Opening file with flatpak apps crashes the system on linux-hardened

miguel375 · 2024-08-06 19:34:31

When I open a file with a flatpak app that doesn't have direct file system access but instead uses portals, the entire system immediately freezes and I have to forcefully power it off. I've observed this in a few different flatpak apps, so I don't think this is a problem with any specific one. Examples:
- selecting a file on the portal file picker opened by discord crashes the system,
- opening a file with haruna or libreoffice through the file explorer (tested on gnome files and dolphin) crashes the system.

If I run journalctl or dmesg with --follow before opening the files, neither of them shows anything before the system freezes. Checking the logs after booting back in also doesn't show anything boot because they end just a few seconds before the freeze.
Only happens on the linux-hardened kernel and not on the regular linux kernel. It also happens on both my computers, which run kde and gnome, so it's likely not a problem with a specific DE.

cryptearth · 2024-08-07 00:32:57

is there a specific reason you use flatpack?

miguel375 · 2024-08-07 10:55:05

cryptearth wrote:

is there a specific reason you use flatpack?

Mostly because some apps are only officially distributed on Flathub, and because of the sandboxing. This is not really relevant to my question though.

Lone_Wolf · 2024-08-08 10:05:58

There are many xdg-desktop-portal backends that provide a filechooser , which one are you using ?
Please post the output of pacman -Qs xdg-desktop-protal .

X or wayland ? what WM/DE/wayland compositor are you using ?

As for flatpak :
Often issues with apps are caused by using flatpak instead of a repo/aur package .

Also the sandboxing used by flatpak lacks a lot . There are much better solutions for sandboxing apps, see https://wiki.archlinux.org/title/Category:Sandboxing for an overview .

miguel375 · 2024-08-10 22:35:03

Lone_Wolf wrote:

There are many xdg-desktop-portal backends that provide a filechooser , which one are you using ?
Please post the output of pacman -Qs xdg-desktop-protal .
X or wayland ? what WM/DE/wayland compositor are you using ?
As for flatpak :
Often issues with apps are caused by using flatpak instead of a repo/aur package .
Also the sandboxing used by flatpak lacks a lot . There are much better solutions for sandboxing apps, see https://wiki.archlinux.org/title/Category:Sandboxing for an overview .

Sorry for the late response. As I mentioned, this is happening on both GNOME and KDE, both on Wayland.
On GNOME, for example, I'm using these providers: xdg-desktop-portal, xdg-desktop-portal-gnome, xdg-desktop-portal-gtk.

Also, I'm aware that many apps have poor sandboxing by default so I'm using flatseal to modify the permissions.

Lone_Wolf · 2024-08-11 14:25:30

Discord, haruna and libreoffice are all present in archlinux repos .

Please install them and verify whether those also crash on linux-hardened.

cryptearth · 2024-08-11 14:32:15

using hardened kernel and flatpack "for the sake of isolation" smeels like mis-understanding of concepts of security - and somehow like my dad several times nuked his fresh win7 install cause he was (still is? idk) so paraniod to delete and block everything he didn'T understood - rendering windows quite crippled
anyway - if you think you need a hardened kernel just for the sake of it being hardened without having an actual threat vector - and messing around with flathubs sandbox with flatseal - to me this looks like an xy-problem and you doing it very wrong
so - aside from those which are only supplied via flathub (I doubt any you use fits that and they're likely available in another way) - what is your exact threat-vector you try to protect against by using a hardened kernel and flatpak in the first place?
this has user error written all over it

seth · 2024-08-11 14:45:53

At lease discord will (try to) use xdg-desktop-portal for the file dialog.

However

so I'm using flatseal to modify the permissions

What if you don't?

the entire system immediately freezes and I have to forcefully power it off

Let's see whether that is actually true, https://wiki.archlinux.org/title/Keyboa … el_(SysRq)
(nb.! that you have to explicitly enable the feature *before* the system crashes)

In general, please understand that flatpak is for lazy distribution of binary blobs and introduces a shitload of security issues
It is BY NO MEANS a way to increase security, no matter how you twist it. You can use it if you want, but you should not fool yourself about that.

miguel375 · 2024-08-12 20:49:46

seth wrote:

What if you don't?

