If you have installed the hardened Linux Kernel on Fedora, you may have encountered the following error when trying to launch Flatpak applications.<\/p>\n\n\n\n
bwrap: No permissions to creating new namespace, likely because the kernel does not allow non-privileged user namespaces. On e.g. debian this can be enabled with 'sysctl kernel.unprivileged_userns_clone=1'.\nerror: Failed to sync with dbus proxy<\/pre>\n\n\n\nhttps:\/\/security.stackexchange.com\/questions\/209529\/what-does-enabling-kernel-unprivileged-userns-clone-do<\/a><\/p>\n\n\n\n
https:\/\/github.com\/containers\/bubblewrap\/issues\/324<\/a><\/p>\n\n\n\n
The issue looks to arise from the fact that the hardened Linux Kernel disables unprivileged name space and Fedora does not have setuid on by default on the bubblewrap executable.<\/p>\n\n\n\n
Enabling setuid on bubblewrap<\/h2>\n\n\n\n
You can set the setuid permission on the bubblewrap executable with<\/p>\n\n\n\n
sudo chmod u+s \/usr\/bin\/bwrap<\/pre>\n\n\n\n<\/p>\n\n\n\n
Allow Unprivileged Name Space (Alternative work around)<\/h2>\n\n\n\n
You could also allow unprivileged name space by running <\/p>\n\n\n\n
sysctl kernel.unprivileged_userns_clone=1<\/pre>\n\n\n\nNote that setting the setuid seems the safer\/recommended option.<\/p>\n\n\n\n
It looks like using the setuid binary for bubblewrap would be better to use then enabling unprivileged user space.<\/p>\n\n\n\n
https:\/\/madaidans-insecurities.github.io\/guides\/linux-hardening.html#sysctl-kernel<\/a><\/p>\n\n\n\n
Remove setuid on bubblewrap<\/h2>\n\n\n\n
If you would like to remove the setuid permission for any reason, you can with the following command.<\/p>\n\n\n\n
sudo chmod u-s \/usr\/bin\/bwrap<\/pre>\n","protected":false},"excerpt":{"rendered":"If you have installed the hardened Linux Kernel on Fedora, you may have encountered the following error when trying to launch Flatpak applications. bwrap: No permissions to creating new namespace, likely because the kernel does not allow non-privileged user namespaces. … Continue reading