core-updates: webkitgtk web process sandbox incomplete

  • Done
  • quality assurance status badge
Details
4 participants
  • sirgazil via web
  • Jack Hill
  • Marius Bakke
  • sirgazil
Owner
unassigned
Submitted by
Jack Hill
Severity
normal
J
J
Jack Hill wrote on 25 Apr 2020 04:55
core-updates: epiphany web process crashes
(address . bug-guix@gnu.org)
alpine.DEB.2.20.2004242240420.5735@marsh.hcoop.net
Hi Guix,

On Guix System with the current core-updates branch, epiphany/GNOME-Web
starts, but doesn't work because the web process crash in a loop.

When I run epiphany from the terminal I see

"""
$ epiphany

** (epiphany:29457): CRITICAL **: 22:37:21.415: void webkit_web_context_register_uri_scheme(WebKitWebContext*, const char*, WebKitURISchemeRequestCallback, gpointer, GDestroyNotify): assertion 'g_ascii_strcasecmp(scheme, "ftp") != 0' failed
bwrap: Can't create file at /etc/pulse/client.conf: No such file or directory
bwrap: Can't create file at /etc/pulse/client.conf: No such file or directory
bwrap: Can't create file at /etc/pulse/client.conf: No such file or directory
bwrap: Can't create file at /etc/pulse/client.conf: No such file or directory
bwrap: Can't create file at /etc/pulse/client.conf: No such file or directory
bwrap: Can't create file at /etc/pulse/client.conf: No such file or directory
bwrap: Can't create file at /etc/pulse/client.conf: No such file or directory

** (epiphany:29457): WARNING **: 22:37:21.866: Web process crashed
"""

The bwrap… and …Web process crashed lines then continue to print
alternating.

Windows and tabs are created, but no content is ever drawn in them.

/etc/pulse/client.conf exists on the host, but maybe not in the namespaces
created by bwrap?

Could this be related to WebKitGTK sandboxing:

Best,
Jack
J
J
Jack Hill wrote on 25 Apr 2020 05:19
(address . 40837@debbugs.gnu.org)
alpine.DEB.2.20.2004242319160.5735@marsh.hcoop.net
I expericne the problem with epiphany installed both in the system profile
and in an ad-hoc environment.

Best,
Jack
S
S
sirgazil wrote on 25 Apr 2020 23:55
core-updates: epiphany web process crashes
(name . 40837)(address . 40837@debbugs.gnu.org)
171b356d9e2.1154aefce15638.8921669740072490388@zoho.com
I can reproduce this bug. I can't load any page and see the same messages in the terminal.
J
J
Jack Hill wrote on 26 Apr 2020 03:23
(name . sirgazil)(address . sirgazil@zoho.com)(name . 40837)(address . 40837@debbugs.gnu.org)
alpine.DEB.2.20.2004252059380.5735@marsh.hcoop.net
On Sat, 25 Apr 2020, sirgazil via Bug reports for GNU Guix wrote:

Toggle quote (2 lines)
> I can reproduce this bug. I can't load any page and see the same messages in the terminal.

Thanks, as a fist step it is helpful to know that the problem can be
reproduced.

The second step is to figure out why this is happening. My suspicion is
that the bwrap invocation by webkitgtk is not sharing some paths into the
new namespace it creates that it should be, because the paths are
different on Guix System than they are on FHS systems.

Stracing epiphany, I've turned up the bwrap invocation to be:

execve("/gnu/store/kzq4v5fvjbdbbwah74k10pf698xkbdpr-bubblewrap-0.4.1/bin/bwrap",
["/gnu/store/kzq4v5fvjbdbbwah74k10pf698xkbdpr-bubblewrap-0.4.1/bin/bwrap",
"--args", "36", "--",
"/gnu/store/1skpd1p64x982c52anh4a5yhlp05paa6-webkitgtk-2.28.1/libexec/webkit2gtk-4.0/WebKitWebProcess",
"11", "31"]

