fix ubuntu debs

.github/workflows/release.yml

@@ -196,7 +196,8 @@ jobs:
             
             - **macOS**: On first launch, you may see "cannot verify developer". Go to System Preferences → Security & Privacy to allow the app to run
             - **Windows**: SmartScreen may block the app. Click "More info" → "Run anyway" to proceed
-            - **Linux**: AppImage requires executable permission: `chmod +x ClawX-*.AppImage`
+            - **Linux AppImage**: First run `chmod +x ClawX-*.AppImage` to add execute permission. On Ubuntu 22.04 you may also need `sudo apt install libfuse2`; on Ubuntu 24.04 use `sudo apt install libfuse2t64`
+            - **Linux .deb (Ubuntu 24.04)**: If installation fails due to missing dependencies, use `sudo apt install libgtk-3-0t64 libnotify4t64 libxss1t64` before installing
             
             ---
             

electron-builder.yml

@@ -173,13 +173,15 @@ appImage:
 
 deb:
   depends:
-    - libgtk-3-0
+    # Use OR syntax to support both Ubuntu 22.04 and Ubuntu 24.04 (t64 transition).
-    - libnotify4
+    # Ubuntu 24.04 renamed many libraries with a t64 suffix (64-bit time_t ABI transition).
+    - libgtk-3-0 | libgtk-3-0t64
+    - libnotify4 | libnotify4t64
     - libnss3
-    - libxss1
+    - libxss1 | libxss1t64
-    - libxtst6
+    - libxtst6 | libxtst6t64
     - xdg-utils
-    - libatspi2.0-0
+    - libatspi2.0-0 | libatspi2.0-0t64
     - libuuid1
   afterInstall: scripts/linux/after-install.sh
   afterRemove: scripts/linux/after-remove.sh

scripts/linux/after-install.sh

@@ -26,4 +26,37 @@ if [ -f "$OPENCLAW_WRAPPER" ]; then
     ln -sf "$OPENCLAW_WRAPPER" /usr/local/bin/openclaw 2>/dev/null || true
 fi
 
+# Set chrome-sandbox permissions.
+# On systems without working user namespaces, the SUID bit is required.
+# On Ubuntu 24.04+, user namespaces are available but blocked by AppArmor;
+# we rely on the AppArmor profile below instead, so 0755 is correct there.
+if ! { [[ -L /proc/self/ns/user ]] && unshare --user true; }; then
+    # No user namespace support — fall back to SUID sandbox
+    chmod 4755 '/opt/ClawX/chrome-sandbox' || true
+else
+    chmod 0755 '/opt/ClawX/chrome-sandbox' || true
+fi
+
+# Install AppArmor profile (Ubuntu 24.04+).
+# Ubuntu 24.04 enables kernel.apparmor_restrict_unprivileged_userns=1 by default,
+# which blocks Electron's sandbox. The bundled AppArmor profile grants the 'userns'
+# permission so the app can create user namespaces without disabling the global policy.
+#
+# We first check if AppArmor is enabled and if the running version supports abi/4.0
+# (Ubuntu 22.04 does not; it runs fine without the profile, so we skip it there).
+if apparmor_status --enabled > /dev/null 2>&1; then
+    APPARMOR_PROFILE_SOURCE='/opt/ClawX/resources/apparmor-profile'
+    APPARMOR_PROFILE_TARGET='/etc/apparmor.d/clawx'
+    if apparmor_parser --skip-kernel-load --debug "$APPARMOR_PROFILE_SOURCE" > /dev/null 2>&1; then
+        cp -f "$APPARMOR_PROFILE_SOURCE" "$APPARMOR_PROFILE_TARGET"
+
+        # Skip live-loading in a chroot environment (e.g. image-building pipelines).
+        if ! { [ -x '/usr/bin/ischroot' ] && /usr/bin/ischroot; } && hash apparmor_parser 2>/dev/null; then
+            apparmor_parser --replace --write-cache --skip-read-cache "$APPARMOR_PROFILE_TARGET"
+        fi
+    else
+        echo "Skipping AppArmor profile installation: this version of AppArmor does not support the bundled profile"
+    fi
+fi
+
 echo "ClawX has been installed successfully."

scripts/linux/after-remove.sh

@@ -18,4 +18,10 @@ if command -v gtk-update-icon-cache &> /dev/null; then
     gtk-update-icon-cache -q /usr/share/icons/hicolor || true
 fi
 
+# Remove AppArmor profile
+APPARMOR_PROFILE_TARGET='/etc/apparmor.d/clawx'
+if [ -f "$APPARMOR_PROFILE_TARGET" ]; then
+    rm -f "$APPARMOR_PROFILE_TARGET"
+fi
+
 echo "ClawX has been removed."