
Every flatpak app fails with this message:

$ flatpak run org.mozilla.firefox 
bwrap: Unexpected capabilities but not setuid, old file caps config?
error: ldconfig failed, exit status 256

Ubuntu Mantic, flatpak installed with apt.

It must be something with bubblewrap or with the way it’s used, because:

$ bwrap 
bwrap: Unexpected capabilities but not setuid, old file caps config?
$ sudo bwrap 
usage: bwrap [OPTIONS...] [--] COMMAND [ARGS...]
--help                       Print this help
--version                    Print version
...

More info for commenters:

$ type -a bwrap 
bwrap is /bin/bwrap
bwrap is /usr/bin/bwrap
bwrap is /bin/bwrap
$ ls -l /usr/bin/bwrap /bin/bwrap 
.rwxr-xr-x 72k root 28 Feb 10:38 /usr/bin/bwrap
.rwxr-xr-x 72k root 28 Feb 10:38 /bin/bwrap
$ sudo flatpak repair
[21/23] Verifying flathub:app/com.google.Chrome/x86_64/stable…
Checking remotes...
Pruning objects
Erasing .removed

$ unshare --map-root-user
$ whoami
root
$ sysctl kernel.unprivileged_userns_clone
kernel.unprivileged_userns_clone = 1

I tried to set setuid for bwrap:

$ sudo chmod 4755 /usr/bin/bwrap

That makes flatpaks run, but with an ugly warning. I don’t think that’s a correct solution.


1 Answer


Not an answer, but important notes that don't fit into comments and will most likely help you or others trying to help solve this issue.

Note #1

This:

$ bwrap 
bwrap: Unexpected capabilities but not setuid, old file caps config?

... can be reproduced (on other systems with a normally functioning default bwrap command) when nesting containers within other containers and asking for all capabilities to be used with e.g. --cap-add ALL, for example:

$ bwrap --bind / / --cap-add ALL -- bwrap --bind / / -- bash
bwrap: Unexpected capabilities but not setuid, old file caps config?

... Bubblewrap drops all capabilities within a sandbox and the child tasks cannot gain greater privileges than their parent. That's how it works, but I can't go into detail about how that might be causing this.

Now, why this is happening depends on what you have done either deliberately by hand or unknowingly by some script/package you installed ... So, only you can guess what.

Probable causes might be that you have enabled persistent user namespaces/sandboxes or something like it related to Bubblewrap configuration/settings.

Note #2

$ type -a bwrap 
bwrap is /bin/bwrap
bwrap is /usr/bin/bwrap
bwrap is /bin/bwrap

... should print bwrap is /bin/bwrap only once unless there are two routes leading to it ... Find out why and fix it.

Note #3

The kernel feature allowing unprivileged user namespaces is enabled by default in recent Ubuntu kernels ... That is a requirement for Bubblewrap to work without the setuid bit (the default); otherwise the setuid bit on the executable binary file, i.e. /usr/bin/bwrap, might be required.

Note #4

The default ownership and permissions on the executable /usr/bin/bwrap should be:

$ ls -l /usr/bin/bwrap
-rwxr-xr-x 1 root root 72160 Feb 25  2022 /usr/bin/bwrap

... those can be restored with first setting ownership:

sudo chown root:root /usr/bin/bwrap

... then setting permissions:

sudo chmod 0755 /usr/bin/bwrap

or both actions at once with:

sudo dpkg-statoverride --update --add root root 0755 /usr/bin/bwrap
Raffa
  • 34,963
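The checks in Notes #3 and #4 above (root:root ownership, mode 0755, no setuid bit, unprivileged user namespaces enabled) can be scripted so the state of the binary is verified before and after running the chown/chmod or dpkg-statoverride commands. The script below is an added example, not part of the question or the answer; it assumes GNU stat, and uses getcap (from libcap) only if it is installed, so a missing getcap is reported as "no file capabilities" rather than failing. The path and the expected owner are arguments, so it can be pointed at any copy of bwrap.

```shell
#!/bin/sh
# Added diagnostic (not from the original post): report whether a bwrap
# binary is in the default packaged state that Note #4 describes.
# Assumptions: GNU coreutils stat; getcap is optional; the Ubuntu-specific
# sysctl kernel.unprivileged_userns_clone may be absent on other kernels.

file_mode() {
    # numeric mode including the setuid/setgid/sticky digit: "755" or "4755"
    stat -c '%a' "$1"
}

file_owner() {
    # owner and group as names, e.g. "root:root"
    stat -c '%U:%G' "$1"
}

is_setuid() {
    # a four-digit mode whose leading digit has the 4 bit set is setuid
    case "$(file_mode "$1")" in
        4???|5???|6???|7???) return 0 ;;
        *) return 1 ;;
    esac
}

has_file_caps() {
    # getcap prints nothing for a file with no capabilities attached;
    # without getcap we cannot tell, so assume none
    command -v getcap >/dev/null 2>&1 || return 1
    [ -n "$(getcap "$1" 2>/dev/null)" ]
}

userns_enabled() {
    # the sysctl shown in the question; a missing key counts as "not 1"
    [ "$(sysctl -n kernel.unprivileged_userns_clone 2>/dev/null)" = "1" ]
}

check_bwrap() {
    # usage: check_bwrap /usr/bin/bwrap [owner:group]
    # returns 0 only when the owner matches, the mode is exactly 755 and
    # no file capabilities are attached; every deviation is printed
    path=$1
    want_owner=${2:-root:root}
    ok=0
    [ -x "$path" ] || { echo "missing or not executable: $path"; return 1; }
    if [ "$(file_owner "$path")" != "$want_owner" ]; then
        echo "owner is $(file_owner "$path"), expected $want_owner"
        ok=1
    fi
    if is_setuid "$path"; then
        echo "setuid bit is set (mode $(file_mode "$path")); bwrap will warn"
        ok=1
    elif [ "$(file_mode "$path")" != "755" ]; then
        echo "mode is $(file_mode "$path"), expected 755"
        ok=1
    fi
    if has_file_caps "$path"; then
        echo "file capabilities attached: $(getcap "$path")"
        ok=1
    fi
    userns_enabled || echo "note: kernel.unprivileged_userns_clone is not 1 (or absent)"
    return $ok
}

# Typical use on the system from the question:
#   check_bwrap /usr/bin/bwrap && echo "bwrap is in the default packaged state"
```

Run it before and after `sudo dpkg-statoverride --update --add root root 0755 /usr/bin/bwrap`; a clean exit status with no lines printed means the binary matches the default the answer describes, and the chmod 4755 workaround from the question is reported as the setuid deviation it is.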