File descriptor 36, which hold the bwrap arguments is

write(36,
"--die-with-parent\0--unshare-pid\0--unshare-uts\0--unshare-net\0--ro-bind\0/etc\0/etc\0--dev\0/dev\0--proc\0/proc\0--tmpfs\0/tmp\0--unsetenv\0TMPDIR\0--dir\0/run\0--symlink\0../run\0/var/run\0--symlink\0../tmp\0/var/tmp\0--ro-bind\0/sys/block\0/sys/block\0--ro-bind\0/sys/bus\0/sys/bus\0--ro-bind\0/sys/class\0/sys/class\0--ro-bind\0/sys/dev\0/sys/dev\0--ro-bind\0/sys/devices\0/sys/devices\0--ro-bind-try\0/usr/share\0/usr/share\0--ro-bind-try\0/usr/local/share\0/usr/local/share\0--ro-bind-try\0/gnu/store/1skpd1p64x982c52anh4a5yhlp05paa6-webkitgtk-2.28.1/share\0/gnu/store/1skpd1p64x982c52anh4a5yhlp05paa6-webkitgtk-2.28.1/share\0--ro-bind-try\0/lib\0/lib\0--ro-bind-try\0/usr/lib\0/usr/lib\0--ro-bind-try\0/usr/local/lib\0/usr/local/lib\0--ro-bind-try\0/gnu/store/1skpd1p64x982c52anh4a5yhlp05paa6-webkitgtk-2.28.1/lib\0/gnu/store/1skpd1p64x982c52anh4a5yhlp05paa6-webkitgtk-2.28.1/lib\0--ro-bind-try\0/lib64\0/lib64\0--ro-bind-try\0/usr/lib64\0/usr/lib64\0--ro-bind-try\0/usr/local/lib64\0/usr/local/lib64\0--ro-bind-try\0/gnu/store/1skpd1p64x982c52anh4a5yhlp05paa6-webkitgtk-2.28.1/libexec/webkit2gtk-4.0\0/gnu/store/1skpd1p64x982c52anh4a5yhlp05paa6-webkitgtk-2.28.1/libexec/webkit2gtk-4.0\0--ro-bind-try\0/gnu/store/h6pd8k3glp23k868i0ij5x2v5kzfgsrv-gdk-pixbuf+svg-2.40.0/lib\0/gnu/store/h6pd8k3glp23k868i0ij5x2v5kzfgsrv-gdk-pixbuf+svg-2.40.0/lib\0--ro-bind-try\0/gnu/store/9s7khsp79c223jvbbv0icyn5fdm7v6cb-gnome-bluetooth-3.34.0/lib\0/gnu/store/9s7khsp79c223jvbbv0icyn5fdm7v6cb-gnome-bluetooth-3.34.0/lib\0--ro-bind-try\0/gnu/store/ry4zm4c39nz78h42hmbq6rb6mg6axxzg-librsvg-2.40.21/lib\0/gnu/store/ry4zm4c39nz78h42hmbq6rb6mg6axxzg-librsvg-2.40.21/lib\0--ro-bind-try\0/gnu/store/y37h19fz5pr3m99aw8g9hksz2pv1xr1f-libgweather-3.34.0/lib\0/gnu/store/y37h19fz5pr3m99aw8g9hksz2pv1xr1f-libgweather-3.34.0/lib\0--setenv\0LD_LIBRARY_PATH\0/gnu/store/h6pd8k3glp23k868i0ij5x2v5kzfgsrv-gdk-pixbuf+svg-2.40.0/lib:/gnu/store/9s7khsp79c223jvbbv0icyn5fdm7v6cb-gnome-bluetooth-3.34.0/lib:/gnu/store/ry4zm4c39nz78h42hmbq6rb6mg6axxzg-librsvg-2.40.21/lib:/gnu/store/y37h19fz5pr3m99aw8g9hksz2pv1xr1f-libgweather-3.34.0/lib\0--ro-bind-data\00033\0/.flatpak-info\0--bind-try\0/tmp/.X11-unix/X1\0/tmp/.X11-unix/X1\0--ro-bind-try\0/run/user/1000/gdm/Xauthority\0/run/user/1000/gdm/Xauthority\0--ro-bind-try\0/tmp/epiphany-jackhill-hoj0lD\0/tmp/epiphany-jackhill-hoj0lD\0--ro-bind-try\0/home/jackhill/.local/share/epiphany\0/home/jackhill/.local/share/epiphany\0--ro-bind-try\0/home/jackhill/.cache/epiphany\0/home/jackhill/.cache/epiphany\0--ro-bind-try\0/home/jackhill/.config/epiphany\0/home/jackhill/.config/epiphany\0--bind-try\0/home/jackhill/.cache/epiphany/applications\0/home/jackhill/.cache/epiphany/applications\0--bind-try\0/home/jackhill/.local/share/webkitgtk/mediakeys\0/home/jackhill/.local/share/webkitgtk/mediakeys\0--bind-try\0/home/jackhill/.local/share/epiphany/databases\0/home/jackhill/.local/share/epiphany/databases\0--bind-try\0/run/user/1000/pulse\0/run/user/1000/pulse\0--ro-bind-try\0/etc/pulse/client.conf\0/etc/pulse/client.conf\0--ro-bind-try\0/home/jackhill/.config/pulse\0/home/jackhill/.config/pulse\0--ro-bind-try\0/home/jackhill/.pulse\0/home/jackhill/.pulse\0--ro-bind-try\0/home/jackhill/.asoundrc\0/home/jackhill/.asoundrc\0--dev-bind-try\0/dev/snd\0/dev/snd\0--ro-bind-try\0/home/jackhill/.config/fontconfig\0/home/jackhill/.config/fontconfig\0--ro-bind-try\0/home/jackhill/.fontconfig\0/home/jackhill/.fontconfig\0--bind-try\0/home/jackhill/.cache/fontconfig\0/home/jackhill/.cache/fontconfig\0--ro-bind-try\0/home/jackhill/.fonts.conf\0/home/jackhill/.fonts.conf\0--ro-bind-try\0/home/jackhill/.config/.fonts.conf.d\0/home/jackhill/.config/.fonts.conf.d\0--ro-bind-try\0/home/jackhill/.local/share/fonts\0/home/jackhill/.local/share/fonts\0--ro-bind-try\0/home/jackhill/.fonts\0/home/jackhill/.fonts\0--ro-bind-try\0/var/cache/fontconfig\0/var/cache/fontconfig\0--ro-bind-try\0/home/jackhill/.guix-profile/lib/gstreamer-1.0\0/home/jackhill/.guix-profile/lib/gstreamer-1.0\0--ro-bind-try\0/home/jackhill/.guix-profile/lib/gstreamer-1.0\0/home/jackhill/.guix-profile/lib/gstreamer-1.0\0--ro-bind-try\0/home/jackhill/.guix-profile/lib/gstreamer-1.0\0/home/jackhill/.guix-profile/lib/gstreamer-1.0\0--ro-bind-try\0/run/current-system/profile/lib/gstreamer-1.0\0/run/current-system/profile/lib/gstreamer-1.0\0--bind-try\0/home/jackhill/.cache/gstreamer-1.0\0/home/jackhill/.cache/gstreamer-1.0\0--ro-bind-try\0/usr/libexec/gstreamer-1.0/gst-plugin-scanner\0/usr/libexec/gstreamer-1.0/gst-plugin-scanner\0--ro-bind-try\0/usr/libexec/gst-install-plugins-helper\0/usr/libexec/gst-install-plugins-helper\0--dev-bind-try\0/dev/dri\0/dev/dri\0--dev-bind-try\0/dev/mali\0/dev/mali\0--dev-bind-try\0/dev/mali0\0/dev/mali0\0--dev-bind-try\0/dev/umplock\0/dev/umplock\0--dev-bind-try\0/dev/nvidiactl\0/dev/nvidiactl\0--dev-bind-try\0/dev/nvidia0\0/dev/nvidia0\0--dev-bind-try\0/dev/nvidia\0/dev/nvidia\0--dev-bind-try\0/dev/kgsl-3d0\0/dev/kgsl-3d0\0--dev-bind-try\0/dev/ion\0/dev/ion\0--dev-bind-try\0/dev/v4l\0/dev/v4l\0--dev-bind-try\0/dev/video0\0/dev/video0\0--dev-bind-try\0/dev/video1\0/dev/video1\0--ro-bind\0/run/user/1000/webkitgtk/dbus-proxy-SQHVJ0\0/run/user/1000/webkitgtk/dbus-proxy-SQHVJ0\0--setenv\0AT_SPI_BUS_ADDRESS\0unix:path=/run/user/1000/webkitgtk/dbus-proxy-SQHVJ0\0--ro-bind-try\0/home/jackhill/.config/gtk-3.0\0/home/jackhill/.config/gtk-3.0\0--ro-bind-try\0/home/jackhill/.local/share/themes\0/home/jackhill/.local/share/themes\0--ro-bind-try\0/home/jackhill/.themes\0/home/jackhill/.themes\0--ro-bind-try\0/home/jackhill/.icons\0/home/jackhill/.icons\0--seccomp\00035\0"

