loslesscut-bin crashes at startup

[wamserma]

Describe the bug

Losslesscut crashes at startup due to missing --disable-seccomp-filter-sandbox

Steps To Reproduce

Steps to reproduce the behavior:

1. nix-shell -p losslesscut-bin
2. losslesscut # crash
3. losslesscut --disable-seccomp-filter-sandbox # works

Expected behavior

Losslesscut works out-of-the-box.

pkgs/applications/video/losslesscut-bin/appimage.nix probably just needs a
wrapProgram $out/bin/${nameExecutable} --add-flags "--disable-seccomp-filter-sandbox"
in extraInstallCommands.

Notify maintainers

@ShamrockLee

Metadata

[user@system:~]$ nix-shell -p nix-info --run "nix-info -m"
 - system: `"x86_64-linux"`
 - host os: `Linux 5.15.43, NixOS, 22.05 (Quokka), 22.05.git.fc189538fd8`
 - multi-user?: `yes`
 - sandbox: `yes`
 - version: `nix-env (Nix) 2.8.1`
 - channels(root): `"home-manager-22.05.tar.gz, mypkgs, nixos-22.05, nur, unstable"`
 - channels(markus): `""`
 - nixpkgs: `/nix/var/nix/profiles/per-user/root/channels/nixos`

[ShamrockLee]

It seems to come from a sandboxing feature of Chromium. (LosslessCut is an Electron app, and Electron uses Chromium, IIUC.)

https://chromium.googlesource.com/chromium/src/+/refs/heads/main/docs/linux/sandboxing.md

I'll add the flag when I'm available. Should it be added to both the Linux and the Darwin binary, or just to the former?

[wamserma]

I'll add the flag when I'm available. Should it be added to both the Linux and the Darwin binary, or just to the former?

I was only able to test on Linux.

While you're at it:

When bumping the version, filenames need a change (only tested for Linux):

diff --git a/pkgs/applications/video/losslesscut-bin/appimage.nix b/pkgs/applications/video/losslesscut-bin/appimage.nix
index 87518479db4..b2ec3d00f19 100644
--- a/pkgs/applications/video/losslesscut-bin/appimage.nix
+++ b/pkgs/applications/video/losslesscut-bin/appimage.nix
@@ -5,7 +5,7 @@
   nameRepo = "lossless-cut";
   nameCamel = "LosslessCut";
   name = "${pname}-${version}";
-  nameSource = "${nameCamel}-linux.AppImage";
+  nameSource = "${nameCamel}-linux-x86_64.AppImage";
   nameExecutable = "losslesscut";
   owner = "mifi";
   src = fetchurl {

diff --git a/pkgs/applications/video/losslesscut-bin/default.nix b/pkgs/applications/video/losslesscut-bin/default.nix
index be7786f9102..45872818995 100644
--- a/pkgs/applications/video/losslesscut-bin/default.nix
+++ b/pkgs/applications/video/losslesscut-bin/default.nix
@@ -1,7 +1,7 @@
 { callPackage, stdenvNoCC, lib }:
 let
-  version = "3.43.0";
-  appimage = callPackage ./appimage.nix { inherit version; sha256 = "1xfr3i4gsi13wj374yr5idhgs0q71s4h33yxdr7b7xjdg2gb8lp1"; };
+  version = "3.45.0";
+  appimage = callPackage ./appimage.nix { inherit version; sha256 = "01iymckir87vlh0h3pcyj1x2rhg8pwx7b249y186b9s530vy3vg2"; };
   dmg = callPackage ./dmg.nix { inherit version; sha256 = ""; };
   windows = callPackage ./windows.nix { inherit version; sha256 = ""; };
 in (
diff --git a/pkgs/applications/video/losslesscut-bin/dmg.nix b/pkgs/applications/video/losslesscut-bin/dmg.nix
index 3cbd77198b9..e334c0a58b9 100644
--- a/pkgs/applications/video/losslesscut-bin/dmg.nix
+++ b/pkgs/applications/video/losslesscut-bin/dmg.nix
@@ -4,7 +4,7 @@ let
   pname = "losslesscut";
   nameRepo = "lossless-cut";
   nameCamel = "LosslessCut";
-  nameSource = "${nameCamel}-mac.dmg";
+  nameSource = "${nameCamel}-mac-x64.dmg";
   nameApp = nameCamel + ".app";
   owner = "mifi";
   src = fetchurl {
diff --git a/pkgs/applications/video/losslesscut-bin/windows.nix b/pkgs/applications/video/losslesscut-bin/windows.nix
index 0e6ed9b0412..92c86313fec 100644
--- a/pkgs/applications/video/losslesscut-bin/windows.nix
+++ b/pkgs/applications/video/losslesscut-bin/windows.nix
@@ -12,7 +12,7 @@ let
   nameRepo = "lossless-cut";
   nameCamel = "LosslessCut";
   nameSourceBase = "${nameCamel}-win";
-  nameSource = "${nameSourceBase}.zip";
+  nameSource = "${nameSourceBase}-x64.zip";
   nameExecutable = "${nameCamel}.exe";
   owner = "mifi";
   getSymlinkCommand = if (customSymlinkCommand != null) then customSymlinkCommand

and #154838 is still open.

[ShamrockLee]

@wamserma Thank you for reminding!

After a quick test, losslesscut-bin 3.43.0 does run out-of-the-box on my machine

$ nix-shell -p nix-info --run "nix-info -m"
 - system: `"x86_64-linux"`
 - host os: `Linux 5.10.111, NixOS, 21.11 (Porcupine)`
 - multi-user?: `yes`
 - sandbox: `yes`
 - version: `nix-env (Nix) 2.5.0pre20211206_d1aaa7e`
 - nixpkgs: `/nix/store/3g25cg20m43hvsy17d7nz0jxwk79a77w-source`

Does it crash because the user namespaces is unavailable?

Does the same problem happen to caprine, it is another electron app packaged the same way. Does it happen to chromium itself?

[wamserma]

I can confirm that it works ootb on NixOS 21.11, but not on 22.05.
Caprine crashes in a similar way on NixOS 22.05:
[2:0610/180156.893958:FATAL:gpu_data_manager_impl_private.cc(442)] GPU process isn't usable. Goodbye.
Chromium works on both.

[ShamrockLee]

@wamserma How about onlyoffice-bin?

If onlyoffice-bin does work, it might have something to do with buildFHSUserEnv.

[wamserma]

onlyoffice-bin works on 22.05

[ShamrockLee]

@wamserma I'm working on it, but couldn't find a way to call wrapProgram in extraInstallCommands. To be exact, I don't know how to inject the dependency makeWrapper, a setup hook, into the appimageTools.wrapType2 builder.

How should I do it?

Thanks a lot for your patience.

[ShamrockLee]

@wamserma Is this issue still relevant?

[wamserma]

Last time I checked: Yes. I've got this still on my list and will close in case it is resolved.

[ShamrockLee]

It should now be fixed in #154838.

[wamserma]

It should now be fixed in #154838.

Confirmed.