PHPStorm crashes when opening a project

Bug #2056627 reported by Christoph Reiter
This bug affects 2 people
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| apparmor (Ubuntu) | Confirmed | Undecided | Unassigned | |

Bug Description

Filing mostly in case anyone else hits this and is looking for workarounds:

Since the update to 24.04, PHPStorm crashes on open for me. I think it is when it tries to preview a markdown file, like a README.md, which is shown when opening a project.

```
[0309/094602.913394:FATAL:setuid_sandbox_host.cc(158)] The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. You need to make sure that /home/user/bin/phpstorm/jbr/lib/chrome-sandbox is owned by root and has mode 4755.
```

Workaround 1 (won't persist across reboots, needs root):

```
sudo sysctl -w kernel.apparmor_restrict_unprivileged_unconfined=0
sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0
```

Workaround 2 (persists and doesn't need root):

thanks to https://youtrack.jetbrains.com/issue/IDEA-313202/IDE-crashes-due-to-chrome-sandbox-is-owned-by-root-and-has-mode-error-when-IDE-is-launching-the-JCEF-in-a-sandbox#focus=Comments-27-7059083.0-0

* Run `<path-to-phpstorm>/bin/phpstorm.sh dontReopenProjects` (to avoid it crashing on start)
* ctrl+shift+a
* type "Registry..." and select it
* disable the "ide.browser.jcef.sandbox.enable" option
* Restart phpstorm

Christoph Reiter (lazka)
description: updated
Tom Chiverton (bugs-launchpad-net-falkensweb) wrote :

Also occurs with https://lmstudio.ai/ which is also AppImage based.

I think the feature is broken in general?

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in apparmor (Ubuntu):
status: New → Confirmed
Seth Arnold (seth-arnold) wrote :

The unfortunate thing with AppImage is that there's no easy default path that can be confined as can be done for other systems. So you'll need to construct an AppArmor profile for your applications following the instructions at https://discourse.ubuntu.com/t/noble-numbat-release-notes/39890#unprivileged-user-namespace-restrictions-15

Thanks

John Johansen (jjohansen) wrote :

It's not just that app images don't have a default path, we can handle that as well. It is that user namespaces have become a privileged operation, and the user must take some privileged action to allow applications to use them.

That can be any of
- moving the application into a well known privileged location that has a profile already associated with it.
- creating a profile for the application where it is installed in their unprivileged location. This is currently allowed but problematic in that unprivileged code could potentially write to it and we are not currently restricting unprivileged applications from writing these locations. But that will come.
- tagging the application with the correct security label.

The important part is the user must take a privileged action to allow applications that are using user namespaces to gain privilege. Note, applications that use user namespaces that don't require privilege are allowed, it's only applications that require privilege within the user namespace.

Unfortunately appimages that use user namespaces need the user to take one of the above privileged actions. And unfortunately Ubuntu can not "fix" this without disabling the protection. There are plans to improve the user experience and make this easier for users to do, but atm it is a manual process.

The instructions provided by Seth will enable you to get the appimage running.
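
One way to take the second option listed above (a profile for the application at its installed location) while leaving the user-namespace restriction enabled for everything else, as an added example that is not from this bug thread or the AppArmor project. The profile name and executable path are placeholders supplied by the caller (which binary needs the profile is an assumption to verify per application), and the profile body follows the form of the unconfined `userns` profiles shipped in Ubuntu 24.04.

```shell
#!/bin/sh
# Added example: emit a per-application AppArmor profile that allows user
# namespaces for one executable, in the Ubuntu 24.04 (AppArmor 4.0) form.

# gen_userns_profile NAME ABS_PATH -> profile text on stdout, 2 on bad input
gen_userns_profile() {
    name=$1 exe=$2
    # The name becomes a file name and an include path: keep it plain.
    case $name in
        ''|*[!A-Za-z0-9_.-]*) echo "bad profile name: $name" >&2; return 2 ;;
    esac
    # Attach to exactly one absolute path; a glob would label more binaries.
    case $exe in
        *'*'*|*'?'*|*'['*|*'{'*|*' '*|*'"'*)
            echo "no globs, spaces or quotes in path: $exe" >&2; return 2 ;;
        /*) ;;
        *) echo "path must be absolute: $exe" >&2; return 2 ;;
    esac
    cat <<EOF
abi <abi/4.0>,
include <tunables/global>

profile $name $exe flags=(unconfined) {
  userns,

  include if exists <local/$name>
}
EOF
}

# path_user_writable ABS_PATH -> 0 if the invoking non-root user can replace
# the executable, i.e. the profile would label a file unprivileged code controls.
path_user_writable() {
    [ "$(id -u)" -ne 0 ] && { [ -w "$1" ] || [ -w "$(dirname "$1")" ]; }
}

# Usage: sh script.sh NAME /abs/path > NAME.profile, then as root copy it to
# /etc/apparmor.d/NAME and load it with: apparmor_parser -r /etc/apparmor.d/NAME
if [ "$#" -eq 2 ]; then
    gen_userns_profile "$1" "$2" || exit 2
    if path_user_writable "$2"; then
        echo "warning: $2 is writable by $(id -un)" >&2
    fi
fi
```

The writability warning corresponds to the caveat in the comment above: a profile attached to a file in an unprivileged location grants the `userns` permission to whatever that file is later replaced with.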
