2021-learning-through-breaking.md 6.23 KB
Newer Older
Bryan Quigley's avatar
Bryan Quigley committed
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146
<!--
.. title: Learning through breaking
.. slug: learning-through-breaking
.. date: 2021-03-03 23:40:45+00:00
.. tags: 
.. category: 
.. link: 
.. description: 
.. type: text
-->

I run [Steam in a flatpak](https://flathub.org/apps/details/com.valvesoftware.Steam) for convenience and confinment reasons. One day my Steam install failed with

![32 bit libarires not installed](/images/2021-learning-through-breaking-steam.png)

 My first instinct is to check to make sure libc6:i386 is actually installed - it is. Then I check to see if there are flatpak updates, but with the 32-bit libraries I find more errors:

```bash
        ID                                                  Branch        Op        Remote         Download
 1. [✗] org.freedesktop.Platform.GL32.nvidia-460-39         1.4           i         flathub        178.7 MB / 178.7 MB

Error: While trying to apply extra data: apply_extra script failed, exit status 40704
error: Failed to install org.freedesktop.Platform.GL32.nvidia-460-39: While trying to apply extra data: apply_extra script failed, exit status 40704
```

Journal log
```bash
Feb 26 08:18:24 desktop polkitd(authority=local)[641]: Registered Authentication Agent for unix-process:3535:65589 (system bus name :1.75 [flatpak install org.freedesktop.Platform.GL32.nvidia-460-39], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
Feb 26 08:18:26 desktop flatpak[3535]: libostree pull from 'flathub' for runtime/org.freedesktop.Platform.GL32.nvidia-460-39/x86_64/1.4 complete
                                       security: GPG: summary+commit 
                                       security: SIGN: disabled http: TLS
                                       delta: parts: 1 loose: 3
                                       transfer: secs: 0 size: 349.8 kB


Feb 26 08:18:54 desktop flatpak[3535]: system: Pulled runtime/org.freedesktop.Platform.GL32.nvidia-460-39/x86_64/1.4 from flathub
Feb 26 08:18:55 desktop audit[3583]: SECCOMP auid=1000 uid=0 gid=0 ses=2 subj==unconfined pid=3583 comm="apply_extra" exe="/app/bin/apply_extra" sig=31 arch=40000003 syscall=122 compat=1 ip=0x80a933d code=0x0
```

This is where I remember that I've been testing a lot of systemd confinement changes (including limiting SystemCalls) and one of the services I modified was gpg-agent. However, reverting that change doesn't help but I'm getting closer. (Aside: Great time to guess what config change I made that caused the errors..)

I then run:
```bash
sudo flatpak repair
```
to verify all the files in flatpak but nothing needed fixing.

I then ran:
```bash
$ sudo dpkg -V
...
/etc/systemd/system.conf
...
```

Oh, shoot I did setup
```bash
SystemCallArchitectures=native
```
This is saying I only want native syscalls to be run, but why is it applying to an application! I would have thought it just applied to services or other things systemd runs.

Sure enough disabling that option fixes it, Steam works, and the 32-bit NVidia via Flatpak install too.

## But.. why?

Flatpak runs apps in a systemd scope (if available).

```bash
$ systemctl status --user app-flatpak-com.valvesoftware.Steam-6702.scope 
● app-flatpak-com.valvesoftware.Steam-6702.scope
     Loaded: loaded (/run/user/1000/systemd/transient/app-flatpak-com.valvesoftware.Steam-6702.scope; transient)
  Transient: yes
     Active: active (running) since Wed 2021-03-03 12:16:23 PST; 1min 2s ago
      Tasks: 113 (limit: 38415)
     Memory: 352.0M
        CPU: 16.066s
     CGroup: /user.slice/user-1000.slice/user@1000.service/app.slice/app-flatpak-com.valvesoftware.Steam-6702.scope
             ├─6702 bwrap --args 41 /app/bin/steam-wrapper
             ├─6706 bwrap --args 4But what does 1 xdg-dbus-proxy --args=43
             ├─6707 xdg-dbus-proxy --args=43
             ├─6711 bwrap --args 41 /app/bin/steam-wrapper
             ├─6713 bash /home/bryan/.local/share/Steam/steam.sh
            ....etc
```

I want to explore inside this scope more and I stumble upon [some Sandbox docs](https://github.com/flatpak/flatpak/wiki/Sandbox), but using flatpak run just creates it's own scope:

```bash
$ systemctl status --user app-flatpak-com.valvesoftware.Steam-7616.scope 
● app-flatpak-com.valvesoftware.Steam-7616.scope
     Loaded: loaded (/run/user/1000/systemd/transient/app-flatpak-com.valvesoftware.Steam-7616.scope; transient)
  Transient: yes
     Active: active (running) since Wed 2021-03-03 12:20:21 PST; 33s ago
      Tasks: 6 (limit: 38415)
     Memory: 2.8M
        CPU: 61ms
     CGroup: /user.slice/user-1000.slice/user@1000.service/app.slice/app-flatpak-com.valvesoftware.Steam-7616.scope
             ├─7616 bwrap --args 42 bash
             ├─7620 bwrap --args 42 xdg-dbus-proxy --args=44
             ├─7621 xdg-dbus-proxy --args=44
             ├─7624 bwrap --args 42 bash
             └─7626 bash
```

But this is an awesome way to see what the Flatpak actually has access to (and the package icon is just such a nice touch)

```bash
$ flatpak run --command=bash com.valvesoftware.Steam 
[📦 com.valvesoftware.Steam ~]$ ls
Music  Pictures  cache	config	data
[📦 com.valvesoftware.Steam ~]$ pwd
/home/bryan
```

I totally forgot that Steam has a built-in music player. Let's turn that off.

flatpak permissions-show or list doesn't seem to do anything.  

flatpak info --show-permissions com.valvesoftware.Steam is the right answer ([thanks!](https://unix.stackexchange.com/questions/476759/how-to-list-permissions-of-flatpak-applications))

```bash
filesystems=xdg-run/app/com.discordapp.Discord:create;xdg-pictures:ro;xdg-music:ro;
persistent=.;
```

I then decide to just install [Flatseal](https://flathub.org/apps/details/com.github.tchx84.Flatseal) to review those and end up disabling all the default file permissions.


```bash
$ flatpak run --command=bash com.valvesoftware.Steam 
[📦 com.valvesoftware.Steam ~]$ ls
Music  Pictures  cache	config	data
```

Hmm.. Did I do something wrong?

```bash
$ ls Music/ Pictures/
Music/:

Pictures/:
```

Nope, those directories are now empty.  Previosly they were my actual music and pictures. Better confinement and a better understanding of how it works. Nice!

Have a comment or did I make a mistake?  Add it via [Gitlab](https://gitlab.com/BryanQuigley/bryanquigley.com/-/blob/master/posts/2021-learning-through-breaking.md).