Does not work with Cisco Webex (LD_PRELOAD issue?)

[vincentbernat]

Hey!

I am trying to turn Cisco WebEx into a Flatpak and I am having trouble with the sandboxing.

Zypak is unable to detect the call to sandbox. If I strace the host, I get:

[pid   269] futex(0x7fff245d1ec8, FUTEX_WAIT_PRIVATE, 0, NULL <unfinished ...>
[pid   272] <... set_robust_list resumed>) = 0
[pid   272] mmap(NULL, 134217728, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_NORESERVE, -1, 0) = 0x7fe8bee10000
[pid   272] munmap(0x7fe8bee10000, 18808832) = 0
[pid   272] munmap(0x7fe8c4000000, 48300032) = 0
[pid   272] mprotect(0x7fe8c0000000, 135168, PROT_READ|PROT_WRITE) = 0
[pid   272] gettid()                    = 272
[pid   272] stat("/sys/fs/cgroup/cpuset/chrome", 0x7fe8c760fc90) = -1 ENOENT (No such file or directory)
[pid   272] stat("/sys/fs/cgroup/schedtune/chrome", 0x7fe8c760fc90) = -1 ENOENT (No such file or directory)
[pid   272] setpriority(PRIO_PROCESS, 0, 0) = 0
[pid   272] getpid()                    = 269
[pid   272] prctl(PR_SET_NAME, "sandbox_ipc_thr"...) = 0
[pid   272] futex(0x7fff245d1ec8, FUTEX_WAKE_PRIVATE, 2147483647) = 1
[pid   269] <... futex resumed>)        = 0
[pid   272] poll([{fd=19, events=POLLIN}, {fd=18, events=POLLIN}], 2, -1 <unfinished ...>
[pid   269] futex(0x7fff245d1e78, FUTEX_WAKE_PRIVATE, 1) = 0
[pid   269] getresuid([500], [500], [500]) = 0
[pid   269] getresgid([100], [100], [100]) = 0
[pid   269] access("/app/Webex/bin/chrome-sandbox", F_OK) = -1 ENOENT (No such file or directory)
[pid   269] stat("/proc/self/exe", {st_mode=S_IFREG|0755, st_size=14320, ...}) = 0
[pid   269] getuid()                    = 500
[pid   269] getresuid([500], [500], [500]) = 0
[pid   269] getresgid([100], [100], [100]) = 0
[pid   269] clone(child_stack=0x7fff245d1cf0, flags=CLONE_NEWUSER|SIGCHLD) = -1 EPERM (Operation not permitted)
[pid   269] futex(0x7fe8ebfa7580, FUTEX_WAKE_PRIVATE, 2147483647) = 0
[pid   269] write(2, "[0728/171833.442947:FATAL:zygote"..., 354) = 354
[pid   269] --- SIGTRAP {si_signo=SIGTRAP, si_code=SI_KERNEL} ---
[pid   272] <... poll resumed> <unfinished ...>) = ?
[pid   271] <... futex resumed>)        = ?
[pid   272] +++ killed by SIGTRAP (core dumped) +++
[pid   271] +++ killed by SIGTRAP (core dumped) +++
[pid   269] +++ killed by SIGTRAP (core dumped) +++

I think the main issue is that it uses a library instead of the dynamic linker to find dependencies:

[pid   269] openat(AT_FDCWD, "/app/Webex/lib/libWebexAppLoader.so", O_RDONLY|O_CLOEXEC) = 5
[pid   269] read(5, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\0\6\0\0\0\0\0\0"..., 832) = 832
[pid   269] fstat(5, {st_mode=S_IFREG|0644, st_size=6088, ...}) = 0
[pid   269] mmap(NULL, 2101312, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 5, 0) = 0x7fe8f85ef000
[pid   269] mprotect(0x7fe8f85f0000, 2093056, PROT_NONE) = 0
[pid   269] mmap(0x7fe8f87ef000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 5, 0) = 0x7fe8f87ef000
[pid   269] close(5)                    = 0

Neither the library nor the main binary has any dependencies, except the libc (from a linker point of view). At some point, the lib will load and mmap the "main" library (the ones that is linked to libcef).

