gnu/GL/lib/dri/crocus_dri.so
F:     --symlink
F:     /usr/lib/x86_64-linux-gnu/GL/default/lib/dri/r300_dri.so
F:     /usr/lib/x86_64-linux-gnu/GL/lib/dri/r300_dri.so
F:     --symlink
F:     /usr/lib/x86_64-linux-gnu/GL/default/lib/dri/r600_drv_video.so
F:     /usr/lib/x86_64-linux-gnu/GL/lib/dri/r600_drv_video.so
F:     --symlink
F:     /usr/lib/x86_64-linux-gnu/GL/default/lib/dri/radeonsi_dri.so
F:     /usr/lib/x86_64-linux-gnu/GL/lib/dri/radeonsi_dri.so
F:     --symlink
F:     /usr/lib/x86_64-linux-gnu/GL/default/lib/dri/radeonsi_drv_video.so
F:     /usr/lib/x86_64-linux-gnu/GL/lib/dri/radeonsi_drv_video.so
F:     --symlink
F:     /usr/lib/x86_64-linux-gnu/GL/default/lib/dri/swrast_dri.so
F:     /usr/lib/x86_64-linux-gnu/GL/lib/dri/swrast_dri.so
F:     --symlink
F:     /usr/lib/x86_64-linux-gnu/GL/default/lib/d3d/d3dadapter9.so.1
F:     /usr/lib/x86_64-linux-gnu/GL/lib/d3d/d3dadapter9.so.1
F:     --symlink
F:     /usr/lib/x86_64-linux-gnu/GL/default/lib/d3d/d3dadapter9.so.1.0.0
F:     /usr/lib/x86_64-linux-gnu/GL/lib/d3d/d3dadapter9.so.1.0.0
F:     --symlink
F:     /usr/lib/x86_64-linux-gnu/GL/default/vulkan/explicit_layer.d/VkLayer_MESA_overlay.json
F:     /usr/lib/x86_64-linux-gnu/GL/vulkan/explicit_layer.d/VkLayer_MESA_overlay.json
F:     --symlink
F:     /usr/lib/x86_64-linux-gnu/GL/default/vulkan/implicit_layer.d/VkLayer_MESA_device_select.json
F:     /usr/lib/x86_64-linux-gnu/GL/vulkan/implicit_layer.d/VkLayer_MESA_device_select.json
F:     --symlink
F:     /usr/lib/x86_64-linux-gnu/GL/default/vdpau/libvdpau_virtio_gpu.so.1.0
F:     /usr/lib/x86_64-linux-gnu/GL/vdpau/libvdpau_virtio_gpu.so.1.0
F:     --symlink
F:     /usr/lib/x86_64-linux-gnu/GL/default/vdpau/libvdpau_trace.so.1.0.0
F:     /usr/lib/x86_64-linux-gnu/GL/vdpau/libvdpau_trace.so.1.0.0
F:     --symlink
F:     /usr/lib/x86_64-linux-gnu/GL/default/vdpau/libvdpau_radeonsi.so.1.0
F:     /usr/lib/x86_64-linux-gnu/GL/vdpau/libvdpau_radeonsi.so.1.0
F:     --symlink
F:     /usr/lib/x86_64-linux-gnu/GL/default/vdpau/libvdpau_nouveau.so
F:     /usr/lib/x86_64-linux-gnu/GL/vdpau/libvdpau_nouveau.so
F:     --symlink
F:     /usr/lib/x86_64-linux-gnu/GL/default/vdpau/libvdpau_nouveau.so.1
F:     /usr/lib/x86_64-linux-gnu/GL/vdpau/libvdpau_nouveau.so.1
F:     --symlink
F:     /usr/lib/x86_64-linux-gnu/GL/default/vdpau/libvdpau_nouveau.so.1.0.0
F:     /usr/lib/x86_64-linux-gnu/GL/vdpau/libvdpau_nouveau.so.1.0.0
F:     --symlink
F:     /usr/lib/x86_64-linux-gnu/GL/default/vdpau/libvdpau_virtio_gpu.so.1
F:     /usr/lib/x86_64-linux-gnu/GL/vdpau/libvdpau_virtio_gpu.so.1
F:     --symlink
F:     /usr/lib/x86_64-linux-gnu/GL/default/vdpau/libvdpau_r600.so.1.0
F:     /usr/lib/x86_64-linux-gnu/GL/vdpau/libvdpau_r600.so.1.0
F:     --symlink
F:     /usr/lib/x86_64-linux-gnu/GL/default/vdpau/libvdpau_trace.so.1
F:     /usr/lib/x86_64-linux-gnu/GL/vdpau/libvdpau_trace.so.1
F:     --symlink
F:     /usr/lib/x86_64-linux-gnu/GL/default/vdpau/libvdpau_radeonsi.so.1
F:     /usr/lib/x86_64-linux-gnu/GL/vdpau/libvdpau_radeonsi.so.1
F:     --symlink
F:     /usr/lib/x86_64-linux-gnu/GL/default/vdpau/libvdpau_gallium.so.1.0.0
F:     /usr/lib/x86_64-linux-gnu/GL/vdpau/libvdpau_gallium.so.1.0.0
F:     --symlink
F:     /usr/lib/x86_64-linux-gnu/GL/default/vdpau/libvdpau_r600.so.1
F:     /usr/lib/x86_64-linux-gnu/GL/vdpau/libvdpau_r600.so.1
F:     --symlink
F:     /usr/lib/x86_64-linux-gnu/GL/default/vdpau/libvdpau_r600.so.1.0.0
F:     /usr/lib/x86_64-linux-gnu/GL/vdpau/libvdpau_r600.so.1.0.0
F:     --symlink
F:     /usr/lib/x86_64-linux-gnu/GL/default/vdpau/libvdpau_virtio_gpu.so
F:     /usr/lib/x86_64-linux-gnu/GL/vdpau/libvdpau_virtio_gpu.so
F:     --symlink
F:     /usr/lib/x86_64-linux-gnu/GL/default/vdpau/libvdpau_trace.so
F:     /usr/lib/x86_64-linux-gnu/GL/vdpau/libvdpau_trace.so
F:     --symlink
F:     /usr/lib/x86_64-linux-gnu/GL/default/vdpau/libvdpau_nouveau.so.1.0
F:     /usr/lib/x86_64-linux-gnu/GL/vdpau/libvdpau_nouveau.so.1.0
F:     --symlink
F:     /usr/lib/x86_64-linux-gnu/GL/default/vdpau/libvdpau_radeonsi.so.1.0.0
F:     /usr/lib/x86_64-linux-gnu/GL/vdpau/libvdpau_radeonsi.so.1.0.0
F:     --symlink
F:     /usr/lib/x86_64-linux-gnu/GL/default/vdpau/libvdpau_r600.so
F:     /usr/lib/x86_64-linux-gnu/GL/vdpau/libvdpau_r600.so
F:     --symlink
F:     /usr/lib/x86_64-linux-gnu/GL/default/vdpau/libvdpau_virtio_gpu.so.1.0.0
F:     /usr/lib/x86_64-linux-gnu/GL/vdpau/libvdpau_virtio_gpu.so.1.0.0
F:     --symlink
F:     /usr/lib/x86_64-linux-gnu/GL/default/vdpau/libvdpau_radeonsi.so
F:     /usr/lib/x86_64-linux-gnu/GL/vdpau/libvdpau_radeonsi.so
F:     --ro-bind-data
F:     15
F:     /run/flatpak/ld.so.conf.d/runtime-002-org.freedesktop.Platform.VAAPI.Intel.conf
F:     --ro-bind-data
F:     16
F:     /run/flatpak/ld.so.conf.d/runtime-003-org.freedesktop.Platform.openh264.conf
F:     --ro-bind-data
F:     17
F:     /run/flatpak/ld.so.conf.d/runtime-004-org.freedesktop.Platform.GL.default.conf
F:     --proc
F:     /proc
F:     --unshare-pid
F:     --dir
F:     /tmp
F:     --dir
F:     /var/tmp
F:     --dir
F:     /run/host
F:     --perms
F:     0700
F:     --dir
F:     /run/user/1000
F:     --setenv
F:     XDG_RUNTIME_DIR
F:     /run/user/1000
F:     --symlink
F:     ../run
F:     /var/run
F:     --ro-bind-try
F:     /proc/self/ns/user
F:     /run/.userns
F:     --symlink
F:     /etc/timezone
F:     /var/db/zoneinfo
F:     --ro-bind
F:     /sys/block
F:     /sys/block
F:     --ro-bind
F:     /sys/bus
F:     /sys/bus
F:     --ro-bind
F:     /sys/class
F:     /sys/class
F:     --ro-bind
F:     /sys/dev
F:     /sys/dev
F:     --ro-bind
F:     /sys/devices
F:     /sys/devices
F:     --ro-bind-data
F:     19
F:     /etc/passwd
F:     --ro-bind-data
F:     20
F:     /etc/group
F:     --ro-bind-data
F:     21
F:     /etc/pkcs11/pkcs11.conf
F:     --ro-bind
F:     /var/lib/dbus/machine-id
F:     /etc/machine-id
F:     --ro-bind
F:     /var/lib/flatpak/runtime/org.freedesktop.Platform/x86_64/23.08/64a85d9703e16a360fb65aeb40382183be68836567e2a3a9455f70b2a26a568f/files/etc/nsswitch.conf
F:     /etc/nsswitch.conf
F:     --ro-bind
F:     /var/lib/flatpak/runtime/org.freedesktop.Platform/x86_64/23.08/64a85d9703e16a360fb65aeb40382183be68836567e2a3a9455f70b2a26a568f/files/etc/debuginfod
F:     /etc/debuginfod
F:     --ro-bind
F:     /var/lib/flatpak/runtime/org.freedesktop.Platform/x86_64/23.08/64a85d9703e16a360fb65aeb40382183be68836567e2a3a9455f70b2a26a568f/files/etc/rc_maps.cfg
F:     /etc/rc_maps.cfg
F:     --ro-bind
F:     /var/lib/flatpak/runtime/org.freedesktop.Platform/x86_64/23.08/64a85d9703e16a360fb65aeb40382183be68836567e2a3a9455f70b2a26a568f/files/etc/e2scrub.conf
F:     /etc/e2scrub.conf
F:     --ro-bind
F:     /var/lib/flatpak/runtime/org.freedesktop.Platform/x86_64/23.08/64a85d9703e16a360fb65aeb40382183be68836567e2a3a9455f70b2a26a568f/files/etc/moduli
F:     /etc/moduli
F:     --ro-bind
F:     /var/lib/flatpak/runtime/org.freedesktop.Platform/x86_64/23.08/64a85d9703e16a360fb65aeb40382183be68836567e2a3a9455f70b2a26a568f/files/etc/pulse
F:     /etc/pulse
F:     --ro-bind
F:     /var/lib/flatpak/runtime/org.freedesktop.Platform/x86_64/23.08/64a85d9703e16a360fb65aeb40382183be68836567e2a3a9455f70b2a26a568f/files/etc/security
F:     /etc/security
F:     --ro-bind
F:     /var/lib/flatpak/runtime/org.freedesktop.Platform/x86_64/23.08/64a85d9703e16a360fb65aeb40382183be68836567e2a3a9455f70b2a26a568f/files/etc/vdpau_wrapper.cfg
F:     /etc/vdpau_wrapper.cfg
F:     --ro-bind
F:     /var/lib/flatpak/runtime/org.freedesktop.Platform/x86_64/23.08/64a85d9703e16a360fb65aeb40382183be68836567e2a3a9455f70b2a26a568f/files/etc/ssl
F:     /etc/ssl
F:     --symlink
F:     ../usr/lib/os-release
F:     /etc/os-release
F:     --ro-bind
F:     /var/lib/flatpak/runtime/org.freedesktop.Platform/x86_64/23.08/64a85d9703e16a360fb65aeb40382183be68836567e2a3a9455f70b2a26a568f/files/etc/issue.net
F:     /etc/issue.net
F:     --ro-bind
F:     /var/lib/flatpak/runtime/org.freedesktop.Platform/x86_64/23.08/64a85d9703e16a360fb65aeb40382183be68836567e2a3a9455f70b2a26a568f/files/etc/protocols
F:     /etc/protocols
F:     --symlink
F:     ../../proc/self/mounts
F:     /etc/mtab
F:     --ro-bind
F:     /var/lib/flatpak/runtime/org.freedesktop.Platform/x86_64/23.08/64a85d9703e16a360fb65aeb40382183be68836567e2a3a9455f70b2a26a568f/files/etc/issue
F:     /etc/issue
F:     --ro-bind
F:     /var/lib/flatpak/runtime/org.freedesktop.Platform/x86_64/23.08/64a85d9703e16a360fb65aeb40382183be68836567e2a3a9455f70b2a26a568f/files/etc/xdg
F:     /etc/xdg
F:     --ro-bind
F:     /var/lib/flatpak/runtime/org.freedesktop.Platform/x86_64/23.08/64a85d9703e16a360fb65aeb40382183be68836567e2a3a9455f70b2a26a568f/files/etc/rc_keymaps
F:     /etc/rc_keymaps
F:     --ro-bind
F:     /var/lib/flatpak/runtime/org.freedesktop.Platform/x86_64/23.08/64a85d9703e16a360fb65aeb40382183be68836567e2a3a9455f70b2a26a568f/files/etc/mke2fs.conf
F:     /etc/mke2fs.conf
F:     --ro-bind
F:     /var/lib/flatpak/runtime/org.freedesktop.Platform/x86_64/23.08/64a85d9703e16a360fb65aeb40382183be68836567e2a3a9455f70b2a26a568f/files/etc/ld.so.conf
F:     /etc/ld.so.conf
F:     --ro-bind
F:     /var/lib/flatpak/runtime/org.freedesktop.Platform/x86_64/23.08/64a85d9703e16a360fb65aeb40382183be68836567e2a3a9455f70b2a26a568f/files/etc/xattr.conf
F:     /etc/xattr.conf
F:     --ro-bind
F:     /var/lib/flatpak/runtime/org.freedesktop.Platform/x86_64/23.08/64a85d9703e16a360fb65aeb40382183be68836567e2a3a9455f70b2a26a568f/files/etc/services
F:     /etc/services
F:     --ro-bind
F:     /var/lib/flatpak/runtime/org.freedesktop.Platform/x86_64/23.08/64a85d9703e16a360fb65aeb40382183be68836567e2a3a9455f70b2a26a568f/files/etc/ssh_config
F:     /etc/ssh_config
F:     --ro-bind
F:     /var/lib/flatpak/runtime/org.freedesktop.Platform/x86_64/23.08/64a85d9703e16a360fb65aeb40382183be68836567e2a3a9455f70b2a26a568f/files/etc/pki
F:     /etc/pki
F:     --ro-bind
F:     /var/lib/flatpak/runtime/org.freedesktop.Platform/x86_64/23.08/64a85d9703e16a360fb65aeb40382183be68836567e2a3a9455f70b2a26a568f/files/etc/gtk-3.0
F:     /etc/gtk-3.0
F:     --ro-bind
F:     /var/lib/flatpak/runtime/org.freedesktop.Platform/x86_64/23.08/64a85d9703e16a360fb65aeb40382183be68836567e2a3a9455f70b2a26a568f/files/etc/fonts
F:     /etc/fonts
F:     --ro-bind
F:     /var/lib/flatpak/runtime/org.freedesktop.Platform/x86_64/23.08/64a85d9703e16a360fb65aeb40382183be68836567e2a3a9455f70b2a26a568f/files/etc/profile.d
F:     /etc/profile.d
F:     --ro-bind
F:     /var/lib/flatpak/runtime/org.freedesktop.Platform/x86_64/23.08/64a85d9703e16a360fb65aeb40382183be68836567e2a3a9455f70b2a26a568f/files/etc/rpc
F:     /etc/rpc
F:     --ro-bind
F:     /var/lib/flatpak/runtime/org.freedesktop.Platform/x86_64/23.08/64a85d9703e16a360fb65aeb40382183be68836567e2a3a9455f70b2a26a568f/files/etc/alsa
F:     /etc/alsa
F:     --bind
F:     /home/kfu/.var/app/org.mozilla.firefox/cache
F:     /var/cache
F:     --bind
F:     /home/kfu/.var/app/org.mozilla.firefox/data
F:     /var/data
F:     --bind
F:     /home/kfu/.var/app/org.mozilla.firefox/config
F:     /var/config
F:     --bind
F:     /home/kfu/.var/app/org.mozilla.firefox/cache/tmp
F:     /var/tmp
F:     --symlink
F:     usr/bin
F:     /bin
F:     --symlink
F:     usr/lib
F:     /lib
F:     --symlink
F:     usr/lib64
F:     /lib64
F:     --symlink
F:     usr/sbin
F:     /sbin
F:     --symlink
F:     ../usr/share/zoneinfo/UTC
F:     /etc/localtime
F:     --ro-bind-data
F:     22
F:     /etc/timezone
F:     --ro-bind
F:     /etc/resolv.conf
F:     /etc/resolv.conf
F:     --ro-bind
F:     /etc/hosts
F:     /etc/hosts
F:     --ro-bind-data
F:     24
F:     /etc/ld.so.conf
F:     --ro-bind-data
F:     18
F:     /etc/ld.so.cache
F:     --ro-bind
F:     /tmp/xdg-1000/.flatpak/1047396377
F:     /run/flatpak/.flatpak/1047396377
F:     --lock-file
F:     /run/flatpak/.flatpak/1047396377/.ref
F:     --perms
F:     0600
F:     --file
F:     26
F:     /.flatpak-info
F:     --ro-bind-data
F:     27
F:     /.flatpak-info
F:     --setenv
F:     container
F:     flatpak
F:     --ro-bind-data
F:     28
F:     /run/host/container-manager
F:     --info-fd
F:     29
F:     --bind
F:     /tmp/xdg-1000/.flatpak/org.mozilla.firefox/xdg-run
F:     /run/user/1000
F:     --dev-bind
F:     /dev
F:     /dev
F:     --tmpfs
F:     /dev/shm
F:     --bind
F:     /tmp/xdg-1000/.flatpak/org.mozilla.firefox/tmp
F:     /tmp
F:     --bind-fd
F:     32
F:     /home/kfu/.mozilla
F:     --bind
F:     /tmp/xdg-1000/app/org.mozilla.firefox
F:     /run/flatpak/app/org.mozilla.firefox
F:     --dir
F:     /home/kfu
F:     --dir
F:     /home/kfu/.local/share/flatpak
F:     --dir
F:     /home/kfu/.var/app
F:     --bind
F:     /home/kfu/.var/app/org.mozilla.firefox
F:     /home/kfu/.var/app/org.mozilla.firefox
F:     --sync-fd
F:     34
F:     --ro-bind
F:     /tmp/xdg-1000/.flatpak/wl/wayland-DZOQS2
F:     /run/flatpak/wayland-0
F:     --tmpfs
F:     /tmp/.X11-unix
F:     --dev-bind
F:     /dev/snd
F:     /dev/snd
F:     --ro-bind
F:     /tmp/xdg-1000/.dbus-proxy/system-bus-proxy-P5OQS2
F:     /run/dbus/system_bus_socket
F:     --ro-bind
F:     /tmp/xdg-1000/.flatpak/org.mozilla.firefox/.ref
F:     /run/flatpak/per-app-dirs-ref
F:     --lock-file
F:     /run/flatpak/per-app-dirs-ref
F:     --ro-bind
F:     /usr/share/fonts
F:     /run/host/fonts
F:     --ro-bind
F:     /var/cache/fontconfig
F:     /run/host/fonts-cache
F:     --ro-bind
F:     /home/kfu/.cache/fontconfig
F:     /run/host/user-fonts-cache
F:     --ro-bind-data
F:     31
F:     /run/host/font-dirs.xml
F:     --ro-bind
F:     /usr/share/icons
F:     /run/host/share/icons
F:     --symlink
F:     /app/lib/debug/source
F:     /run/build
F:     --symlink
F:     /usr/lib/debug/source
F:     /run/build-runtime
F:     --setenv
F:     ALSA_CONFIG_DIR
F:     /usr/share/alsa
F:     --setenv
F:     ALSA_CONFIG_PATH
F:     /usr/share/alsa/alsa-flatpak.conf
F:     --setenv
F:     COLORTERM
F:     truecolor
F:     --setenv
F:     DBUS_SYSTEM_BUS_ADDRESS
F:     unix:path=/run/dbus/system_bus_socket
F:     --setenv
F:     DICPATH
F:     /usr/share/hunspell
F:     --setenv
F:     FLATPAK_ID
F:     org.mozilla.firefox
F:     --setenv
F:     FLATPAK_SANDBOX_DIR
F:     /home/kfu/.var/app/org.mozilla.firefox/sandbox
F:     --setenv
F:     GI_TYPELIB_PATH
F:     /app/lib/girepository-1.0
F:     --setenv
F:     GST_PLUGIN_SYSTEM_PATH
F:     /app/lib/gstreamer-1.0:/usr/lib/extensions/gstreamer-1.0:/usr/lib/x86_64-linux-gnu/gstreamer-1.0
F:     --setenv
F:     HOME
F:     /home/kfu
F:     --setenv
F:     HUSHLOGIN
F:     FALSE
F:     --setenv
F:     LABWC_PID
F:     602
F:     --setenv
F:     LD_LIBRARY_PATH
F:     ''
F:     --setenv
F:     LOGNAME
F:     kfu
F:     --setenv
F:     PAGER
F:     less
F:     --setenv
F:     PATH
F:     /app/bin:/usr/bin
F:     --setenv
F:     PS1
F:     '\u [\W] #\# > '
F:     --setenv
F:     PWD
F:     /home/kfu
F:     --setenv
F:     PYTHONUSERBASE
F:     /var/data/python
F:     --setenv
F:     SHELL
F:     /bin/sh
F:     --setenv
F:     SHLVL
F:     2
F:     --setenv
F:     STY
F:     626.main
F:     --setenv
F:     TERM
F:     screen
F:     --setenv
F:     TERMCAP
F:     'SC|screen|VT 100/ANSI X3.64 virtual terminal:DO=\E[%dB:LE=\E[%dD:RI=\E[%dC:UP=\E[%dA:bs:bt=\E[Z:cd=\E[J:ce=\E[K:cl=\E[H\E[J:cm=\E[%i%d;%dH:ct=\E[3g:do=^J:nd=\E[C:pt:rc=\E8:rs=\Ec:sc=\E7:st=\EH:up=\EM:le=^H:bl=^G:cr=^M:it#8:ho=\E[H:nw=\EE:ta=^I:is=\E)0:li#27:co#105:am:xn:xv:LP:sr=\EM:al=\E[L:AL=\E[%dL:cs=\E[%i%d;%dr:dl=\E[M:DL=\E[%dM:dc=\E[P:DC=\E[%dP:im=\E[4h:ei=\E[4l:mi:IC=\E[%d@:ks=\E[?1h\E=:ke=\E[?1l\E>:vi=\E[?25l:ve=\E[34h\E[?25h:vs=\E[34l:ti=\E[?1049h:te=\E[?1049l:us=\E[4m:ue=\E[24m:so=\E[3m:se=\E[23m:mb=\E[5m:md=\E[1m:mh=\E[2m:mr=\E[7m:me=\E[m:ms:Co#8:pa#64:AF=\E[3%dm:AB=\E[4%dm:op=\E[39;49m:AX:vb=\Eg:G0:as=\E(0:ae=\E(B:ac=\140\140aaffggjjkkllmmnnooppqqrrssttuuvvwwxxyyzz{{||}}~~..--++,,hhII00:Km=\E[<:k0=\E[10~:k1=\EOP:k2=\EOQ:k3=\EOR:k4=\EOS:k5=\E[15~:k6=\E[17~:k7=\E[18~:k8=\E[19~:k9=\E[20~:k;=\E[21~:F1=\E[23~:F2=\E[24~:kB=\E[Z:kh=\E[1~:@1=\E[1~:kH=\E[4~:@7=\E[4~:kN=\E[6~:kP=\E[5~:kI=\E[2~:kD=\E[3~:ku=\EOA:kd=\EOB:kr=\EOC:kl=\EOD:'
F:     --setenv
F:     USER
F:     kfu
F:     --setenv
F:     WAYLAND_DISPLAY
F:     /run/flatpak/wayland-0
F:     --setenv
F:     WINDOW
F:     5
F:     --setenv
F:     XDG_CACHE_HOME
F:     /home/kfu/.var/app/org.mozilla.firefox/cache
F:     --setenv
F:     XDG_CONFIG_DIRS
F:     /app/etc/xdg:/etc/xdg
F:     --setenv
F:     XDG_CONFIG_HOME
F:     /home/kfu/.var/app/org.mozilla.firefox/config
F:     --setenv
F:     XDG_CURRENT_DESKTOP
F:     wlroots
F:     --setenv
F:     XDG_DATA_DIRS
F:     /app/share:/usr/share:/usr/share/runtime/share:/run/host/user-share:/run/host/share
F:     --setenv
F:     XDG_DATA_HOME
F:     /home/kfu/.var/app/org.mozilla.firefox/data
F:     --setenv
F:     XDG_SESSION_TYPE
F:     wayland
F:     --setenv
F:     XDG_STATE_HOME
F:     /home/kfu/.var/app/org.mozilla.firefox/.local/state
F:     --setenv
F:     XKB_DEFAULT_OPTIONS
F:     ctrl:nocaps
F:     --setenv
F:     _
F:     /bin/flatpak
F:     --setenv
F:     _JAVA_AWT_WM_NONREPARENTING
F:     1
F:     --setenv
F:     __EGL_EXTERNAL_PLATFORM_CONFIG_DIRS
F:     /etc/egl/egl_external_platform.d:/usr/lib/x86_64-linux-gnu/GL/egl/egl_external_platform.d:/usr/share/egl/egl_external_platform.d
F: Running 'bwrap --args 33 -- firefox'
bwrap: Can't find source path /proc/self/fd/32: No such file or directory

Notice the 3 lines

F:     --bind-fd
F:     32
F:     /home/kfu/.mozilla

The command bwrap --help | grep -- --bind-fd tells me

--bind-fd FD DEST Bind open directory or path fd on DEST

I found the single occurrence of "--bind-fd" in the flatpak source tree in common/flatpak-context.c:flatpak_context_append_bwrap_filesystem(). The comment

/* Enable persistent mapping only if no access to real home dir */

led me to the --filesystem flag of the run command, and running

flatpak run --filesystem=host org.mozilla.firefox

opens up a browser window. All my other browsers open fine too.

So the "fix" is to expose my home directory to the flatpak!

Edit: I upgraded to and did this on version 1.15.10

smcv commented 2 months ago

My kernel has unprivileged user namespaces disabled so I installed bubblewrap suid

Disabled in what way, exactly? There have been several mechanisms for disabling unprivileged creation of user namespaces, for example setting /proc/sys/user/max_user_namespaces to 0, or applying Debian's /proc/sys/kernel/unprivileged_userns_clone patch and setting the sysctl to 0.

I would not recommend this configuration, and increasingly many Flatpak apps cannot work as intended when run like this (notably, Chromium derivatives require unprivileged user namespaces, and so does Steam). I would not be surprised if Firefox and Firefox derivatives start requiring unprivileged user namespaces in future, for the same reason as Chromium (ability to create a new sandbox, to protect more-privileged parts of the browser like the UI and password manager from less-privileged parts like networking and web renderers).

I get the same result when I try to run librewolf, firefox, waterfox and mullvad browser

I suspect the common factor here is that these apps all use a persistent directory (the --persist option), which was affected by CVE-2024-42472.

I found the single occurrence of "--bind-fd" in the flatpak source tree

This is the solution for CVE-2024-42472. If someone (maybe you) can propose a way to make the setuid-root-bubblewrap code path work without reintroducing CVE-2024-42472, we'd consider a PR.

Unfortunately, it is not always possible to make Flatpak work as intended on every possible system configuration without compromising security.

so the "fix" is to expose my home directory to the flatpak

That is one possible workaround, yes.

Reverting 6bd603f6, so that the --bind-fd option is not used, would be less drastic. That partially re-introduces CVE-2024-42472 (it introduces a time-of-check/time-of-use race condition that could potentially be exploited by a malicious or compromised app), so we will not apply that change upstream, but it's a less bad workaround than sharing your whole home directory with the Flatpak app.
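As an added example (not Flatpak's or bubblewrap's own code) of the point smcv makes about 6bd603f6: checking a --persist directory and then binding it by path leaves a time-of-check/time-of-use window in which the directory can be swapped for a symlink, while binding the already-checked file descriptor (what bwrap --bind-fd consumes) pins the inode that was checked. Helper names are hypothetical and the directories are constructed in a temp dir.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Safe pattern (what --bind-fd enables): open the directory itself, refusing
 * to follow a final symlink, verify the object we actually opened, and hand
 * back the fd. The mount later uses this fd, so the path is never re-resolved. */
static int open_checked_dir(const char *path, uid_t expected_uid)
{
    struct stat st;
    int fd = open(path, O_PATH | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0 || !S_ISDIR(st.st_mode) || st.st_uid != expected_uid) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Racy pattern (plain --bind with a path): the same checks, but nothing
 * pins the inode that was checked; the mount re-resolves the path later. */
static int check_dir_by_path(const char *path, uid_t expected_uid)
{
    struct stat st;
    if (lstat(path, &st) != 0 || !S_ISDIR(st.st_mode) || st.st_uid != expected_uid)
        return -1;
    return 0;
}

static int same_inode(const struct stat *a, const struct stat *b)
{ return a->st_dev == b->st_dev && a->st_ino == b->st_ino; }

struct race_result {
    int fd_pinned;        /* 1: fstat(fd) still names the directory we checked */
    int path_redirected;  /* 1: stat(path) now names a different directory */
};

/* Constructed scenario: check a directory both ways, then swap it for a
 * symlink to another directory before "time of use" and compare what each
 * resolution method would have mounted. Returns 0, or -1 on setup failure. */
static int demo_swap(struct race_result *out)
{
    char base[] = "/tmp/bindfd-demo-XXXXXX";
    char legit[64], moved[64], other[64];
    struct stat checked, via_fd, via_path;
    uid_t me = getuid();
    int fd;
    if (mkdtemp(base) == NULL)
        return -1;
    snprintf(legit, sizeof legit, "%s/persist", base);   /* the --persist dir */
    snprintf(moved, sizeof moved, "%s/persist.old", base);
    snprintf(other, sizeof other, "%s/elsewhere", base); /* symlink target */
    if (mkdir(legit, 0700) != 0 || mkdir(other, 0700) != 0)
        return -1;

    /* Time of check: both methods accept the directory. */
    fd = open_checked_dir(legit, me);
    if (fd < 0 || check_dir_by_path(legit, me) != 0 || fstat(fd, &checked) != 0)
        return -1;

    /* Between check and use, the directory is replaced by a symlink. */
    if (rename(legit, moved) != 0 || symlink(other, legit) != 0)
        return -1;

    /* Time of use: the fd still refers to the checked inode, the path does not. */
    if (fstat(fd, &via_fd) != 0 || stat(legit, &via_path) != 0)
        return -1;
    out->fd_pinned = same_inode(&via_fd, &checked);
    out->path_redirected = !same_inode(&via_path, &checked);

    close(fd);
    unlink(legit);
    rmdir(moved);
    rmdir(other);
    rmdir(base);
    return 0;
}

static int fd_stays_pinned(void)
{
    struct race_result r;
    return demo_swap(&r) == 0 ? r.fd_pinned : -1;
}

static int path_gets_redirected(void)
{
    struct race_result r;
    return demo_swap(&r) == 0 ? r.path_redirected : -1;
}

int main(void)
{
    printf("fd still points at checked dir: %d\n", fd_stays_pinned());
    printf("path now points elsewhere:      %d\n", path_gets_redirected());
    return 0;
}
```

When the checked fd is handed to another process, as Flatpak hands it to bwrap, the receiver reaches the pinned directory through /proc/self/fd/N, which is exactly the lookup that fails in the setuid-bubblewrap log above.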