subgraph / subgraph-os-issues

Subgraph OS issues repository

Using Flatpak with Subgraph #347

Closed ghost closed 6 years ago

ghost commented 6 years ago

Good night,

I've recently tried installing Gimp and Krita through Flatpak, as through it I can get access to their latest release. Both of them launch, but Krita gets terminated before the welcome screen vanishes.

Aug 06 15:44:28 subgraph kernel: grsec: denied RWX mprotect of <anonymous mapping> by /newroot/app/bin/krita[krita:25365] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/bwrap[bwrap:25363] uid/euid:1000/1000 gid/egid:1000/1000

I've tried adding a paxrat conf file for it under /etc/paxrat/conf.d like so:

{
  "/newroot/app/bin/krita": {
    "flags": "m"
  }
}

It seems, though, that /newroot is created when the sandbox is launched, so it fails to assign the flag to it:

> sudo paxrat -x | string match -ae wine-preloader
[sudo] password for user:
2018/08/06 15:53:05 Reading config from: /etc/paxrat/conf.d/wine-preloader-1_7_46.conf
2018/08/06 15:53:05 Reading config from: /etc/paxrat/conf.d/wine-preloader-2_1.conf
2018/08/06 15:53:05 Reading config from: /etc/paxrat/conf.d/wine-preloader-3_4.conf
2018/08/06 15:53:06 Setting 'm' PaX flags via xattr on /home/user/.PlayOnLinux/wine/linux-x86/2.10/bin/wine-preloader
2018/08/06 15:53:08 Setting 'm' PaX flags via xattr on /home/user/.PlayOnLinux/wine/linux-x86/1.7.46-staging/bin/wine-preloader
2018/08/06 15:53:08 Setting 'm' PaX flags via xattr on /home/user/.PlayOnLinux/wine/linux-x86/3.4/bin/wine-preloader
> sudo paxrat -x | string match -ae krita
2018/08/06 15:53:17 Reading config from: /etc/paxrat/conf.d/krita.conf

How to proceed?

matthewruffell commented 6 years ago

/newroot is a directory mapping that is made inside of flatpak, and it does not exist outside of the sandbox. What you need to do is set the pax flags on the binary itself, in the flatpak lib dir.

I don't run Subgraph, but on Dapper Linux, flatpak stores all runtimes and applications inside the /var/lib/flatpak directory. On my system, the Krita binary lives here: /var/lib/flatpak/app/org.kde.krita/current/active/files/bin/krita

You can quickly test with setfattr / getfattr, but paxrat works as well. In the "bin" directory where the krita binary lives:

$ sudo setfattr -n user.pax.flags -v em krita

and then looking at the flags:

$ getfattr -n user.pax.flags krita
# file: krita
user.pax.flags="em"

And krita works as expected when you launch it.

Do the same on other programs you want to work. I have scripts to handle all of this stuff in my GitHub repos; do take a look.
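
An added example, not part of the thread or of either project's code: it turns a grsec denial like the one quoted in the question into a paxrat conf.d entry keyed on the host path the answer describes, so the flag is scoped to that one binary. The app ID is supplied by the caller; the `/newroot/app` to `files/` mapping and the `/var/lib/flatpak` root are taken from the answer's Dapper Linux path and are assumptions on other systems.

```python
import json
import re
from pathlib import PurePosixPath

# Denial format as quoted in the issue: "... by <path>[<comm>:<pid>] uid/euid:..."
DENIAL = re.compile(
    r"grsec: denied RWX mprotect of .+? by (?P<path>/.+?)"
    r"\[(?P<comm>[^\]:]+):(?P<pid>\d+)\] uid/euid:"
)
SANDBOX_APP = PurePosixPath("/newroot/app")  # sandbox-only view of the app files


def denied_binary(log_line):
    """Return the executable path named in an RWX mprotect denial, or None."""
    m = DENIAL.search(log_line)
    return m.group("path") if m else None


def host_path(sandbox_path, app_id, install_root="/var/lib/flatpak"):
    """Map /newroot/app/... to the on-disk file that can carry the xattr.

    Returns None for anything outside /newroot/app (for example runtime
    files) or containing "..", which this example does not try to resolve.
    """
    try:
        rel = PurePosixPath(sandbox_path).relative_to(SANDBOX_APP)
    except ValueError:
        return None
    if ".." in rel.parts:
        return None
    return str(PurePosixPath(install_root, "app", app_id,
                             "current", "active", "files", rel))


def paxrat_conf(log_line, app_id, flags="m"):
    """Build a conf.d JSON document in the question's format, or None."""
    sandbox = denied_binary(log_line)
    target = host_path(sandbox, app_id) if sandbox else None
    if target is None:
        return None
    return json.dumps({target: {"flags": flags}}, indent=2)


# Constructed sample input: the denial line quoted in the issue.
SAMPLE = ("Aug 06 15:44:28 subgraph kernel: grsec: denied RWX mprotect of "
          "<anonymous mapping> by /newroot/app/bin/krita[krita:25365] "
          "uid/euid:1000/1000 gid/egid:1000/1000, parent "
          "/usr/bin/bwrap[bwrap:25363] uid/euid:1000/1000 gid/egid:1000/1000")

if __name__ == "__main__":
    print(paxrat_conf(SAMPLE, "org.kde.krita"))
```

After paxrat applies the entry, `getfattr -n user.pax.flags` on the host path confirms what was set.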

ghost commented 6 years ago

That's correct!