crash when trying an AppImage

Bug #2064873 reported by Marian N. Ion
This bug affects 1 person
Affects: linux (Ubuntu)
Status: Expired
Importance: Undecided
Assigned to: Unassigned
Milestone: (none)

Bug Description

Trying to run an AppImage (such as ungoogled-chromium_124.0.6367.91-1.AppImage from https://ungoogled-software.github.io/ungoogled-chromium-binaries/) will crash, with the following error message:

<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
[16771:16771:0505/192239.800083:FATAL:zygote_host_impl_linux.cc(126)] No usable sandbox! Update your kernel or see https://chromium.9oo91esource.qjz9zk/chromium/src/+/main/docs/linux/suid_sandbox_development.md for more information on developing with the SUID sandbox. If you want to live dangerously and need an immediate workaround, you can try using --no-sandbox.
Trace/breakpoint trap (core dumped)
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<

Some searches on the Internet (https://stackoverflow.com/questions/67138645/error-the-suid-sandbox-helper-binary-was-found-but-is-not-configured-correctly) say that one should use kernel.unprivileged_userns_clone=1; however, on kernel 6.8.0-31-generic there is no such parameter.

Tags: noble
Marian N. Ion (marian75014) wrote :

It also happens with other packages, like Molotov (from molotov.tv)

affects: gdebi (Ubuntu) → kernel-package (Ubuntu)
Paul White (paulw2u) wrote :

There is no 'kernel-package' in current Ubuntu releases so I'm moving this to 'linux'.

affects: kernel-package (Ubuntu) → linux (Ubuntu)
tags: added: noble
Juerg Haefliger (juergh) wrote :

Hm. I see that knob:

$ uname -r
6.8.0-31-generic
ubuntu@ubuntu-noble:~$ ls -1 /proc/sys/kernel/unprivileged_userns_*
/proc/sys/kernel/unprivileged_userns_apparmor_policy
/proc/sys/kernel/unprivileged_userns_clone

Have you checked dmesg for apparmor denials? You could also disable apparmor to see if that makes a difference (add 'apparmor=0' to the kernel commandline).

Changed in linux (Ubuntu):
status: New → Incomplete
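
The checks suggested in the comment above (the unprivileged_userns_* knobs, AppArmor denials in dmesg, apparmor=0 on the kernel command line) gathered into one script, as an added example that is not part of the bug report. The function names, the optional root argument and the sample log are assumptions made for illustration; the denial record in the sample is constructed in the kernel's audit format.

```shell
#!/bin/sh
# Added triage helper, not part of the bug report.

# List "comm operation profile" for every AppArmor denial in the kernel log
# text on stdin (dmesg or syslog). Missing fields are shown as "-".
apparmor_denials() {
    awk '
    function val(key,    s) {
        if (!match($0, " " key "=\"[^\"]*\"")) return "-"
        s = substr($0, RSTART, RLENGTH)
        sub(/^[^"]*"/, "", s); sub(/"$/, "", s)
        return s
    }
    /apparmor="DENIED"/ { print val("comm"), val("operation"), val("profile") }'
}

# Print the state inspected in the thread: the unprivileged_userns_* sysctls
# and whether AppArmor was disabled at boot. $1 is an optional alternate root
# directory (an assumption added so the function can be exercised offline).
userns_knobs() {
    root=${1:-}
    for f in "$root"/proc/sys/kernel/unprivileged_userns_*; do
        if [ -r "$f" ]; then
            printf '%s=%s\n' "${f##*/}" "$(cat "$f")"
        fi
    done
    if grep -qw 'apparmor=0' "$root/proc/cmdline" 2>/dev/null; then
        echo "boot: apparmor=0 (AppArmor disabled)"
    else
        echo "boot: AppArmor not disabled on the kernel command line"
    fi
}

# Constructed sample: the trap line has the shape of the one quoted in the
# thread; the denial line is a made-up record, not taken from the report.
SAMPLE_LOG='[ 101.1] traps: molotov[248896] trap int3 ip:5e682160f313 sp:7ffc1d650d40 error:0 in molotov[5e681e7af000+6882000]
[ 101.2] audit: type=1400 audit(0.0:1): apparmor="DENIED" operation="capable" profile="example_profile" pid=248896 comm="molotov" capability=21'

# Only the denial record is reported; the trap line alone says nothing about AppArmor.
printf '%s\n' "$SAMPLE_LOG" | apparmor_denials   # molotov capable example_profile

# On a live system:
#   sudo dmesg | apparmor_denials
#   userns_knobs
```

A trap line with no accompanying denial record, as in a log where only the crash is visible, produces no output from `apparmor_denials`.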
Marian N. Ion (marian75014) wrote :

dmesg shows the following messages:
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
[... 22:21:37 2024] show_signal: 96 callbacks suppressed
[... 22:21:37 2024] traps: molotov[248896] trap int3 ip:5e682160f313 sp:7ffc1d650d40 error:0 in molotov[5e681e7af000+6882000]
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<

In /var/log/syslog, in addition to the kernel trap message, there's another one from systemd:
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
2024-05-11T22:... systemd[1]: tmp-user-<myuid>-.mount_MolotoEcWbZn.mount: Deactivated successfully.
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<

I shall reboot with apparmor=0 to see if that changes something.

Marian N. Ion (marian75014) wrote :

It is a pity that once a comment is written it cannot be edited anymore.... :-(

Marian N. Ion (marian75014) wrote :

Yes, unprivileged_userns_clone exists:

# cat /proc/sys/kernel/unprivileged_userns_clone
1

Marian N. Ion (marian75014) wrote :

Yes, it seems to be an AppArmor issue - modifying the kernel options (/proc/cmdline => BOOT_IMAGE=/boot/vmlinuz-6.8.0-31-generic root=UUID=... ro resume=UUID=... log_buf_len=2M apparmor=0) the applications start normally.

How could this be done to *all* AppImage applications?

Launchpad Janitor (janitor) wrote :

[Expired for linux (Ubuntu) because there has been no activity for 60 days.]

Changed in linux (Ubuntu):
status: Incomplete → Expired