If I keep the default permissions, which allow direct file system access, then they don't crash when selecting a file.

seth wrote:

Let's see whether that is actually true, https://wiki.archlinux.org/title/Keyboa … el_(SysRq)
(nb.! that you have to explicitly enable the feature *before* the system crashes)

I ran sysctl kernel.sysrq=1 before the crash, and none of the shortcuts in the wiki page does anything after it freezes (they do work before though).

seth wrote:

In general, please understand that flatpak is for lazy distribution of binary blobs and introduces a shitload of security issues
It is BY NO MEANS a way to increase security, no matter how you twist it. You can use it if you want, but you should not fool yourself about that.

I know that the isolation provided by flatpak is far from perfect and you should never run untrusted software inside it, etc., but I completely disagree that it doesn't increase security at all. Just as a fun example: last year a few Minecraft mods were injected with malware that also targeted linux, and those running the game in flatpak didn't get infected, because the malware wrote to a tmpfs inside the sandbox instead of the real file system.

seth · 2024-08-12 21:31:15

If I keep the default permissions, which allow direct file system access, then they don't crash when selecting a file.

You might want to elaborate on the config, do you get the same problem using anything else using xdg-desktop-portal (eg. chromium/discord)
Does it happen for a flatpak that's actually inherently limited FS access w/o your interfering with it's defaults?

https://wiki.archlinux.org/title/Kdump - a strace might also help, but isn't an option when the kernel freezes…
Though the kernel might not even freeze - how do you get around https://wiki.archlinux.org/title/Flatpa … ned_kernel ?
Edit: https://www.reddit.com/r/archlinux/comm … ser_issue/ claims that chromium (and therefore likely any electron stuff) doesn't work w/ the SUID' bwrap
Edit #2: https://bbs.archlinux.org/viewtopic.php?id=297658 - ie. https://archlinux.org/packages/?name=bubblewrap-suid has probably turned useless…

---- OT ---

last year a few Minecraft mods were injected with malware that also targeted linux, and those running the game in flatpak didn't get infected, because the malware wrote to a tmpfs inside the sandbox instead of the real file system.

Do you know whether that's actually true for the specific flatpak or is this assumed based on the "sandbox" icon?
Because https://flatkill.org/2020/ (yes, the source is *obviously* biased but the problem was/is real)

That aside, running completely untrustworthy stuff in something that's sanbox-adjacent and pointing at the most clumsy attack ever failing doesn't make it systematically raising security - in the best case scenario you were lucky. Like picking up coins doesn't make you more bullet-proof because you once dodged one this way.
The flatpak "sandbox" does not withstand an actual attack for five seconds, https://hanako.codeberg.page/ but the systematic security issues of stale versions and having to undermine security measures of the kernel can't be avoided.

If you're concerned about running insecure code, use an actual sandbox or, better, a virtual machine. Not luck.

Last edited by seth (2024-08-12 21:35:17)

miguel375 · 2024-08-12 22:16:49

seth wrote:

If I keep the default permissions, which allow direct file system access, then they don't crash when selecting a file.
You might want to elaborate on the config, do you get the same problem using anything else using xdg-desktop-portal (eg. chromium/discord)
Does it happen for a flatpak that's actually inherently limited FS access w/o your interfering with it's defaults?

Yes, the discord flatpak by default only allows access to a few directories and selecting a file outside those causes the crash.
Edit: Haruna also uses portals and crashes when selecting a file with the portal file picker or launching it through Dolphin/Gnome files. Libreoffice doesn't use portals so it can't show files it doesn't have access to but launching it by opening through Dolphin/Gnome files by opening a file causes the issue. Based on this, I don't think the issue is related to portals.

seth wrote:

https://wiki.archlinux.org/title/Kdump - a strace might also help, but isn't an option when the kernel freezes…
Though the kernel might not even freeze - how do you get around https://wiki.archlinux.org/title/Flatpa … ned_kernel ?
Edit: https://www.reddit.com/r/archlinux/comm … ser_issue/ claims that chromium (and therefore likely any electron stuff) doesn't work w/ the SUID' bwrap
Edit #2: https://bbs.archlinux.org/viewtopic.php?id=297658 - ie. https://archlinux.org/packages/?name=bubblewrap-suid has probably turned useless…

