FS#62985 - [bubblewrap] bubblewrap 0.3.3-2 won't open flatpak
Attached to Project:
Arch Linux
Opened by David (Marzal) - Sunday, 23 June 2019, 17:05 GMT
Last edited by Bartłomiej Piotrowski (Barthalion) - Monday, 24 June 2019, 07:32 GMT
Details
Description:
After updating to 0.3.3-2 no flatpak app is able to launch with kernel.unprivileged_userns_clone = 0

Steps to reproduce:
1. Run any flatpak app from a non-root terminal
   flatpak run com.discordapp.Discord
   flatpak run org.shotcut.Shotcut
   flatpak run org.kde.kdenlive
   flatpak run org.kde.okular
   ...

Result:
   bwrap: No permissions to creating new namespace, likely because the kernel does not allow non-privileged user namespaces. On e.g. debian this can be enabled with 'sysctl kernel.unprivileged_userns_clone=1'.

Which is a valid workaround.

This change seems to be the culprit:
https://git.archlinux.org/svntogit/packages.git/commit/trunk?h=packages/bubblewrap&id=bf828975d4cf5654af7fabe0452e323636191748

Not sure if this is the new preferred behavior. But I think unprivileged_userns_clone is disabled by default for security reasons.
https://wiki.archlinux.org/index.php/Security#Sandboxing_applications
Closed by Bartłomiej Piotrowski (Barthalion)
Monday, 24 June 2019, 07:32 GMT
Reason for closing: Duplicate
Additional comments about closing: FS#62990
You can see that bubblewrap is intended to be SUID by checking e.g. its README:
https://github.com/projectatomic/bubblewrap
> While significant progress has been made, there are still concerns about it, and it is not available to unprivileged users in several production distributions such as CentOS/Red Hat Enterprise Linux 7, Debian Jessie, etc.
> Bubblewrap could be viewed as setuid implementation of a subset of user namespaces.
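
The check below is an added example, not part of the report, the comments or the bubblewrap project. It classifies the situation this task describes: whether bwrap can get its namespaces through a setuid-root binary, through unprivileged user namespaces, or not at all. The function name, the result strings and the default path /usr/bin/bwrap are assumptions; the sysctl is the one named in the report.

```shell
#!/bin/sh
# Added example: classify how bwrap can obtain namespaces on this host.
# Usage: bwrap_mode [bwrap_path] [sysctl_file]
# Prints one of: setuid | userns | blocked | missing
bwrap_mode() {
    bin=${1:-/usr/bin/bwrap}    # assumed install path
    knob=${2:-/proc/sys/kernel/unprivileged_userns_clone}

    if [ ! -e "$bin" ]; then
        echo missing
        return 2
    fi

    # The setuid bit only grants privilege when the file is owned by root.
    # With it, bwrap does not depend on unprivileged user namespaces.
    if [ -u "$bin" ] && [ "$(stat -c %u "$bin")" -eq 0 ]; then
        echo setuid
        return 0
    fi

    # Without setuid, bwrap needs unprivileged user namespaces.
    # The knob comes from a distribution kernel patch; if the file is
    # absent, this check assumes the kernel does not restrict them this way.
    if [ -r "$knob" ]; then
        val=$(tr -d '[:space:]' < "$knob")
        if [ "$val" = "0" ]; then
            # The combination from this report: no setuid bit, userns disabled.
            echo blocked
            return 1
        fi
    fi

    echo userns
    return 0
}
```

Source the file and call `bwrap_mode` with no arguments to check the live system; `blocked` corresponds to the "No permissions to creating new namespace" error quoted in the report.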