7

After upgrading to 24.04, neither the Outline Client nor the Outline Manager AppImage works any more.

I did install libfuset64 as recommended in other places, but I get SUID permission errors.

    $ ./Outline-Client.AppImage
    [584847:1001/220953.594798:FATAL:setuid_sandbox_host.cc(157)] The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. You need to make sure that /tmp/.mount_Outlintr1Gf9/chrome-sandbox is owned by root and has mode 4755.
    [1]    584847 trace trap (core dumped)  ./Outline-Client.AppImage

If I run outline with ./Outline-Client.AppImage --no-sandbox then it works perfectly fine, but this is supposed to be much less secure.

I'm wondering if there is a way to run Outline without having to use the --no-sandbox flag.

Andre
  • 520

1 Answer

9

We should not disable AppArmor's user namespace restrictions completely on our system, as suggested in the answer to this question, since this would create security issues; please see this blog.

A better way is to create an AppArmor profile which allows the specific application to make use of unprivileged user namespaces.

Create the file /etc/apparmor.d/outline-client with the following content:

    # This profile allows everything and only exists to give the
    # application a name instead of having the label "unconfined"

    abi <abi/4.0>,
    include <tunables/global>

    profile outlineclient /path/to/Outline-Client.AppImage flags=(default_allow) {
      userns,

      # Site-specific additions and overrides. See local/README for details.
      include if exists <local/outline-client>
    }

Replace /path/to/Outline-Client.AppImage with the path to your appimage.

After saving the file run sudo systemctl reload apparmor.service or reboot to reload all apparmor profiles.

Done, enjoy your appimage...

Note: Moving the appimage to a different location later or changing its name makes it necessary to update your apparmor profile with the correct path and reload the apparmor profiles.


The apparmor package will never provide profiles for appimages because appimages are stored in arbitrary locations. We have to create our own profile. I tested this method with several appimages, and it works pretty well.

mook765
  • 18,644
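The answer's note says the profile stops applying once the AppImage is moved or renamed. The following is an added example, not part of the answer or of the apparmor package: a shell sketch that renders the same profile for an AppImage's resolved path and checks whether an existing profile file still points at it. The function names `render_profile` and `profile_matches` and the naming scheme derived from the file name are assumptions of this example.

```shell
# Added example: keep a per-AppImage AppArmor profile in sync with the file's location.

# Print a profile like the one in the answer for the AppImage at $1.
render_profile() {
    local path name
    path=$(realpath -- "$1") || return 1
    # The attachment path is parsed as an AppArmor glob. Refuse spaces and
    # metacharacters instead of emitting a rule that matches more than intended.
    case "$path" in
        *[!A-Za-z0-9/._+-]*) echo "unsupported character in path: $path" >&2; return 2 ;;
    esac
    # Profile name (assumed scheme): file name, lower-cased, non-alphanumerics -> "_"
    name=$(basename -- "$path" | tr -c 'A-Za-z0-9\n' '_' | tr 'A-Z' 'a-z')
    cat <<EOF
abi <abi/4.0>,
include <tunables/global>

profile $name $path flags=(default_allow) {
  userns,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/$name>
}
EOF
}

# Succeed only if profile file $1 attaches to the current real path of AppImage $2.
profile_matches() {
    local want got
    want=$(realpath -- "$2") || return 1
    # Header line has the form: profile <name> <path> flags=(...) {
    got=$(awk '$1 == "profile" { print $3; exit }' "$1")
    [ "$got" = "$want" ]
}

# Typical use (run by hand; writing under /etc/apparmor.d needs root):
#   render_profile ~/Apps/Outline-Client.AppImage | sudo tee /etc/apparmor.d/outline-client
#   sudo systemctl reload apparmor.service
#   profile_matches /etc/apparmor.d/outline-client ~/Apps/Outline-Client.AppImage \
#       || echo "profile path is stale, regenerate it"
```

Because the profile uses `flags=(default_allow)`, it only names the application and grants `userns`; a stale path means the AppImage runs unconfined again and the sandbox error from the question returns.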