-
-
Notifications
You must be signed in to change notification settings - Fork 1.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Packaging Electron v5 with sandbox (linux) #3872
Comments
Can't the old behavior be resolved by specifying Seems like it could be a viable workaround. I've disabled our snaps for now but would be nice to have a workaround. |
sandbox: false doesn't seem to fix thigns. I still get: "Failed to move to new namespace: PID namespaces supported, Network namespace supported, but failed: errno = Operation not permitted |
This might be possible if we pass --no-sandbox to the electron command line but I can't figure out how to set this in electron-builder. |
To my knowledge, as of now, one can not disable the sandbox/sandbox-helper with an electron builder configuration. @burtonator see the initial comment for the workaround I chose to use for snaps and AppImage builds, (afterPack hook/electron wrapper script). An electron-builder build-option to disable/configure the sandbox would be better, but until the situation is resolved I'll use the workaround. |
I implemented a hack where I renamed the main script to myapp.bin and then added the --no-sandbox argument manually and it worked fine. Not pretty but at least we have code pushed! |
@burtonator i resolved with this solution, but the problem is now, that we get 2 icons instead of 1 and is exactly because we use the |
@p3x-robot this is probably OS related as I don't have such issue with Xfce nor with Ubuntu 19.04, you can try the app yourself https://github.com/vladimiry/ElectronMail/releases (AppImage / Snap packages). |
would you mind show if works with p3x-onenote? |
@vladimiry it shows exactly because of this, if you have a bottom bar with icons, like shortcuts, it will show 2 icons, which is ugly, many distros have this shortcuts (not in the menu...) and it only happens on |
still an ugly hack. not 100% |
@p3x-robot what is that panel at the bottom (how do I enable it)? |
@vladimiry this is linux mint applet panel for the menu, for now i removed and run from the menu, but you have the same issue and everyone. it is still a proper solution, about 90%. it is sure that if you use a shortcut instead from menu, it will appear twice any distro i think. I got 2 electron apps, same issue. |
Which edition of Linux Mint (Cinnamon, Mate, Xfce)? |
@vladimiry Linux Mint 19.1 Cinnamon, the most used |
I don't believe it depends on the no-sandbox option but is related to the OS/panel setup and the way bash/sh preloader-like script used. Going to reproduce the issue first. |
@vladimiry well, you are right, but v4 works with 1 icon as it is supposed, with v5 it only works with the |
@vladimiry weird bug |
Try running the AppImage without sh/bash preloader but with |
@vladimiry yeah it works passing the |
the only problem is, how can i upload to github as i used to flag |
I stopped publishing the packages to GitHub by electron-builder for a list of reasons. There might be some hook/event in between building the package and uploading it, but I'm not aware of it. |
it works: rm -rf dist && electron-builder --ia32 --x64 --linux && electron-builder -p always it builds it, it uses |
i cannot upload, what do you use to upload releases and tags in github? i see in github-api to create a release, but how can i upload the files ? |
i had to generate the sha512 as well, but i fixed , i am on electron 6 and all perfect! |
if anyone is interested in fix the AppImage adding the |
besides it is an |
actually i moved in the builder into its own microservice, so it is like this: and the package.json: {
"name": "p3x-onenote",
"version": "2019.10.281",
"description": "📚 P3X OneNote Linux",
"main": "src/electron/app.js",
"corifeus": {
"snap": true,
"prefix": "p3x-",
"publish": true,
"type": "p3x",
"code": "Linux",
"nodejs": "v12.7.0",
"opencollective": true,
"reponame": "onenote",
"build": true
},
