Can't get flatpak running

Alexander Larsson alexl at redhat.com
Mon Jun 27 07:52:37 UTC 2016


On Fri, 2016-06-24 at 16:17 +0200, Bastien Nocera wrote:
> Hey,
> 
> A short list 
> 
> On Fri, 2016-06-24 at 01:30 +0200, Bastien Nocera wrote:
> <snip>
> > 
> 
> > As a normal user:
> > $ flatpak run org.gnome.clocks
> > Can't mount devpts on /newroot/dev/pts: Operation not permitted
> > Can't read from privileged_op_socket
> > 
> > As root:
> > # flatpak run org.gnome.clocks
> > error: No systemd user session available, sandboxing not available
> 
> Lie, that's as a sudo. Same problem as a normal user when logged in as
> root.
> 
> After linking the flatpak provided bwrap in /usr/bin and installing the
> "bats" test suite, this test suite runs without problems:
> https://anonscm.debian.org/cgit/collab-maint/bubblewrap.git/tree/debian/tests
> 
> This shows all the mounts are shared:
> $ cat /proc/self/mountinfo | grep -v shared
> $
> 
> I have a systemd --user created for my user, and the cgroup is visible
> in systemd-cgls.
> 
> "/" is not mounted with nosuid. flatpak-bwrap is suid.
> 
> The kernel is a vendor kernel, 4.3.0 but surprisingly close to the
> Linus kernel, with just hardware enablement patches:
> https://github.com/NextThingCo/CHIP-linux
> 
> Mounting a new devpts works outside the sandbox:
> # mount -t devpts devpts "/foo" -o "newinstance,ptmxmode=0666,mode=6,nosuid,noexec"
> 
> But doesn't within flatpak:
> mount("devpts", "/newroot/dev/pts", "devpts", MS_MGC_VAL|MS_NOSUID|MS_NOEXEC, "newinstance,ptmxmode=0666,mode=6"...) = -1 EPERM (Operation not permitted)

That is very weird, because the above linked test:
https://anonscm.debian.org/cgit/collab-maint/bubblewrap.git/tree/debian/tests/dev

seems to use --dev, which is what flatpak uses, and which is triggering
the above devpts mount.

Maybe you can edit common/flatpak-run.c to print the argument list to
bwrap before execing it. Then you can build up a minimal commandline
arg list that makes it fail.
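The checks Bastien ran by hand (shared mount propagation, nosuid on "/", setuid bit on bwrap, a systemd --user session) and the minimal bwrap command line Alexander suggests building, collected into one diagnostic script. This is an added example, not code from the thread, from flatpak or from bubblewrap. The mountinfo lines it parses are constructed sample data; the bwrap flags it uses (--ro-bind, --dev, --unshare-pid) are assumed to be present in the installed bwrap, and the systemd --user check assumes the manager's socket lives at $XDG_RUNTIME_DIR/systemd/private.

```shell
#!/bin/sh
# Added diagnostic helper (not from the thread, flatpak or bubblewrap).
# The parsing functions work on text so they can be exercised on sample
# data; live_report and minimal_dev_test run against the real system.

# Constructed sample of /proc/self/mountinfo: three mounts with a
# "shared:N" peer-group tag and one ("/dev") without it.
SAMPLE_MOUNTINFO='21 26 0:19 / /sys rw,nosuid,nodev,noexec,relatime shared:7 - sysfs sysfs rw
26 0 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw,errors=remount-ro
30 26 0:5 / /dev rw,nosuid,relatime - devtmpfs udev rw,size=10240k
31 30 0:18 / /dev/pts rw,nosuid,noexec,relatime shared:3 - devpts devpts rw,gid=5,mode=620'

# Print every mount point (field 5) whose optional fields (field 7 up to
# the "-" separator) carry no "shared:N" tag. The thread's `grep -v shared`
# is a looser version of this: "shared" could also appear in a path.
unshared_mounts() {
    printf '%s\n' "$1" | awk '{
        shared = 0
        for (i = 7; i <= NF && $i != "-"; i++)
            if ($i ~ /^shared:/) shared = 1
        if (!shared) print $5
    }'
}

# Exit 0 when the given mount point carries nosuid in its per-mount
# options (field 6). A nosuid "/" makes a setuid flatpak-bwrap useless.
mount_has_nosuid() { # $1 = mountinfo text, $2 = mount point
    printf '%s\n' "$1" | awk -v mp="$2" '
        $5 == mp { n = split($6, o, ","); for (i = 1; i <= n; i++) if (o[i] == "nosuid") found = 1 }
        END { exit found ? 0 : 1 }'
}

# Exit 0 when the file exists and has the setuid bit.
is_setuid() { [ -f "$1" ] && [ -u "$1" ]; }

# Run the same checks against the running system.
live_report() {
    info=$(cat /proc/self/mountinfo)
    echo "mounts without shared propagation:"
    unshared_mounts "$info" | sed 's/^/  /'
    if mount_has_nosuid "$info" /; then
        echo "WARNING: / is mounted nosuid"
    fi
    for b in /usr/bin/bwrap /usr/bin/flatpak-bwrap; do
        [ -e "$b" ] || continue
        if is_setuid "$b"; then echo "$b is setuid"; else echo "$b is not setuid"; fi
    done
    # Assumption: a running systemd --user manager listens on this socket.
    if [ -n "${XDG_RUNTIME_DIR:-}" ] && [ -S "$XDG_RUNTIME_DIR/systemd/private" ]; then
        echo "systemd --user session found"
    else
        echo "no systemd --user session socket found"
    fi
}

# Smallest bwrap command line that still performs the --dev setup from the
# thread; if this alone fails, the problem is not in flatpak's argument list.
minimal_dev_test() {
    command -v bwrap >/dev/null 2>&1 || { echo "bwrap not in PATH"; return 2; }
    bwrap --ro-bind / / --dev /dev --unshare-pid true \
        && echo "--dev works" \
        || echo "--dev fails (exit status $?)"
}

# Demonstration on the constructed sample; the live functions are left for
# the caller to invoke (e.g. `live_report; minimal_dev_test`).
printf 'sample mounts without shared propagation: %s\n' "$(unshared_mounts "$SAMPLE_MOUNTINFO")"
```

Run `live_report` first: an empty "mounts without shared propagation" list together with a non-nosuid "/" and a setuid flatpak-bwrap reproduces the state Bastien describes, and `minimal_dev_test` then narrows the failure to the --dev handling in bwrap itself rather than to the argument list flatpak-run.c builds.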




More information about the xdg-app mailing list