For readability, here is is removing the null bytes, and using newlines:

--die-with-parent
--unshare-pid
--unshare-uts
--unshare-net
--ro-bind /etc /etc
--dev /dev
--proc /proc
--tmpfs /tmp
--unsetenv TMPDIR
--dir /run
--symlink ../run /var/run
--symlink ../tmp /var/tmp
--ro-bind /sys/block /sys/block
--ro-bind /sys/bus /sys/bus
--ro-bind /sys/class /sys/class
--ro-bind /sys/dev /sys/dev
--ro-bind /sys/devices /sys/devices
--ro-bind-try /usr/share /usr/share
--ro-bind-try /usr/local/share /usr/local/share
--ro-bind-try /gnu/store/1skpd1p64x982c52anh4a5yhlp05paa6-webkitgtk-2.28.1/share /gnu/store/1skpd1p64x982c52anh4a5yhlp05paa6-webkitgtk-2.28.1/share
--ro-bind-try /lib /lib
--ro-bind-try /usr/lib /usr/lib
--ro-bind-try /usr/local/lib /usr/local/lib
--ro-bind-try /gnu/store/1skpd1p64x982c52anh4a5yhlp05paa6-webkitgtk-2.28.1/lib /gnu/store/1skpd1p64x982c52anh4a5yhlp05paa6-webkitgtk-2.28.1/lib
--ro-bind-try /lib64 /lib64
--ro-bind-try /usr/lib64 /usr/lib64
--ro-bind-try /usr/local/lib64 /usr/local/lib64
--ro-bind-try /gnu/store/1skpd1p64x982c52anh4a5yhlp05paa6-webkitgtk-2.28.1/libexec/webkit2gtk-4.0 /gnu/store/1skpd1p64x982c52anh4a5yhlp05paa6-webkitgtk-2.28.1/libexec/webkit2gtk-4.0
--ro-bind-try /gnu/store/h6pd8k3glp23k868i0ij5x2v5kzfgsrv-gdk-pixbuf+svg-2.40.0/lib /gnu/store/h6pd8k3glp23k868i0ij5x2v5kzfgsrv-gdk-pixbuf+svg-2.40.0/lib
--ro-bind-try /gnu/store/9s7khsp79c223jvbbv0icyn5fdm7v6cb-gnome-bluetooth-3.34.0/lib /gnu/store/9s7khsp79c223jvbbv0icyn5fdm7v6cb-gnome-bluetooth-3.34.0/lib
--ro-bind-try /gnu/store/ry4zm4c39nz78h42hmbq6rb6mg6axxzg-librsvg-2.40.21/lib /gnu/store/ry4zm4c39nz78h42hmbq6rb6mg6axxzg-librsvg-2.40.21/lib
--ro-bind-try /gnu/store/y37h19fz5pr3m99aw8g9hksz2pv1xr1f-libgweather-3.34.0/lib /gnu/store/y37h19fz5pr3m99aw8g9hksz2pv1xr1f-libgweather-3.34.0/lib
--setenv LD_LIBRARY_PATH /gnu/store/h6pd8k3glp23k868i0ij5x2v5kzfgsrv-gdk-pixbuf+svg-2.40.0/lib:/gnu/store/9s7khsp79c223jvbbv0icyn5fdm7v6cb-gnome-bluetooth-3.34.0/lib:/gnu/store/ry4zm4c39nz78h42hmbq6rb6mg6axxzg-librsvg-2.40.21/lib:/gnu/store/y37h19fz5pr3m99aw8g9hksz2pv1xr1f-libgweather-3.34.0/lib
--ro-bind-data 0033 /.flatpak-info
--bind-try /tmp/.X11-unix/X1 /tmp/.X11-unix/X1
--ro-bind-try /run/user/1000/gdm/Xauthority /run/user/1000/gdm/Xauthority
--ro-bind-try /tmp/epiphany-jackhill-hoj0lD /tmp/epiphany-jackhill-hoj0lD
--ro-bind-try /home/jackhill/.local/share/epiphany /home/jackhill/.local/share/epiphany
--ro-bind-try /home/jackhill/.cache/epiphany /home/jackhill/.cache/epiphany
--ro-bind-try /home/jackhill/.config/epiphany /home/jackhill/.config/epiphany
--bind-try /home/jackhill/.cache/epiphany/applications /home/jackhill/.cache/epiphany/applications
--bind-try /home/jackhill/.local/share/webkitgtk/mediakeys /home/jackhill/.local/share/webkitgtk/mediakeys
--bind-try /home/jackhill/.local/share/epiphany/databases /home/jackhill/.local/share/epiphany/databases
--bind-try /run/user/1000/pulse /run/user/1000/pulse
--ro-bind-try /etc/pulse/client.conf /etc/pulse/client.conf
--ro-bind-try /home/jackhill/.config/pulse /home/jackhill/.config/pulse
--ro-bind-try /home/jackhill/.pulse /home/jackhill/.pulse
--ro-bind-try /home/jackhill/.asoundrc /home/jackhill/.asoundrc
--dev-bind-try /dev/snd /dev/snd
--ro-bind-try /home/jackhill/.config/fontconfig /home/jackhill/.config/fontconfig
--ro-bind-try /home/jackhill/.fontconfig /home/jackhill/.fontconfig
--bind-try /home/jackhill/.cache/fontconfig /home/jackhill/.cache/fontconfig
--ro-bind-try /home/jackhill/.fonts.conf /home/jackhill/.fonts.conf
--ro-bind-try /home/jackhill/.config/.fonts.conf.d /home/jackhill/.config/.fonts.conf.d
--ro-bind-try /home/jackhill/.local/share/fonts /home/jackhill/.local/share/fonts
--ro-bind-try /home/jackhill/.fonts /home/jackhill/.fonts
--ro-bind-try /var/cache/fontconfig /var/cache/fontconfig
--ro-bind-try /home/jackhill/.guix-profile/lib/gstreamer-1.0 /home/jackhill/.guix-profile/lib/gstreamer-1.0
--ro-bind-try /home/jackhill/.guix-profile/lib/gstreamer-1.0 /home/jackhill/.guix-profile/lib/gstreamer-1.0
--ro-bind-try /home/jackhill/.guix-profile/lib/gstreamer-1.0 /home/jackhill/.guix-profile/lib/gstreamer-1.0
--ro-bind-try /run/current-system/profile/lib/gstreamer-1.0 /run/current-system/profile/lib/gstreamer-1.0
--bind-try /home/jackhill/.cache/gstreamer-1.0 /home/jackhill/.cache/gstreamer-1.0
--ro-bind-try /usr/libexec/gstreamer-1.0/gst-plugin-scanner /usr/libexec/gstreamer-1.0/gst-plugin-scanner
--ro-bind-try /usr/libexec/gst-install-plugins-helper /usr/libexec/gst-install-plugins-helper
--dev-bind-try /dev/dri /dev/dri
--dev-bind-try /dev/mali /dev/mali
--dev-bind-try /dev/mali0 /dev/mali0
--dev-bind-try /dev/umplock /dev/umplock
--dev-bind-try /dev/nvidiactl /dev/nvidiactl
--dev-bind-try /dev/nvidia0 /dev/nvidia0
--dev-bind-try /dev/nvidia /dev/nvidia
--dev-bind-try /dev/kgsl-3d0 /dev/kgsl-3d0
--dev-bind-try /dev/ion /dev/ion
--dev-bind-try /dev/v4l /dev/v4l
--dev-bind-try /dev/video0 /dev/video0
--dev-bind-try /dev/video1 /dev/video1
--ro-bind /run/user/1000/webkitgtk/dbus-proxy-SQHVJ0 /run/user/1000/webkitgtk/dbus-proxy-SQHVJ0
--setenv AT_SPI_BUS_ADDRESS unix:path=/run/user/1000/webkitgtk/dbus-proxy-SQHVJ0
--ro-bind-try /home/jackhill/.config/gtk-3.0 /home/jackhill/.config/gtk-3.0
--ro-bind-try /home/jackhill/.local/share/themes /home/jackhill/.local/share/themes
--ro-bind-try /home/jackhill/.themes /home/jackhill/.themes
--ro-bind-try /home/jackhill/.icons /home/jackhill/.icons
--seccomp 0035

