core-updates: webkitgtk web process sandbox incomplete

Done

Details

4 participants

sirgazil via web
Jack Hill
Marius Bakke
sirgazil

Owner: unassigned

Submitted by: Jack Hill

Severity: normal

Jack Hill wrote on 25 Apr 2020 04:55

core-updates: epiphany web process crashes

Recipients:(address . bug-guix@gnu.org)

Message-ID:alpine.DEB.2.20.2004242240420.5735@marsh.hcoop.net

Hi Guix,

On Guix System with the current core-updates branch, epiphany/GNOME-Web

starts, but doesn't work because the web process crash in a loop.

When I run epiphany from the terminal I see

"""

$ epiphany

** (epiphany:29457): CRITICAL **: 22:37:21.415: void webkit_web_context_register_uri_scheme(WebKitWebContext*, const char*, WebKitURISchemeRequestCallback, gpointer, GDestroyNotify): assertion 'g_ascii_strcasecmp(scheme, "ftp") != 0' failed

bwrap: Can't create file at /etc/pulse/client.conf: No such file or directory

** (epiphany:29457): WARNING **: 22:37:21.866: Web process crashed

"""

The bwrap… and …Web process crashed lines then continue to print

alternating.

Windows and tabs are created, but no content is ever drawn in them.

/etc/pulse/client.conf exists on the host, but maybe not in the namespaces

created by bwrap?

Could this be related to WebKitGTK sandboxing:

https://blogs.gnome.org/mcatanzaro/2020/03/31/sandboxing-webkitgtk-apps/

Best,

Jack

Jack Hill wrote on 25 Apr 2020 05:19

Recipients:(address . 40837@debbugs.gnu.org)

Message-ID:alpine.DEB.2.20.2004242319160.5735@marsh.hcoop.net

I expericne the problem with epiphany installed both in the system profile

and in an ad-hoc environment.

Best,

Jack

sirgazil wrote on 25 Apr 2020 23:55

core-updates: epiphany web process crashes

Recipients:(name . 40837)(address . 40837@debbugs.gnu.org)

Message-ID:171b356d9e2.1154aefce15638.8921669740072490388@zoho.com

I can reproduce this bug. I can't load any page and see the same messages in the terminal.

Jack Hill wrote on 26 Apr 2020 03:23

Recipients:(name . sirgazil)(address . sirgazil@zoho.com)(name . 40837)(address . 40837@debbugs.gnu.org)

Message-ID:alpine.DEB.2.20.2004252059380.5735@marsh.hcoop.net

On Sat, 25 Apr 2020, sirgazil via Bug reports for GNU Guix wrote:

Toggle quote (2 lines)

> I can reproduce this bug. I can't load any page and see the same messages in the terminal.

Thanks, as a fist step it is helpful to know that the problem can be 
reproduced.

The second step is to figure out why this is happening. My suspicion is 
that the bwrap invocation by webkitgtk is not sharing some paths into the 
new namespace it creates that it should be, because the paths are 
different on Guix System than they are on FHS systems.

Stracing epiphany, I've turned up the bwrap invocation to be:

execve("/gnu/store/kzq4v5fvjbdbbwah74k10pf698xkbdpr-bubblewrap-0.4.1/bin/bwrap", 
["/gnu/store/kzq4v5fvjbdbbwah74k10pf698xkbdpr-bubblewrap-0.4.1/bin/bwrap", 
"--args", "36", "--", 
"/gnu/store/1skpd1p64x982c52anh4a5yhlp05paa6-webkitgtk-2.28.1/libexec/webkit2gtk-4.0/WebKitWebProcess", 
"11", "31"]