[pid   269] openat(AT_FDCWD, "/app/Webex/lib/libspark-windows-desktop-ui.so", O_RDONLY|O_CLOEXEC) = 3
[pid   269] read(3, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\260+\347\0\0\0\0\0"..., 832) = 832
[pid   269] fstat(3, {st_mode=S_IFREG|0644, st_size=186998376, ...}) = 0
[pid   269] mmap(NULL, 191891288, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7fe8eceee000
[pid   269] mprotect(0x7fe8f7eab000, 2093056, PROT_NONE) = 0
[pid   269] mmap(0x7fe8f80aa000, 2727936, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0xafbc000) = 0x7fe8f80aa000
[pid   269] mmap(0x7fe8f8344000, 2795352, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7fe8f8344000
[pid   269] close(3)                    = 0

I think this messes with the way symbols are searched through libraries.

What would be the best way to debug this in a more meaningful way? As it is trying to execute chrome-sandbox, I was hoping it would be possible to do something here.

[vincentbernat]

For reference, here is my current YAML:

app-id: com.cisco.Webex
runtime: org.freedesktop.Platform
runtime-version: '20.08'
sdk: org.freedesktop.Sdk
command: webex
tags:
  - proprietary
finish-args:
  - "--share=ipc"
  - "--socket=x11"
  - "--socket=pulseaudio"
  - "--share=network"
  - "--device=all"
  - "--talk-name=org.freedesktop.Notifications"
  - "--talk-name=org.freedesktop.secrets"
modules:
  - libsecret.json
  - name: zypak
    sources:
      - type: git
        url: https://github.com/refi64/zypak
        tag: v2021.06
  - name: webex
    buildsystem: simple
    build-commands:
      - ar x Webex.deb
      - tar xf data.tar.xz
      - cp -r opt/Webex $FLATPAK_DEST/Webex
      - rm $FLATPAK_DEST/Webex/lib/libstdc++.so.6
      - chmod -R a-s,go+rX,go-w $FLATPAK_DEST/Webex
      - install -Dm755 webex.sh $FLATPAK_DEST/bin/webex
      - touch $FLATPAK_DEST/Webex/deb.dat
    sources:
      - type: script
        dest-filename: webex.sh
        commands:
          - export TMPDIR="$XDG_RUNTIME_DIR/app/$FLATPAK_ID"
          - exec zypak-wrapper /app/Webex/bin/CiscoCollabHost "$@"
      - type: file
        only-arches:
          - x86_64
        url: https://binaries.webex.com/WebexDesktop-Ubuntu-Official-Package/Webex.deb
        sha256: 5b15f4f71024685baa3675e2e1f33d0572cb75943b618ccf67673b04c70904cc
        size: 216175364

[refi64]

Apologies for missing this issue previously!

It looks like WebEx is using fork + execve to start the actual main process, which breaks things because Zypak clears LD_PRELOAD for child processes. I'm not sure if this is a CEF thing in general, but it's definitely something I can add support for over here.

[lhw]

Would be great. WebEx is terrible with keeping its files stored in an appropriate location. Was about to post the same information. But looks like Vincent beat me to it by a few months.

[vincentbernat]

@refi64 Is there an easy way to experiment on your proposition to see if it fixes the issue?

[refi64]

I just pushed my code to the webex branch, you need to run Zypak with ZYPAK_QUIRKS=webex-trampoline to test it.

[vincentbernat]

Here is my current version:

app-id: com.cisco.Webex
runtime: org.freedesktop.Platform
runtime-version: '21.08'
sdk: org.freedesktop.Sdk
command: webex
tags:
  - proprietary
finish-args:
  - "--share=ipc"
  - "--socket=x11"
  - "--socket=pulseaudio"
  - "--share=network"
  - "--device=all"
  - "--talk-name=org.freedesktop.Notifications"
  - "--talk-name=org.freedesktop.secrets"
modules:
  - libsecret.json
  - name: zypak
    sources:
      - type: git
        url: https://github.com/refi64/zypak
        tag: webex
  - name: webex
    buildsystem: simple
    build-commands:
      - ar x Webex.deb
      - tar xf data.tar.xz
      - cp -r opt/Webex $FLATPAK_DEST/Webex
      - rm $FLATPAK_DEST/Webex/lib/libstdc++.so.6
      - chmod -R a-s,go+rX,go-w $FLATPAK_DEST/Webex
      - install -Dm755 webex.sh $FLATPAK_DEST/bin/webex
      - touch $FLATPAK_DEST/Webex/deb.dat
    sources:
      - type: script
        dest-filename: webex.sh
        commands:
          - export TMPDIR="$XDG_RUNTIME_DIR/app/$FLATPAK_ID"
          - exec env ZYPAK_QUIRKS=webex-trampoline zypak-wrapper /app/Webex/bin/CiscoCollabHost "$@"
      - type: file
        only-arches:
          - x86_64
        url: https://binaries.webex.com/WebexDesktop-Ubuntu-Official-Package/Webex.deb
        sha256: 5c54df0f70804ad1e8c8e49db8a207941fc038a15afeaf550614ae5ed1aad42d
        size: 292685338

