6

I have just updated to 24.04 and am having my first teething problems. I cannot run my Arduino IDE since updating, if I try it in the terminal I get the warning

"FATAL:setuid_sandbox_host.cc(158)] The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. You need to make sure that /home/stevetux/ArduinoLatest/arduino-ide_2.3.2_Linux_64bit/chrome-sandbox is owned by root and has mode 4755."

I considered just changing the permissions of arduino-ide_2.3.2_Linux_64bit/chrome-sandbox but if I try and open my arduino-lab-micropython-ide a different sandbox (MicroPythonIDE/chrome-sandbox) needs the permission altered.

Both of these IDEs were working perfectly under 23.10 and I don't know how many other applications are affected as I have only just upgraded, so is there a fix to this issue which doesn't involve changing the permissions on lots of files?

Edit: I have discovered that I can run the IDEs if I put --no-sandbox at the end of the launch command. But I have no idea if this has security or other implications. Advice would be appreciated.

SteveInBavaria
  • 3,736
  • 1
    Please can you try if the apparmore rule is working? https://github.com/arduino/arduino-ide/issues/2429 – nobody May 23 '24 at 22:25

2 Answers2

4

The issue comes from Ubuntu 24.04 deprecating unprivileged kernel namespaces, which the Arduino IDE (and other applications) rely on for their sandboxes

To solve this, you can create a new AppArmor profile for the Arduino IDE. Assuming you installed it in /home/username/bin/arduino (that's the whole filename), you can do something like sudo vim /etc/apparmor.d/home.username.bin.arduino (or nano, or some other editor) and write:

abi <abi/4.0>,
include <tunables/global>
profile arduino /home/username/bin/arduino flags=(unconfined) {
  userns,
  include if exists <local/arduino>
}

Then run sudo service apparmor reload

As an alternative, that still lets you run things without --no-sandbox, you can disable this new Ubuntu policy by running sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=1

Source

camilo.forero
  • 276
  • If I have to create a new AppArmor profile for each IDE I might as well simply change the owner and prmissions for each IDE instead. Is either method preferable? – SteveInBavaria May 25 '24 at 06:11
  • @SteveInBavaria the AppArmor method is preferrable because it doesn't expose your computer to security vulnerabilities. If you don't want it, try sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=1 or adding kernel.apparmor_restrict_unprivileged_userns=0 to /etc/sysctl.d/local.conf first. It is better than giving root permissions to external apps and you only have to do it once. The source I linked explains it all. – camilo.forero May 27 '24 at 00:04
  • This doesn't work on 24.04.2 LTS. – user568021 Sep 01 '25 at 11:42
  • I fixed it by reading this comment: "You can use any filename you want, just make sure the filename in the AppArmor profile (the path after the word profile) matches the executable filename." https://github.com/arduino/arduino-ide/issues/2429#issuecomment-2146151498 – user568021 Sep 01 '25 at 11:48
0

The security implications of --no-sandbox is that your Arduino IDE will not be run in a sandbox. Rather, it will run in your regular environment.

You should make /home/stevetux/ArduinoLatest/arduino-ide_2.3.2_Linux_64bit/chrome-sandbox a setuid root binary (owned by root, uses UID:GID from file ownership, rather than using $USER's UID:GID). It requires the power of root to setup the sandbox. Then your Arduino IDE should run in its own sandbox. The same should apply to your other IDE.

waltinator
  • 1