File descriptor 36, which hold the bwrap arguments is

write(36, 
"--die-with-parent\0--unshare-pid\0--unshare-uts\0--unshare-net\0--ro-bind\0/etc\0/etc\0--dev\0/dev\0--proc\0/proc\0--tmpfs\0/tmp\0--unsetenv\0TMPDIR\0--dir\0/run\0--symlink\0../run\0/var/run\0--symlink\0../tmp\0/var/tmp\0--ro-bind\0/sys/block\0/sys/block\0--ro-bind\0/sys/bus\0/sys/bus\0--ro-bind\0/sys/class\0/sys/class\0--ro-bind\0/sys/dev\0/sys/dev\0--ro-bind\0/sys/devices\0/sys/devices\0--ro-bind-try\0/usr/share\0/usr/share\0--ro-bind-try\0/usr/local/share\0/usr/local/share\0--ro-bind-try\0/gnu/store/1skpd1p64x982c52anh4a5yhlp05paa6-webkitgtk-2.28.1/share\0/gnu/store/1skpd1p64x982c52anh4a5yhlp05paa6-webkitgtk-2.28.1/share\0--ro-bind-try\0/lib\0/lib\0--ro-bind-try\0/usr/lib\0/usr/lib\0--ro-bind-try\0/usr/local/lib\0/usr/local/lib\0--ro-bind-try\0/gnu/store/1skpd1p64x982c52anh4a5yhlp05paa6-webkitgtk-2.28.1/lib\0/gnu/store/1skpd1p64x982c52anh4a5yhlp05paa6-webkitgtk-2.28.1/lib\0--ro-bind-try\0/lib64\0/lib64\0--ro-bind-try\0/usr/lib64\0/usr/lib64\0--ro-bind-try\0/usr/local/lib64\0/usr/local/lib64\0--ro-bind-try\0/gnu/store/1skpd1p64x982c52anh4a5yhlp05paa6-webkitgtk-2.28.1/libexec/webkit2gtk-4.0\0/gnu/store/1skpd1p64x982c52anh4a5yhlp05paa6-webkitgtk-2.28.1/libexec/webkit2gtk-4.0\0--ro-bind-try\0/gnu/store/h6pd8k3glp23k868i0ij5x2v5kzfgsrv-gdk-pixbuf+svg-2.40.0/lib\0/gnu/store/h6pd8k3glp23k868i0ij5x2v5kzfgsrv-gdk-pixbuf+svg-2.40.0/lib\0--ro-bind-try\0/gnu/store/9s7khsp79c223jvbbv0icyn5fdm7v6cb-gnome-bluetooth-3.34.0/lib\0/gnu/store/9s7khsp79c223jvbbv0icyn5fdm7v6cb-gnome-bluetooth-3.34.0/lib\0--ro-bind-try\0/gnu/store/ry4zm4c39nz78h42hmbq6rb6mg6axxzg-librsvg-2.40.21/lib\0/gnu/store/ry4zm4c39nz78h42hmbq6rb6mg6axxzg-librsvg-2.40.21/lib\0--ro-bind-try\0/gnu/store/y37h19fz5pr3m99aw8g9hksz2pv1xr1f-libgweather-3.34.0/lib\0/gnu/store/y37h19fz5pr3m99aw8g9hksz2pv1xr1f-libgweather-3.34.0/lib\0--setenv\0LD_LIBRARY_PATH\0/gnu/store/h6pd8k3glp23k868i0ij5x2v5kzfgsrv-gdk-pixbuf+svg-2.40.0/lib:/gnu/store/9s7khsp79c223jvbbv0icyn5fdm7v6cb-gnome-bluetooth-3.34.0/lib:/gnu/store/ry4zm4c39nz78h42hmbq6rb6mg6axxzg-librsvg-2.40.21/lib:/gnu/store/y37h19fz5pr3m99aw8g9hksz2pv1xr1f-libgweather-3.34.0/lib\0--ro-bind-data\00033\0/.flatpak-info\0--bind-try\0/tmp/.X11-unix/X1\0/tmp/.X11-unix/X1\0--ro-bind-try\0/run/user/1000/gdm/Xauthority\0/run/user/1000/gdm/Xauthority\0--ro-bind-try\0/tmp/epiphany-jackhill-hoj0lD\0/tmp/epiphany-jackhill-hoj0lD\0--ro-bind-try\0/home/jackhill/.local/share/epiphany\0/home/jackhill/.local/share/epiphany\0--ro-bind-try\0/home/jackhill/.cache/epiphany\0/home/jackhill/.cache/epiphany\0--ro-bind-try\0/home/jackhill/.config/epiphany\0/home/jackhill/.config/epiphany\0--bind-try\0/home/jackhill/.cache/epiphany/applications\0/home/jackhill/.cache/epiphany/applications\0--bind-try\0/home/jackhill/.local/share/webkitgtk/mediakeys\0/home/