7

After upgrading to 24.04, neither the Outline Client nor Outline Manager appimages works any more.

I did install libfuset64 as recommended in other places, but I get SUID permission errors.

$ ./Outline-Client.AppImage 
[584847:1001/220953.594798:FATAL:setuid_sandbox_host.cc(157)] The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. You need to make sure that /tmp/.mount_Outlintr1Gf9/chrome-sandbox is owned by root and has mode 4755.
[1]    584847 trace trap (core dumped)  ./Outline-Client.AppImage

If I run outline with ./Outline-Client.AppImage --no-sandbox then it works perfectly fine, but this is supposed to be much less secure.

I'm wondering if there is a way to run outline without having to use the --no-sandbox flag

Andre
  • 520

1 Answer

9

We should not disable AppArmor's user namespace restrictions completely on our system as suggested in the answer to this question, since this would create security issues; please see this blog.

A better way is to create an apparmor profile which allows the specific application to make use of unprivileged user namespaces.

Create the file /etc/apparmor.d/outline-client with the following content:

    # This profile allows everything and only exists to give the
    # application a name instead of having the label "unconfined"

    abi <abi/4.0>,
    include <tunables/global>

    profile outlineclient /path/to/Outline-Client.AppImage flags=(default_allow) {
      userns,

      # Site-specific additions and overrides. See local/README for details.
      include if exists <local/outline-client>
    }

Replace /path/to/Outline-Client.AppImage with the path to your appimage.

After saving the file run sudo systemctl reload apparmor.service or reboot to reload all apparmor profiles.

Done, enjoy your appimage...

Note: Moving the appimage to a different location later or changing its name makes it necessary to update your apparmor profile with the correct path and reload the apparmor profiles.


The apparmor package will never provide profiles for appimages because appimages are stored in arbitrary locations. We have to create our own profile. I tested this method with several appimages, it works pretty well.

mook765
  • 18,764
  • Thank you! I was just busy reading about apparmor profiles and wondering how I'll need to set it up, but your answer makes it clear. I'll give it a go and report back. – Andre Oct 01 '24 at 22:05
  • Note that this issue would pop up for almost every other appimage, and many apps in the official repositories. You have to manually apply this fix in each case, unless you disable the restriction permanently – Archisman Panigrahi Oct 02 '24 at 12:40
  • 1
    @ArchismanPanigrahi Yes, of course, but isn't security worth some effort? And to be honest, most users do not use that many appimages with this problem. Remember that the restriction was introduced due to security issues with user namespaces. Please read the link I provided in my answer. How many apps from official repositories are affected? I never had this problem so far with apps from official repos. – mook765 Oct 02 '24 at 14:15
  • How many apps are affected - dozens of them https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2046844 and also, every single electron app except VS Code is affected. This creates more problems than it solves. Solus and Mint reverted these apparmor changes https://getsol.us/2024/07/15/dropping-apparmor-kernel-patches/. Moreover other distros like Fedora, Red Hat or Arch never enabled this security "feature". In my opinion, it does not help much with security. A real malware could just disable this restriction with a postinstall script. – Archisman Panigrahi Oct 02 '24 at 14:41
  • FYI, I have edited https://askubuntu.com/a/1511983/124466 and added a note about security concerns – Archisman Panigrahi Oct 02 '24 at 15:04
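
The per-application profile from the answer above, produced by a small shell helper. This is an added example, not part of the original answer or of the AppArmor project. The function names, the conservative path allow-list and the /opt/apps path are assumptions. The second function covers the answer's note about moved or renamed AppImages by checking that an installed profile still attaches to the current path.

```shell
#!/bin/sh
# Added example: hypothetical helpers for per-AppImage userns profiles.

# Print a userns-only profile on stdout.
# $1 = profile name, $2 = absolute path to the AppImage.
gen_userns_profile() {
    name=$1 path=$2
    # The attachment path in a profile is a glob pattern, so a relative
    # path or a wildcard would grant userns to more binaries than intended.
    case $path in
        /*) ;;
        *) echo "path must be absolute: $path" >&2; return 1 ;;
    esac
    # Conservative allow-list (an assumption of this example): no spaces,
    # quotes or glob characters such as * ? [ ] { }.
    case $path in
        *[!A-Za-z0-9/._+-]*) echo "unsupported character in path: $path" >&2; return 1 ;;
    esac
    case $name in
        ''|*[!A-Za-z0-9_-]*) echo "bad profile name: $name" >&2; return 1 ;;
    esac
    cat <<EOF
abi <abi/4.0>,
include <tunables/global>

profile $name $path flags=(default_allow) {
  userns,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/$name>
}
EOF
}

# Succeed only if profile file $1 attaches to exactly the path $2.
# A failure means the AppImage was moved or renamed and the profile is stale.
profile_matches_path() {
    attached=$(awk '$1 == "profile" { print $3; exit }' "$1")
    [ "$attached" = "$2" ]
}

# Usage (constructed path):
#   gen_userns_profile outline-client /opt/apps/Outline-Client.AppImage \
#       | sudo tee /etc/apparmor.d/outline-client
#   sudo systemctl reload apparmor.service
```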