Desktop: Resolves #10332: Ubuntu 24.04: Work around unprivileged user namespace restrictions by adding the --no-sandbox flag to the launcher #10338

@personalizedrefrigerator personalizedrefrigerator commented Apr 19, 2024

Summary

This pull request extends the unprivileged user namespace restriction workaround to Ubuntu 24.04. Previously, it was only enabled for Ubuntu 23.10.

Resolves #10332.

Testing plan

To test this change, in a bash shell, I've run:

print() {
    echo -e "$@"
}

DISTVER=$(lsb_release -is) && DISTVER=$DISTVER$(lsb_release -rs)
DISTCODENAME=$(lsb_release -cs)
DISTMAJOR=$(lsb_release -rs|cut -d. -f1)

sandbox_logic() {
  SANDBOXPARAM=""
  #--------------------------------------------------------
  # This is the modified version of the --no-sandbox logic
  #________________________________________________________
  echo " DISTVER: $DISTVER"
  echo " DISTCODENAME: $DISTCODENAME"
  echo " DISTMAJOR: $DISTMAJOR"

  #-----------------------------------------------------
  # Check for "The SUID sandbox helper binary was found, but is not configured correctly" problem.
  # It is present in Debian 1X. A (temporary) patch will be applied at .desktop file
  # Linux Mint 4 Debbie is based on Debian 10 and requires the same param handling.
  #
  # TODO: Remove: This is likely no longer an issue. See https://issues.chromium.org/issues/40462640.
  BAD_HELPER_BINARY=false
  if [[ $DISTVER =~ Debian1. || ( "$DISTVER" = "Linuxmint4" && "$DISTCODENAME" = "debbie" ) || ( "$DISTVER" = "CentOS" && "$DISTMAJOR" =~ 6|7 ) ]]; then
    BAD_HELPER_BINARY=true
  fi

  # Work around Ubuntu 23.10+'s restrictions on unprivileged user namespaces. Electron
  # uses these to sandbox processes. Unfortunately, it doesn't look like we can get around this
  # without writing the AppImage to a non-user-writable location (without invalidating other security
  # controls). See https://discourse.joplinapp.org/t/possible-future-requirement-for-no-sandbox-flag-for-ubuntu-23-10/.
  HAS_USERNS_RESTRICTIONS=false
  if [[ "$DISTVER" =~ ^Ubuntu && $DISTMAJOR -ge 23 ]]; then
    HAS_USERNS_RESTRICTIONS=true
  fi

  if [[ $HAS_USERNS_RESTRICTIONS = true || $BAD_HELPER_BINARY = true ]]; then
    SANDBOXPARAM="--no-sandbox"
    print "${COLOR_YELLOW}WARNING${COLOR_RESET} Electron sandboxing disabled."
    print "    See https://discourse.joplinapp.org/t/32160/5 for details."
  fi

  #--------------------------------------------------------
  # End modified version of the --no-sandbox logic
  #________________________________________________________

  echo " Sandbox: $SANDBOXPARAM"
  echo ""
}


echo "Output for current OS"
sandbox_logic

echo "Output for Ubuntu 24.04"
DISTVER="Ubuntu24.04"
DISTCODENAME=noble
DISTMAJOR=$(echo "24.04"|cut -d. -f1)
sandbox_logic

echo "Output for Ubuntu 22.04"
DISTVER="Ubuntu22.04"
DISTCODENAME=jammy
DISTMAJOR=$(echo "22.04"|cut -d. -f1)
sandbox_logic

echo "Output for Linuxmint4"
DISTVER="Linuxmint4"
DISTCODENAME=debbie
DISTMAJOR=4
sandbox_logic

echo "Output for some other OS"
DISTVER="Some OS"
DISTCODENAME=osnamehere
DISTMAJOR=1234
sandbox_logic

Test output

Output for current OS
 DISTVER: Ubuntu23.10
 DISTCODENAME: mantic
 DISTMAJOR: 23
WARNING Electron sandboxing disabled.
    See https://discourse.joplinapp.org/t/32160/5 for details.
 Sandbox: --no-sandbox

Output for Ubuntu 24.04
 DISTVER: Ubuntu24.04
 DISTCODENAME: noble
 DISTMAJOR: 24
WARNING Electron sandboxing disabled.
    See https://discourse.joplinapp.org/t/32160/5 for details.
 Sandbox: --no-sandbox

Output for Ubuntu 22.04
 DISTVER: Ubuntu22.04
 DISTCODENAME: jammy
 DISTMAJOR: 22
 Sandbox: 

Output for Linuxmint4
 DISTVER: Linuxmint4
 DISTCODENAME: debbie
 DISTMAJOR: 4
WARNING Electron sandboxing disabled.
    See https://discourse.joplinapp.org/t/32160/5 for details.
 Sandbox: --no-sandbox

Output for some other OS
 DISTVER: Some OS
 DISTCODENAME: osnamehere
 DISTMAJOR: 1234
 Sandbox: 

Notes

Comment on lines +211 to +215
# TODO: Remove: This is likely no longer an issue. See https://issues.chromium.org/issues/40462640.
BAD_HELPER_BINARY=false
if [[ $DISTVER =~ Debian1. || ( "$DISTVER" = "Linuxmint4" && "$DISTCODENAME" = "debbie" ) || ( "$DISTVER" = "CentOS" && "$DISTMAJOR" =~ 6|7 ) ]]; then
BAD_HELPER_BINARY=true
fi
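
Review bot: On the `if [[ ... ]]` line, the CentOS branch looks both unreachable and over-broad. In the test script above `DISTVER` is `lsb_release -is` followed by `lsb_release -rs`, so `"$DISTVER" = "CentOS"` can only hold when the release string is empty, and `"$DISTMAJOR" =~ 6|7` is unanchored, so it also matches majors such as 16 or 27. `Debian1.` is unanchored in the same way. A match here ends in `--no-sandbox`, so over-matching fails toward the less safe state; if the block stays until the follow-up removal, consider `"$DISTVER" =~ ^CentOS` with `"$DISTMAJOR" =~ ^(6|7)$`, and `^Debian1[0-9]` for the Debian case.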

I've left this logic for now. The suid helper binary seems to no longer be used/usable, but I think it makes more sense to remove this in a separate pull request, should this or the other pull request need to be reverted.

@laurent22 laurent22 merged commit 7fe98e9 into laurent22:dev Apr 20, 2024
10 checks passed
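
An added example, not part of the pull request or Joplin's launcher: the check above keys on the distribution version, whereas the restriction itself is exposed through kernel sysctls, so a launcher can read those and add `--no-sandbox` only when unprivileged user namespaces are actually restricted. `PROC_ROOT`, `read_sysctl`, `userns_restricted` and `sandbox_param` are hypothetical names, the sample sysctl trees are constructed, and the sketch assumes no AppArmor profile grants the application `userns`.

```shell
# Added example, not Joplin's launcher code. PROC_ROOT is a hypothetical
# override (default /proc) so the checks can run against constructed files.

# Print a sysctl's value if the file is readable and holds a plain integer.
read_sysctl() {
  _path="${PROC_ROOT:-/proc}/sys/$1"
  [ -r "$_path" ] || return 1
  read -r _value < "$_path" || [ -n "$_value" ] || return 1
  case "$_value" in ''|*[!0-9]*) return 1 ;; esac
  printf '%s' "$_value"
}

# Succeed when a kernel control restricts unprivileged user namespaces.
# Missing or malformed files count as "not restricted", so the sandbox stays on.
userns_restricted() {
  # Ubuntu AppArmor control: 1 = unprivileged userns restricted for unconfined programs.
  _v=$(read_sysctl kernel/apparmor_restrict_unprivileged_userns) && [ "$_v" -eq 1 ] && return 0
  # Debian-derived kernels: 0 = unprivileged CLONE_NEWUSER is disabled.
  _v=$(read_sysctl kernel/unprivileged_userns_clone) && [ "$_v" -eq 0 ] && return 0
  # Upstream limit: 0 = no user namespaces can be created at all.
  _v=$(read_sysctl user/max_user_namespaces) && [ "$_v" -eq 0 ] && return 0
  return 1
}

# Emit the launcher flag only when the sandbox cannot work.
sandbox_param() {
  if userns_restricted; then printf '%s' "--no-sandbox"; fi
}

# Constructed sysctl trees standing in for two hosts (sample data).
demo_root=$(mktemp -d)
mkdir -p "$demo_root/restricted/sys/kernel" "$demo_root/open/sys/kernel"
echo 1 > "$demo_root/restricted/sys/kernel/apparmor_restrict_unprivileged_userns"
echo 0 > "$demo_root/open/sys/kernel/apparmor_restrict_unprivileged_userns"
for host in restricted open; do
  PROC_ROOT="$demo_root/$host"
  echo "$host: Sandbox: $(sandbox_param)"
done
rm -rf "$demo_root"
unset PROC_ROOT
```

A host where none of the three files is present or parseable keeps the sandbox enabled, which is the fail-safe direction for a launcher.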
Development

Successfully merging this pull request may close these issues.

Joplin does not work in Ubuntu 24.04 due to apparmor issue