And I get:

ERROR: ld.so: object '/app/bin/../lib/libzypak-preload-quirks-webex-trampoline.so' from LD_PRELOAD cannot be preloaded (cannot open shared object file): ignored.

I only get these files:

build~/files/lib/libzypak-preload-child-mimic-strategy.so
build~/files/lib/libzypak-preload-child.so
build~/files/lib/libzypak-preload-child-spawn-strategy.so
build~/files/lib/libzypak-preload-host.so
build~/files/lib/libzypak-preload-host-spawn-strategy.so

Maybe I missed something obvious?

[Meister1593]

Here is my current version:

app-id: com.cisco.Webex
runtime: org.freedesktop.Platform
runtime-version: '21.08'
sdk: org.freedesktop.Sdk
command: webex
tags:
  - proprietary
finish-args:
  - "--share=ipc"
  - "--socket=x11"
  - "--socket=pulseaudio"
  - "--share=network"
  - "--device=all"
  - "--talk-name=org.freedesktop.Notifications"
  - "--talk-name=org.freedesktop.secrets"
modules:
  - libsecret.json
  - name: zypak
    sources:
      - type: git
        url: https://github.com/refi64/zypak
        tag: webex
  - name: webex
    buildsystem: simple
    build-commands:
      - ar x Webex.deb
      - tar xf data.tar.xz
      - cp -r opt/Webex $FLATPAK_DEST/Webex
      - rm $FLATPAK_DEST/Webex/lib/libstdc++.so.6
      - chmod -R a-s,go+rX,go-w $FLATPAK_DEST/Webex
      - install -Dm755 webex.sh $FLATPAK_DEST/bin/webex
      - touch $FLATPAK_DEST/Webex/deb.dat
    sources:
      - type: script
        dest-filename: webex.sh
        commands:
          - export TMPDIR="$XDG_RUNTIME_DIR/app/$FLATPAK_ID"
          - exec env ZYPAK_QUIRKS=webex-trampoline zypak-wrapper /app/Webex/bin/CiscoCollabHost "$@"
      - type: file
        only-arches:
          - x86_64
        url: https://binaries.webex.com/WebexDesktop-Ubuntu-Official-Package/Webex.deb
        sha256: 5c54df0f70804ad1e8c8e49db8a207941fc038a15afeaf550614ae5ed1aad42d
        size: 292685338

And I get:

ERROR: ld.so: object '/app/bin/../lib/libzypak-preload-quirks-webex-trampoline.so' from LD_PRELOAD cannot be preloaded (cannot open shared object file): ignored.

I only get these files:

build~/files/lib/libzypak-preload-child-mimic-strategy.so
build~/files/lib/libzypak-preload-child.so
build~/files/lib/libzypak-preload-child-spawn-strategy.so
build~/files/lib/libzypak-preload-host.so
build~/files/lib/libzypak-preload-host-spawn-strategy.so

Maybe I missed something obvious?

Makefile didn't include library at the end and thus, it wasn't preloaded properly

You can try using this script for now, with fix for makefile (and libsecret from main webex flatpak repo)

Overall, chat functions work fine, didn't check anything else yet, but i noticed that avatars aren't loading and only show up as name/surname (only group chats avatars work)

