Can't get flatpak running
Bastien Nocera
hadess at hadess.net
Fri Jun 24 14:17:22 UTC 2016
Hey,
A short list
On Fri, 2016-06-24 at 01:30 +0200, Bastien Nocera wrote:
<snip>
>
> As a normal user:
> $ flatpak run org.gnome.clocks
> Can't mount devpts on /newroot/dev/pts: Operation not permitted
> Can't read from privileged_op_socket
>
> As root:
> # flatpak run org.gnome.clocks
> error: No systemd user session available, sandboxing not available
Lie, that's as a sudo. Same problem as a normal user when logged in as
root.
After linking the flatpak provided bwrap in /usr/bin and installing the
"bats" test suite, this test suite runs without problems:
https://anonscm.debian.org/cgit/collab-maint/bubblewrap.git/tree/debian/tests
This shows all the mounts are shared:
$ cat /proc/self/mountinfo | grep -v shared
$
I have a systemd --user created for my user, and the cgroup is visible
in systemd-cgls.
"/" is not mounted with nosuid. flatpak-bwrap is suid.
The kernel is a vendor kernel, 4.3.0 but surprisingly close to the
Linus kernel, with just hardware enablement patches:
https://github.com/NextThingCo/CHIP-linux
Mounting a new devpts works outside the sandbox:
# mount -t devpts devpts "/foo" -o "newinstance,ptmxmode=0666,mode=6,nosuid,noexec"
But doesn't within flatpak:
mount("devpts", "/newroot/dev/pts", "devpts", MS_MGC_VAL|MS_NOSUID|MS_NOEXEC, "newinstance,ptmxmode=0666,mode=6"...) = -1 EPERM (Operation not permitted)
Any other ideas?
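
Added example, not part of the original message and not flatpak or bubblewrap code: a field-aware reading of /proc/self/mountinfo that reports mounts without a shared: propagation tag and whether "/" carries nosuid, the two mount properties checked above. The sample lines and all function names are constructed for illustration.

```python
import re
from typing import NamedTuple

# Constructed sample in /proc/self/mountinfo format (see proc(5)); not from the post.
SAMPLE = r"""17 1 179:2 / / rw,relatime shared:1 - ext4 /dev/root rw,data=ordered
18 17 0:5 / /dev rw,nosuid shared:2 - devtmpfs devtmpfs rw,mode=755
19 18 0:14 / /dev/pts rw,nosuid,noexec shared:3 - devpts devpts rw,mode=620
20 17 0:30 / /srv/shared\040data rw,nosuid - tmpfs tmpfs rw
"""

class Mount(NamedTuple):
    mount_point: str
    options: frozenset      # per-mount options (field 6): rw, nosuid, ...
    propagation: frozenset  # optional-field tags: shared, master, ...
    fstype: str

def _unescape(path):
    # The kernel writes space, tab, newline and backslash as \ooo octal escapes.
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), path)

def parse_mountinfo(text):
    mounts = []
    for line in text.splitlines():
        fields = line.split()
        # Optional fields (zero or more) run from field 7 up to a lone "-".
        if "-" not in fields[6:]:
            continue  # malformed or truncated line
        sep = fields.index("-", 6)
        if len(fields) <= sep + 1:
            continue  # nothing after the separator
        tags = frozenset(f.split(":")[0] for f in fields[6:sep])
        mounts.append(Mount(_unescape(fields[4]), frozenset(fields[5].split(",")),
                            tags, fields[sep + 1]))
    return mounts

def non_shared(mounts):
    """Mount points that lack a shared: propagation tag."""
    return [m.mount_point for m in mounts if "shared" not in m.propagation]

def root_is_nosuid(mounts):
    """True if the topmost mount on "/" carries nosuid (setuid bits are then ignored)."""
    roots = [m for m in mounts if m.mount_point == "/"]
    return bool(roots) and "nosuid" in roots[-1].options

if __name__ == "__main__":
    with open("/proc/self/mountinfo") as fh:
        live = parse_mountinfo(fh.read())
    print("not shared:", non_shared(live) or "none")
    print("/ mounted nosuid:", root_is_nosuid(live))
```

The fourth sample line has no propagation tag but contains the word "shared" in its path, so a plain text match on "shared" would not list it; matching on the optional fields does.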