Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Packaging Electron v5 with sandbox (linux) #3872

Closed
thomasnordquist opened this issue May 3, 2019 · 95 comments · Fixed by #4364
Closed

Packaging Electron v5 with sandbox (linux) #3872

thomasnordquist opened this issue May 3, 2019 · 95 comments · Fixed by #4364

Comments

@thomasnordquist
Copy link

With electron 5 the sandbox is enabled by default. The sandbox requires elevated rights to run.
This can be achieved if the kernel has kernel.unprivileged_userns_clone enabled or a SUID flag is set on chrome-sandbox.

If unprivileged_userns_clone is disabled (default for Arch) the SUID-flag is required.

To disable / enable said kernel feature:

sudo sysctl kernel.unprivileged_userns_clone=0

Snaps cannot use the SUID flag (automatic app review) and seem to prevent access to the kernel feature.

One can disable the sandbox by running electron with the --no-sandbox argument.

As a workaround, I currently use an after-pack hook to wrap the electron binary and append the --no-sandbox argument, which seemed to be to be the only way to add the sandbox argument. (app.commandLine.appendSwitch does not work since electron has already launched)
https://github.com/thomasnordquist/MQTT-Explorer/blob/master/scripts/afterPack.ts

Electron issue concerning this: electron/electron#17972

@burtonator
Copy link

Can't the old behavior be resolved by specifying sandbox: false in the browser window constructor?

Seems like it could be a viable workaround. I've disabled our snaps for now but would be nice to have a workaround.

@burtonator
Copy link

sandbox: false doesn't seem to fix thigns. I still get:

"Failed to move to new namespace: PID namespaces supported, Network namespace supported, but failed: errno = Operation not permitted
Trace/breakpoint trap (core dumped)
"

@burtonator
Copy link

This might be possible if we pass --no-sandbox to the electron command line but I can't figure out how to set this in electron-builder.

@thomasnordquist
Copy link
Author

To my knowledge, as of now, one can not disable the sandbox/sandbox-helper with an electron builder configuration.

@burtonator see the initial comment for the workaround I chose to use for snaps and AppImage builds, (afterPack hook/electron wrapper script).
I believe there is still a lot to do for different parties (electron, snapcraft) until the sandbox feature will be available for snaps in snapcraft.

An electron-builder build-option to disable/configure the sandbox would be better, but until the situation is resolved I'll use the workaround.

@burtonator
Copy link

I implemented a hack where I renamed the main script to myapp.bin and then added the --no-sandbox argument manually and it worked fine. Not pretty but at least we have code pushed!

@p3x-robot
Copy link

@burtonator i resolved with this solution, but the problem is now, that we get 2 icons instead of 1 and is exactly because we use the --no-sandbox , i think this flag should be in the Gnome desktop using this flag.

electron/electron#17972 (comment)

@p3x-robot
Copy link

image

@vladimiry
Copy link
Contributor

@p3x-robot this is probably OS related as I don't have such issue with Xfce nor with Ubuntu 19.04, you can try the app yourself https://github.com/vladimiry/ElectronMail/releases (AppImage / Snap packages).

@p3x-robot
Copy link

@p3x-robot
Copy link

@vladimiry it shows exactly because of this, if you have a bottom bar with icons, like shortcuts, it will show 2 icons, which is ugly, many distros have this shortcuts (not in the menu...) and it only happens on --no-sandbox

image

@p3x-robot
Copy link

still an ugly hack. not 100%

@p3x-robot
Copy link

patrikx3/redis-ui#15

@p3x-robot
Copy link

patrikx3/onenote#64

@vladimiry
Copy link
Contributor

@p3x-robot what is that panel at the bottom (how do I enable it)?

@p3x-robot
Copy link

@vladimiry this is linux mint applet panel for the menu, for now i removed and run from the menu, but you have the same issue and everyone. it is still a proper solution, about 90%.

it is sure that if you use a shortcut instead from menu, it will appear twice any distro i think.

