Remove --no-sandbox as soon as possible

[Toniob]

I've just updated riot via flathub this morning. I can't start it anymore since :

[3:0806/091941.599709:FATAL:setuid_sandbox_host.cc(157)] The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. You need to make sure that /app/Riot/chrome-sandbox is owned by root and has mode 4755.

[SISheogorath]

Seems like we introduced this with the last update. I'll do a roll back and see what Riot upstream has to say about that.

[SISheogorath]

Done by 91bfc5a

[viccuad]

I was unfortunate to update to the new version, so I can't use it anymore.
I cannot uninstall and install again because I would lose the riot keys, and the verified keys of people I talk with.

Is there any workaround for an already installed 1.3.2?

Will I get an automatic update if you re-release 1.3.2, meanwhile I have it already installed?

Also, thanks for looking into this, and reacting so fast.

[SISheogorath]

@viccuad You can run sudo flatpak --system update im.riot.Riot --commit=8304f2966327bda5864945b19459050f046e75c98ab67cd6a730e9022c80a3eb to make a rollback to the last release of Riot.

But yes, you will get an update as soon as flathub is rolling it (might takes until tomorrow). No matter if the Riot version number changed or not :)

[SISheogorath]

Seems like we are not the only ones: flatpak/flatpak#3044

[SISheogorath]

In the long term perspective this will be hopefully solved, in the mean time, I would still like to be able to ship new Riot Versions. Any objections about running Riot in Flatpak with --no-sandbox?

[gasinvein]

@SISheogorath Well, --no-sandbox is clearly decreasing security. But is would make Riot as insecure as it was before electron 5. Maybe we should somehow harden flatpak permissions to compensate this.
Also I've heard @refi64 is working on a good solution for this.

[SISheogorath]

@gasinvein Definitely, and I look forward to that, but AFAIK it's not even in a PR yet and until this gets merged and reviewed and Riot updates electron, there will be some time in-between.

So I guess we need something until those changes made it into the upstream project.

[SISheogorath]

I think while we wait for the flatpak general solution to this topic, we should deploy the --no-sandbox parameter. Right now, from a sandbox perspective we can't remote that much more. We only mount xdg-download and the rest of the provided parameters are required for features to work properly.

• x11 to display anything
• devices=all to allow video conferences
• notifications and keyring to let chromium/electron store secrets and send notifications/display tray icons
• pulseaudio for sound

[Erick555]

@SISheogorath this was fixed by #88

[SISheogorath]

Great, @Erick555!