On my system, /etc/pulse/client.conf is a symlink to the store item
/gnu/store/zc4dsmvdabi00nvisrjhi9w00ff4igs7-client.conf, which is not
shared into the new mount namespace created by bubblewrap. It seems like
the right way to solve this is for webkitgtk or bubblewrap resolve the
symlinks at runtime.

As a workaround/test perhaps we can share all of /gnu/store

All that said, I could be on the wrong track as well, since I haven't
tested a solution yet.

Best,
Jack
J
J
Jack Hill wrote on 26 Apr 2020 03:46
(name . sirgazil)(address . sirgazil@zoho.com)(name . 40837)(address . 40837@debbugs.gnu.org)
alpine.DEB.2.20.2004252139570.5735@marsh.hcoop.net
I now think what is being shared with bubblewrap is on the write track.

After seeing

"""
const char* pulseConfig = g_getenv("PULSE_CLIENTCONFIG");
if (pulseConfig)
bindIfExists(args, pulseConfig);
"""

in Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp of
WebKitGTK, I set the PULSE_CLIENTCONFIG environemnt variable to the store
path rather than /etc/pulse/client.conf, which is what it was set to
before.

That allowed epiphany to get past the problem with client.conf. However,
it then hits another problem with something not being shared as seen in
this session:

"""
$ env |grep PULSE
PULSE_CLIENTCONFIG=gnu/store/zc4dsmvdabi00nvisrjhi9w00ff4igs7-client.conf
PULSE_CONFIG=/etc/pulse/daemon.conf
$ epiphany

** (epiphany:11528): CRITICAL **: 21:38:10.896: void webkit_web_context_register_uri_scheme(WebKitWebContext*, const char*, WebKitURISchemeRequestCallback, gpointer, GDestroyNotify): assertion 'g_ascii_strcasecmp(scheme, "ftp") != 0' failed
bwrap: execvp /gnu/store/1skpd1p64x982c52anh4a5yhlp05paa6-webkitgtk-2.28.1/libexec/webkit2gtk-4.0/WebKitWebProcess: No such file or directory
^C
"""

Best,
Jack
J
J
Jack Hill wrote on 26 Apr 2020 05:03
(name . 40837)(address . 40837@debbugs.gnu.org)(name . sirgazil)(address . sirgazil@zoho.com)
alpine.DEB.2.20.2004252257540.5735@marsh.hcoop.net
On Sat, 25 Apr 2020, Jack Hill wrote:

Toggle quote (8 lines)
> in Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp of WebKitGTK,
> I set the PULSE_CLIENTCONFIG environemnt variable to the store path rather
> than /etc/pulse/client.conf, which is what it was set to before.
>
> That allowed epiphany to get past the problem with client.conf. However, it
> then hits another problem with something not being shared as seen in this
> session:

I tried patching webkitgtk to share the whole /gnu/store in the new mount
namespace (see attached patch). Unfortunately, when I ran epiphany with
that patch applied and PULSE_CLIENTCONFIG set to /etc/pulse/client.conf,
the "bwrap: Can't create file at /etc/pulse/client.conf: No such file or
directory" error returned.

Via strace, I saw that my patch was having an effect on the arguments to
bwrap. Could it be that the order of the --bind/--ro-bind arguments
matters?

