Ubuntu 24.04: No usable sandbox!

[olodar]

OS/Platform

Debian, Ubuntu, and derivatives

Installed

https://ungoogled-software.github.io/ungoogled-chromium-binaries/

Version

123.0.6312.122-1

Have you tested that this is not an upstream issue or an issue with your configuration?

• I have tried reproducing this issue in Chrome and it could not be reproduced there
• I have tried reproducing this issue in vanilla Chromium and it could not be reproduced there
• I have tried reproducing this issue in ungoogled-chromium with a new and empty profile using --user-data-dir command line argument and it could not be reproduced there

Description

Ungoogled Chromium won't launch

How to Reproduce?

Try to run UC and see error:
[110483:110483:0415/143659.359212:FATAL:zygote_host_impl_linux.cc(127)] No usable sandbox! Update your kernel or see https://chromium.9oo91esource.qjz9zk/chromium/src/+/main/docs/linux/suid_sandbox_development.md for more information on developing with the SUID sandbox. If you want to live dangerously and need an immediate workaround, you can try using --no-sandbox.
Trace/breakpoint trap (core dumped)

Actual behaviour

Expected behaviour

Relevant log output

No response

Additional context

No response

[olodar]

OS Ubuntu 24.04, latest.

[networkException]

I have tried reproducing this issue in ungoogled-chromium with a new and empty profile using --user-data-dir command line argument and it could not be reproduced there

Did you just tick all the boxes or did you actually test that? In which case the problem would be with your default profile.

[olodar]

I have tried reproducing this issue in ungoogled-chromium with a new and empty profile using --user-data-dir command line argument and it could not be reproduced there

Did you just tick all the boxes or did you actually test that? In which case the problem would be with your default profile.

Of course I test all of this boxes. Chrome downloaded from official site, Chromium installed with 'chromium' package, and UC ungoogled-chromium_123.0.6312.122-1.AppImage

[berkley4]

Try running this.....

cat /proc/sys/kernel/unprivileged_userns_clone

For the sandbox to work the command should return a value of 1. If it's zero then run.....

sudo sysctl -w kernel.unprivileged_userns_clone=1

[olodar]

command should return a value of 1

cat /proc/sys/kernel/unprivileged_userns_clone
1

Yes, it returns 1.

[berkley4]

The only other problems I can think of is with the chrome-sandbox binary. You could try seeing if it's named properly (with a hypen '-', not an underscore '_').

Also see if it's got the correct permissions.....

stat -c %a /usr/lib/chromium/chrome-sandbox

This should return 4755. If it doesn't then you could try.....

chmod 4755 /usr/lib/chromium/chrome-sandbox

[olodar]

The only other problems I can think of is with the chrome-sandbox binary. You could try seeing if it's named properly (with a hypen '-', not an underscore '_').

Also see if it's got the correct permissions.....

stat -c %a /usr/lib/chromium/chrome-sandbox

This should return 4755. If it doesn't then you could try.....

chmod 4755 /usr/lib/chromium/chrome-sandbox

stat -c %a /usr/lib/chromium/chrome-sandbox
4755

But appimage version shouldn't depend from system chromium sandbox. Btw, on previous ubuntu release (mantic) everything working well. You better try by yourself - install daily kubuntu noble build in VM and try to run UC.

[mariovaldez]

I think this is related to the restrictions enabled in Ubuntu 24.04. See:
https://discourse.ubuntu.com/t/noble-numbat-release-notes/39890#security-improvements-14

It seems Ubuntu 24.04 already provides configuration profiles for some applications, including Chrome, that could be used as reference to create a profile for UC.

[mariovaldez]

Yeah, it works with an AppArmor profile.

I created a /etc/apparmor.d/usr.local.bin.ungoogled-chromium file with the following content:

abi <abi/4.0>,
include <tunables/global>
profile ungoogled-chromium /usr/local/bin/ungoogled-chromium flags=(unconfined) {
  userns,
  include if exists <local/ungoogled-chromium>
}

I used the AppImage executable, renamed to /usr/local/bin/ungoogled-chromium.

Then reloaded the profile with:

sudo apparmor_parser -r /etc/apparmor.d/usr.local.bin.ungoogled-chromium

And now UC works.

Note: I'm using Ubuntu Mate 24.04, but this should work with all Ubuntu "flavors".

[mariovaldez]

An alternative is to disable the restriction for all applications with:

sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0

or permanently by adding to /etc/sysctl.d/local.conf or similar configuration file:

kernel.apparmor_restrict_unprivileged_userns=0

[olodar]

Yeah, it works with an AppArmor profile.

I created a /etc/apparmor.d/usr.local.bin.ungoogled-chromium file with the following content:

abi <abi/4.0>,
include <tunables/global>
profile ungoogled-chromium /usr/local/bin/ungoogled-chromium flags=(unconfined) {
  userns,
  include if exists <local/ungoogled-chromium>
}

I used the AppImage executable, renamed to /usr/local/bin/ungoogled-chromium.

Then reloaded the profile with:

sudo apparmor_parser -r /etc/apparmor.d/usr.local.bin.ungoogled-chromium

And now UC works.

Note: I'm using Ubuntu Mate 24.04, but this should work with all Ubuntu "flavors".

Great, it works! Thanks!