0

I'm trying to run the latest version of carbonyl (0.0.3) via the binaries on GitHub on Ubuntu 24.04 server/minimal - I almost entirely use it for accessing local resources, so security isn't that huge an issue.

The system it's on is headless and doesn't run a window manager, so this is a very convenient shortcut to configuring self-hosted webapps.

I get an error about a sandbox if I run it 'normally':

geek@zimanas1:~/carbonyl-0.0.3$ ./carbonyl
[0803/000038.726347:FATAL:zygote_host_impl_linux.cc(127)] No usable sandbox! Update your kernel or see https://chromium.googlesource.com/chromium/src/+/main/docs/linux/suid_sandbox_development.md for more information on developing with the SUID sandbox. If you want to live dangerously and need an immediate workaround, you can try using --no-sandbox.

I'm pretty sure this used to run on 20.04 without this error. There's no such script. While I'm running with --no-sandbox it is somewhat annoying to need to remember and I'd like to use it properly.

The error message refers to kernel versions so:

geek@zimanas1:~/carbonyl-0.0.3$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 24.04 LTS
Release:        24.04
Codename:       noble
geek@zimanas1:~/carbonyl-0.0.3$ uname -r
6.8.0-39-generic

There seems to be an open issue for it, but no solutions yet.

Any way I can set up a usable sandbox for carbonyl or otherwise 'properly' deal with the error?

Amazon Dies In Darkness
  • 9,990
Journeyman Geek
  • 133,878

1 Answers1

0

Turns out my answers were in the ubuntu 24.04 release notes.. Specifically, that I needed to set up an appropriate/unconfined apparmor profile for the application. Since Carbonyl is essentially a chromium fork, I ended up making a copy of /etc/apparmor.d/chrome as /etc/apparmor.d/carbonyl

I have carbonyl copied to a directory in my home folder - so it looks something like this

# This profile allows everything and only exists to give the
# application a name instead of having the label "unconfined"

abi <abi/4.0>,
include <tunables/global>


profile carbonyl /home/geek/software/carbonyl-0.0.3/carbonyl flags=(unconfined) {
  userns,


Site-specific additions and overrides. See local/README for details.


include if exists <local/carbonyl>
}

Restarting apparmor then means it seems to work perfectly fine with no fuss over sandboxes.

Journeyman Geek
  • 133,878