I got 2 electron apps, same issue.
of course with electron v4, no issue at all.

image

@vladimiry
Copy link
Contributor

linux mint applet panel

Which edition of Linux Mint (Cinnamon, Mate, Xfce)?

@p3x-robot
Copy link

@vladimiry Linux Mint 19.1 Cinnamon, the most used

@vladimiry
Copy link
Contributor

vladimiry commented May 25, 2019

I don't believe it depends on the no-sandbox option but is related to the OS/panel setup and the way bash/sh preloader-like script used. Going to reproduce the issue first.

@p3x-robot
Copy link

@vladimiry well, you are right, but v4 works with 1 icon as it is supposed, with v5 it only works with the --no-sandbox and it appears the icon twice as on your app as well, if you check out distrowatch.com, Linux Mint is the one of the most liked distro.

@p3x-robot
Copy link

@vladimiry weird bug

@vladimiry
Copy link
Contributor

vladimiry commented May 25, 2019

Try running the AppImage without sh/bash preloader but with --no-sandbox argument, means don't hack the AppImage package in any way. I think there will be no duplicated icon issue. So I still don't think there is a bug.

@p3x-robot
Copy link

@vladimiry yeah it works passing the --no-sandbox and without the hack on the raw AppImage, but they want to not want to play with arguments, just click the menu and it works, that is my issue, but minor bug or issue whatever

@p3x-robot
Copy link

the only problem is, how can i upload to github as i used to flag -p always it does not wait after my hook is done, so it starts to upload right away.
do you know how i can upload the files aftter the afterAllArtifactBuild, or is there any way to not build anymore just upload with eht electron builder? :(

@vladimiry
Copy link
Contributor

I stopped publishing the packages to GitHub by electron-builder for a list of reasons. There might be some hook/event in between building the package and uploading it, but I'm not aware of it.

@p3x-robot
Copy link

it works:

rm -rf dist && electron-builder --ia32 --x64 --linux  && electron-builder -p always

it builds it, it uses after-all-artifact-build.js and when i execute electron-builder -p always it does not generate, it just uploads.
so it works, just testing.
thanks for your help!

@p3x-robot
Copy link

i cannot upload, what do you use to upload releases and tags in github? i see in github-api to create a release, but how can i upload the files ?

@p3x-robot
Copy link

i can create a tag via github-api, my only problem is that when i it auto upload tries to itself the sha512 sum are wrong, here, as i changed the file, how can is calcaulte? it is not even sha512sum, but some base64:
image

@p3x-robot
Copy link

image

@p3x-robot
Copy link

i had to generate the sha512 as well, but i fixed , i am on electron 6 and all perfect!
thanks dudes!

@p3x-robot
Copy link

if anyone is interested in fix the AppImage adding the --no-sandbox, the code is here and is javascript:
https://github.com/patrikx3/onenote/tree/master/src/build
(it uploads to github as well, in 2 steps, first afterAllArtifactBuild, unpack the AppImage add the --no-sandbox to the AppRun script, then re-pack (at this point the latest-linux.yml will have different sha512 signature will be), then at then end, when electron builder is done, it executes post-build.js as the new AppImage-s yaml-s have different sha512 signatures so i had to calculate by hand... (it is only for linux, had no time to fix all platforms).
(as i build for AMDx64 and i386 as well)

@p3x-robot
Copy link

besides it is an AppImage so it is enough for Linux , not needed for Win... or macOs...:)

@p3x-robot
Copy link

actually i moved in the builder into its own microservice, so it is like this:
https://github.com/patrikx3/corifeus-builder/tree/master/src/utils/appimage

and the package.json:
https://github.com/patrikx3/onenote/blob/master/package.json

