ci: disable AppArmor restrictions on Ubuntu and update troubleshootin…

…g.md (#13196)
puppeteer · Oct 16, 2024 · 3984449 · 3984449
1 parent 19dd9c3
commit 3984449
Show file tree

Hide file tree

Showing 4 changed files with 34 additions and 0 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -134,6 +134,8 @@ jobs:
         with:
           cache: npm
           node-version-file: '.nvmrc'
+      - name: Disable AppArmor
+        run: echo 0 | sudo tee /proc/sys/kernel/apparmor_restrict_unprivileged_userns
       - name: Install dependencies
         run: npm ci
         env:
@@ -183,6 +185,9 @@ jobs:
         with:
           cache: npm
           node-version-file: '.nvmrc'
+      - name: Disable AppArmor
+        if: ${{ matrix.os == 'ubuntu-latest' }}
+        run: echo 0 | sudo tee /proc/sys/kernel/apparmor_restrict_unprivileged_userns
       - name: Install dependencies
         run: npm ci
         env:
@@ -262,6 +267,9 @@ jobs:
         with:
           cache: npm
           node-version-file: '.nvmrc'
+      - name: Disable AppArmor
+        if: ${{ matrix.os == 'ubuntu-latest' }}
+        run: echo 0 | sudo tee /proc/sys/kernel/apparmor_restrict_unprivileged_userns
       - name: Install dependencies
         run: npm ci
         env:
@@ -328,6 +336,9 @@ jobs:
         with:
           cache: npm
           node-version-file: '.nvmrc'
+      - name: Disable AppArmor
+        if: ${{ matrix.os == 'ubuntu-latest' }}
+        run: echo 0 | sudo tee /proc/sys/kernel/apparmor_restrict_unprivileged_userns
       - name: Install dependencies
         run: npm ci
         env:
@@ -461,6 +472,9 @@ jobs:
         with:
           cache: npm
           node-version-file: '.nvmrc'
+      - name: Disable AppArmor
+        if: ${{ matrix.os == 'ubuntu-latest' }}
+        run: echo 0 | sudo tee /proc/sys/kernel/apparmor_restrict_unprivileged_userns
       - name: Install dependencies
         run: npm ci
         env:
@@ -510,6 +524,9 @@ jobs:
         with:
           cache: npm
           node-version-file: '.nvmrc'
+      - name: Disable AppArmor
+        if: ${{ matrix.os == 'ubuntu-latest' }}
+        run: echo 0 | sudo tee /proc/sys/kernel/apparmor_restrict_unprivileged_userns
       - name: Install dependencies
         run: npm ci
         env:

diff --git a/.github/workflows/daily.yml b/.github/workflows/daily.yml
@@ -44,6 +44,9 @@ jobs:
         with:
           cache: npm
           node-version-file: '.nvmrc'
+      - name: Disable AppArmor
+        if: ${{ matrix.os == 'ubuntu-latest' }}
+        run: echo 0 | sudo tee /proc/sys/kernel/apparmor_restrict_unprivileged_userns
       - name: Install dependencies
         run: npm ci
         env:
@@ -111,6 +114,9 @@ jobs:
         run: npm ci
         env:
           PUPPETEER_SKIP_DOWNLOAD: true
+      - name: Disable AppArmor
+        if: ${{ matrix.os == 'ubuntu-latest' }}
+        run: echo 0 | sudo tee /proc/sys/kernel/apparmor_restrict_unprivileged_userns
       # Set up GitHub Actions caching for Wireit.
       - uses: google/wireit@eea3c9f0385a39e6eb4ff6a6daa273311381d436 # setup-github-actions-caching/v2.0.2
       - name: Build packages

diff --git a/.github/workflows/devtools.yml b/.github/workflows/devtools.yml
@@ -54,6 +54,8 @@ jobs:
         uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
         with:
           name: puppeteer-build
+      - name: Disable AppArmor
+        run: echo 0 | sudo tee /proc/sys/kernel/apparmor_restrict_unprivileged_userns
       - name: Checkout depot_tools
         run: git clone https://chromium.googlesource.com/chromium/tools/depot_tools.git
       - name: Add depot_tools to path

diff --git a/docs/troubleshooting.md b/docs/troubleshooting.md
@@ -230,6 +230,15 @@ For this to work properly, the host should be configured first. If there's no
 good sandbox for Chrome to use, it will crash with the error
 `No usable sandbox!`.
 
+Ubuntu 23.10+ (or possibly other Linux distros in the future) ship an
+AppArmor profile that applies to Chrome stable binaries installed at
+/opt/google/chrome/chrome (the default installation path). This policy
+is stored at /etc/apparmor.d/chrome. This AppArmor policy prevents
+Chrome for Testing binaries downloaded by Puppeteer from using user namespaces
+resulting in the `No usable sandbox!` error when trying to launch the
+browser. For workarounds, see
+https://chromium.googlesource.com/chromium/src/+/main/docs/security/apparmor-userns-restrictions.md
+
 If you **absolutely trust** the content you open in Chrome, you can launch
 Chrome with the `--no-sandbox` argument: