slack does not work with kernelPackages set to linuxPackages_latest_hardened #91973

Closed
terlar opened this issue Jul 1, 2020 · 9 comments
Labels
0.kind: bug Something is broken

Comments

@terlar
Contributor

terlar commented Jul 1, 2020

Describe the bug
If boot.kernelPackages is set to pkgs.linuxPackages_latest_hardened, slack will refuse to launch due to the following error:

[4669:0701/213102.789623:FATAL:setuid_sandbox_host.cc(157)] The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. You need to make sure that /nix/store/4hjwhz43wmbwywc8iqb47v3mpdaiapnd-slack-4.4.3/lib/slack/chrome-sandbox is owned by root and has mode 4755.
fish: “slack” terminated by signal SIGTRAP (Trace or breakpoint trap)

To Reproduce
Steps to reproduce the behavior:

  1. Configure NixOS with boot.kernelPackages = pkgs.linuxPackages_latest_hardened
  2. Configure NixOS with `environment.systemPackages = [ pkgs.slack ];`
  3. Run slack

Expected behavior
Slack should launch successfully.


Notify maintainers
@NeQuissimus

Metadata

  • system: "x86_64-linux"
  • host os: Linux 5.6.19-hardened, NixOS, 20.09.20200630.b3251e0 (Nightingale)
  • multi-user?: yes
  • sandbox: yes
  • version: nix-env (Nix) 2.4pre20200622_334e26b
  • channels(root): "nixos-20.03.1950.48723f48ab9"
  • channels(terje.larsen): ""
  • nixpkgs: /nix/var/nix/profiles/per-user/root/channels/nixos

Maintainer information:

attribute:
- slack
@terlar terlar added the 0.kind: bug Something is broken label Jul 1, 2020
@8573
Contributor

8573 commented Jul 3, 2020

Are you using the hardened profile as well as the hardened kernel?

This looks related to my issue #89599.

@terlar
Contributor Author

terlar commented Jul 4, 2020

What is the hardened profile? I don't know about that one, but I am using the hardened kernel. I also see the same issue with Google Chrome; I think you are correct that it is the same kind of issue.

@terlar
Contributor Author

terlar commented Jul 5, 2020

Ah, just happened to read the documentation and found what you mean with the profile, so my answer is no, I do not.

For those curious:

@StephenWithPH
Contributor

Of note, this also happens on a Debian OS using nix for package management to install Slack.

@stale

stale bot commented Feb 13, 2021

I marked this as stale due to inactivity. → More info

@stale stale bot added the 2.status: stale https://github.com/NixOS/nixpkgs/blob/master/.github/STALE-BOT.md label Feb 13, 2021
@joachifm
Contributor

If this also occurs on a Debian host it seems to me the problem is not related to the hardened kernel provided by NixPkgs. I suggest closing the issue or at least renaming it.

@stale stale bot removed the 2.status: stale https://github.com/NixOS/nixpkgs/blob/master/.github/STALE-BOT.md label Jul 21, 2022
@joachifm
Contributor

Closing this for now.

Nix strips setuid bits from any binary installed to the Store, so you need to patch the software to use a suid stub installed outside the Store (setuid wrappers in NixOS, for example).

I believe chromium will make use of unprivileged user namespaces instead of setuid stubs, if possible. It may be that your host disables unprivileged user namespaces and that the software falls back to suid stub, which then fails because it is located in the Store (and hence lacks the requisite bits).
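
Added example, not part of the thread and not nixpkgs code: a shell sketch that checks the two conditions described in the comment above, namely whether the kernel permits unprivileged user namespaces and whether the setuid helper has the owner and mode the error message demands. The sysctl paths `kernel/unprivileged_userns_clone` (a Debian and linux-hardened patch knob) and `user/max_user_namespaces` are assumptions about the host, and the demo tree is constructed.

```shell
#!/bin/sh
# Added diagnostic sketch, not code from the issue or from nixpkgs.
# Needs a stat that supports -c (GNU coreutils or busybox).

# userns_state SYSDIR -> enabled | disabled | unknown
# "enabled" only means these two sysctls do not forbid user namespaces.
userns_state() {
    sys="${1:-/proc/sys}"
    clone="$sys/kernel/unprivileged_userns_clone"  # Debian / linux-hardened patch; absent elsewhere
    max="$sys/user/max_user_namespaces"            # upstream limit; 0 forbids new namespaces
    [ -r "$clone" ] || [ -r "$max" ] || { echo unknown; return; }
    if [ -r "$clone" ] && [ "$(cat "$clone")" = "0" ]; then echo disabled; return; fi
    if [ -r "$max" ] && [ "$(cat "$max")" = "0" ]; then echo disabled; return; fi
    echo enabled
}

# helper_state PATH -> ok | unusable | missing
# "ok" is what the error message asks for: owned by root, mode 4755.
helper_state() {
    [ -e "$1" ] || { echo missing; return; }
    owner=$(stat -c '%u' "$1")
    mode=$(stat -c '%a' "$1")
    if [ "$owner" = "0" ] && [ "$mode" = "4755" ]; then echo ok; else echo unusable; fi
}

# sandbox_verdict SYSDIR HELPER: namespaces first, setuid helper as fallback.
sandbox_verdict() {
    ns=$(userns_state "$1")
    hs=$(helper_state "$2")
    case "$ns/$hs" in
        enabled/*) echo "user namespaces permitted" ;;
        */ok)      echo "setuid helper usable" ;;
        *)         echo "no usable sandbox: userns=$ns helper=$hs" ;;
    esac
}

# Constructed sample: a fake sysctl tree with the hardened knob at 0 and a
# helper with store-like permissions (no setuid bit).
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/sys/kernel" "$d/sys/user"
    echo 0 > "$d/sys/kernel/unprivileged_userns_clone"
    echo 63000 > "$d/sys/user/max_user_namespaces"
    : > "$d/chrome-sandbox"
    chmod 0555 "$d/chrome-sandbox"
    sandbox_verdict "$d/sys" "$d/chrome-sandbox"
    rm -rf "$d"
}
demo
```

On a real host, call `sandbox_verdict /proc/sys` with the path of the `chrome-sandbox` binary named in the error message.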

@8573
Contributor

8573 commented Jul 23, 2022

My fix for #89599 might help Slack too, though I don't use that or any other Electron application.

@joachifm
Contributor

@8573 indeed, this looks like #89599 and #97682.
