Desktop: Resolves #9136: Install script: Work around unprivlidged user namespace restrictions by adding the --no-sandbox flag to the launcher (#9137)

2024-12-21 09:38:01 +02:00 · 2023-11-14 10:49:25 -08:00 · 2023-11-14 10:49:25 -08:00 · e61c4acce5
commit e61c4acce5
parent 184499711d
1 changed files with 8 additions and 1 deletions
--- a/Joplin_install_and_update.sh
+++ b/Joplin_install_and_update.sh
@ -205,9 +205,16 @@ if command -v lsb_release &> /dev/null; then
  # Check for "The SUID sandbox helper binary was found, but is not configured correctly" problem.
  # It is present in Debian 1X. A (temporary) patch will be applied at .desktop file
  # Linux Mint 4 Debbie is based on Debian 10 and requires the same param handling.
-  if [[ $DISTVER =~ Debian1. ]] || [ "$DISTVER" = "Linuxmint4" ] && [ "$DISTCODENAME" = "debbie" ] || [ "$DISTVER" = "CentOS" ] && [[ "$DISTMAJOR" =~ 6|7 ]]
+  #
+  # This also works around Ubuntu 23.10+'s restrictions on unprivileged user namespaces. Electron
+  # uses these to sandbox processes. Unfortunately, it doesn't look like we can get around this
+  # without writing the AppImage to a non-user-writable location (without invalidating other security
+  # controls). See https://discourse.joplinapp.org/t/possible-future-requirement-for-no-sandbox-flag-for-ubuntu-23-10/.
+  if [[ $DISTVER = "Ubuntu23.10" || $DISTVER =~ Debian1. || ( "$DISTVER" = "Linuxmint4" && "$DISTCODENAME" = "debbie" ) || ( "$DISTVER" = "CentOS" && "$DISTMAJOR" =~ 6|7 ) ]]
  then
    SANDBOXPARAM="--no-sandbox"
+    print "${COLOR_YELLOW}WARNING${COLOR_RESET} Electron sandboxing disabled."
+    print "    See https://discourse.joplinapp.org/t/32160/5 for details."
  fi
 fi