[GH-ISSUE #6681] element-desktop: program does not start (apparmor + electron) #3334

Open
opened 2026-05-05 09:55:21 -06:00 by gitea-mirror · 12 comments

Originally created by @leukimi on GitHub (Mar 13, 2025).
Original GitHub issue: https://github.com/netblue30/firejail/issues/6681

Description

firejail element-desktop does not start on Xubuntu 24.04.

...
Warning: networking feature is disabled in Firejail configuration file
Warning: An abstract unix socket for session D-BUS might still be available.
[FATAL:setuid_sandbox_host.cc(163)] The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. You need to make sure that /opt/Element/chrome-sandbox is owned by root and has mode 4755.
...

Steps to Reproduce

Steps to reproduce the behavior

  1. Run in bash LC_ALL=C firejail /usr/bin/element-desktop (or LC_ALL=C firejail /opt/Element/element-desktop)
  2. See error /opt/Element/chrome-sandbox ... owned by root ... mode 4755

Expected behavior

element-desktop window opens and app functions as normal

Actual behavior

app crash: aborting...

Behavior without a profile

Calling LC_ALL=C firejail --noprofile /usr/bin/element-desktop (or LC_ALL=C firejail --noprofile /opt/Element/element-desktop) in a terminal makes app work as expected.

Environment

  • Linux kernel: Linux 6.11.0-19-generic x86_64
  • Linux distribution: Xubuntu 24.04
  • package: element-desktop 1.11.95
  • Version of Firejail: 0.9.72

Checklist

  • The issue is caused by firejail.
  • I can reproduce the issue without custom modifications.
  • The program has a profile.
  • The profile (and redirect profile if exists) hasn't already been fixed upstream (https://github.com/netblue30/firejail/tree/master/etc).
  • I have performed a short search for similar issues (to avoid opening a duplicate).

Log

Output of LC_ALL=C firejail /usr/bin/element-desktop

$ firejail element-desktop
Reading profile /etc/firejail/element-desktop.profile
Reading profile /etc/firejail/riot-desktop.profile
Reading profile /etc/firejail/riot-web.profile
Reading profile /etc/firejail/electron.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Warning: networking feature is disabled in Firejail configuration file
Parent pid 29020, child pid 29024
Private /opt installed in 2263.67 ms
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Child process initialized in 2650.32 ms
[7:0313/150240.043565:FATAL:setuid_sandbox_host.cc(163)] The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. You need to make sure that /opt/Element/chrome-sandbox is owned by root and has mode 4755.
Parent is shutting down, bye..

Output of LC_ALL=C firejail --debug /usr/bin/element-desktop

debug.log: https://github.com/user-attachments/files/19230554/debug.log


@kmk3 commented on GitHub (Mar 14, 2025):

> [FATAL:setuid_sandbox_host.cc(163)] The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. You need to make sure that /opt/Element/chrome-sandbox is owned by root and has mode 4755.

Looks similar to:

  • #3586

What is the output of the following?

sysctl kernel.unprivileged_userns_clone

Does it work with the following?

sudo sysctl kernel.unprivileged_userns_clone=1

@leukimi commented on GitHub (Mar 14, 2025):

Same issue detected also in Ubuntu Budgie 24.04.

$ firejail element-desktop --no-sandbox seems to open the element-desktop window.

$ sysctl kernel.unprivileged_userns_clone
kernel.unprivileged_userns_clone = 1
$ sudo sysctl kernel.unprivileged_userns_clone=1
kernel.unprivileged_userns_clone = 1
$ firejail /usr/bin/element-desktop 
[... same behavior as before ...]
Warning: networking feature is disabled in Firejail configuration file
...
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
...
[7:0314/121721.399141:FATAL:setuid_sandbox_host.cc(163)] The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. You need to make sure that /opt/Element/chrome-sandbox is owned by root and has mode 4755.
Parent is shutting down, bye...

$ firejail element-desktop --no-sandbox
[ element-desktop window opens after a while and seems to work ]

@kmk3 commented on GitHub (Mar 14, 2025):

> Same issue detected also in Ubuntu Budgie 24.04.
>
> $ firejail element-desktop --no-sandbox seems to open the element-desktop window.
>
> $ sysctl kernel.unprivileged_userns_clone
> kernel.unprivileged_userns_clone = 1
> $ sudo sysctl kernel.unprivileged_userns_clone=1
> kernel.unprivileged_userns_clone = 1
> $ firejail /usr/bin/element-desktop
> [... same behavior as before ...]
> Warning: networking feature is disabled in Firejail configuration file
> ...
> Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
> ...
> [7:0314/121721.399141:FATAL:setuid_sandbox_host.cc(163)] The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. You need to make sure that /opt/Element/chrome-sandbox is owned by root and has mode 4755.
> Parent is shutting down, bye...
>
> $ firejail element-desktop --no-sandbox
> [ element-desktop window opens after a while and seems to work ]

Interesting.

For reference, this issue seems to affect other electron-based programs:

  • #4422

And there is a similar issue that affects webkit-based programs:

  • #2995

Note that there was an electron refactoring done in the current development
version.

Is there any change with firejail-git (https://github.com/netblue30/firejail?tab=readme-ov-file#building)?


@rusty-snake commented on GitHub (Mar 14, 2025):

Duplicate of #6368


@rusty-snake commented on GitHub (Mar 14, 2025):

Also see #6675


@kmk3 commented on GitHub (Mar 14, 2025):

> Duplicate of #6368

Can you clarify?

This seems to have been happening before AppArmor 4.x (such as with #4422) and
the error messages seem to be different.

@leukimi

Does anything change when running with --ignore=apparmor? Example:

LC_ALL=C firejail --ignore=apparmor /usr/bin/element-desktop

Are there recent audit messages when running sudo dmesg?

What is the output of the following?

ls -l /opt/Element/chrome-sandbox

@leukimi commented on GitHub (Mar 14, 2025):

LC_ALL=C firejail --ignore=apparmor /usr/bin/element-desktop opens the element-desktop window.

$ sudo dmesg | grep audit
[11000.374883] audit: type=1400 audit(1741951343.850:640): apparmor="AUDIT" operation="userns_create" class="namespace" info="Userns create - transitioning profile" profile="unconfined" pid=45962 comm="element-desktop" requested="userns_create" target="unprivileged_userns"
[11000.376913] audit: type=1400 audit(1741951343.852:641): apparmor="DENIED" operation="capable" class="cap" profile="unprivileged_userns" pid=45964 comm="element-desktop" capability=21  capname="sys_admin"

$ ls -l /opt/Element/chrome-sandbox
-rwxr-xr-x 1 root root 38224 mar 11 15:52 /opt/Element/chrome-sandbox

$ stat /opt/Element/chrome-sandbox
Access: (0755/-rwxr-xr-x)  Uid: (    0/    root)   Gid: (    0/    root)

@kmk3 commented on GitHub (Mar 14, 2025):

> LC_ALL=C firejail --ignore=apparmor /usr/bin/element-desktop opens the element-desktop window.
>
> $ sudo dmesg | grep audit
> [11000.374883] audit: type=1400 audit(1741951343.850:640): apparmor="AUDIT" operation="userns_create" class="namespace" info="Userns create - transitioning profile" profile="unconfined" pid=45962 comm="element-desktop" requested="userns_create" target="unprivileged_userns"
> [11000.376913] audit: type=1400 audit(1741951343.852:641): apparmor="DENIED" operation="capable" class="cap" profile="unprivileged_userns" pid=45964 comm="element-desktop" capability=21  capname="sys_admin"
>
> $ ls -l /opt/Element/chrome-sandbox
> -rwxr-xr-x 1 root root 38224 mar 11 15:52 /opt/Element/chrome-sandbox
>
> $ stat /opt/Element/chrome-sandbox
> Access: (0755/-rwxr-xr-x)  Uid: (    0/    root)   Gid: (    0/    root)

Thanks for the details.

To clarify, does the program just work normally with --ignore=apparmor?

If not, what is in the program output?

@rusty-snake

Thoughts on disabling apparmor on browser/electron profiles?

Or does the apparmor issue affect all profiles?


@leukimi commented on GitHub (Mar 14, 2025):

The program seems to work normally with --ignore=apparmor.

The program seems also to work normally with --no-sandbox.

It is a bit hard for me at this point to know if element-desktop works as "it should". For instance a user got automatically logged out when a computer rebooted. After re-install of element desktop, that logout behavior seems to be gone. At times it can be impossible to log in and one has to try many times. If these things are connected to firejail or only "bugs" and "glitches" is very hard to say. I have managed to get the basic things working like create a matrix:room, send a matrix:message and making a matrix:call both with firejail and without firejail.


@rusty-snake commented on GitHub (Mar 14, 2025):

> Or does the apparmor issue affect all profiles?

All that

  • have apparmor
  • do not have restrict-namespaces (i.e. unshare a new user namespace)
  • are used under a recent enough Ubuntu with pseudo-security garbage

> Thoughts on disabling apparmor on browser/electron profiles?

@leukimi can you try if --ignore=apparmor --apparmor-replace works.

Disabling apparmor, kicking out of firecfg, ... no real opinion and actually I don't care much.

> --no-sandbox

DON'T (except for testing)


@leukimi commented on GitHub (Mar 14, 2025):

LC_ALL=C firejail --ignore=apparmor --apparmor-replace /usr/bin/element-desktop works and app element-desktop opens and revives previous verified session.


@Nao-30 commented on GitHub (May 9, 2025):

Ubuntu 23.XX and higher versions implemented a stricter security model through AppArmor that specifically targets unprivileged user namespaces (see https://blog.mohammed-al-kebsi.space/post/understanding-ubuntu-24-04-appimage-sandbox-restrictions/).

You can review the full article.

For a complete understanding of this issue, including technical details and implementation specifics, you can take a look at:

Technical Deep Dive: https://blog.mohammed-al-kebsi.space/post/understanding-ubuntu-24-04-appimage-sandbox-restrictions/

For more direct practical solutions and the safest options, you can take a look at:

Practical Workarounds: https://blog.mohammed-al-kebsi.space/post/fix-appimage-sandbox-issues-ubuntu-24-04/


Basically the issue happens because AppImages are FUSE-mounted with nosuid; this prevents any set-UID helper from running.

Ubuntu’s default AppArmor policy also disallows unprivileged user namespaces

So now, as mentioned, the AppImage can use neither the kernel userns nor the setuid sandbox. In short, on Ubuntu 23.++ an electron AppImage is trapped: its chrome-sandbox can't be made set-UID on the FUSE mount, and userns is blocked (unless you add a custom AppArmor profile to allow it, as mentioned in the blog based on askubuntu.com: https://askubuntu.com/questions/1512287/obsidian-appimage-the-suid-sandbox-helper-binary-was-found-but-is-not-configu#:~:text=flags%3D%28default_allow%29%20).

By contrast, the .tar.gz release is simply unpacked onto a normal filesystem (e.g. /opt/void). This means its chrome-sandbox binary is on an ordinary ext4 (or similar) partition, not under a FUSE nosuid mount. A packager or user can then run:

sudo chown root:root /opt/void/chrome-sandbox 
sudo chmod 4755 /opt/void/chrome-sandbox

– granting it the correct owner and set-UID bit. Once the helper is root-owned and the correct permissions are set, the Chromium sandbox should run as intended. Because the tar.gz's files aren't subject to AppImage/AppArmor quirks and stuff, the sandbox must work normally after this fix

and ofc (No special AppArmor profile is needed for the tar install, unlike the AppImage case)

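As an added example (not code from this thread, from firejail or from Element), a small Python diagnostic that checks the three things kmk3 asked for above and that Nao-30's explanation turns on: whether chrome-sandbox is root-owned with mode 4755, whether the mount it sits on is nosuid (as an AppImage's FUSE mount is, which makes a setuid bit useless), and whether dmesg shows AppArmor moving the process into the unprivileged_userns profile and then denying it CAP_SYS_ADMIN. The audit lines are the two quoted in this thread; the /proc/self/mounts excerpt and the AppImage mount point name are constructed.

```python
import os
import re
import stat

# Constructed sample input: the two AppArmor audit lines quoted in this thread.
SAMPLE_DMESG = [
    '[11000.374883] audit: type=1400 audit(1741951343.850:640): apparmor="AUDIT" '
    'operation="userns_create" class="namespace" info="Userns create - transitioning profile" '
    'profile="unconfined" pid=45962 comm="element-desktop" requested="userns_create" '
    'target="unprivileged_userns"',
    '[11000.376913] audit: type=1400 audit(1741951343.852:641): apparmor="DENIED" '
    'operation="capable" class="cap" profile="unprivileged_userns" pid=45964 '
    'comm="element-desktop" capability=21  capname="sys_admin"',
]

# Constructed /proc/self/mounts excerpt: ext4 root plus an AppImage-style nosuid FUSE mount.
SAMPLE_MOUNTS = """\
/dev/nvme0n1p2 / ext4 rw,relatime,errors=remount-ro 0 0
Element.AppImage /tmp/.mount_ElemeXYZ12 fuse.squashfuse ro,nosuid,nodev,relatime,user_id=1000 0 0
"""

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_audit(line):
    """One kernel audit line -> dict of key=value fields, quotes stripped."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def apparmor_userns_findings(dmesg_lines):
    """Flag the pattern seen in this thread: AppArmor moves an unconfined process into
    'unprivileged_userns' on userns_create, then denies CAP_SYS_ADMIN inside it."""
    findings = []
    for line in dmesg_lines:
        f = parse_audit(line)
        if f.get('operation') == 'userns_create' and f.get('target') == 'unprivileged_userns':
            findings.append(('userns_restricted', f.get('comm'), f.get('pid')))
        elif f.get('apparmor') == 'DENIED' and f.get('profile') == 'unprivileged_userns':
            findings.append(('denied_in_unprivileged_userns', f.get('comm'),
                             f.get('capname') or f.get('operation')))
    return findings


def helper_problems(st_mode, st_uid):
    """What setuid_sandbox_host.cc demands of chrome-sandbox: root-owned, mode 4755."""
    problems = []
    if st_uid != 0:
        problems.append(f'owner uid is {st_uid}, expected root (0)')
    perm = stat.S_IMODE(st_mode)
    if not perm & stat.S_ISUID:
        problems.append('setuid bit is missing')
    if perm != 0o4755:
        problems.append(f'mode is {perm:04o}, expected 4755')
    return problems


def mount_has_nosuid(path, mounts_text):
    """Pick the longest mount point containing path; True if it is mounted nosuid."""
    best = None
    for entry in mounts_text.splitlines():
        parts = entry.split()
        if len(parts) < 4:
            continue
        mp, opts = parts[1], parts[3].split(',')
        if (path == mp or path.startswith(mp.rstrip('/') + '/')) and (
                best is None or len(mp) > len(best[0])):
            best = (mp, opts)
    return best is not None and 'nosuid' in best[1]


def diagnose(helper_path, dmesg_lines=()):
    """Run all three checks against a real helper on the local system."""
    try:
        st = os.stat(helper_path)
    except FileNotFoundError:
        return [f'{helper_path}: not found']
    report = helper_problems(st.st_mode, st.st_uid)
    with open('/proc/self/mounts') as fh:
        if mount_has_nosuid(helper_path, fh.read()):
            report.append('helper is on a nosuid mount, so its setuid bit is ignored')
    for kind, comm, detail in apparmor_userns_findings(dmesg_lines):
        report.append(f'apparmor: {kind} for {comm} ({detail})')
    return report
```

On a live system, call diagnose('/opt/Element/chrome-sandbox', dmesg_lines) with the lines of `sudo dmesg | grep audit`; an empty report means the setuid route is viable, while a userns_restricted finding explains why the kernel-namespace route failed first.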
Reference: github-starred/firejail#3334