jackhill/.local/share/webkitgtk/mediakeys\0--bind-try\0/home/jackhill/.local/share/epiphany/databases\0/home/jackhill/.local/share/epiphany/databases\0--bind-try\0/run/user/1000/pulse\0/run/user/1000/pulse\0--ro-bind-try\0/etc/pulse/client.conf\0/etc/pulse/client.conf\0--ro-bind-try\0/home/jackhill/.config/pulse\0/home/jackhill/.config/pulse\0--ro-bind-try\0/home/jackhill/.pulse\0/home/jackhill/.pulse\0--ro-bind-try\0/home/jackhill/.asoundrc\0/home/jackhill/.asoundrc\0--dev-bind-try\0/dev/snd\0/dev/snd\0--ro-bind-try\0/home/jackhill/.config/fontconfig\0/home/jackhill/.config/fontconfig\0--ro-bind-try\0/home/jackhill/.fontconfig\0/home/jackhill/.fontconfig\0--bind-try\0/home/jackhill/.cache/fontconfig\0/home/jackhill/.cache/fontconfig\0--ro-bind-try\0/home/jackhill/.fonts.conf\0/home/jackhill/.fonts.conf\0--ro-bind-try\0/home/jackhill/.config/.fonts.conf.d\0/home/jackhill/.config/.fonts.conf.d\0--ro-bind-try\0/home/jackhill/.local/share/fonts\0/home/jackhill/.local/share/fonts\0--ro-bind-try\0/home/jackhill/.fonts\0/home/jackhill/.fonts\0--ro-bind-try\0/var/cache/fontconfig\0/var/cache/fontconfig\0--ro-bind-try\0/home/jackhill/.guix-profile/lib/gstreamer-1.0\0/home/jackhill/.guix-profile/lib/gstreamer-1.0\0--ro-bind-try\0/home/jackhill/.guix-profile/lib/gstreamer-1.0\0/home/jackhill/.guix-profile/lib/gstreamer-1.0\0--ro-bind-try\0/home/jackhill/.guix-profile/lib/gstreamer-1.0\0/home/jackhill/.guix-profile/lib/gstreamer-1.0\0--ro-bind-try\0/run/current-system/profile/lib/gstreamer-1.0\0/run/current-system/profile/lib/gstreamer-1.0\0--bind-try\0/home/jackhill/.cache/gstreamer-1.0\0/home/jackhill/.cache/gstreamer-1.0\0--ro-bind-try\0/usr/libexec/gstreamer-1.0/gst-plugin-scanner\0/usr/libexec/gstreamer-1.0/gst-plugin-scanner\0--ro-bind-try\0/usr/libexec/gst-install-plugins-helper\0/usr/libexec/gst-install-plugins-helper\0--dev-bind-try\0/dev/dri\0/dev/dri\0--dev-bind-try\0/dev/mali\0/dev/mali\0--dev-bind-try\0/dev/mali0\0/dev/mali0\0--dev-bind-try\0/dev/umplock\0/dev/umplock\0--dev-bind-try\0/dev/nvidiactl\0/dev/nvidiactl\0--dev-bind-try\0/dev/nvidia0\0/dev/nvidia0\0--dev-bind-try\0/dev/nvidia\0/dev/nvidia\0--dev-bind-try\0/dev/kgsl-3d0\0/dev/kgsl-3d0\0--dev-bind-try\0/dev/ion\0/dev/ion\0--dev-bind-try\0/dev/v4l\0/dev/v4l\0--dev-bind-try\0/dev/video0\0/dev/video0\0--dev-bind-try\0/dev/video1\0/dev/video1\0--ro-bind\0/run/user/1000/webkitgtk/dbus-proxy-SQHVJ0\0/run/user/1000/webkitgtk/dbus-proxy-SQHVJ0\0--setenv\0AT_SPI_BUS_ADDRESS\0unix:path=/run/user/1000/webkitgtk/dbus-proxy-SQHVJ0\0--ro-bind-try\0/home/jackhill/.config/gtk-3.0\0/home/jackhill/.config/gtk-3.0\0--ro-bind-try\0/home/jackhill/.local/share/themes\0/home/jackhill/.local/share/themes\0--ro-bind-try\0/home/jackhill/.themes\0/home/jackhill/.themes\0--ro-bind-try\0/home/jackhill/.icons\0/home/jackhill/.icons\0--seccomp\00035\0"

For readability, here is is removing the null bytes, and using newlines:

--die-with-parent
--unshare-pid
--unshare-uts
--unshare-net
--ro-bind /etc /etc
--dev /dev
--proc /proc
--tmpfs /tmp
--unsetenv TMPDIR
--dir /run
--symlink ../run /var/run
--symlink ../tmp /var/tmp
--ro-bind /sys/block /sys/block
--ro-bind /sys/bus /sys/bus
--ro-bind /sys/class /sys/class
--ro-bind /sys/dev /sys/dev
--ro-bind /sys/devices /sys/devices
--ro-bind-try /usr/share /usr/share
--ro-bind-try /usr/local/share /usr/local/share
--ro-bind-try /gnu/store/1skpd1p64x982c52anh4a5yhlp05paa6-webkitgtk-2.28.1/share /gnu/store/1skpd1p64x982c52anh4a5yhlp05paa6-webkitgtk-2.28.1/share
--ro-bind-try /lib /lib
--ro-bind-try /usr/lib /usr/lib
--ro-bind-try /usr/local/lib /usr/local/lib
--ro-bind-try /gnu/store/1skpd1p64x982c52anh4a5yhlp05paa6-webkitgtk-2.28.1/lib /gnu/store/1skpd1p64x982c52anh4a5yhlp05paa6-webkitgtk-2.28.1/lib
--ro-bind-try /lib64 /lib64
--ro-bind-try /usr/lib64 /usr/lib64
--ro-bind-try /usr/local/lib64 /usr/local/lib64
--ro-bind-try /gnu/store/1skpd1p64x982c52anh4a5yhlp05paa6-webkitgtk-2.28.1/libexec/webkit2gtk-4.0 /gnu/store/1skpd1p64x982c52anh4a5yhlp05paa6-webkitgtk-2.28.1/libexec/webkit2gtk-4.0
--ro-bind-try /gnu/store/h6pd8k3glp23k868i0ij5x2v5kzfgsrv-gdk-pixbuf+svg-2.40.0/lib /gnu/store/h6pd8k3glp23k868i0ij5x2v5kzfgsrv-gdk-pixbuf+svg-2.40.0/lib
--ro-bind-try /gnu/store/9s7khsp79c223jvbbv0icyn5fdm7v6cb-gnome-bluetooth-3.34.0/lib /gnu/store/9s7khsp79c223jvbbv0icyn5fdm7v6cb-gnome-bluetooth-3.34.0/lib
--ro-bind-try /gnu/store/ry4zm4c39nz78h42hmbq6rb6mg6axxzg-librsvg-2.40.21/lib /gnu/store/ry4zm4c39nz78h42hmbq6rb6mg6axxzg-librsvg-2.40.21/lib
--ro-bind-try /gnu/store/y37h19fz5pr3m99aw8g9hksz2pv1xr1f-libgweather-3.34.0/lib /gnu/store/y37h19fz5pr3m99aw8g9hksz2pv1xr1f-libgweather-3.34.0/lib
--setenv LD_LIBRARY_PATH /gnu/store/h6pd8k3glp23k868i0ij5x2v5kzfgsrv-gdk-pixbuf+svg-2.40.0/lib:/gnu/store/9s7khsp79c223jvbbv0icyn5fdm7v6cb-gnome-bluetooth-3.34.0/lib:/gnu/store/ry4zm4c39nz78h42hmbq6rb6mg6axxzg-librsvg-2.40.21/lib:/gnu/store/y37h19fz5pr3m99aw8g9hksz2pv1xr1f-libgweather-3.34.0/lib
--ro-bind-data 0033 /.flatpak-info
--bind-try /tmp/.X11-unix/X1 /tmp/.X11-unix/X1
--ro-bind-try /run/user/1000/gdm/Xauthority /run/user/1000/gdm/Xauthority
--ro-bind-try /tmp/epiphany-jackhill-hoj0lD /tmp/epiphany-jackhill-hoj0lD
--ro-bind-try /home/jackhill/.local/share/epiphany /home/jackhill/.local/share/epiphany
--ro-bind-try /home/jackhill/.cache/epiphany /home/jackhill/.cache/epiphany
--ro-bind-try /home/jackhill/.config/epiphany /home/jackhill/.config/epiphany
--bind-try /home/jackhill/.cache/epiphany/applications /home/jackhill/.cache/epiphany/applications
--bind-try /home/jackhill/.local/share/webkitgtk/mediakeys /home/jackhill/.local/share/webkitgtk/mediakeys
--bind-try /home/jackhill/.local/share/epiphany/databases /home/jackhill/.local/share/epiphany/databases
--bind-try /run/user/1000/pulse /run/user/1000/pulse
--ro-bind-try /etc/pulse/client.conf /etc/pulse/client.conf
--ro-bind-try /home/jackhill/.config/pulse /home/jackhill/.config/pulse
--ro-bind-try /home/jackhill/.pulse /home/jackhill/.pulse
--ro-bind-try /home/jackhill/.asoundrc /home/jackhill/.asoundrc
--dev-bind-try /dev/snd /dev/snd
