ui: disable WebKit sandbox when unprivileged userns are blocked

WebKitGTK crashes at startup when its bubblewrap sandbox can't create an
unprivileged user namespace (bwrap: setting up uid map: Permission denied
-> Failed to fully launch dbus-proxy -> panic in webkit_web_view_load_uri).
This happens in containers/VMs and on Ubuntu 24.04+ where AppArmor
restricts unprivileged user namespaces. Detect that the kernel blocks
userns via procfs and set WEBKIT_DISABLE_SANDBOX_THIS_IS_DANGEROUS so the
UI stays usable; honor an explicit user override either way.
This commit is contained in:
Zoltán Papp
2026-06-01 20:06:44 +02:00
parent 3dbd96b172
commit 5bebecc427

View File

@@ -2,10 +2,18 @@
package main
import "os"
import (
"os"
"strings"
)
// init runs before Wails' own init(), so the env var is set in time.
// init runs before Wails' own init(), so the env vars are set in time.
func init() {
disableDMABUFRenderer()
disableWebKitSandboxIfNeeded()
}
func disableDMABUFRenderer() {
if os.Getenv("WEBKIT_DISABLE_DMABUF_RENDERER") != "" {
return
}
@@ -18,6 +26,46 @@ func init() {
_ = os.Setenv("WEBKIT_DISABLE_DMABUF_RENDERER", "1")
}
// disableWebKitSandboxIfNeeded works around WebKitGTK crashing at startup when
// its bubblewrap (bwrap) sandbox can't create an unprivileged user namespace —
// "bwrap: setting up uid map: Permission denied" followed by "Failed to fully
// launch dbus-proxy" and a panic in webkit_web_view_load_uri. This happens in
// containers/VMs and on Ubuntu 24.04+ where AppArmor restricts unprivileged
// user namespaces (kernel.apparmor_restrict_unprivileged_userns=1). Software
// can't grant the namespace from here, so when we detect that userns are
// blocked we disable the WebKit sandbox to keep the UI usable. The user can
// override either way by setting WEBKIT_DISABLE_SANDBOX_THIS_IS_DANGEROUS.
func disableWebKitSandboxIfNeeded() {
if _, set := os.LookupEnv("WEBKIT_DISABLE_SANDBOX_THIS_IS_DANGEROUS"); set {
return
}
if unprivilegedUsernsAllowed() {
return
}
_ = os.Setenv("WEBKIT_DISABLE_SANDBOX_THIS_IS_DANGEROUS", "1")
}
// unprivilegedUsernsAllowed reports whether the kernel currently permits
// unprivileged user namespaces, which WebKit's bwrap sandbox needs. It reads
// the relevant procfs knobs; on a kernel that doesn't expose them (older or
// hardened), it conservatively assumes namespaces are available so we don't
// needlessly weaken the sandbox.
func unprivilegedUsernsAllowed() bool {
// Debian/Ubuntu legacy switch: 0 disables unprivileged user namespaces.
if v, err := os.ReadFile("/proc/sys/kernel/unprivileged_userns_clone"); err == nil {
if strings.TrimSpace(string(v)) == "0" {
return false
}
}
// Ubuntu 24.04+ AppArmor restriction: non-zero restricts/blocks them.
if v, err := os.ReadFile("/proc/sys/kernel/apparmor_restrict_unprivileged_userns"); err == nil {
if strings.TrimSpace(string(v)) != "0" {
return false
}
}
return true
}
// On Linux, the system tray provider may require the menu to be recreated
// rather than updated in place. The rebuildExitNodeMenu method in tray.go
// already handles this by removing and re-adding items; no additional