Thoughts?
Jack
From f8901a83e2abc2c6ab34f5883663315b8d715e2f Mon Sep 17 00:00:00 2001
From: Jack Hill <jackhill@jackhill.us>
Date: Sat, 25 Apr 2020 22:03:48 -0400
Subject: [PATCH] gnu: webkitgtk: Patch to share store via bwarp
* gnu/packages/patches/webkitgtk-share-store.patch: New File.
* gnu/local.mk: Add here.
* gnu/packages/webkit.scm (webkitgtk)[source]: Apply patch.
---
gnu/local.mk | 1 +
.../patches/webkitgtk-share-store.patch | 18 ++++++++++++++++++
gnu/packages/webkit.scm | 4 +++-
3 files changed, 22 insertions(+), 1 deletion(-)
create mode 100644 gnu/packages/patches/webkitgtk-share-store.patch
Toggle diff (53 lines)
diff --git a/gnu/local.mk b/gnu/local.mk
index 2780434455..6c11a07c24 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1554,6 +1554,7 @@ dist_patch_DATA = \
%D%/packages/patches/vte-CVE-2012-2738-pt1.patch \
%D%/packages/patches/vte-CVE-2012-2738-pt2.patch \
%D%/packages/patches/weasyprint-library-paths.patch \
+ %D%/packages/patches/webkitgtk-share-store.patch \
%D%/packages/patches/websocketpp-fix-for-boost-1.70.patch \
%D%/packages/patches/wicd-bitrate-none-fix.patch \
%D%/packages/patches/wicd-get-selected-profile-fix.patch \
diff --git a/gnu/packages/patches/webkitgtk-share-store.patch b/gnu/packages/patches/webkitgtk-share-store.patch
new file mode 100644
index 0000000000..b927ab7b0a
--- /dev/null
+++ b/gnu/packages/patches/webkitgtk-share-store.patch
@@ -0,0 +1,18 @@
+Author: Jack Hill <jackhill@jackhill.us>
+Tell bubblewrap to share the store
+---
+diff --git a/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp b/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp
+index ad301ab2..d53b680e 100644
+--- a/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp
++++ b/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp
+@@ -737,6 +737,10 @@ GRefPtr<GSubprocess> bubblewrapSpawn(GSubprocessLauncher* launcher, const Proces
+ "--ro-bind-try", "/usr/local/share", "/usr/local/share",
+ "--ro-bind-try", DATADIR, DATADIR,
+
++ // TESTING: bind moutn /gnu/store
++ // This should be improved
++ "--ro-bind", "/gnu/store", "/gnu/store",
++
+ // We only grant access to the libdirs webkit is built with and
+ // guess system libdirs. This will always have some edge cases.
+ "--ro-bind-try", "/lib", "/lib",
diff --git a/gnu/packages/webkit.scm b/gnu/packages/webkit.scm
index 377fc0dfaf..fcfd28666b 100644
--- a/gnu/packages/webkit.scm
+++ b/gnu/packages/webkit.scm
@@ -128,7 +128,9 @@ engine that uses Wayland for graphics output.")
"webkitgtk-" version ".tar.xz"))
(sha256
(base32
- "1n7k4yriqhr38f4fgy8pzdn1nm60m53z8p478sgg64swxnijdg5c"))))
+ "1n7k4yriqhr38f4fgy8pzdn1nm60m53z8p478sgg64swxnijdg5c"))
+ (patches
+ (search-patches "webkitgtk-share-store.patch"))))
(build-system cmake-build-system)
(outputs '("out" "doc"))
(arguments
--
2.26.2
J
J
Jack Hill wrote on 26 Apr 2020 22:37
(no subject)
(address . control@debbugs.gnu.org)
alpine.DEB.2.20.2004261636470.5735@marsh.hcoop.net
retitle 40837 core-updates: webkitgtk web process sandbox incomplete
J
J
Jack Hill wrote on 26 Apr 2020 22:42
Re: bug#40837: core-updates: webkitgtk web process sandbox incomplete
(name . 40837)(address . 40837@debbugs.gnu.org)(name . sirgazil)(address . sirgazil@zoho.com)
alpine.DEB.2.20.2004261638070.5735@marsh.hcoop.net
Some additional observations:

With my patched webkitgtk, if I set:

PULSE_CLIENTCONFIG=/gnu/store/zc4dsmvdabi00nvisrjhi9w00ff4igs7-client.conf

it does work, which is an improvement compared to without the patch.

I notice that Nix [0] has a similar patch:

"""
diff -ru old/webkitgtk-2.26.0/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp webkitgtk-2.26.0/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp
--- old/webkitgtk-2.26.0/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp 2019-09-09 04:47:07.000000000 -0400
+++ webkitgtk-2.26.0/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp 2019-09-20 21:14:10.537921173 -0400
@@ -585,7 +585,7 @@
{ SCMP_SYS(keyctl), nullptr },
{ SCMP_SYS(request_key), nullptr },

- // Scary VM/NUMA ops
+ // Scary VM/NUMA ops
{ SCMP_SYS(move_pages), nullptr },
{ SCMP_SYS(mbind), nullptr },
{ SCMP_SYS(get_mempolicy), nullptr },
@@ -724,6 +724,10 @@
"--ro-bind-try", "/usr/local/lib64", "/usr/local/lib64",

"--ro-bind-try", PKGLIBEXECDIR, PKGLIBEXECDIR,
+
+ // Nix Directories
+ "--ro-bind", "@storeDir@", "@storeDir@",
+ "--ro-bind", "/run/current-system", "/run/current-system",
};
// We would have to parse ld config files for more info.
bindPathVar(sandboxArgs, "LD_LIBRARY_PATH");
"""


so I wonder if I didn't do the mounts in the right place and or if it is
becasue I missed /run/current-system.

I'm going to try to adapt the Nix patch to see if that helps.

Best,
Jack
J
J
Jack Hill wrote on 28 Apr 2020 00:02
(name . 40837)(address . 40837@debbugs.gnu.org)(name . sirgazil)(address . sirgazil@zoho.com)
alpine.DEB.2.20.2004271759320.5735@marsh.hcoop.net
I didn't have any better luck with the Nix patch. I was also unable to any
problems with /etc/pulse/client.conf when calling bwrap manually on the
command line.

I'm afraid that I'm stuck for now. I have asked the WebKit developers for

Best,
Jack
J
J
Jack Hill wrote on 28 Apr 2020 05:03
(name . 40837)(address . 40837@debbugs.gnu.org)(name . sirgazil)(address . sirgazil@zoho.com)
alpine.DEB.2.20.2004272247330.5735@marsh.hcoop.net
I'm a little bit unstuck now. I found a bubblwrap issue [0], which I
believe is the one that we're running into.

--bind used with a symlinked path"

With insight gained there, I've determined that the following simplified
bwrap invocation succeeds:

"""
$ bwrap --ro-bind-try /etc/pulse/client.conf /etc/pulse/client.conf
--ro-bind /gnu /gnu --ro-bind /run/current-system /run/current-system --
/run/current-system/profile/bin/bash
"""

while the following invocation fails:

"""
$ bwrap --ro-bind /etc /etc --ro-bind-try /etc/pulse/client.conf
/etc/pulse/client.conf --ro-bind /gnu /gnu --ro-bind /run/current-system
/run/current-system -- /run/current-system/profile/bin/bash

bwrap: Can't create file at /etc/pulse/client.conf: No such file or
directory
"""

The difference between the working and non-working invocations in that in
the non-working invocation, /etc is already mounted withing the new
namespace, which includes symlinks at /etc/pulse and
/etc/pulse/client.conf, and the later mount of the /etc/pulse/client.conf
symlink causese the problem.

Now to figure out what the solution is, and if it is best fixed in
webkitgtk or bubblewrap :)

Ideas welcome!

