diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 1cce214..93390e2 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -196,7 +196,8 @@ jobs:
 - **macOS**: On first launch, you may see "cannot verify developer". Go to System Preferences → Security & Privacy to allow the app to run
 - **Windows**: SmartScreen may block the app. Click "More info" → "Run anyway" to proceed
- - **Linux**: AppImage requires executable permission: `chmod +x ClawX-*.AppImage`
+ - **Linux AppImage**: First run `chmod +x ClawX-*.AppImage` to add execute permission. On Ubuntu 22.04 you may also need `sudo apt install libfuse2`; on Ubuntu 24.04 use `sudo apt install libfuse2t64`
+ - **Linux .deb (Ubuntu 24.04)**: If installation fails due to missing dependencies, use `sudo apt install libgtk-3-0t64 libnotify4t64 libxss1t64` before installing
 ---
diff --git a/electron-builder.yml b/electron-builder.yml
index d4500a3..cd58978 100644
--- a/electron-builder.yml
+++ b/electron-builder.yml
@@ -173,13 +173,15 @@ appImage:
 deb:
 depends:
- - libgtk-3-0
- - libnotify4
+ # Use OR syntax to support both Ubuntu 22.04 and Ubuntu 24.04 (t64 transition).
+ # Ubuntu 24.04 renamed many libraries with a t64 suffix (64-bit time_t ABI transition).
+ - libgtk-3-0 | libgtk-3-0t64
+ - libnotify4 | libnotify4t64
 - libnss3
- - libxss1
- - libxtst6
+ - libxss1 | libxss1t64
+ - libxtst6 | libxtst6t64
 - xdg-utils
- - libatspi2.0-0
+ - libatspi2.0-0 | libatspi2.0-0t64
 - libuuid1
 afterInstall: scripts/linux/after-install.sh
 afterRemove: scripts/linux/after-remove.sh
diff --git a/scripts/linux/after-install.sh b/scripts/linux/after-install.sh
index 53447be..ffff478 100644
--- a/scripts/linux/after-install.sh
+++ b/scripts/linux/after-install.sh
@@ -26,4 +26,37 @@ if [ -f "$OPENCLAW_WRAPPER" ]; then
 ln -sf "$OPENCLAW_WRAPPER" /usr/local/bin/openclaw 2>/dev/null || true
 fi
+# Set chrome-sandbox permissions.
+# On systems without working user namespaces, the SUID bit is required.
+# On Ubuntu 24.04+, user namespaces are available but blocked by AppArmor;
+# we rely on the AppArmor profile below instead, so 0755 is correct there.
+if ! { [[ -L /proc/self/ns/user ]] && unshare --user true; }; then
+ # No user namespace support — fall back to SUID sandbox
+ chmod 4755 '/opt/ClawX/chrome-sandbox' || true
+else
+ chmod 0755 '/opt/ClawX/chrome-sandbox' || true
+fi
+
+# Install AppArmor profile (Ubuntu 24.04+).
+# Ubuntu 24.04 enables kernel.apparmor_restrict_unprivileged_userns=1 by default,
+# which blocks Electron's sandbox. The bundled AppArmor profile grants the 'userns'
+# permission so the app can create user namespaces without disabling the global policy.
+#
+# We first check if AppArmor is enabled and if the running version supports abi/4.0
+# (Ubuntu 22.04 does not; it runs fine without the profile, so we skip it there).
+if apparmor_status --enabled > /dev/null 2>&1; then
+ APPARMOR_PROFILE_SOURCE='/opt/ClawX/resources/apparmor-profile'
+ APPARMOR_PROFILE_TARGET='/etc/apparmor.d/clawx'
+ if apparmor_parser --skip-kernel-load --debug "$APPARMOR_PROFILE_SOURCE" > /dev/null 2>&1; then
+ cp -f "$APPARMOR_PROFILE_SOURCE" "$APPARMOR_PROFILE_TARGET"
+
+ # Skip live-loading in a chroot environment (e.g. image-building pipelines).
+ if ! { [ -x '/usr/bin/ischroot' ] && /usr/bin/ischroot; } && hash apparmor_parser 2>/dev/null; then
+ apparmor_parser --replace --write-cache --skip-read-cache "$APPARMOR_PROFILE_TARGET"
+ fi
+ else
+ echo "Skipping AppArmor profile installation: this version of AppArmor does not support the bundled profile"
+ fi
+fi
+
 echo "ClawX has been installed successfully."
diff --git a/scripts/linux/after-remove.sh b/scripts/linux/after-remove.sh
index 1eade9e..9dbd238 100644
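Review bot: The user-namespace probe `unshare --user true` runs inside a dpkg maintainer script, i.e. as root, so it is not subject to the unprivileged-userns restrictions the comment describes (a `kernel.unprivileged_userns_clone=0` sysctl or Ubuntu's AppArmor restriction) and only fails on kernels built without user-namespace support; on a host where the sysctl blocks unprivileged users the script therefore picks 0755 with no AppArmor profile to compensate, and neither sandbox mechanism is usable for the actual user. Consider also consulting the sysctl before choosing the non-SUID path, e.g. `if ! { [ -L /proc/self/ns/user ] && unshare --user true 2>/dev/null; } || [ "$(sysctl -n kernel.unprivileged_userns_clone 2>/dev/null)" = "0" ]; then`, and state in the comment that the probe runs with root privileges so a future reader does not assume it mirrors the user's environment. The new code also mixes `[[ -L … ]]` with the `[ … ]` form used on the other tests in this script (`[ -f "$OPENCLAW_WRAPPER" ]`, `[ -x '/usr/bin/ischroot' ]`); if the shebang, which is outside this hunk, is `/bin/sh`, `[[` is unavailable and, negated by `!`, the failed command would silently select the SUID branch — `[ -L … ]` is safe either way. The `hash apparmor_parser 2>/dev/null` guard on the live-load line is redundant, since `apparmor_parser --skip-kernel-load` has already executed successfully a few lines above. The `if [ -f "$OPENCLAW_WRAPPER" ]` block that opens this hunk begins outside it.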
--- a/scripts/linux/after-remove.sh
+++ b/scripts/linux/after-remove.sh
@@ -18,4 +18,10 @@ if command -v gtk-update-icon-cache &> /dev/null; then
 gtk-update-icon-cache -q /usr/share/icons/hicolor || true
 fi
+# Remove AppArmor profile
+APPARMOR_PROFILE_TARGET='/etc/apparmor.d/clawx'
+if [ -f "$APPARMOR_PROFILE_TARGET" ]; then
+ rm -f "$APPARMOR_PROFILE_TARGET"
+fi
+
 echo "ClawX has been removed."
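Review bot: Deleting `/etc/apparmor.d/clawx` removes the file on disk but leaves the profile that after-install.sh loaded with `apparmor_parser --replace` active in the kernel until the next reboot or AppArmor reload, so its rules (not shown in this diff) keep applying after the package is gone. Unload it before the `rm -f`, reusing the same chroot guard as the install script: `if ! { [ -x /usr/bin/ischroot ] && /usr/bin/ischroot; } && command -v apparmor_parser >/dev/null 2>&1; then apparmor_parser --remove "$APPARMOR_PROFILE_TARGET" 2>/dev/null || true; fi` — it must run while the file still exists, because `--remove` reads the profile name from it. If this script is also invoked for the upgrade case of postrm (the dispatch is outside this hunk), the profile is unloaded and deleted and only restored when the new postinst runs, so gating the removal on the maintainer-script argument would avoid that window. The `if command -v gtk-update-icon-cache` block that opens this hunk begins outside it.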