Is there an existing issue for this?
Current Behavior
Installing any app via `proot-apps install <app>` fails at the `proot -R ... /install` step. The layer download succeeds, but proot cannot execute `/install`:

```
proot error: ptrace(TRACEME): Operation not permitted
proot error: execve("/install"): Operation not permitted
proot info: It seems your kernel contains this bug: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1202161
To workaround it, set the env. variable PROOT_NO_SECCOMP to 1.
fatal error: see `proot --help`.
```

As a result, no desktop shortcut, menu entry, or icon is created. The app folder is extracted under `~/proot-apps/` but the install script never runs.
Expected Behavior
Investigation
- `PROOT_NO_SECCOMP=1` does not fix it (suggests seccomp workaround is unrelated; the real block is `ptrace_scope=2`).
- Running the same command as `root` works (root has `CAP_SYS_PTRACE`).
- Running `setcap cap_sys_ptrace+ep ~/.local/bin/proot` (as root) fixes it for `abc` — proot then inherits the capability since `NoNewPrivs=0`.
Root cause
With `ptrace_scope=2`, only root (or binaries with `CAP_SYS_PTRACE` file capability) can call `ptrace(PTRACE_TRACEME)`. The `abc` user has `CapEff=0`, so proot is blocked.

The `webtop:latest` (Alpine) image does not have this issue — proot works as `abc` there.
Suggested fix
Ship proot with the `cap_sys_ptrace` file capability, or set it during `init-selkies-config`:

```
setcap cap_sys_ptrace+ep "$HOME/.local/bin/proot"
```
Steps To Reproduce
- Start `webtop:ubuntu-xfce`
- As `abc` user: `proot-apps install qbittorrent`
- Layer downloads, then proot fails with `ptrace(TRACEME): Operation not permitted`
Environment
- Image: `lscr.io/linuxserver/webtop:ubuntu-xfce`
- OS: Ubuntu 26.04 LTS (Resolute)
- Kernel: `5.4.241-1-tlinux4-0023.7`
- `kernel.yama.ptrace_scope = 2` (read-only, cannot change)
- proot-apps: 0.3.2
- proot: static ELF, no file capabilities
- User: `abc` (runs the desktop session, `CapEff=0`, `NoNewPrivs=0`)
CPU architecture
x86-64
Docker creation
Container logs
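A check for the condition described in this report, as an added example that is not part of the original issue or of proot-apps: it reads `ptrace_scope`, `CapEff`, `CapBnd` and `NoNewPrivs` and reports whether a tracer such as proot may use ptrace, and whether a `cap_sys_ptrace` file capability could change that. The function names and the keywords it prints are assumptions made for illustration.

```shell
#!/bin/sh
# Added diagnostic example; not part of proot-apps or the webtop image.
# Function names and output keywords are constructed for illustration.

CAP_SYS_PTRACE_BIT=19   # value of CAP_SYS_PTRACE in linux/capability.h

# has_ptrace_cap HEXMASK: true if CAP_SYS_PTRACE is set in a /proc capability mask
has_ptrace_cap() {
    [ -n "$1" ] && [ $(( (0x$1 >> CAP_SYS_PTRACE_BIT) & 1 )) -eq 1 ]
}

# ptrace_verdict SCOPE CAPEFF CAPBND NONEWPRIVS
# Prints one keyword:
#   allowed   - the tracer may use ptrace as it is
#   blocked   - ptrace_scope=3, ptrace is off for every process
#   fixable   - blocked now, but a cap_sys_ptrace file capability can be granted on exec
#   unfixable - blocked, and NoNewPrivs=1 or the bounding set rules out that capability
ptrace_verdict() {
    case $1 in
        0|1) echo allowed; return ;;   # Yama does not restrict PTRACE_TRACEME here
        3)   echo blocked; return ;;
        2)   ;;                        # admin-only: the tracer needs CAP_SYS_PTRACE
        *)   echo unknown; return ;;
    esac
    if has_ptrace_cap "$2"; then
        echo allowed
    elif [ "$4" = 1 ] || ! has_ptrace_cap "$3"; then
        echo unfixable
    else
        echo fixable
    fi
}

# status_field NAME: value of one field from this shell's /proc status
status_field() { sed -n "s/^$1:[[:space:]]*//p" "/proc/$$/status" 2>/dev/null; }

# live_verdict: verdict for the current shell; a missing Yama sysctl counts as scope 0
live_verdict() {
    scope=$(cat /proc/sys/kernel/yama/ptrace_scope 2>/dev/null || echo 0)
    ptrace_verdict "$scope" "$(status_field CapEff)" \
        "$(status_field CapBnd)" "$(status_field NoNewPrivs)"
}

echo "this shell: $(live_verdict)"
```

Run it as the user that launches proot (`abc` in this report); `getcap ~/.local/bin/proot` shows whether the binary already carries the file capability.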