Best,
Jack
J
J
Jack Hill wrote on 28 Apr 2020 18:27
(name . 40837)(address . 40837@debbugs.gnu.org)(name . sirgazil)(address . sirgazil@zoho.com)
alpine.DEB.2.20.2004281218560.5735@marsh.hcoop.net
After further discussion on the Bubblewrap issue [0], it was determined
that the problem should be fixed by having WebKitGTK canonicalize paths
before passing them to bwrap. There is now a WebKit issue for that fix [1].


When the WebKit issue is fixed, that should solve the problem with
/etc/pulse/client.conf. I believe that we will still have work to do in
Guix to make sure the store is available inside the sandbox.

Best,
Jack
S
S
sirgazil wrote on 28 Apr 2020 18:33
(name . Jack Hill)(address . jackhill@jackhill.us)(name . 40837)(address . 40837@debbugs.gnu.org)
171c1a2ae49.fd191b3320285.7608315760355987557@zoho.com
---- On Tue, 28 Apr 2020 23:27:57 +0000 Jack Hill <jackhill@jackhill.us> wrote ----
> After further discussion on the Bubblewrap issue [0], it was determined
> that the problem should be fixed by having WebKitGTK canonicalize paths
> before passing them to bwrap. There is now a WebKit issue for that fix [1].
>
>
> When the WebKit issue is fixed, that should solve the problem with
> /etc/pulse/client.conf. I believe that we will still have work to do in
> Guix to make sure the store is available inside the sandbox.


Thanks for working on this, Jack.
S
S
sirgazil via web wrote on 4 May 2020 21:27
(no subject)
(address . 40837@debbugs.gnu.org)
7fbdd51a1f10.ac6d83595bb47cb@guile.gnu.org
I can reproduce this problem.
M
M
Marius Bakke wrote on 6 May 2020 18:39
Re: bug#40837: core-updates: webkitgtk web process sandbox incomplete
(name . sirgazil)(address . sirgazil@zoho.com)
87h7wt3tmv.fsf@devup.no
Hello Jack,

Thanks a lot for this work.

Jack Hill <jackhill@jackhill.us> writes:

Toggle quote (8 lines)
> Some additional observations:
>
> With my patched webkitgtk, if I set:
>
> PULSE_CLIENTCONFIG=/gnu/store/zc4dsmvdabi00nvisrjhi9w00ff4igs7-client.conf
>
> it does work, which is an improvement compared to without the patch.

Great. I have attached a patch for Guix that stops using /etc for these
variables.

Toggle quote (35 lines)
> I notice that Nix [0] has a similar patch:
>
> """
> diff -ru old/webkitgtk-2.26.0/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp webkitgtk-2.26.0/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp
> --- old/webkitgtk-2.26.0/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp 2019-09-09 04:47:07.000000000 -0400
> +++ webkitgtk-2.26.0/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp 2019-09-20 21:14:10.537921173 -0400
> @@ -585,7 +585,7 @@
> { SCMP_SYS(keyctl), nullptr },
> { SCMP_SYS(request_key), nullptr },
>
> - // Scary VM/NUMA ops
> + // Scary VM/NUMA ops
> { SCMP_SYS(move_pages), nullptr },
> { SCMP_SYS(mbind), nullptr },
> { SCMP_SYS(get_mempolicy), nullptr },
> @@ -724,6 +724,10 @@
> "--ro-bind-try", "/usr/local/lib64", "/usr/local/lib64",
>
> "--ro-bind-try", PKGLIBEXECDIR, PKGLIBEXECDIR,
> +
> + // Nix Directories
> + "--ro-bind", "@storeDir@", "@storeDir@",
> + "--ro-bind", "/run/current-system", "/run/current-system",
> };
> // We would have to parse ld config files for more info.
> bindPathVar(sandboxArgs, "LD_LIBRARY_PATH");
> """
>
> [0] https://github.com/NixOS/nixpkgs/blob/465566948393cf533e3617704d1c4ccc34cf3753/pkgs/development/libraries/webkitgtk/fix-bubblewrap-paths.patch
>
> so I wonder if I didn't do the mounts in the right place and or if it is
> becasue I missed /run/current-system.
>
> I'm going to try to adapt the Nix patch to see if that helps.

Were you able to verify whether /run/current-system is required inside
the sandbox?

I cleaned up your patch a bit and rebased it on the latest master
branch, available as patch 2/2 below. Currently building it on
'core-updates' to verify that it works. It takes a while on my dinky
quad-core server though. :-)

It does not bind /run/current-system, and I think we should avoid it if
possible. Ideally we would only mount the store paths required by the
consumers instead of all of /gnu/store, but not sure how to achieve
that.
From a2607c8246456460a6bbed62144daf7196a5c9bd Mon Sep 17 00:00:00 2001
From: Marius Bakke <mbakke@fastmail.com>
Date: Wed, 6 May 2020 17:48:42 +0200
Subject: [PATCH 1/2] services: Do not use symbolic links in PulseAudio
variables.

This addresses https://bugs.gnu.org/40837 by making these configuration
files more easily accessible within the WebKitGTK+ sandbox.

* gnu/services/sound.scm (pulseaudio-environment): Move below
PULSEAUDIO-CONF-ENTRY. Create PULSE_CONFIG and PULSE_CLIENTCONFIG entries
directly instead of referring to /etc/pulse.
(pulseaudio-etc): Do not create /etc/pulse/client.conf and /etc/pulse/daemon.conf.
---
gnu/services/sound.scm | 27 ++++++++++++---------------
1 file changed, 12 insertions(+), 15 deletions(-)