"bin": {
"p3x-onenote": "bin/p3x-onenote.js"
},
"scripts": {
"test": "grunt",
"build": "electron-builder --ia32 --x64 build/dist",
"build-test": "electron-builder build/dist -p always",
"postinstall": "opencollective postinstall",
"start": "node ./node_modules/.bin/electron ./src/electron/app.js",
"publish-electron": "rm -rf dist && electron-builder -p onTagOrDraft --ia32 --x64 --linux",
"publish-electron-snap": "electron-builder --linux snap -p never",
"publish-electron-yml": "node ./node_modules/corifeus-builder/src/utils/appimage/post-build.js"
},
"repository": {
"type": "git",
"url": "git+https://github.com/patrikx3/onenote.git"
},
"keywords": [
"onenote",
"linux"
],
"author": "Patrik Laszlo <[email protected]>",
"license": "MIT",
"bugs": {
"url": "https://github.com/patrikx3/onenote/issues"
},
"homepage": "https://pages.corifeus.com/onenote",
"dependencies": {
"@fortawesome/fontawesome-free": "^5.10.1",
"angular": "^1.7.8",
"angular-animate": "^1.7.8",
"angular-aria": "^1.7.8",
"angular-material": "^1.1.19",
"angular-messages": "^1.7.8",
"configstore": "^4.0.0",
"corifeus-utils": "^2019.10.140",
"electron-updater": "^4.1.2",
"jquery": "^3.4.1",
"opencollective": "^1.0.3",
"semver": "^6.3.0",
"typeface-roboto": "0.0.75"
},
"devDependencies": {
"angular-mocks": "^1.7.8",
"corifeus-builder": "^2019.10.223",
"electron-builder": "^21.2.0",
"escape-string-regexp": "^2.0.0",
"fs-extra": "^8.1.0",
"github-api": "^3.2.2",
"globby": "^10.0.1",
"jsdom": "^15.1.1",
"yaml": "^1.6.0"
},
"build": {
"afterAllArtifactBuild": "./node_modules/corifeus-builder/src/utils/appimage/after-all-artifact-build.js",
"publish": [
{
"provider": "github",
"owner": "patrikx3",
"repo": "onenote"
}
],
"appId": "p3x.onenote",
"copyright": "MIT",
"productName": "P3X OneNote",
"linux": {
"category": "Office",
"icon": "src/electron/images/",
"target": [
"AppImage"
]
},
"snap": {
"environment": {
"DISABLE_WAYLAND": 1
}
}
}
} a publish is like this #!/usr/bin/env bash
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
TOP=$DIR/..
pushd $TOP
grunt
export GH_TOKEN=$(cat $DIR/token.txt)
npm run publish-electron
npm run publish-electron-yml
npm run publish-electron-snap
export VERSION=$($DIR/get-version.js)
SNAP_FILE=p3x-onenote_${VERSION}_amd64.snap
pushd dist
####snapcraft login
snapcraft push --release=beta $SNAP_FILE |
Add SUID bit to packaged `chrome-sandbox` so that it works out of the box on distros like Debian. Part of electron-userland#3872
Add SUID bit to packaged `chrome-sandbox` so that it works out of the box on distros like Debian. Part of #3872
The Snap case was handled months ago, ref https://github.com/electron-userland/electron-builder/blame/fc311995c196f1063ceb2d0bb0af61beac6038e8/packages/app-builder-lib/src/targets/snap.ts#L188 |
Thanks. (Snap won't install on my machine, so I haven't been able to test.) It sounds like the problem is now just limited to AppImage installations. |
With electron 5 the sandbox is enabled by default. The sandbox requires elevated rights to run.
This can be achieved if the kernel has
kernel.unprivileged_userns_clone
enabled or a SUID flag is set onchrome-sandbox
.If
unprivileged_userns_clone
is disabled (default for Arch) the SUID-flag is required.To disable / enable said kernel feature:
Snaps cannot use the SUID flag (automatic app review) and seem to prevent access to the kernel feature.
One can disable the sandbox by running electron with the
--no-sandbox
argument.As a workaround, I currently use an after-pack hook to wrap the electron binary and append the
--no-sandbox
argument, which seemed to be to be the only way to add the sandbox argument. (app.commandLine.appendSwitch
does not work since electron has already launched)https://github.com/thomasnordquist/MQTT-Explorer/blob/master/scripts/afterPack.ts
Electron issue concerning this: electron/electron#17972
The text was updated successfully, but these errors were encountered: