Open Naimado68 opened 7 months ago
According to your screenshot all files are owned by root:root
But your current user seems to be produser
So if you run chown -R produser:produser Tele..../Nextcloud.Talk-linux…
it should work correctly
I tried it, but encountered another issue stating that the 'chrome-sandbox' needs to be owned by root and have mode 4755. Even after adjusting the ownership and permissions accordingly, I faced the same problem as before.
$ ls -la
insgesamt 220272
drwx------ 4 nickv nickv 4096 Mär 26 16:43 .
drwxr-xr-x 38 nickv nickv 4096 Mär 27 17:21 ..
-rw-r--r-- 1 nickv nickv 154821 Mär 26 16:43 chrome_100_percent.pak
-rw-r--r-- 1 nickv nickv 236588 Mär 26 16:43 chrome_200_percent.pak
-rwxr-xr-x 1 nickv nickv 1259424 Mär 26 16:43 chrome_crashpad_handler
-rwxr-xr-x 1 nickv nickv 54248 Mär 26 16:43 chrome-sandbox
-rw-r--r-- 1 nickv nickv 10717680 Mär 26 16:43 icudtl.dat
-rwxr-xr-x 1 nickv nickv 252016 Mär 26 16:43 libEGL.so
-rwxr-xr-x 1 nickv nickv 2868792 Mär 26 16:43 libffmpeg.so
-rwxr-xr-x 1 nickv nickv 6461688 Mär 26 16:43 libGLESv2.so
-rwxr-xr-x 1 nickv nickv 4225360 Mär 26 16:43 libvk_swiftshader.so
-rwxr-xr-x 1 nickv nickv 7524712 Mär 26 16:43 libvulkan.so.1
-rw-r--r-- 1 nickv nickv 1096 Mär 26 16:43 LICENSE
-rw-r--r-- 1 nickv nickv 9242625 Mär 26 16:43 LICENSES.chromium.html
drwxrwxr-x 2 nickv nickv 4096 Mär 26 16:43 locales
-rwxr-xr-x 1 nickv nickv 176032352 Mär 26 16:43 'Nextcloud Talk'
drwxrwxr-x 3 nickv nickv 4096 Mär 26 16:43 resources
-rw-r--r-- 1 nickv nickv 5481614 Mär 26 16:43 resources.pak
-rw-r--r-- 1 nickv nickv 306214 Mär 26 16:43 snapshot_blob.bin
-rw-r--r-- 1 nickv nickv 679161 Mär 26 16:43 v8_context_snapshot.bin
-rw-r--r-- 1 nickv nickv 6 Mär 26 16:43 version
-rw-r--r-- 1 nickv nickv 107 Mär 26 16:43 vk_swiftshader_icd.json
Works pretty fine here, without being root.
That being said, on your screenshot chrome-sandbox does not have execute permission for the user
I have the same problem.
The issue there is when Nextcloud is trying to use zygote_host_impl_linux.cc (library of chrome) but it's not available due to permission, so that's why it works in root but not in a regular user.
Do we have to change the permission of that file? If so, where is this file supposed to be located if it's not static linked?
Our workaround there is simply to use --no-zygote and --no-sandbox, which is not optimal.
Got the same problem after updating my working two test VMs to the new Ubuntu 24.04 LTS, currently in beta (no other changes).
It seems to be related to the apparmor audit, here's the related dmesg log output:
[ 294.686381] audit: type=1400 audit(1713765370.207:221): apparmor="AUDIT" operation="userns_create" class="namespace" info="Userns create - transitioning profile" profile="unconfined" pid=6251 comm=4E657874636C6F75642054616C6B requested="userns_create" target="unprivileged_userns"
[ 294.686638] audit: type=1400 audit(1713765370.209:222): apparmor="DENIED" operation="capable" class="cap" profile="unprivileged_userns" pid=6253 comm=4E657874636C6F75642054616C6B capability=21 capname="sys_admin"
[ 294.690438] traps: Nextcloud Talk[6251] trap int3 ip:5b974cbbf0fa sp:7fff37b8dbe0 error:0 in Nextcloud Talk[5b9748f9b000+8168000]
Trouble ahead...
The --no-zygote and --no-sandbox workaround works too.
EDIT: Seems to be related to this (Ubuntu) upstream issue: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2046844
Unfortunately, we are still unable to reproduce the issue (but we haven't tried Ubuntu 24 yet).
However, I have found some mentions of the error, and it seems it also happens with clean Chromium on some setups. So it could be a chromium compatibility issue in some environments.
The --no-zygote and --no-sandbox workaround works too.
We won't get rid of the sandbox mode because of security concerns. This is not a solution.
The solution is to add an AppArmor profile. Ubuntu 24.04 comes with a lot of new profiles for applications that need the unprivileged_userns capability, there is even one for other Electron applications like Signal-Desktop.
It's time to add a flatpak installer / RPM|DEB package for Nextcloud Talk Desktop with a proper installation location and AppArmor profile. Here's my working profile:
# This profile allows everything and only exists to give the
# application a name instead of having the label "unconfined"
abi <abi/4.0>,
include <tunables/global>

profile nextcloud-talk-desktop "/opt/Nextcloud Talk-linux-x64/Nextcloud Talk" flags=(unconfined) {
  userns,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/nextcloud-talk-desktop>
}
I've installed it to /opt/ and chowned it to root and chmodded the chrome-sandbox to 4755 too.
Another temporary solution can be:
sudo chown root chrome-sandbox
sudo chmod 4755 chrome-sandbox
So if the file is owned by root and has 4755 permissions it works.
I too was having the same issue on my Ubuntu 24.04 system. I tried to change the ownership of chrome-sandbox and it did not help. It also caused another one of the programs I use to stop working (Logos10 Bible software). I had to do a timeshift back so I could get back into Logos because I need it today and Talk is just something I would like to have.
I am glad you are doing it. And by the way, I have this on my Debian 12 based T100 and it works great. I will definitely try to get it to work again.
You need to change owner and the permissions (in the right order)
I run into this same issue, I tried @nickvergessen's suggestion but that doesn't seem to work:
fuseteam@tuxecure ~/D/Nextcloud Talk-linux-x64 [SIGTRAP]> sudo chown root chrome-sandbox
[sudo] password for fuseteam:
fuseteam@tuxecure ~/D/Nextcloud Talk-linux-x64> sudo chmod 4755 chrome-sandbox
fuseteam@tuxecure ~/D/Nextcloud Talk-linux-x64> ./Nextcloud\ Talk
LaunchProcess: failed to execvp:
/home/fuseteam/Downloads/Nextcloud
[7902:0806/074815.199186:FATAL:zygote_host_impl_linux.cc(201)] Check failed: . : Invalid argument (22)
fish: Job 1, './Nextcloud\ Talk' terminated by signal SIGTRAP (Trace or breakpoint trap)
fuseteam@tuxecure ~/D/Nextcloud Talk-linux-x64 [SIGTRAP]>
hmmm granted my original error message is
[7518:0806/074747.944183:FATAL:setuid_sandbox_host.cc(158)] The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. You need to make sure that /home/fuseteam/Downloads/Nextcloud Talk-linux-x64/chrome-sandbox is owned by root and has mode 4755.
fish: Job 1, './Nextcloud\ Talk' terminated by signal SIGTRAP (Trace or breakpoint trap)
hmm this seems to be an issue with electron v5 https://github.com/electron/electron/issues/17972
this allows it to launch for me now: sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0
even without the chown and chmod
Seems to be an actual apparmor restriction on Ubuntu 24.04
looks like electron is looking into how to fix it: https://github.com/electron-userland/electron-builder/issues/8635
looks like electron is looking into how to fix it: electron-userland/electron-builder#8635
We don't use electron-builder
oh, tho i guess their template could be used to create our own apparmor profile. not that i have managed to get it working, but i suspect that's on my configuration
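The thread names two independent prerequisites for the Chromium sandbox: a `chrome-sandbox` helper owned by root with mode 4755, and the `kernel.apparmor_restrict_unprivileged_userns` sysctl. The following is an added example, not code from the thread or the project, that reports the state of both for an unpacked app directory; the function names are illustrative, and the nosuid mount check goes beyond what the thread mentions.

```python
import os
import stat

# sysctl kernel.apparmor_restrict_unprivileged_userns, as its /proc path
USERNS_KNOB = "/proc/sys/kernel/apparmor_restrict_unprivileged_userns"


def helper_problems(path):
    """List why the SUID helper fails the 'owned by root, mode 4755' check."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    problems = []
    if st.st_uid != 0:
        problems.append("owner uid %d, expected 0 (root)" % st.st_uid)
    if mode != 0o4755:
        # On Linux chown clears the setuid bit, so chmod 4755 must come after it
        problems.append("mode %o, expected 4755" % mode)
    if os.statvfs(path).f_flag & os.ST_NOSUID:
        # Beyond the thread: setuid bits are ignored on nosuid mounts
        problems.append("filesystem is mounted nosuid")
    return problems


def userns_restricted(knob=USERNS_KNOB):
    """True/False from the sysctl; None when the kernel has no such knob."""
    try:
        with open(knob) as fh:
            return fh.read().strip() == "1"
    except OSError:
        return None


def report(app_dir, knob=USERNS_KNOB):
    """Summarise both sandbox prerequisites for an unpacked app directory."""
    out = []
    problems = helper_problems(os.path.join(app_dir, "chrome-sandbox"))
    out.append("setuid helper: " + ("ok" if not problems else "; ".join(problems)))
    state = {True: "restricted by AppArmor (profile with 'userns,' needed)",
             False: "allowed",
             None: "no AppArmor userns sysctl on this kernel"}
    out.append("unprivileged userns: " + state[userns_restricted(knob)])
    return out


if __name__ == "__main__":
    import sys
    print("\n".join(report(sys.argv[1] if len(sys.argv) > 1 else ".")))
```
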
🚧 Temporary workaround
After unpacking the files run the following 2 commands:
Steps to reproduce
Expected behaviour
Launch Nextcloud
Actual behaviour
but we can't use 'sudo'
Desktop client
Talk Desktop client version: v1.26.0
Operating system: Ubuntu
Operating system version: Ubuntu 20.02
Microphone available: yes/no
Camera available: yes/no
Server
Nextcloud version: (see status page: /status.php)
Talk app version: (see apps admin page: /index.php/settings/apps)
Custom Signaling server configured: yes/no and version (see additional admin settings: /index.php/index.php/settings/admin/talk#signaling_server)
Custom TURN server configured: yes/no (see additional admin settings: /index.php/settings/admin/talk#turn_server)
Custom STUN server configured: yes/no (see additional admin settings: /index.php/settings/admin/talk#stun_server)
Logs
Client log