Toggle diff (59 lines)
diff --git a/gnu/services/sound.scm b/gnu/services/sound.scm
index a1c928222a..bdf819b422 100644
--- a/gnu/services/sound.scm
+++ b/gnu/services/sound.scm
@@ -1,6 +1,7 @@
;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2018, 2020 Oleg Pykhalov <go.wigust@gmail.com>
;;; Copyright © 2020 Leo Prikler <leo.prikler@student.tugraz.at>
+;;; Copyright © 2020 Marius Bakke <mbakke@fastmail.com>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -127,11 +128,6 @@ ctl.!default {
(default
(file-append pulseaudio "/etc/pulse/system.pa"))))
-(define (pulseaudio-environment config)
- `(;; Define these variables, so that pulseaudio honors /etc.
- ("PULSE_CONFIG" . "/etc/pulse/daemon.conf")
- ("PULSE_CLIENTCONFIG" . "/etc/pulse/client.conf")))
-
(define (pulseaudio-conf-entry arg)
(match arg
((key . value)
@@ -139,21 +135,22 @@ ctl.!default {
((? string? _)
(string-append arg "\n"))))
+(define pulseaudio-environment
+ (match-lambda
+ (($ <pulseaudio-configuration> client-conf daemon-conf default-script-file)
+ `(("PULSE_CONFIG" . ,(apply mixed-text-file "daemon.conf"
+ "default-script-file = " default-script-file "\n"
+ (map pulseaudio-conf-entry daemon-conf)))
+ ("PULSE_CLIENTCONFIG" . ,(apply mixed-text-file "client.conf"
+ (map pulseaudio-conf-entry client-conf)))))))
+
(define pulseaudio-etc
(match-lambda
- (($ <pulseaudio-configuration> client-conf daemon-conf
- default-script-file system-script-file)
+ (($ <pulseaudio-configuration> _ _ default-script-file system-script-file)
`(("pulse"
,(file-union
"pulse"
- `(("client.conf"
- ,(apply mixed-text-file "client.conf"
- (map pulseaudio-conf-entry client-conf)))
- ("daemon.conf"
- ,(apply mixed-text-file "daemon.conf"
- "default-script-file = " default-script-file "\n"
- (map pulseaudio-conf-entry daemon-conf)))
- ("default.pa" ,default-script-file)
+ `(("default.pa" ,default-script-file)
("system.pa" ,system-script-file))))))))
(define pulseaudio-service-type
--
2.26.2
From 3864b54f4aadefc600433d3654b0a1a73ab6fa98 Mon Sep 17 00:00:00 2001
From: Jack Hill <jackhill@jackhill.us>
Date: Sat, 25 Apr 2020 22:03:48 -0400
Subject: [PATCH 2/2] gnu: webkitgtk: Patch to share store via Bubblewrap.


* gnu/packages/patches/webkitgtk-share-store.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/webkit.scm (webkitgtk)[source](patches): Use it.

Co-authored-by: Marius Bakke <mbakke@fastmail.com>
---
gnu/local.mk | 1 +
.../patches/webkitgtk-share-store.patch | 20 +++++++++++++++++++
gnu/packages/webkit.scm | 12 ++++++++++-
3 files changed, 32 insertions(+), 1 deletion(-)
create mode 100644 gnu/packages/patches/webkitgtk-share-store.patch

Toggle diff (70 lines)
diff --git a/gnu/local.mk b/gnu/local.mk
index 62eeb39ece..5c06415205 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1542,6 +1542,7 @@ dist_patch_DATA = \
%D%/packages/patches/vte-CVE-2012-2738-pt2.patch \
%D%/packages/patches/warsow-qfusion-fix-bool-return-type.patch \
%D%/packages/patches/weasyprint-library-paths.patch \
+ %D%/packages/patches/webkitgtk-share-store.patch \
%D%/packages/patches/websocketpp-fix-for-boost-1.70.patch \
%D%/packages/patches/wicd-bitrate-none-fix.patch \
%D%/packages/patches/wicd-get-selected-profile-fix.patch \
diff --git a/gnu/packages/patches/webkitgtk-share-store.patch b/gnu/packages/patches/webkitgtk-share-store.patch
new file mode 100644
index 0000000000..4174e73b6c
--- /dev/null
+++ b/gnu/packages/patches/webkitgtk-share-store.patch
@@ -0,0 +1,20 @@
+Author: Jack Hill <jackhill@jackhill.us>
+Tell bubblewrap to share the store.
+
+See <https://bugs.gnu.org/40837>.
+
+---
+diff --git a/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp b/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp
+index ad301ab2..d53b680e 100644
+--- a/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp
++++ b/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp
+@@ -737,6 +737,9 @@ GRefPtr<GSubprocess> bubblewrapSpawn(GSubprocessLauncher* launcher, const Proces
+ "--ro-bind-try", "/usr/local/share", "/usr/local/share",
+ "--ro-bind-try", DATADIR, DATADIR,
+
++ // Bind mount the store inside the WebKitGTK sandbox.
++ "--ro-bind", "@storedir@", "@storedir@",
++
+ // We only grant access to the libdirs webkit is built with and
+ // guess system libdirs. This will always have some edge cases.
+ "--ro-bind-try", "/lib", "/lib",
diff --git a/gnu/packages/webkit.scm b/gnu/packages/webkit.scm
index e52536c279..6035d6c59d 100644
--- a/gnu/packages/webkit.scm
+++ b/gnu/packages/webkit.scm
@@ -128,7 +128,8 @@ engine that uses Wayland for graphics output.")
"webkitgtk-" version ".tar.xz"))
(sha256
(base32
- "1g9hik3bprki5s9d7y5288q5irwckbzajr6rnlvjrlnqrwjkblmr"))))
+ "1g9hik3bprki5s9d7y5288q5irwckbzajr6rnlvjrlnqrwjkblmr"))
+ (patches (search-patches "webkitgtk-share-store.patch"))))
(build-system cmake-build-system)
(outputs '("out" "doc"))
(arguments
@@ -156,6 +157,15 @@ engine that uses Wayland for graphics output.")
"-DUSE_WOFF2=OFF")
#:phases
(modify-phases %standard-phases
+ (add-after 'unpack 'configure-bubblewrap-store-directory
+ (lambda _
+ ;; This phase is a corollary to 'webkitgtk-share-store.patch' to
+ ;; avoid hard coding /gnu/store, for users with other prefixes.
+ (let ((store-directory (%store-directory)))
+ (substitute*
+ "Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp"
+ (("@storedir@") store-directory))
+ #t)))
(add-after 'unpack 'patch-gtk-doc-scan
(lambda* (#:key inputs #:allow-other-keys)
(for-each (lambda (file)
--
2.26.2
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEEu7At3yzq9qgNHeZDoqBt8qM6VPoFAl6y6DkACgkQoqBt8qM6
VPrkJQf+O74awPVgfywhjJEVTzjA8jvvsJilr/tI+I6OQk9aehdZO4SF6kP0Kyv+
a4OVopKyBRzplvoGrZpbS0smooOhY6DfF8/3T86d6dUv97O+iPP0ctSbfVDEdVsE
xpH6GZef7cO+HwXjTpuoB82Zu74c1NLBese4MKNwPlHY4Ft+lGAXqlOewRm1J6x8
jyXy38VdDYiTFurFMbW9aStw1J0BuQ29nblM1nXhN26Nz/P7u3dxIzRSlNcdRJuy
6tL/QsMaegr5zRJ0P0CD1FF/rJv2/gzisyMfEP0DQ3yPYqF3kmEh5rVnMgIB1SLD
L5WnIVfjHasYYHm8E2AANOfzDeDekA==
=4Siz
-----END PGP SIGNATURE-----

J
J
Jack Hill wrote on 6 May 2020 22:17
(name . Marius Bakke)(address . mbakke@fastmail.com)
alpine.DEB.2.20.2005061607510.5735@marsh.hcoop.net
On Wed, 6 May 2020, Marius Bakke wrote:

Toggle quote (4 lines)
> Hello Jack,
>
> Thanks a lot for this work.

