GNU bug report logs - #73842
[PATCH] pack: Add support for AppImage pack format.


Package: guix-patches;

Reported by: Noé Lopez <noelopez <at> free.fr>

Date: Wed, 16 Oct 2024 21:52:01 UTC

Severity: normal

Tags: patch

Done: Ludovic Courtès <ludo <at> gnu.org>

Bug is archived. No further changes may be made.


From: Noé Lopez <noe <at> xn--no-cja.eu>
To: 73842 <at> debbugs.gnu.org
Cc: Josselin Poiret <dev <at> jpoiret.xyz>, Maxim Cournoyer <maxim.cournoyer <at> gmail.com>, Simon Tournier <zimon.toutoune <at> gmail.com>, Mathieu Othacehe <othacehe <at> gnu.org>, Noé Lopez <noelopez <at> free.fr>, Tobias Geerinckx-Rice <me <at> tobias.gr>, pelzflorian <pelzflorian <at> pelzflorian.de>, Sebastian Dümcke <code <at> sam-d.com>, Christopher Baines <guix <at> cbaines.net>
Subject: [bug#73842] [Noé Lopez] Re: [bug#73842] [PATCH v5 2/3] pack: Add support for AppImage pack format.
Date: Sun, 17 Nov 2024 17:25:53 +0100
Forwarding here since I replied instead of replying to all :/
-------------------- Start of forwarded message --------------------
From: Noé Lopez <noe <at> xn--no-cja.eu>
To: Ludovic Courtès <ludo <at> gnu.org>
Subject: Re: [bug#73842] [PATCH v5 2/3] pack: Add support for AppImage pack
 format.
Date: Sun, 17 Nov 2024 17:20:48 +0100

Hi Ludovic,

Ludovic Courtès <ludo <at> gnu.org> writes:

> Hello Noé,
>
> The patch series LGTM, and tests pass: we’re all set!
>

Great! Thanks a lot for the time you spent reviewing.

> But… one thing I noticed when trying it out is that the resulting
> AppImage would fail to run on relatively bare-bones non-Guix systems:
>
> --8<---------------cut here---------------start------------->8---
> $ ./2i2l6irl2n8q24aimfmidvlglllc4s8z-hello-appimage-pack.AppImage 
> fuse: failed to exec fusermount3: No such file or directory
>
> Cannot mount AppImage, please check your FUSE setup.
> You might still be able to extract the contents of this AppImage 
> if you run it with the --appimage-extract option. 
> See https://github.com/AppImage/AppImageKit/wiki/FUSE 
> for more information
> open dir error: No such file or directory
> --8<---------------cut here---------------end--------------->8---
>
> I wonder if there’s something that can be done on our side about it or
> if it’s a limitation of the approach (I expect the latter: ‘fusermount’
> has to be available and setuid root), in which case we could just add a
> warning in the manual.
>
> WDYT?

This is an expected error from the AppImage runtime: as said in the
output, the runtime depends on FUSE 3 to mount the AppImage.

The AppImage can still be run using --appimage-extract-and-run, which I
believe we noted in the documentation:

> The runtime used by AppImages makes use of libfuse to mount the image
> quickly.  If libfuse is not available, the AppImage can still be started
> using the @option{--appimage-extract-and-run} flag.

As for things that can be done from our side, we could change the runtime
to one that uses other technologies, just like those supported by “-RR”.

>
> Interestingly, it works on my Guix System laptop, except if I strace it:
>
> --8<---------------cut here---------------start------------->8---
> $ /gnu/store/2i2l6irl2n8q24aimfmidvlglllc4s8z-hello-appimage-pack.AppImage 
> Hello, world!
> $ strace -f -o /tmp/log.strace -s 500 /gnu/store/2i2l6irl2n8q24aimfmidvlglllc4s8z-hello-appimage-pack.AppImage 
> fusermount3: mount failed: Operation not permitted
>
> Cannot mount AppImage, please check your FUSE setup.
> You might still be able to extract the contents of this AppImage 
> if you run it with the --appimage-extract option. 
> See https://github.com/AppImage/AppImageKit/wiki/FUSE 
> for more information
> open dir error: No such file or directory
> $ grep 'mount(' /tmp/log.strace 
> 17569 mount("2i2l6irl2n8q24aimfmidvlglllc4s8z-hello-appimage-pack.AppImage", "/tmp/.mount_2i2l6iLZ8WYZ", "fuse.2i2l6irl2n8q24aimfmidvlglllc4s8z-hello-appimage-pack.AppImage", MS_RDONLY|MS_NOSUID|MS_NODEV, "fd=5,rootmode=40000,user_id=1000,group_id=998") = -1 EPERM (Operation not permitted)
> 17570 mount("2i2l6irl2n8q24aimfmidvlglllc4s8z-hello-appimage-pack.AppImage", ".", "fuse.2i2l6irl2n8q24aimfmidvlglllc4s8z-hello-appimage-pack.AppImage", MS_RDONLY|MS_NOSUID|MS_NODEV, "fd=6,rootmode=40000,user_id=1000,group_id=998") = -1 EPERM (Operation not permitted)
> 17571 mount("/dev/fuse", ".", "fuse", MS_RDONLY|MS_NOSUID|MS_NODEV, "fd=6,rootmode=40000,user_id=1000,group_id=998") = -1 EPERM (Operation not permitted)
> --8<---------------cut here---------------end--------------->8---
>
> Ludo’.

I’m pretty sure a process attached with ptrace can’t exec SUID programs,
for security reasons (ptrace allows you to change the code of the
attached program so it’s a privilege escalation).

I think you can run it with “sudo -E strace -f -o /tmp/log.strace -s 500
/gnu/store/2i2l6irl2n8q24aimfmidvlglllc4s8z-hello-appimage-pack.AppImage”.

Have a nice day,
Noé
-------------------- End of forwarded message --------------------
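
The two failures discussed in this message (no fusermount3 helper on a bare-bones system, and EPERM from mount() when the launch is traced by an unprivileged strace) can be predicted before starting the AppImage. The script below is an added example, not part of the thread or of Guix; the function names and result strings are hypothetical, and it assumes a Linux /proc and that a helper without the setuid bit cannot mount for an unprivileged user.

```shell
#!/bin/sh
# Added example: predict whether an AppImage runtime's FUSE mount can succeed.

# tracer_pid STATUS_FILE: print the TracerPid field; 0 means "not traced".
tracer_pid() {
    [ -r "$1" ] || { echo 0; return; }
    awk '/^TracerPid:/ { print $2; f = 1 } END { if (!f) print 0 }' "$1"
}

# is_setuid_root FILE: succeed only if FILE has the setuid bit and uid 0 owns it.
is_setuid_root() {
    [ -u "$1" ] && [ "$(ls -ldn "$1" | awk '{ print $3 }')" = 0 ]
}

# diagnose HELPER SETUID TRACER DEVFUSE CALLER_UID: pure decision, easy to test.
#   HELPER      path to fusermount3, empty when it is not on PATH
#   SETUID      yes/no: helper is setuid root
#   TRACER      TracerPid of the launching shell
#   DEVFUSE     yes/no: /dev/fuse exists
#   CALLER_UID  effective uid of the caller
diagnose() {
    if [ -z "$1" ]; then
        echo no-helper               # "failed to exec fusermount3"
    elif [ "$4" != yes ]; then
        echo no-dev-fuse
    elif [ "$5" = 0 ]; then
        echo mount-ok                # root's mount() needs no setuid helper
    elif [ "$2" != yes ]; then
        echo helper-not-setuid
    elif [ "$3" != 0 ]; then
        echo traced-setuid-ignored   # exec under an unprivileged tracer ignores setuid
    else
        echo mount-ok
    fi
}

# preflight: gather the facts from the running system and classify them.
preflight() {
    helper=$(command -v fusermount3 || true)
    setuid=no
    if [ -n "$helper" ] && is_setuid_root "$helper"; then setuid=yes; fi
    devfuse=no
    if [ -e /dev/fuse ]; then devfuse=yes; fi
    diagnose "$helper" "$setuid" "$(tracer_pid "/proc/$$/status")" "$devfuse" "$(id -u)"
}

preflight
```

Any result other than mount-ok means the image should be started with --appimage-extract-and-run, as the quoted manual text says. Running the whole pipeline as root, as in the sudo strace suggestion above, takes the uid 0 branch.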




This bug report was last modified 178 days ago.
