Arch Linux

Please read this before reporting a bug:
https://wiki.archlinux.org/index.php/Reporting_Bug_Guidelines

Do NOT report bugs when a package is just outdated, or it is in Unsupported. Use the 'flag out of date' link on the package page, or the Mailing List.

REPEAT: Do NOT report bugs for outdated packages!
Tasklist

FS#62985 - [bubblewrap] bubblewrap 0.3.3-2 wont open flatpak

Attached to Project: Arch Linux
Opened by David (Marzal) - Sunday, 23 June 2019, 17:05 GMT
Last edited by Bartłomiej Piotrowski (Barthalion) - Monday, 24 June 2019, 07:32 GMT
Task Type Bug Report
Category Packages: Extra
Status Closed
Assigned To No-one
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 6
Private No

Details

Description:
After updating to 0.3.3-2 no flatpak app is able to launch with kernel.unprivileged_userns_clone = 0


Steps to reproduce:

1. Run any flatpak app from a non-root terminal
flatpak run com.discordapp.Discord
flatpak run org.shotcut.Shotcut
flatpak run org.kde.kdenlive
flatpak run org.kde.okular
...

Result:
bwrap: No permissions to creating new namespace, likely because the kernel does not allow non-privileged user namespaces. On e.g. debian this can be enabled with 'sysctl kernel.unprivileged_userns_clone=1'.

Which is a valid workaround

This change seems to be the culprit:
https://git.archlinux.org/svntogit/packages.git/commit/trunk?h=packages/bubblewrap&id=bf828975d4cf5654af7fabe0452e323636191748

Not sure if this is the new preferred behavior. But I think unprivileged_userns_clone is disabled by default for security reasons.
https://wiki.archlinux.org/index.php/Security#Sandboxing_applications
This task depends upon

Closed by  BartÅ‚omiej Piotrowski (Barthalion)
Monday, 24 June 2019, 07:32 GMT
Reason for closing:  Duplicate
Additional comments about closing:   FS#62990 
Comment by vasya (vasya) - Monday, 24 June 2019, 06:43 GMT
This is because the package changed to be non-SUID in the latest versions. It should, however, be SUID, and it was SUID in previous versions. Reversion of this change is required.

You can see that bubblewrap is intended to be SUID by checking e.g. it's README:

https://github.com/projectatomic/bubblewrap
> While significant progress has been made, there are still concerns about it, and it is not available to unprivileged users in several production distributions such as CentOS/Red Hat Enterprise Linux 7, Debian Jessie, etc.
> Bubblewrap could be viewed as setuid implementation of a subset of user namespaces.

Loading...