IDE fails to start on Linux due to missing sandboxing #2429

Open
3 tasks done
AndKe opened this issue May 5, 2024 · 14 comments
Labels
os: linux Specific to Linux operating system topic: documentation Related to documentation for the project topic: infrastructure Related to project infrastructure type: imperfection Perceived defect in any part of project

Comments

@AndKe

AndKe commented May 5, 2024

Describe the problem

./arduino-ide_2.3.2_Linux_64bit.AppImage 
[49662:0505/163801.040968:FATAL:setuid_sandbox_host.cc(158)] The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. You need to make sure that /tmp/.mount_arduinl1RTCc/chrome-sandbox is owned by root and has mode 4755.
Trace/breakpoint trap (core dumped)

To reproduce

Start Arduino IDE on a Ubuntu 24.04 machine.

Expected behavior

Work as normal.

Arduino IDE version

2.3.2

Operating system

Linux

Operating system version

Ubuntu 24.04

Additional context

The fault occurs with both the AppImage and ZIP packages of Arduino IDE.

Additional reports

Issue checklist

  • I searched for previous reports in the issue tracker
  • I verified the problem still occurs when using the latest nightly build
  • My report contains all necessary details
@AndKe AndKe added the type: imperfection Perceived defect in any part of project label May 5, 2024
@mariovaldez

mariovaldez commented May 8, 2024

The issue is with the AppArmor configuration in Ubuntu 24.04, not the AppImage. The change in the configuration is explained in the release notes of Ubuntu 24.04 (security reasons).

Because this problem is caused by the OS configuration, I'm not sure what the Arduino IDE team can do, except for documenting the installation procedure.

You can disable the sandboxing restriction for all programs with:

sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0

or by adding to /etc/sysctl.d/local.conf:

kernel.apparmor_restrict_unprivileged_userns=0

But that defeats the purpose of the new AppArmor restriction in Ubuntu 24.04.

You can also create a new AppArmor profile for the Arduino IDE (that allows a non-root user to use the sandboxing in a specific application). If you copy the AppImage file to /usr/local/bin/arduino (this is the new name of the AppImage file), you can create an AppArmor profile with a configuration file, for example, in /etc/apparmor.d/usr.local.bin.arduino, containing:

abi <abi/4.0>,
include <tunables/global>
profile arduino /usr/local/bin/arduino flags=(unconfined) {
  userns,
  include if exists <local/arduino>
}

and reloading all AppArmor profiles with:

sudo service apparmor reload

Now you can run the Arduino IDE without the sandboxing error.

You could also run the Arduino IDE with the --no-sandbox option, but that is, in my opinion, a potentially very bad idea.

@AndKe
Author

AndKe commented May 8, 2024

@mariovaldez Thank you for a good explanation/solution.
Is this going to be easier / fixed in future releases? - so far, I have seen this issue with only two .AppImage applications.

The /usr/local/bin/arduino you refer to, is that a directory, or is arduino the actual arduino.AppImage?
I have a directory for all my AppImages. It would be tempting to make an AppArmor configuration file for all .AppImage files in that dir.

@mariovaldez

@AndKe I don't think this will change with later versions of Ubuntu. My understanding is that allowing normal users to use kernel namespaces has been considered a security risk (the kernel namespaces are used to create the sandbox in some AppImage applications). The change in the AppArmor configuration of Ubuntu is a mitigation for that risk.

Regarding the "/usr/local/bin/arduino" path, that's the program name I used. You can use any filename you like (for example, "/usr/local/bin/arduino.AppImage"). I used the "/usr/local/bin" directory just to follow the Linux FHS guidelines but you can install the program anywhere you want (I'm sure a lot of people prefer to install in /opt, or even in a per-user ~/opt or ~/bin directory).

Currently I'm using some other AppImage applications (ungoogled-chromium, teams-for-linux, upscayl) that also require their own AppArmor profile.

@AndKe
Author

AndKe commented May 9, 2024

@mariovaldez Thank you, sorry for asking a vague question. I did not mean to ask if it will change in future Ubuntu releases, but if the future Arduino IDE AppImage releases will require this fix in the foreseeable future. Or if some changes to the IDE will make this issue a thing of the past.

@mariovaldez

@AndKe The Arduino IDE 2 is really a Typescript/Javascript web application running locally with a Chromium engine (as an Electron app, in this case all packaged in an AppImage).

The Chromium engine uses the sandboxing to reduce security risks. There are several ways to implement the sandboxing. On Linux, the Chromium engine currently uses unprivileged kernel namespaces (in the past other ways have been used but I think they are deprecated now).

So, as long as the Arduino IDE uses the Chromium engine provided by the Electron framework, and as long as the Chromium engine requires unprivileged namespaces for the sandboxing, and as long as Ubuntu (or any other distribution) restricts the use of the namespaces, the apparmor profile is needed.

@AndKe
Author

AndKe commented May 20, 2024

Yes, unprivileged is deprecated now, but at least Ubuntu, when upgraded to 24.04, is still accepting unprivileged kernel namespaces, while new installations of the same distro enforce this.
This issue will only grow as time goes on. Also, it is more likely to annoy new Linux users (due to new installation).

@eccentricOrange

@mariovaldez AFAIK, other applications like VS Code also use the Electron+Chromium+NodeJS combination right? How do they get around this issue? I didn't have to muck around with this when installing VS Code in Ubuntu 24.04

(apologies if I seem ignorant of something, I am not a web developer and do not know about JS/TS-related concepts in depth)

@mariovaldez

@eccentricOrange I don't use VS Code but in the default Ubuntu 24.04 installation there are some AppArmor profiles already configured, among those there is one for VSCode (in the file /etc/apparmor.d/code).

See Launchpad bug # 2046844, specifically comment 37 about how to handle the installation of AppImage applications.

@eccentricOrange

Got it, thanks for the explanation!

@shaw-a

shaw-a commented Jun 3, 2024

Hi @mariovaldez, all,

I am using Ubuntu 24.04. I tried to use the AppArmor profile solution; I like the idea of complying with Canonical's security decisions rather than working around them. However, after following these steps, I still get the same error as in the original post.

  1. Download arduino-ide_2.3.2_Linux_64bit.AppImage
  2. sudo mkdir /usr/local/bin/arduino && sudo cp ~/Downloads/arduino-ide_2.3.2_Linux_64bit.AppImage /usr/local/bin/arduino/
  3. chmod +x /usr/local/bin/arduino/arduino-ide_2.3.2_Linux_64bit.AppImage
  4. create /etc/apparmor.d/usr.local.bin.arduino containing:
abi <abi/4.0>,
include <tunables/global>
profile arduino /usr/local/bin/arduino flags=(unconfined) {
  userns,
  include if exists <local/arduino>
} 
  5. reload AppArmor with sudo service apparmor reload

Now, when I run usr/local/bin/arduino/arduino-ide_2.3.2_Linux_64bit.AppImage I get the error:

/usr/local/bin/arduino/arduino-ide_2.3.2_Linux_64bit.AppImage
[5481:0603/171920.702980:FATAL:setuid_sandbox_host.cc(158)] The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. You need to make sure that /tmp/.mount_arduineWT4bK/chrome-sandbox is owned by root and has mode 4755.
Trace/breakpoint trap (core dumped)

Funnily enough, I am unable to run arduino as a command to launch the AppImage even though I expected to since /usr/local/bin is in my $PATH:

$ echo $PATH
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin

I'm not sure if this is related to why the solution did not work as expected and I wonder do you have any advice for what to try next.

So far I have tried:

  1. rebooting
  2. sudo apt update and sudo apt upgrade, then rebooting
  3. setting `PATH=$PATH'
  4. double checking all the paths and the contents of the /etc/apparmor.d/usr.local.bin.arduino file
  5. downloading the arduino appimage again and repeating the steps

@mariovaldez

@shaw-a the "/usr/local/bin/arduino" path I used in my example is actually the filename, not a directory (I just edited my previous comment to make that clear).

So, with your steps, it would be something like:

sudo cp ~/Downloads/arduino-ide_2.3.2_Linux_64bit.AppImage /usr/local/bin/arduino
chmod +x /usr/local/bin/arduino

You can use any filename you want, just make sure the filename in the AppArmor profile (the path after the word "profile") matches the executable filename.

Regarding the problem with the search path, the shell path search is not recursive, so it normally searches for executables (or symbolic links) only in the specified directories, not in subdirectories inside them. If you really want to have the executable file inside a subdirectory you can create a symbolic link in /usr/local/bin pointing to the executable in the subdirectory.

Of course you can do this differently, for example, if you would like to keep different versions of the Arduino IDE available, you could create an AppArmor profile with a wildcard path (so that you can keep the version number in the filename). This is also useful if you want to keep the filename with version number but don't want to keep updating the AppArmor profile every time you install a new version of the IDE. For example (assuming you keep the original filename and the executables are in /usr/local/bin/):

abi <abi/4.0>,
include <tunables/global>
profile arduino /usr/local/bin/arduino-ide* flags=(unconfined) {
  userns,
  include if exists <local/arduino>
}
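
The path-matching rule described in the comment above, as an added example that is not part of the original thread or of the Arduino IDE project: a shell check that extracts the attachment path from a profile file and tests whether a given executable path is covered by it. The function names are hypothetical, only the `*` and `**` globs are handled, and the sample profile is the one quoted in the thread, written to a temporary file.

```shell
#!/bin/sh
# Added example: does an AppArmor profile's attachment path cover the
# executable that is actually launched? (Function names are hypothetical.)

# Print the attachment path (the token after the profile name) of the
# first "profile NAME /path ..." line in profile file $1.
profile_attachment() {
    sed -n 's|^[[:space:]]*profile[[:space:]]\{1,\}[^[:space:]]\{1,\}[[:space:]]\{1,\}\(/[^[:space:]]*\).*|\1|p' "$1" | head -n 1
}

# Convert an AppArmor path glob to an anchored ERE.
#   **  ->  .*      (may cross directory separators)
#   *   ->  [^/]*   (stays inside one path component)
# Other glob syntax (?, [], {a,b}) is not handled in this example.
glob_to_ere() {
    printf '%s\n' "$1" | sed -e 's/[.+?()|$]/\\&/g' \
        -e 's/\*\*/<DS>/g' -e 's/\*/[^\/]*/g' -e 's/<DS>/.*/g' \
        -e 's/^/^/' -e 's/$/$/'
}

# Return 0 if executable path $2 is covered by the profile in file $1,
# 1 if it is not, 2 if no attachment path was found in the file.
profile_covers() {
    glob=$(profile_attachment "$1")
    [ -n "$glob" ] || return 2
    printf '%s\n' "$2" | grep -Eq -- "$(glob_to_ere "$glob")"
}

# Constructed sample: the profile from the thread, in a temporary file.
demo_profile=$(mktemp)
cat > "$demo_profile" <<'EOF'
abi <abi/4.0>,
include <tunables/global>
profile arduino /usr/local/bin/arduino flags=(unconfined) {
  userns,
  include if exists <local/arduino>
}
EOF
# First path: AppImage copied to the file /usr/local/bin/arduino.
# Second path: AppImage placed inside a directory of that name.
for exe in /usr/local/bin/arduino \
           /usr/local/bin/arduino/arduino-ide_2.3.2_Linux_64bit.AppImage; do
    if profile_covers "$demo_profile" "$exe"; then
        echo "covered:     $exe"
    else
        echo "NOT covered: $exe"
    fi
done
rm -f "$demo_profile"
```

On a real system, pass the file under /etc/apparmor.d/ and the resolved path of the executable (for example from `readlink -f`) instead of the constructed sample.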

@shaw-a

shaw-a commented Jun 4, 2024

Hi @mariovaldez,

I really appreciate your response and your explanation. Following this advice the solution works for me as expected and I can launch the arduino IDE from anywhere by typing the command arduino. It was a big aha moment when you mentioned that it was the file name. Thanks for explaining more about the symbolic links and AppArmor profile, I will definitely try those out.

Kind regards!

@per1234 per1234 changed the title from "2.3.2 AppImage fails to start due to missing sandboxing" to "IDE fails to start on Linux due to missing sandboxing" Jul 1, 2024
@per1234 per1234 added topic: documentation Related to documentation for the project topic: infrastructure Related to project infrastructure os: linux Specific to Linux operating system labels Jul 1, 2024
@zolki

zolki commented Nov 10, 2024

Thank you all for the help. My successful set-up with my /etc/apparmor.d/arduino-ide file is:

abi <abi/4.0>,
include <tunables/global>
profile arduino-ide* /opt/arduino-ide* flags=(unconfined) {
  userns,
  include if exists <local/arduino*>
}

I set the SUID attribute flag for the chrome-sandbox executable, the 4 ahead of 755, as the message recommended earlier: 4755, when the app could not run.

My chosen path was /opt/arduino-ide_2.3.3_Linux_64bit/ of the unzipped software package, containing also the arduino-ide executable file.

My desktop entry shortcut file is:

arduino-arduinoide.desktop

[Desktop Entry]
Type=Application
Name=Arduino IDE
GenericName=Arduino IDE
Comment=Open-source electronics prototyping platform
Exec=/opt/arduino-ide_2.3.3_Linux_64bit/arduino-ide
Icon=arduino-arduinoide
Terminal=false
Categories=Development;IDE;Electronics;
MimeType=text/x-arduino;
Keywords=embedded electronics;electronics;avr;microcontroller;
StartupWMClass=processing-app-Base

@martin3000

> You could also run the Arduino IDE with the --no-sandbox option, but that is, in my opinion, a potentially very bad idea.

Why should running an appimage without sandboxing be worse than running any other linux binary (without sudo)?