---- OT ---

I can run flatpak electron apps just fine with bubblewrap-suid installed on linux-hardened. I believe those flatpaks use some kind of workaround but I'm not aware of the details.

seth wrote:

last year a few Minecraft mods were injected with malware that also targeted linux, and those running the game in flatpak didn't get infected, because the malware wrote to a tmpfs inside the sandbox instead of the real file system.
Do you know whether that's actually true for the specific flatpak or is this assumed based on the "sandbox" icon?
Because https://flatkill.org/2020/ (yes, the source is *obviously* biased but the problem was/is real)
That aside, running completely untrustworthy stuff in something that's sanbox-adjacent and pointing at the most clumsy attack ever failing doesn't make it systematically raising security - in the best case scenario you were lucky. Like picking up coins doesn't make you more bullet-proof because you once dodged one this way.
The flatpak "sandbox" does not withstand an actual attack for five seconds, https://hanako.codeberg.page/ but the systematic security issues of stale versions and having to undermine security measures of the kernel can't be avoided.
If you're concerned about running insecure code, use an actual sandbox or, better, a virtual machine. Not luck.

The developers of Prism launcher themselves confirmed that the malware didn't infect people using the flatpak version.
You could definitely argue that more sophisticated malware could easily escape the sandbox. But not all attacks are that advanced, and if those don't account for sandboxes and flatpak can prevent them, then isn't it fair to say that flatpak does increase security somewhat?

Last edited by miguel375 (2024-08-12 22:47:27)

seth · 2024-08-13 07:06:14

What if you allow "sysctl kernel.unprivileged_userns_clone=1" instead of the suid' bwrap?

miguel375 · 2024-08-13 10:47:31

seth wrote:

What if you allow "sysctl kernel.unprivileged_userns_clone=1" instead of the suid' bwrap?

I forgot to mention I had tried that already and it still happens.
I've spent enough time on this so I'll just switch to the regular kernel for now. Thanks for the help.

syntheticbird · 2024-08-16 20:30:54

Thanks god I thought I was crazy and the only one experiencing it. I confirm miguel issue. I'm using linux-hardened and any file import in flatpak causes complete system to hang on wayland.
I tested if it was graphics related but same result whether you use amdgpu or nvidia.

This is really a big issue for me and I don't want to switch back to normal kernel. I'll try doing what seth proposed. Hopefully we find the root cause of this awful issue

cryptearth · 2024-08-17 06:57:35

syntheticbird wrote:

Thanks god I thought I was crazy and the only one experiencing it. I confirm miguel issue. I'm using linux-hardened and any file import in flatpak causes complete system to hang on wayland.
I tested if it was graphics related but same result whether you use amdgpu or nvidia.
This is really a big issue for me and I don't want to switch back to normal kernel. I'll try doing what seth proposed. Hopefully we find the root cause of this awful issue

let me ask you the same question I didn't got a reply to from OP: Why do you use hardened kernel and flatpak? What is the threat vector you try to protect against? Based on what informations did you make your descision to used hardened kernel and flatpak?
Again: To me this has user error written all over it by you likely misunderstanding why hardened kernel and flatpak exist and having a very wrong picture of security.

syntheticbird · 2024-08-17 10:40:49

-- OT --

> let me ask you the same question I didn't got a reply to from OP: Why do you use hardened kernel and flatpak? What is the threat vector you try to protect against? Based on what informations did you make your descision to used hardened kernel and flatpak?
Again: To me this has user error written all over it by you likely misunderstanding why hardened kernel and flatpak exist and having a very wrong picture of security.

No offense, the way you ask the question sounds really like you want to expand your knowledge over people. I'll answer it but i'm not miguel so my reasons are different.

> Why do you use hardened kernel and flatpak?

