#1 2025-08-22 10:30:16

Captn138
Member
Registered: 2025-05-29
Posts: 6

Issue with Flatpak, bwrap and suid

Hello,
I'm not new to Linux, but I have never seen this problem.

So I had Firefox installed with Flatpak.
I had it masked at version 136 to avoid updating it.
Today, I decided to unmask it to update.
That's when I was faced with a crash on startup.

By searching a bit, I found that Firefox switched runtimes from org.freedesktop.Platform/x86_64/23.08 in commit 589ae3479bb40c338fad467cea1b59825fa0b7ceb0576b0806ada58f48c68130 to org.freedesktop.Platform/x86_64/24.08 in commit bde7182cd54c6fef7f573f5bb933d4bc8a4bbbe6d6fea69296872126a79126d9.
This had a really weird consequence: I cannot run Flatpak Firefox anymore (it starts with a crash reporter).

Here is the verbose run.

 $ flatpak run --verbose org.mozilla.firefox

F: No installations directory in /etc/flatpak/installations.d. Skipping
F: Opening system flatpak installation at path /var/lib/flatpak
F: Opening user flatpak installation at path /home/captn/.local/share/flatpak
F: Opening user flatpak installation at path /home/captn/.local/share/flatpak
F: Opening system flatpak installation at path /var/lib/flatpak
F: Opening user flatpak installation at path /home/captn/.local/share/flatpak
F: Opening system flatpak installation at path /var/lib/flatpak
F: /var/lib/flatpak/runtime/org.freedesktop.Platform/x86_64/24.08/a1067968b8023e4e14afbde8c7171d15ecb8c8e7a62ad53ca8b130a3725269c8/files/lib32 does not exist
F: Allocated instance id 923177846
F: Add defaults in dir /org/mozilla/firefox/
F: Add locks in dir /org/mozilla/firefox/
F: Not sharing "/run/.heim_org.h5l.kcm-socket" with sandbox: Unable to open path "/run/.heim_org.h5l.kcm-socket": No such file or directory
F: Allowing wayland access
F: Allowing pulseaudio access
F: Pulseaudio user configuration file '/home/captn/.config/pulse/client.conf': Error opening file /home/captn/.config/pulse/client.conf: No such file or directory
F: CUPS configuration file '/home/captn/.cups/client.conf': Error opening file /home/captn/.cups/client.conf: No such file or directory
F: CUPS configuration file '/etc/cups/client.conf': Error opening file /etc/cups/client.conf: No such file or directory
F: Running 'bwrap --args 43 -- xdg-dbus-proxy --args=45'
F: Running 'bwrap --args 43 -- firefox'
[2] Sandbox: CanCreateUserNamespace() clone() failure: EPERM
ExceptionHandler::GenerateDump attempting to generate:/home/captn/.mozilla/firefox/7u2uqvdn.default-release/minidumps/15266c39-01e4-ed70-a614-ce7defe0a65c.dmp
ExceptionHandler::GenerateDump cloned child 111
ExceptionHandler::SendContinueSignalToChild sent continue signal to child
ExceptionHandler::WaitForContinueSignal waiting for continue signal...
ExceptionHandler::GenerateDump minidump generation succeeded

I have several apps installed with flatpak and never had this issue.
Firefox seems like the only app using 24.08.

I don't really know what to do about this, can someone please advise?
I only found this on the Mozilla bugtracker, but they say it's not fatal, whereas in my case it is fatal: https://bugzilla.mozilla.org/show_bug.cgi?id=1981001

I am using linux-zen-6.16.1, and I have also tried with linux-6.16.1.
No AppArmor or SELinux has been installed.

Thanks

Last edited by Captn138 (2025-08-22 10:47:04)

Offline

#2 2025-08-22 15:31:01

seth
Member
From: Don't DM me only for attention
Registered: 2012-09-03
Posts: 69,166

Re: Issue with Flatpak, bwrap and suid

https://wiki.archlinux.org/title/Flatpa … ned_kernel

sysctl kernel.unprivileged_userns_clone

Offline

#3 2025-08-22 16:10:30

Captn138
Member
Registered: 2025-05-29
Posts: 6

Re: Issue with Flatpak, bwrap and suid

seth wrote:

https://wiki.archlinux.org/title/Flatpa … ned_kernel

sysctl kernel.unprivileged_userns_clone

Thank you for reading my post.
As I previously mentioned, I am not using the linux-hardened kernel, but linux-zen.
I have alternatively installed the regular linux kernel, and in both cases kernel.unprivileged_userns_clone was set to 1.

Offline

#4 2025-08-22 18:53:57

seth
Member
From: Don't DM me only for attention
Registered: 2012-09-03
Posts: 69,166

Re: Issue with Flatpak, bwrap and suid

I read your post and got that you're running the zen kernel, the idea was more that you had disabled unprivileged_userns_clone and the link to explain/advise on that situation.
So, this not being the case and assuming this is (as by upstream comment) not fatal either: what does the minidump look like and how and where does FF crash?
https://firefox-source-docs.mozilla.org … e-on-linux
https://wiki.archlinux.org/title/Core_d … _core_dump

Sidebar: is there a specific reason why you're using the flatschpak and does the repo version crash on you as well?

Offline

#5 2025-08-22 19:25:11

Captn138
Member
Registered: 2025-05-29
Posts: 6

Re: Issue with Flatpak, bwrap and suid

Sorry for jumping you and thank you for your help.

unprivileged_userns_clone is indeed activated.
My case is fatal, I cannot start Firefox at all and am directly greeted by the Firefox Crash Reporter.
The dump that should have been created at line 21 does not exist (I have tried again).
coredumpctl does not have any dump related to this issue.
The pacman version works as intended.

I use the flatpak version because I use a lot of software packages and some of them require old libs, so I use only flatpaks when possible to avoid dependency hell.

Offline

#6 2025-08-22 20:10:00

seth
Member
From: Don't DM me only for attention
Registered: 2012-09-03
Posts: 69,166

Re: Issue with Flatpak, bwrap and suid

ls -l /home/captn/.mozilla/firefox/7u2uqvdn.default-release/minidumps/

You'll have to convert the minidump (see the first link) into a coredump - the second link shows how to get a backtrace from that.

However, "some of them require old libs" doesn't apply here, so "pacman version works as intended" might be the saner option.
Did you previously flatseal-adjust FF in any way?

Offline

#7 2025-08-22 20:25:08

Captn138
Member
Registered: 2025-05-29
Posts: 6

Re: Issue with Flatpak, bwrap and suid

The minidump directory is empty.
I did not adjust any perms for FF.
I am currently using the pacman version since I have no other choice currently.

Offline

#8 2025-08-22 20:29:01

seth
Member
From: Don't DM me only for attention
Registered: 2012-09-03
Posts: 69,166

Re: Issue with Flatpak, bwrap and suid

The minidump directory is empty.

:colbertemoji:
https://wiki.archlinux.org/title/Flatpa … pplication
Does the FF flatschpak have access to your $HOME at all?

Offline

#9 2025-08-22 20:56:15

Captn138
Member
Registered: 2025-05-29
Posts: 6

Re: Issue with Flatpak, bwrap and suid

It has access to the .mozilla dir

 $ flatpak info --show-permissions org.mozilla.firefox
[Context]
shared=network;ipc;
sockets=x11;wayland;pulseaudio;fallback-x11;pcsc;cups;
devices=all;
features=devel;
filesystems=xdg-download;/run/.heim_org.h5l.kcm-socket;xdg-run/speech-dispatcher:ro;
persistent=.mozilla;

[Session Bus Policy]
org.mozilla.firefox_beta.*=own
org.mozilla.firefox.*=own
org.gtk.vfs.*=talk
org.mpris.MediaPlayer2.firefox.*=own
org.a11y.Bus=talk
org.freedesktop.FileManager1=talk

[System Bus Policy]
org.freedesktop.NetworkManager=talk

[Environment]
DICPATH=/usr/share/hunspell

Offline

#10 2025-08-22 21:16:49

seth
Member
From: Don't DM me only for attention
Registered: 2012-09-03
Posts: 69,166

Re: Issue with Flatpak, bwrap and suid

https://docs.flatpak.org/en/latest/sand … ions.html#

The --persist=DIR option can be used to map directories from the user’s home directory into the sandbox filesystem. This only works if the application has no home or a broader permission like host that includes home.

For example, if an application hardcodes the directory ~/.foo, without any home access and no --persist the directory will be lost from the sandbox once exited due to the filesystem being set up as tmpfs by flatpak unless overridden. A --persist=.foo bind mounts ~/.foo inside the sandbox to ~/.var/app/$FLATPAK_ID/.foo on host thus allowing an app to persistently store data in ~/.var/app/$FLATPAK_ID/.foo which would otherwise be lost.

ls -l /home/captn/.var/app/*/.mozilla/firefox/7u2uqvdn.default-release/minidumps/

Offline
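
The --persist mapping quoted in post #10, as an added example that is not part of the original thread or of Flatpak itself: a shell function that translates a path reported from inside the sandbox (such as the minidump path in post #1) to its host location, using the `persistent=` and `filesystems=` lines of `flatpak info --show-permissions`. The function name `persist_host_path` and the `SAMPLE_PERMS` variable are hypothetical; the sample permissions are constructed from the output posted in #9.

```shell
#!/bin/sh
# Constructed sample: a subset of the [Context] lines posted in #9.
SAMPLE_PERMS='[Context]
shared=network;ipc;
filesystems=xdg-download;/run/.heim_org.h5l.kcm-socket;xdg-run/speech-dispatcher:ro;
persistent=.mozilla;'

# persist_host_path APP_ID HOME SANDBOX_PATH [PERMISSIONS_TEXT]
# Prints where SANDBOX_PATH lives on the host and returns 0.
# Returns 1 when the path is neither persisted nor covered by home/host
# access (it then lives on the sandbox tmpfs and is lost on exit).
persist_host_path() {
    local app_id="$1" home="${2%/}" path="$3" perms="${4-}"
    local rel fs entries dir
    # Without explicit text, ask flatpak for the app's permissions.
    [ -n "$perms" ] || perms=$(flatpak info --show-permissions "$app_id") || return 2
    case $path in
        "$home"/*) rel=${path#"$home"/} ;;
        *) return 1 ;;                    # only paths below $HOME are handled
    esac
    # With home or host filesystem access the path is not remapped.
    fs=$(printf '%s\n' "$perms" | sed -n 's/^filesystems=//p')
    case ";$fs" in
        *";home;"*|*";home:"*|*";host;"*|*";host:"*)
            printf '%s\n' "$path"; return 0 ;;
    esac
    # Otherwise look for a persistent= directory that contains the path.
    entries=$(printf '%s\n' "$perms" | sed -n 's/^persistent=//p')
    local IFS=';'
    for dir in $entries; do
        dir=${dir%/}
        [ -n "$dir" ] || continue
        case $rel in
            "$dir"|"$dir"/*)
                # --persist=DIR maps ~/DIR to ~/.var/app/$FLATPAK_ID/DIR on the host
                printf '%s/.var/app/%s/%s\n' "$home" "$app_id" "$rel"
                return 0 ;;
        esac
    done
    return 1
}

# Demo with the minidump directory from the verbose run in post #1.
persist_host_path org.mozilla.firefox /home/captn \
    /home/captn/.mozilla/firefox/7u2uqvdn.default-release/minidumps "$SAMPLE_PERMS"
```
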
