I have issues with Electron-based AppImages and their sandboxing
AppImages based on Electron require the kernel to be configured in a certain way to allow for its sandboxing to work as intended (specifically, the kernel needs to be allowed to provide “unprivileged namespaces”). Many distributions come with this configured out of the box (like Ubuntu for instance), but some do not (for example Debian).
Warning
Please note that the AppImage team does not provide any guarantees that enabling this feature is secure and safe. If in doubt, you need to contact your distribution first. If they enable those securely by default, all users can benefit from this feature.
Check if kernel is configured correctly already
To check if your distribution has unprivileged namespaces enabled, please run:
> sysctl kernel.unprivileged_userns_clone
kernel.unprivileged_userns_clone = 1
A 1
means that the unprivileged namespaces are enabled already, and you do not have to take any action.
A 0
indicates that the feature is available, but not enabled at the moment. Please see the following sections on how to enable it.
Note
The command does not need to be run as root
.
Configure unprivileged sandboxes
To temporarily enable unprivileged namespaces, you can run this command:
sudo sysctl -w kernel.unprivileged_userns_clone=1
You can run the same command, swapping the 1
for a 0
, to disable this again.
To permanently enable the feature, it is recommended to create a new file in /etc/sysctl.d/
. For your convenience, we have prepared the following command which creates the file on the fly:
echo kernel.unprivileged_userns_clone = 1 | sudo tee /etc/sysctl.d/00-local-userns.conf
Note
This command will take effect only on the next reboot. To change this on a running system, please refer to the previous section.
Allow Electron AppImages to run without unprivileged namespaces
@gergof made a tool that automatically applies the –no-sandbox flag when the unprivileged_userns_clone kernel feature is not enabled: https://www.npmjs.com/package/electron-builder-sandbox-fix
More information on unprivileged namespaces
For more information on unprivileged namespaces, please see https://lwn.net/Articles/673597/.