I'll divide it into two questions:

> Why do you use hardened kernel

Because I don't believe the linux mainline kernel is secure as is (I won't go on a debate over this, I've already done it plenty of time with people online but they it finish with nothing more than hate over misunderstanding between privacy and security). The Linux-hardened kernel is maintained (mainly) by anthraax (which is the current Arch Linux Leader), based on KSPP, implement minimal supplement coming from GrapheneOS and come with saner default (disabled unprivileged user namespace). I'm not claiming the linux-hardened kernel to be completely safe obviously, but it is certainly more secure than the default one.

> Why do you use flatpak

For the same reason anyone uses it. Ease of distribution, updates in gnome-software, no incompatibility because of SDK shipping. I like GNOME and most of the circle apps are first found in flatpak before being found in the main repo. I don't particularly like using AUR all the time.
I agree with you that the flatpak sandbox is ridiculous and do not reflect the security they promised us. I myself prefer to use tweaked bubblewrap profiles from the wiki when needed. (bubblewrap-suid of course). But otherwise flatpak is great.

> What is the threat vector you try to protect against?

*What type of criminals do you try to protect your house from ?*. Anyone, whenever I reasonably can.

> Based on what informations did you make your descision to used hardened kernel and flatpak?*

for linux-hardened: madaidan's insecurities, grapheneOS, Kicksecure, privacy-guides, random friends, gentoo hardening, linux-hardening, description of recent linux CVE
for flatpak: I use flatpak since I started using linux

> To me this has user error written all over it by you likely misunderstanding why hardened kernel and flatpak exist and having a very wrong picture of security.

That miguel have a *very wrong picture of security* might be a thing (tho you judge someone over a single post on a forum, it's not too much to make a conclusion). But that isn't a *user error*. I mean. We're talking about a bug here, whether it you think its wrong to use flatpak on linux-hardened doesn't change that a kernel is actually crashing because of a single and basic functionality in one of the most used package distribution system on linux. I repeat: This is a bug. There is no reason, you could call a kernel freeze over a standard usage an *user error*.

seth · 2024-08-17 15:29:51

I'm not claiming the linux-hardened kernel to be completely safe obviously, but it is certainly more secure than the default one.

nb. that flatpak requires to undermine some security aspects one way or another - ESPECIALLY if you end up having to set unprivileged_userns_clone = 1
I'm not gonna argue with your preferences, but using flatpak implies to actively soften your system on multiple angles, there's no way around that.

cryptearth · 2024-08-17 16:06:48

What is the threat vector you try to protect against?
*What type of criminals do you try to protect your house from ?*. Anyone, whenever I reasonably can.

Ok - I see - talkin to a wall here: You reply with nonesense as you don't understand the question - let alone the topic of OS hardening.

syntheticbird · 2024-08-17 16:32:17

seth wrote:

I'm not claiming the linux-hardened kernel to be completely safe obviously, but it is certainly more secure than the default one.
nb. that flatpak requires to undermine some security aspects one way or another - ESPECIALLY if you end up having to set unprivileged_userns_clone = 1
I'm not gonna argue with your preferences, but using flatpak implies to actively soften your system on multiple angles, there's no way around that.

Yes I'm well aware of it. Still thanks you for repeating it in case I didn't know.

syntheticbird · 2024-08-17 16:35:33

cryptearth wrote:

What is the threat vector you try to protect against?
*What type of criminals do you try to protect your house from ?*. Anyone, whenever I reasonably can.
Ok - I see - talkin to a wall here: You reply with nonesense as you don't understand the question - let alone the topic of OS hardening.

Translating:
"Oh look, I know so much more, I've reduced your entire knowledge about a topic over one sentence because I'm so intellectually superior on this topic that I can get what are red flags. You should really feel stupid right now, I'm 100% certain you are an idiot that don't understand a thing about security and OS hardening, much more like miguel."

You're pretty pitiful you know that? You literally stand up more than 24 hours in front of a forum post, of a user reporting a bug, just to wait for a single sentence to go over sperging how much you know better. Go touch grass

seth · 2024-08-17 21:29:38

Opinions are like porn: everybody has a lot of them and for the most part it's better to keep them private.
So I suggest we refrain from calling each other names or preferences into question and focus on the topic.