app-id: com.cisco.Webex
runtime: org.freedesktop.Platform
runtime-version: '21.08'
sdk: org.freedesktop.Sdk
command: webex
tags:
  - proprietary
finish-args:
  - "--share=ipc"
  - "--socket=x11"
  - "--socket=pulseaudio"
  - "--share=network"
  - "--device=all"
  - "--talk-name=org.freedesktop.Notifications"
  - "--talk-name=org.freedesktop.secrets"
modules:
  - name: libsecret
    buildsystem: meson
    config-opts:
      - "-Dmanpage=false"
      - "-Dvapi=false"
      - "-Dgtk_doc=false"
    cleanup:
      - "/bin"
      - "/include"
      - "/lib/pkgconfig"
      - "/share/gir-1.0"
      - "/share/man"
    sources:
    - type: archive
      url: https://download.gnome.org/sources/libsecret/0.19/libsecret-0.19.1.tar.xz
      sha256: 8583e10179456ae2c83075d95455f156dc08db6278b32bf4bd61819335a30e3a 
  - name: zypak
    sources:
      - type: git
        url: https://github.com/Meister1593/zypak
        branch: webex
  - name: webex
    buildsystem: simple
    build-commands:
      - ar x Webex.deb
      - tar xf data.tar.xz
      - cp -r opt/Webex $FLATPAK_DEST/Webex
      - rm $FLATPAK_DEST/Webex/lib/libstdc++.so.6
      - chmod -R a-s,go+rX,go-w $FLATPAK_DEST/Webex
      - install -Dm755 webex.sh $FLATPAK_DEST/bin/webex
      - touch $FLATPAK_DEST/Webex/deb.dat
    sources:
      - type: script
        dest-filename: webex.sh
        commands:
          - export TMPDIR="$XDG_RUNTIME_DIR/app/$FLATPAK_ID"
          - export ZYPAK_QUIRKS=webex-trampoline
          - exec zypak-wrapper /app/Webex/bin/CiscoCollabHost "$@"
      - type: file
        only-arches:
          - x86_64
        url: https://binaries.webex.com/WebexDesktop-Ubuntu-Official-Package/Webex.deb
        sha256: 5c54df0f70804ad1e8c8e49db8a207941fc038a15afeaf550614ae5ed1aad42d
        size: 292685338

I'm going to make pull request from my zypak repo into main one to fix this

[vincentbernat]

@Meister1593 It works with your change. Thanks! For some reason, the webcam does not work. @refi64 any chance to merge your branch to master?

Edit: webcam works when disabling HD.

[wshanks]

Are any of you still using Webex in a flatpak? I was trying to get it working in flathub/flathub#2654 but currently, after I sign in, I get a message that it "Failed to initialize the Spark local database" with just a Close button that exits the app

[vincentbernat]

I didn't try since a long time. At the time, the app was just a more buggy version of the web app.

[wshanks]

I didn't try since a long time. At the time, the app was just a more buggy version of the web app.

Many people still feel that way 🙁 . It is a lot less buggy than it used to be (doesn't crash much for me and the audio/video quality is fine), but it still lacks key features that the web app has like chat and screen sharing on Wayland (I think; I still use X). When I don't need chat, I find it convenient to have Webex in a separate window that is easier to switch to than a browser tab / second window, and I like the pop ups the app makes for joining meetings when they start.

[diegofn]

Hello I tested the latest Webex Version but I get the following error:

Invalid fd assignment: /app/Webex/bin/CiscoCollabHost

Do you know how can solve this? or finally the better way is use the web.webex.com in the web browser?

Thanks for your help.

[wshanks]

@diegofn The browser is definitely the more smooth experience. Cisco first released the Linux client multiple years ago and still has yet to add support for in-meeting chat, which gives an indication for how much Cisco values the Linux client. When you are regularly in meetings with 4+ other people using clients that support chat, you realize that it is impossible to use the Linux client as you miss links and other context that people add to the chat. I have not tested building the flatpak recently but I would if they added chat support. I do not like using the deb/rpm from Cisco because I found that it would download 100+ MB binaries into my home directory (I think updating parts of itself dynamically), so I would prefer to keep it sandboxed from the rest of my system if using it.

One note about the browser version: for me on Firefox, it takes five minutes for the stream to appear when someone share's their screen. I just live with this but I have heard it works flawlessly in Chromium based browsers. The streams of other users' webcams work fine in Firefox.

[nr23730]

Unfortunately the browser does not offer the SIP and voicemail functionality. Therefore I am forced to use the Desktop client.
I rebased the current main branch of zypak with the webex branch: 348de7b
That gave me once a

[3 zypak-helper] Wait found events, but sd-event found none

Apart from that no erros, but Webex still not starting (tried with and without ZYPAK_QUIRKS=webex-trampoline).

By the way: For now I run a distrobox with ubuntu - that also works.