Talk Desktop is not running on Ubuntu 24 without AppArmor profile #588

Open
Tracked by #635
Naimado68 opened this issue Mar 27, 2024 · 18 comments

@Naimado68
Naimado68 commented Mar 27, 2024

🚧 Temporary workaround

After unpacking the files run the following 2 commands:

sudo chown root chrome-sandbox
sudo chmod 4755 chrome-sandbox

How to use GitHub

  • Please use the 👍 reaction to show that you are affected by the same issue.
  • Please don't comment if you have no relevant information to add. It's just extra noise for everyone subscribed to this issue.
  • Subscribe to receive notifications on status change and new comments.

Steps to reproduce

  1. ./Nextcloud\ Talk

Expected behaviour

Launch Nextcloud

Actual behaviour

IMG_1910

but we can't use 'sudo'

Desktop client

Talk Desktop client version: v1.26.0

Operating system: Ubuntu

Operating system version: Ubuntu 20.02

Microphone available: yes/no

Camera available: yes/no

Server

Nextcloud version: (see status page: /status.php)

Talk app version: (see apps admin page: /index.php/settings/apps)

Custom Signaling server configured: yes/no and version (see additional admin settings: /index.php/index.php/settings/admin/talk#signaling_server)

Custom TURN server configured: yes/no (see additional admin settings: /index.php/settings/admin/talk#turn_server)

Custom STUN server configured: yes/no (see additional admin settings: /index.php/settings/admin/talk#stun_server)

Logs

Client log

Insert your browser log here, this could for example include:
a) The javascript console log
b) The network log
c) ...
@Naimado68 Naimado68 added 0. Needs triage bug Something isn't working labels Mar 27, 2024
@nickvergessen
Member

According to your screenshot all files are owned by root:root
But your current user seems to be produser

So if you run chown -R produser:produser Tele..../Nextcloud.Talk-linux… it should work correctly

@Naimado68
Author

I tried it, but encountered another issue stating that the 'chrome-sandbox' needs to be owned by root and have mode 4755. Even after adjusting the ownership and permissions accordingly, I faced the same problem as before.

@nickvergessen
Member

$ ls -la 
insgesamt 220272
drwx------  4 nickv nickv      4096 Mär 26 16:43  .
drwxr-xr-x 38 nickv nickv      4096 Mär 27 17:21  ..
-rw-r--r--  1 nickv nickv    154821 Mär 26 16:43  chrome_100_percent.pak
-rw-r--r--  1 nickv nickv    236588 Mär 26 16:43  chrome_200_percent.pak
-rwxr-xr-x  1 nickv nickv   1259424 Mär 26 16:43  chrome_crashpad_handler
-rwxr-xr-x  1 nickv nickv     54248 Mär 26 16:43  chrome-sandbox
-rw-r--r--  1 nickv nickv  10717680 Mär 26 16:43  icudtl.dat
-rwxr-xr-x  1 nickv nickv    252016 Mär 26 16:43  libEGL.so
-rwxr-xr-x  1 nickv nickv   2868792 Mär 26 16:43  libffmpeg.so
-rwxr-xr-x  1 nickv nickv   6461688 Mär 26 16:43  libGLESv2.so
-rwxr-xr-x  1 nickv nickv   4225360 Mär 26 16:43  libvk_swiftshader.so
-rwxr-xr-x  1 nickv nickv   7524712 Mär 26 16:43  libvulkan.so.1
-rw-r--r--  1 nickv nickv      1096 Mär 26 16:43  LICENSE
-rw-r--r--  1 nickv nickv   9242625 Mär 26 16:43  LICENSES.chromium.html
drwxrwxr-x  2 nickv nickv      4096 Mär 26 16:43  locales
-rwxr-xr-x  1 nickv nickv 176032352 Mär 26 16:43 'Nextcloud Talk'
drwxrwxr-x  3 nickv nickv      4096 Mär 26 16:43  resources
-rw-r--r--  1 nickv nickv   5481614 Mär 26 16:43  resources.pak
-rw-r--r--  1 nickv nickv    306214 Mär 26 16:43  snapshot_blob.bin
-rw-r--r--  1 nickv nickv    679161 Mär 26 16:43  v8_context_snapshot.bin
-rw-r--r--  1 nickv nickv         6 Mär 26 16:43  version
-rw-r--r--  1 nickv nickv       107 Mär 26 16:43  vk_swiftshader_icd.json

Works pretty fine here, without being root.

That being said, on your screenshot chrome-sandbox does not have execute permission for the user.

@Brocky453
Brocky453 commented Mar 28, 2024

I have the same problem.

The issue there is when Nextcloud is trying to use zygote_host_impl_linux.cc (library of chrome) but it's not available due to permissions, so that's why it works as root but not as a regular user.

Do we have to change the permission of that file? If so, where is this file supposed to be located if it's not statically linked?

Our workaround there is simply to use --no-zygote and --no-sandbox, which is not optimal.

@nRaecheR
nRaecheR commented Apr 22, 2024

Got the same problem after updating my working two test VMs to the new Ubuntu 24.04 LTS, currently in beta (no other changes).

It seems to be related to the apparmor audit, here's the related dmesg log output:

[ 294.686381] audit: type=1400 audit(1713765370.207:221): apparmor="AUDIT" operation="userns_create" class="namespace" info="Userns create - transitioning profile" profile="unconfined" pid=6251 comm=4E657874636C6F75642054616C6B requested="userns_create" target="unprivileged_userns"
[ 294.686638] audit: type=1400 audit(1713765370.209:222): apparmor="DENIED" operation="capable" class="cap" profile="unprivileged_userns" pid=6253 comm=4E657874636C6F75642054616C6B capability=21 capname="sys_admin"
[ 294.690438] traps: Nextcloud Talk[6251] trap int3 ip:5b974cbbf0fa sp:7fff37b8dbe0 error:0 in Nextcloud Talk[5b9748f9b000+8168000]

Trouble ahead...

The --no-zygote and --no-sandbox workaround works too.

EDIT: Seems to be related to this (Ubuntu) upstream issue: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2046844

@ShGKme
Contributor

ShGKme commented Apr 22, 2024

Unfortunately, we are still unable to reproduce the issue (but we haven't tried Ubuntu 24 yet).

However, I have found some mentions of the error, and it seems it also happens with clean Chromium on some setups. So it could be a chromium compatibility issue in some environments.

The --no-zygote and --no-sandbox workaround works too.

We won't get rid of the sandbox mode because of security concerns. This is not a solution.

@nRaecheR
nRaecheR commented Apr 23, 2024

The solution is to add an AppArmor profile. Ubuntu 24.04 comes with a lot of new profiles for applications that need the unprivileged_userns capability; there is even one for other Electron applications like Signal-Desktop.

It's time to add a flatpak installer / RPM|DEB package for Nextcloud Talk Desktop with a proper installation location and AppArmor profile. Here's my working profile:

# This profile allows everything and only exists to give the
# application a name instead of having the label "unconfined"

abi <abi/4.0>,
include <tunables/global>

profile nextcloud-talk-desktop "/opt/Nextcloud Talk-linux-x64/Nextcloud Talk" flags=(unconfined) {
  userns,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/nextcloud-talk-desktop>
}

I've installed it to /opt/ and chowned it to root and chmodded the chrome-sandbox to 4755 too.

@ShGKme ShGKme changed the title Can't launch Nextcloud desktop Talk Desktop is not running on Ubuntu 24 without AppArmor profile May 7, 2024
@ShGKme ShGKme mentioned this issue May 7, 2024
54 tasks
@nickvergessen
Member

Another temporary solution can be:

sudo chown root chrome-sandbox
sudo chmod 4755 chrome-sandbox

So if the file is owned by root and has 4755 permissions it works.

@jwquaker

I too was having the same issue on my Ubuntu 24.04 system. I tried to change the ownership of chrome-sandbox and it did not help. It also caused another one of the programs I use to stop working (Logos10 Bible software). I had to do a timeshift back so I could get back into Logos, because I need it today and Talk is just something I would like to have.

I am glad you are doing it. And by the way, I have this on my Debian 12 based T100 and it works great. I will definitely try to get it to work again.

@nickvergessen
Member

You need to change owner and the permissions (in the right order)

@Fuseteam
Fuseteam commented Aug 6, 2024

I run into this same issue. I tried @nickvergessen's suggestion but that doesn't seem to work:

fuseteam@tuxecure ~/D/Nextcloud Talk-linux-x64 [SIGTRAP]> sudo chown root chrome-sandbox
[sudo] password for fuseteam: 
fuseteam@tuxecure ~/D/Nextcloud Talk-linux-x64> sudo chmod 4755 chrome-sandbox

fuseteam@tuxecure ~/D/Nextcloud Talk-linux-x64> ./Nextcloud\ Talk
LaunchProcess: failed to execvp:
/home/fuseteam/Downloads/Nextcloud
[7902:0806/074815.199186:FATAL:zygote_host_impl_linux.cc(201)] Check failed: . : Invalid argument (22)
fish: Job 1, './Nextcloud\ Talk' terminated by signal SIGTRAP (Trace or breakpoint trap)
fuseteam@tuxecure ~/D/Nextcloud Talk-linux-x64 [SIGTRAP]> 

@Fuseteam
Fuseteam commented Aug 6, 2024

hmmm granted my original error message is

[7518:0806/074747.944183:FATAL:setuid_sandbox_host.cc(158)] The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. You need to make sure that /home/fuseteam/Downloads/Nextcloud Talk-linux-x64/chrome-sandbox is owned by root and has mode 4755.
fish: Job 1, './Nextcloud\ Talk' terminated by signal SIGTRAP (Trace or breakpoint trap)

@Fuseteam
Fuseteam commented Aug 6, 2024

hmm this seems to be an issue with electron v5 electron/electron#17972

@Fuseteam
Fuseteam commented Aug 6, 2024

this allows it to launch for me now: sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0 even without the chown and chmod
Seems to be an actual apparmor restriction on Ubuntu 24.04
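
A read-only check of the two conditions this thread keeps returning to, the owner and mode of chrome-sandbox and the kernel.apparmor_restrict_unprivileged_userns setting. This is an added example, not part of any comment or of the project's code; the function names are hypothetical and the sysctl is read through its standard /proc/sys path.

```python
import os
import stat

# /proc path of the Ubuntu sysctl named in the comment above.
USERNS_SYSCTL = "/proc/sys/kernel/apparmor_restrict_unprivileged_userns"

def suid_helper_problems(path):
    """Reasons `path` fails the 'owned by root and has mode 4755' check."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return ["chrome-sandbox helper not found"]
    problems = []
    if st.st_uid != 0:
        problems.append("owner uid is %d, expected 0 (root)" % st.st_uid)
    mode = stat.S_IMODE(st.st_mode)
    if mode != 0o4755:
        # chown clears the setuid bit on Linux, so chmod 4755 has to come
        # after chown root; the reverse order leaves the file at 0755.
        problems.append("mode is %04o, expected 4755" % mode)
    return problems

def userns_restricted(sysctl_path=USERNS_SYSCTL):
    """True if the restriction is on, False if off, None if not exposed."""
    try:
        with open(sysctl_path) as fh:
            return fh.read().strip() != "0"
    except OSError:
        return None

def report(app_dir, sysctl_path=USERNS_SYSCTL):
    """Collect both findings for one unpacked application directory."""
    helper = os.path.join(app_dir, "chrome-sandbox")
    return {
        "helper": helper,
        "helper_problems": suid_helper_problems(helper),
        "userns_restricted": userns_restricted(sysctl_path),
    }

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for key, value in report(target).items():
        print("%s: %s" % (key, value))
```
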

@nickvergessen nickvergessen pinned this issue Aug 19, 2024
@Fuseteam

looks like electron is looking into how to fix it: electron-userland/electron-builder#8635

@ShGKme
Contributor

ShGKme commented Oct 28, 2024

looks like electron is looking into how to fix it: electron-userland/electron-builder#8635

We don't use electron-builder

@Fuseteam

oh, tho i guess their template could be used to create our own apparmor profile. not that i have managed to get it working, but i suspect that's on my configuration