You're welcome. I'm happy that we seem to be making good progress.

Toggle quote (13 lines)
> Jack Hill <jackhill@jackhill.us> writes:
>
>> Some additional observations:
>>
>> With my patched webkitgtk, if I set:
>>
>> PULSE_CLIENTCONFIG=/gnu/store/zc4dsmvdabi00nvisrjhi9w00ff4igs7-client.conf
>>
>> it does work, which is an improvement compared to without the patch.
>
> Great. I have attached a patch for Guix that stops using /etc for these
> variables.

Good idea! That way we won't have to wait for WebKitGTK to canonicalize
all paths :)

Toggle quote (10 lines)
>>
>> so I wonder if I didn't do the mounts in the right place and or if it is
>> becasue I missed /run/current-system.
>>
>> I'm going to try to adapt the Nix patch to see if that helps.
>
> Were you able to verify whether /run/current-system is required inside
> the sandbox?

I don't think /run/current-system is needed.

Toggle quote (10 lines)
> I cleaned up your patch a bit and rebased it on the latest master
> branch, available as patch 2/2 below. Currently building it on
> 'core-updates' to verify that it works. It takes a while on my dinky
> quad-core server though. :-)
>
> It does not bind /run/current-system, and I think we should avoid it if
> possible. Ideally we would only mount the store paths required by the
> consumers instead of all of /gnu/store, but not sure how to achieve
> that.

I've tested the updated patch by applying it to master and merging into
core-updates. I'm happy to report that everything seems to be working for
me after doing so!

Sharing less than the whole store sounds like a great aspiration, but I
think we'd have to teach WebKitGTK how to ask Guix for its closure to do
so. On FHS-compliant systems, all of the various /usr/lib and /usr/share
directories are bind-mounted into the new namespace, so I don't think
we're providing too much more. It's nice that our setuid binaries reside
outside of the store :)

Best,
Jack
M
M
Marius Bakke wrote on 6 May 2020 22:53
(name . Jack Hill)(address . jackhill@jackhill.us)
87v9l83hvb.fsf@devup.no
Jack Hill <jackhill@jackhill.us> writes:

Toggle quote (36 lines)
> On Wed, 6 May 2020, Marius Bakke wrote:
>
>> Hello Jack,
>>
>> Thanks a lot for this work.
>
> You're welcome. I'm happy that we seem to be making good progress.
>
>> Jack Hill <jackhill@jackhill.us> writes:
>>
>>> Some additional observations:
>>>
>>> With my patched webkitgtk, if I set:
>>>
>>> PULSE_CLIENTCONFIG=/gnu/store/zc4dsmvdabi00nvisrjhi9w00ff4igs7-client.conf
>>>
>>> it does work, which is an improvement compared to without the patch.
>>
>> Great. I have attached a patch for Guix that stops using /etc for these
>> variables.
>
> Good idea! That way we won't have to wait for WebKitGTK to canonicalize
> all paths :)
>
>>> [0] https://github.com/NixOS/nixpkgs/blob/465566948393cf533e3617704d1c4ccc34cf3753/pkgs/development/libraries/webkitgtk/fix-bubblewrap-paths.patch
>>>
>>> so I wonder if I didn't do the mounts in the right place and or if it is
>>> becasue I missed /run/current-system.
>>>
>>> I'm going to try to adapt the Nix patch to see if that helps.
>>
>> Were you able to verify whether /run/current-system is required inside
>> the sandbox?
>
> I don't think /run/current-system is needed.

Excellent. I tested Epiphany with these patches on a popular video
streaming site and everything seemed fine.

Toggle quote (21 lines)
>> I cleaned up your patch a bit and rebased it on the latest master
>> branch, available as patch 2/2 below. Currently building it on
>> 'core-updates' to verify that it works. It takes a while on my dinky
>> quad-core server though. :-)
>>
>> It does not bind /run/current-system, and I think we should avoid it if
>> possible. Ideally we would only mount the store paths required by the
>> consumers instead of all of /gnu/store, but not sure how to achieve
>> that.
>
> I've tested the updated patch by applying it to master and merging into
> core-updates. I'm happy to report that everything seems to be working for
> me after doing so!
>
> Sharing less than the whole store sounds like a great aspiration, but I
> think we'd have to teach WebKitGTK how to ask Guix for its closure to do
> so. On FHS-compliant systems, all of the various /usr/lib and /usr/share
> directories are bind-mounted into the new namespace, so I don't think
> we're providing too much more. It's nice that our setuid binaries reside
> outside of the store :)

Indeed, thanks for testing and confirming.

I added a little more context in the patch description and finally
pushed it as a6919866b07e9ed3986abde7ae48d0c69ff3deed.

Again, thank you very much for taking care of this. :-)
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEEu7At3yzq9qgNHeZDoqBt8qM6VPoFAl6zI8gACgkQoqBt8qM6
VPopngf+MY+1+C9Gj3c8fxIh6y+VxoYv1p5K3C55cezAncASmlIttmaYZEzdwSJj
TCbl18aY/5lRTjQurPR+3WSImsTXmX7gqEDtiMLZvNfzV2bQoWYLNmCvsfoF2vtb
ReWgUClr8j7QaFgqN05Wtqbyxc30bX3Tsp3UdfoNhQEG/dUVLJ/yQFt3NndFmRd2
qPXa6e4dDFvEwKAIdQUBpri7XY90Nu85V9CKOaMsI8Gm1KDGAPO94UZWGn7PzDJy
nvcps3/B/2c8AhrEtDcFpdzfk3u73FUi3TkU2hrF0fZoAnasmF4urvHOyKvOSuX/
1p8cMILAgIpAzN1cqj134dVWvmUSmA==
=/X50
-----END PGP SIGNATURE-----

Closed
?
Your comment

This issue is archived.

To comment on this conversation send an email to 40837@debbugs.gnu.org

To respond to this issue using the mumi CLI, first switch to it
mumi current 40837
Then, you may apply the latest patchset in this issue (with sign off)
mumi am -- -s
Or, compose a reply to this issue
mumi compose
Or, send patches to this issue
mumi send-email *.patch