zypak-wrapper with a custom CEF binary

[nmlynch94]

We are trying to get zypak-wrapper working with the CEF build using the ungoogled patch set referenced in #34. Your fix works for the standard CEF binaries provided by Google, but not that build.

I know you mentioned you are on an arm64 host and cannot test with that build, but I was wondering if you have any hunches as to what could cause a custom CEF build to break zypak-wrapper's functionality so we can dig into it.

Would appreciate any leads you have.

[Adamcake]

[0729/023942.779632:FATAL:setuid_sandbox_host.cc(158)] The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. You need to make sure that /app/opt/bolt-launcher/chrome-sandbox is owned by root and has mode 4755.

What's interesting is the error claims that it comes from here: https://github.com/chromium/chromium/blob/main/sandbox/linux/suid/client/setuid_sandbox_host.cc#L156-L162, but as far as I can tell this check should never ever pass, not even for the official Chromium builds. The chrome-sandbox has st_mode 0100755 (i.e. totally normal executable file, no setuid) and is not owned by root. So I don't understand why this error isn't getting hit with official builds. Is Zypak doing anything that would affect this? Maybe causing the check to get run when it otherwise wouldn't, or messing with CEF's interpretation of its mode and access permissions, anything like that at all?

PS: I know this is quite a vague issue description, sorry, but it does seem like Zypak is at least tangentially related..

[Adamcake]

In the end, we solved this by applying the patches from org.chromium.Chromium to our custom CEF build, in order to create a special target for flatpak to use, which removes the need for zypak. I'm assuming this is just a more direct version of the same solution? If anyone else finds themselves in the same situation then I'd recommend they do the same.

Anyway, I think we're done pestering you for now, feel free to close this.

[refi64]

(sorry for the delayed reply)

but as far as I can tell this check should never ever pass, not even for the official Chromium builds. The chrome-sandbox has st_mode 0100755 (i.e. totally normal executable file, no setuid) and is not owned by root. So I don't understand why this error isn't getting hit with official builds. Is Zypak doing anything that would affect this?

Indeed it is, it works by mimicking the setuid sandbox.

Honestly I am...not sure what about a custom build would affect this? I tried looking through the patch list for anything that might affect this but didn't find any. Is this being built against the normal Chromium sysroots?

In the end, we solved this by applying the patches from org.chromium.Chromium to our custom CEF build, in order to create a special target for flatpak to use, which removes the need for zypak.

That...probably does make more sense, actually. You should only need the first one; the others affect more Chromium-/building-in-a-Flatpak-specific things.

[Adamcake]

Is this being built against the normal Chromium sysroots?

I made my builds with use_sysroot=false in the GN_ARGS. My understanding is that use_sysroot would download a sysroot with dependency binaries in it and build against that instead of my host filesystem, so I set it to false. Is that the key difference here?

[Adamcake]

Since making this change, a couple of users have claimed they haven't been able to use my application via flatpak. One such case is using Debian on a chromebook, and gets this error: Your Flatpak installation is setuid, which is not supported https://github.com/flathub/org.chromium.Chromium/blob/master/patches/chromium/flatpak-Add-initial-sandbox-support.patch#L788 This appears to happen if the flatpak sandbox is set to "expose pids", but I can't find any info on what exactly causes this condition and what I or the user could do about it, nor really what it even means for a flatpak installation to "be setuid".

So as per usual, any insight would be greatly appreciated.

[refi64]

ohhhh that :sweat_smile: so in Chromium we have an intermediate launcher that has a guide on how to fix that. Really I should just throw that up on a web page (on the Chromium Flatpak wiki?) and link to it from the error message.