@syntheticbird, did you test the kernel.unprivileged_userns_clone=1 sysctl and did that have any impact on the situation?
Otherwise: this *might* be down to a specific xdg-desktop-portal implementation, though the OP has indicated that KDE and gnome (and likely their resp. portal implementations, though gtk should™ run in either environment) are affected.

Also this is going to be your avatar:

syntheticbird · 2024-08-18 14:33:21

seth wrote:

Opinions are like porn: everybody has a lot of them and for the most part it's better to keep them private.
So I suggest we refrain from calling each other names or preferences into question and focus on the topic.
@syntheticbird, did you test the kernel.unprivileged_userns_clone=1 sysctl and did that have any impact on the situation?
Otherwise: this *might* be down to a specific xdg-desktop-portal implementation, though the OP has indicated that KDE and gnome (and likely their resp. portal implementations, though gtk should™ run in either environment) are affected.
Also this is going to be your avatar:
https://0x0.st/X4Dm.png

Yes I've tested with bwrap and userns. Same issue.

Meanwhile I've opened an issue on Gitlab: https://gitlab.archlinux.org/archlinux/ … -/issues/7
It is confirmed to be an issue with the kernel (kernel is dead)

-- OT --
I don't know what this avatar is supposed to mean but I like it so i'm accepting it

seth · 2024-08-18 15:20:06

Looking though the hardened commits and bugs, try to add "transparent_hugepage=never" to the https://wiki.archlinux.org/title/Kernel_parameters

The only systematic way to get ahead w/ this is gonna be the forementioned kdump, whether manually or using kdumpst

--
That 's the drinking bird Homer uses to operate his keyboard for him what causes another incident at the Springfield nu·ku·lar reactor - and you'll still have to configure it in your profile

Arch Linux

#1 2024-08-06 19:34:31

Opening file with flatpak apps crashes the system on linux-hardened

#2 2024-08-07 00:32:57

Re: Opening file with flatpak apps crashes the system on linux-hardened

#3 2024-08-07 10:55:05

Re: Opening file with flatpak apps crashes the system on linux-hardened

#4 2024-08-08 10:05:58

Re: Opening file with flatpak apps crashes the system on linux-hardened

#5 2024-08-10 22:35:03

Re: Opening file with flatpak apps crashes the system on linux-hardened

#6 2024-08-11 14:25:30

Re: Opening file with flatpak apps crashes the system on linux-hardened

#7 2024-08-11 14:32:15

Re: Opening file with flatpak apps crashes the system on linux-hardened

#8 2024-08-11 14:45:53

Re: Opening file with flatpak apps crashes the system on linux-hardened

#9 2024-08-12 20:49:46

Re: Opening file with flatpak apps crashes the system on linux-hardened

#10 2024-08-12 21:31:15

Re: Opening file with flatpak apps crashes the system on linux-hardened

#11 2024-08-12 22:16:49

Re: Opening file with flatpak apps crashes the system on linux-hardened

#12 2024-08-13 07:06:14

Re: Opening file with flatpak apps crashes the system on linux-hardened

#13 2024-08-13 10:47:31

Re: Opening file with flatpak apps crashes the system on linux-hardened

#14 2024-08-16 20:30:54

Re: Opening file with flatpak apps crashes the system on linux-hardened

#15 2024-08-17 06:57:35

Re: Opening file with flatpak apps crashes the system on linux-hardened

#16 2024-08-17 10:40:49

Re: Opening file with flatpak apps crashes the system on linux-hardened

#17 2024-08-17 15:29:51

Re: Opening file with flatpak apps crashes the system on linux-hardened

#18 2024-08-17 16:06:48

Re: Opening file with flatpak apps crashes the system on linux-hardened

#19 2024-08-17 16:32:17

Re: Opening file with flatpak apps crashes the system on linux-hardened

#20 2024-08-17 16:35:33

Re: Opening file with flatpak apps crashes the system on linux-hardened

#21 2024-08-17 21:29:38

Re: Opening file with flatpak apps crashes the system on linux-hardened

#22 2024-08-18 14:33:21

Re: Opening file with flatpak apps crashes the system on linux-hardened

#23 2024-08-18 15:20:06

Re: Opening file with flatpak apps crashes the system on linux-hardened

Board footer