pi-apps icon indicating copy to clipboard operation
pi-apps copied to clipboard

Published 20 hours ago verified publisher icon Botspot

StackEdit (and potentially all electron apps) need `--disable-seccomp-filter-sandbox` to work in Bullseye

Open Crilum opened this issue 3 years ago • 14 comments

I just installed StackEdit, opened it, and it just hung. Then I tried it with --disable-seccomp-filter-sandbox, and it loaded right up. This seems to be the case for all (or at least most) Electron apps.

All that need to be changed is adding --disable-seccomp-filter-sandbox to the end of the exec command in the Desktop file, and maybe add a script to run it with the arg for the terminal, something like this put in a file called stackedit in /usr/local/bin/:

#!/bin/bash
~/stackedit/StackEdit --disable-seccomp-filter-sandbox

And then change description to match the changes.

EDIT: Thanks to @cycool29 for telling me/us that --no-sandbox can be dangerous. I have changed the bug report to another similar flag that is less dangerous, but still works. Thanks @cycool29!

Crilum avatar Nov 15 '21 20:11 Crilum

Also, StackEdit has a warning about an old version:

2021-11-15-134511_2560x1440_scrot

Crilum avatar Nov 15 '21 20:11 Crilum

@Botspot did you test the release of whatsapp and stackedit made with your script? I'm using stackedit on bullseye rpiOS (upgraded from buster) with debian repositories and it works fine.

Itai-Nelken avatar Nov 16 '21 05:11 Itai-Nelken

WhatsApp in my repo works well in bullseye, though.

cycool29 avatar Nov 16 '21 05:11 cycool29

From this article, the --no-sandbox flag potentially dangerous to users. I think we can replace it with --disable-seccomp-filter-sandbox. I tested it with Stackedit and it worked.

cycool29 avatar Nov 16 '21 05:11 cycool29

From this article, the --no-sandbox flag potentially dangerous to users. I think we can replace it with --disable-seccomp-filter-sandbox. I tested it with Stackedit and it worked.

Hmm, yes, that does look dangerous. I've changed the bug report to ask to use --disable-seccomp-filter-sandbox.

Crilum avatar Nov 16 '21 14:11 Crilum

I think this also causes StackEdit to fail when logging in to an account. The login window never loads.

Crilum avatar Nov 16 '21 15:11 Crilum

Anyone??

Crilum avatar Dec 07 '21 07:12 Crilum

I think we need someone to test all Electron apps in pi-apps on Bullseye and open a PR to add the flag.

cycool29 avatar Dec 07 '21 07:12 cycool29

Yeah.. We should start by testing all the electron apps, to see if all of them need to have the flag added, and then make a list, so we know what we need to do..

Crilum avatar Dec 07 '21 07:12 Crilum

any update on this? was this fixed in an OS update or electron update for the relevant apps or does the issue still remain?

theofficialgman avatar Apr 25 '22 00:04 theofficialgman

Brand new install of StackEdit:

pi@AwePi:~/stackedit $ ./StackEdit 
../../sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.cc:**CRASHING**:seccomp-bpf failure in syscall 0403
../../sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.cc:**CRASHING**:seccomp-bpf failure in syscall 0403
../../sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.cc:**CRASHING**:seccomp-bpf failure in syscall 0403
../../sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.cc:**CRASHING**:seccomp-bpf failure in syscall 0403
../../sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.cc:**CRASHING**:seccomp-bpf failure in syscall 0403
../../sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.cc:**CRASHING**:seccomp-bpf failure in syscall 0403
../../sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.cc:**CRASHING**:seccomp-bpf failure in syscall 0403
../../sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.cc:**CRASHING**:seccomp-bpf failure in syscall 0403
../../sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.cc:**CRASHING**:seccomp-bpf failure in syscall 0403
[25096:0427/192209.823335:FATAL:gpu_data_manager_impl_private.cc(415)] GPU process isn't usable. Goodbye.
Trace/breakpoint trap

with --disable-seccomp-filter-sandbox:

pi@AwePi:~/stackedit $ ./StackEdit --disable-seccomp-filter-sandbox
Not loading override URL passed as argument, because failed to parse: --disable-seccomp-filter-sandbox

and it loads and works normally. I guess StackEdit passes args it doesn't know what to do with to Electron??

RPi 4 4G, RPiOS Bullseye

Crilum avatar Apr 28 '22 01:04 Crilum

actually I just realized, stackedit doesn't have a native app itai-nelkin made a "desktop app" with nativefier @Itai-Nelken can you try making a new version of this nativefier with the latest nativefier version which is now using electron 18?

this probably also affects the whatsapp app

edit: upstream bug, needs electron >=13.5.Y https://github.com/electron/electron/pull/31091

theofficialgman avatar Apr 28 '22 02:04 theofficialgman

@Itai-Nelken this is also a nativefier app, please rebuilt once electron 18.2.4 releases sometime this week and this bug will be fixed you can also build with 17.x.y if nativefier allows you to chose the version

theofficialgman avatar May 17 '22 17:05 theofficialgman

@Itai-Nelken well... now 18.2.4 has been released for a few weeks and 19.0.0+ can not be used. if you can tell nativefier which version to use, do that... otherwise not sure what can be done here

theofficialgman avatar Jun 04 '22 00:06 theofficialgman