AppImage executable won't launch #363

Open
Tracked by #13192
Mukund-Bhardwaj opened this issue Jun 10, 2024 · 8 comments
@Mukund-Bhardwaj

Bug Description:

AppImage executable won't launch without disabling sandboxing.
Application works completely fine after adding the --no-sandbox command line argument.
The following error is shown in the terminal:

[184044:0610/211014.832520:FATAL:setuid_sandbox_host.cc(158)] The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. You need to make sure that /tmp/.mount_TheiaI98fe20/chrome-sandbox is owned by root and has mode 4755.
Trace/breakpoint trap (core dumped)

Steps to Reproduce:

  1. Give executable permission to the AppImage file
  2. Run the executable via terminal


Additional Information

  • Operating System: Kubuntu 24.04
  • Theia Version: 1.49
@jfaltermeier
Contributor

@otherpaco

otherpaco commented Jun 29, 2024

@jfaltermeier, that seems not to be the problem.

I use Ubuntu 24.04 and have the same problem.

sysctl kernel.unprivileged_userns_clone returns
kernel.unprivileged_userns_clone = 1

So no need for the sandbox-fix package.

But I found this:

The issue comes from Ubuntu 24.04 deprecating unprivileged kernel namespaces, which the Arduino IDE (and other applications) rely on for their sandboxes.

From a sandbox problem with the Arduino IDE discussed on askubuntu, here the corresponding github issue

The workaround ./TheiaIDE.AppImage --no-sandbox works, but you lose the security of a sandbox.

@sgraband
Contributor

I will take a look.

@JonasHelming
Contributor

@sgraband Is this related to #377 maybe?

@sgraband
Contributor

sgraband commented Aug 6, 2024

Unfortunately, I haven't had much time to look into this. Hopefully I can do so this week. Will take a look if they are related.

@hklene

hklene commented Aug 15, 2024

The way forward seems to be an AppArmor profile for each electron-based AppImage:
arduino/arduino-ide#2429 (comment)

Question is, how to get it included with Ubuntu for them to ship it same as they already do for vscode (so that not each and everyone has to hack those exceptions herself)?

$ cat /etc/apparmor.d/code
# This profile allows everything and only exists to give the
# application a name instead of having the label "unconfined"

abi <abi/4.0>,
include <tunables/global>

profile vscode /usr/share/code{/bin,}/code flags=(unconfined) {
  userns,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/code>
}

@tuxPM

tuxPM commented Aug 19, 2024

Question is, how to get it included with Ubuntu for them to ship it same as they already do for vscode (so that not each and everyone has to hack those exceptions herself)?

Indeed, the problem is that an AppImage can be placed anywhere by the user. So the AppArmor file should be updated each time the file is moved.

Anyway, I confirm that adding the file on Ubuntu 24.04 fixes the issue.

I put all Theia versions in /opt/theia/

and created this file in /etc/apparmor.d/opt.theia

abi <abi/4.0>,
include <tunables/global>

profile theia /opt/theia/* flags=(unconfined) {
  userns,

  include if exists <local/theia>
}

@sgraband
Contributor

Thank you @hklene & @tuxPM for the workaround. As far as I understand, this is a common issue for all Electron apps running in sandbox mode from Ubuntu 24.04 going forward. This is also indicated by AppArmor shipping the same workaround for most of the applications.
For short-term help I would suggest linking this issue in the troubleshooting section of the README. Long term we should investigate if it makes more sense to focus on a *.deb package where we can control the installation folder and ship the workaround with it (or add the workaround for the Theia IDE to the default AppArmor profiles). Like you already mentioned, the issue with the AppImage is that it can be placed anywhere by the user.
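
Added example, not part of the thread or of the Theia project's code: a shell helper that emits the profile shown above pinned to one exact AppImage path instead of a directory glob, and checks that the install directory is not writable by other users. The sysctl name `kernel.apparmor_restrict_unprivileged_userns` is the Ubuntu 24.04 setting assumed to be behind the failure (the thread only checks `kernel.unprivileged_userns_clone`), and the profile naming scheme is an assumption.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Theia project.

# Succeeds when Ubuntu's AppArmor restriction on unprivileged user namespaces is on.
userns_restricted() {
    [ "$(sysctl -n kernel.apparmor_restrict_unprivileged_userns 2>/dev/null)" = 1 ]
}

# Succeeds when the file's directory is root-owned and not group/world-writable,
# so another local user cannot place a different binary under the profile.
# (GNU stat/find syntax, as shipped on Ubuntu.)
dir_is_root_only() {
    dir=$(dirname "$1")
    [ "$(stat -c %u "$dir")" = 0 ] && [ -z "$(find "$dir" -maxdepth 0 -perm /022)" ]
}

# Print a profile attached to exactly one absolute path; return 1 on unsafe input.
gen_profile() {
    target=$1
    case $target in
        /*) ;;
        *) echo "path must be absolute: $target" >&2; return 1 ;;
    esac
    # Reject glob, variable, quote and whitespace characters so the attachment
    # matches a single file and nothing else.
    case $target in
        *[!A-Za-z0-9/._+-]*) echo "unsupported character in: $target" >&2; return 1 ;;
    esac
    # Profile name derived from the file name (naming scheme is an assumption).
    name=$(basename "$target" .AppImage | tr -c 'A-Za-z0-9_\n' '_')
    cat <<EOF
abi <abi/4.0>,
include <tunables/global>

profile $name $target flags=(unconfined) {
  userns,

  include if exists <local/$name>
}
EOF
}

# Usage (as root):
#   gen_profile /opt/theia/TheiaIDE.AppImage > /etc/apparmor.d/theia
#   apparmor_parser -r /etc/apparmor.d/theia
```

The profile has to be regenerated and reloaded whenever the AppImage is moved or renamed, which is the limitation discussed in the comments above.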