{
    "name": "p3x-onenote",
    "version": "2019.10.281",
    "description": "📚 P3X OneNote Linux",
    "main": "src/electron/app.js",
    "corifeus": {
        "snap": true,
        "prefix": "p3x-",
        "publish": true,
        "type": "p3x",
        "code": "Linux",
        "nodejs": "v12.7.0",
        "opencollective": true,
        "reponame": "onenote",
        "build": true
    },
    "bin": {
        "p3x-onenote": "bin/p3x-onenote.js"
    },
    "scripts": {
        "test": "grunt",
        "build": "electron-builder --ia32 --x64  build/dist",
        "build-test": "electron-builder build/dist -p always",
        "postinstall": "opencollective postinstall",
        "start": "node ./node_modules/.bin/electron ./src/electron/app.js",
        "publish-electron": "rm -rf dist && electron-builder -p onTagOrDraft --ia32 --x64 --linux",
        "publish-electron-snap": "electron-builder --linux snap -p never",
        "publish-electron-yml": "node ./node_modules/corifeus-builder/src/utils/appimage/post-build.js"
    },
    "repository": {
        "type": "git",
        "url": "git+https://github.com/patrikx3/onenote.git"
    },
    "keywords": [
        "onenote",
        "linux"
    ],
    "author": "Patrik Laszlo <[email protected]>",
    "license": "MIT",
    "bugs": {
        "url": "https://github.com/patrikx3/onenote/issues"
    },
    "homepage": "https://pages.corifeus.com/onenote",
    "dependencies": {
        "@fortawesome/fontawesome-free": "^5.10.1",
        "angular": "^1.7.8",
        "angular-animate": "^1.7.8",
        "angular-aria": "^1.7.8",
        "angular-material": "^1.1.19",
        "angular-messages": "^1.7.8",
        "configstore": "^4.0.0",
        "corifeus-utils": "^2019.10.140",
        "electron-updater": "^4.1.2",
        "jquery": "^3.4.1",
        "opencollective": "^1.0.3",
        "semver": "^6.3.0",
        "typeface-roboto": "0.0.75"
    },
    "devDependencies": {
        "angular-mocks": "^1.7.8",
        "corifeus-builder": "^2019.10.223",
        "electron-builder": "^21.2.0",
        "escape-string-regexp": "^2.0.0",
        "fs-extra": "^8.1.0",
        "github-api": "^3.2.2",
        "globby": "^10.0.1",
        "jsdom": "^15.1.1",
        "yaml": "^1.6.0"
    },
    "build": {
        "afterAllArtifactBuild": "./node_modules/corifeus-builder/src/utils/appimage/after-all-artifact-build.js",
        "publish": [
            {
                "provider": "github",
                "owner": "patrikx3",
                "repo": "onenote"
            }
        ],
        "appId": "p3x.onenote",
        "copyright": "MIT",
        "productName": "P3X OneNote",
        "linux": {
            "category": "Office",
            "icon": "src/electron/images/",
            "target": [
                "AppImage"
            ]
        },
        "snap": {
            "environment": {
                "DISABLE_WAYLAND": 1
            }
        }
    }
}

a publish is like this

#!/usr/bin/env bash
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
TOP=$DIR/..
pushd $TOP

grunt
export GH_TOKEN=$(cat $DIR/token.txt)
npm run publish-electron
npm run publish-electron-yml

npm run publish-electron-snap

export VERSION=$($DIR/get-version.js)
SNAP_FILE=p3x-onenote_${VERSION}_amd64.snap
pushd dist

####snapcraft login
snapcraft push --release=beta $SNAP_FILE

jryans added a commit to jryans/electron-builder that referenced this issue Aug 16, 2019
Add SUID bit to packaged `chrome-sandbox` so that it works out of the box on
distros like Debian.

Part of electron-userland#3872
develar pushed a commit that referenced this issue Sep 23, 2019
Add SUID bit to packaged `chrome-sandbox` so that it works out of the box on
distros like Debian.

Part of #3872
@christianbundy
Copy link
Contributor

@develar I think this issue should be re-opened. It's great that #4364 resolves this for the .deb distribution, but this problem remains unsolved on AppImage (and maybe Snap?).

@vladimiry
Copy link
Contributor

@christianbundy
Copy link
Contributor

Thanks. (Snap won't install on my machine, so I haven't been able to test.) It sounds like the problem is now just limited to AppImage installations.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging a pull request may close this issue.

7 participants