--ro-bind-try /home/jackhill/.config/fontconfig /home/jackhill/.config/fontconfig
--ro-bind-try /home/jackhill/.fontconfig /home/jackhill/.fontconfig
--bind-try /home/jackhill/.cache/fontconfig /home/jackhill/.cache/fontconfig
--ro-bind-try /home/jackhill/.fonts.conf /home/jackhill/.fonts.conf
--ro-bind-try /home/jackhill/.config/.fonts.conf.d /home/jackhill/.config/.fonts.conf.d
--ro-bind-try /home/jackhill/.local/share/fonts /home/jackhill/.local/share/fonts
--ro-bind-try /home/jackhill/.fonts /home/jackhill/.fonts
--ro-bind-try /var/cache/fontconfig /var/cache/fontconfig
--ro-bind-try /home/jackhill/.guix-profile/lib/gstreamer-1.0 /home/jackhill/.guix-profile/lib/gstreamer-1.0
--ro-bind-try /home/jackhill/.guix-profile/lib/gstreamer-1.0 /home/jackhill/.guix-profile/lib/gstreamer-1.0
--ro-bind-try /home/jackhill/.guix-profile/lib/gstreamer-1.0 /home/jackhill/.guix-profile/lib/gstreamer-1.0
--ro-bind-try /run/current-system/profile/lib/gstreamer-1.0 /run/current-system/profile/lib/gstreamer-1.0
--bind-try /home/jackhill/.cache/gstreamer-1.0 /home/jackhill/.cache/gstreamer-1.0
--ro-bind-try /usr/libexec/gstreamer-1.0/gst-plugin-scanner /usr/libexec/gstreamer-1.0/gst-plugin-scanner
--ro-bind-try /usr/libexec/gst-install-plugins-helper /usr/libexec/gst-install-plugins-helper
--dev-bind-try /dev/dri /dev/dri
--dev-bind-try /dev/mali /dev/mali
--dev-bind-try /dev/mali0 /dev/mali0
--dev-bind-try /dev/umplock /dev/umplock
--dev-bind-try /dev/nvidiactl /dev/nvidiactl
--dev-bind-try /dev/nvidia0 /dev/nvidia0
--dev-bind-try /dev/nvidia /dev/nvidia
--dev-bind-try /dev/kgsl-3d0 /dev/kgsl-3d0
--dev-bind-try /dev/ion /dev/ion
--dev-bind-try /dev/v4l /dev/v4l
--dev-bind-try /dev/video0 /dev/video0
--dev-bind-try /dev/video1 /dev/video1
--ro-bind /run/user/1000/webkitgtk/dbus-proxy-SQHVJ0 /run/user/1000/webkitgtk/dbus-proxy-SQHVJ0
--setenv AT_SPI_BUS_ADDRESS unix:path=/run/user/1000/webkitgtk/dbus-proxy-SQHVJ0
--ro-bind-try /home/jackhill/.config/gtk-3.0 /home/jackhill/.config/gtk-3.0
--ro-bind-try /home/jackhill/.local/share/themes /home/jackhill/.local/share/themes
--ro-bind-try /home/jackhill/.themes /home/jackhill/.themes
--ro-bind-try /home/jackhill/.icons /home/jackhill/.icons
--seccomp 0035

On my system, /etc/pulse/client.conf is a symlink to the store item
/gnu/store/zc4dsmvdabi00nvisrjhi9w00ff4igs7-client.conf, which is not 
shared into the new mount namespace created by bubblewrap. It seems like 
the right way to solve this is for webkitgtk or bubblewrap resolve the 
symlinks at runtime.

As a workaround/test perhaps we can share all of /gnu/store

All that said, I could be on the wrong track as well, since I haven't 
tested a solution yet.

Best,
Jack

Jack Hill wrote on 26 Apr 2020 03:46

Recipients:(name . sirgazil)(address . sirgazil@zoho.com)(name . 40837)(address . 40837@debbugs.gnu.org)

Message-ID:alpine.DEB.2.20.2004252139570.5735@marsh.hcoop.net

I now think what is being shared with bubblewrap is on the write track.

After seeing

"""

const char* pulseConfig = g_getenv("PULSE_CLIENTCONFIG");

if (pulseConfig)

bindIfExists(args, pulseConfig);

"""

in Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp of

WebKitGTK, I set the PULSE_CLIENTCONFIG environemnt variable to the store

path rather than /etc/pulse/client.conf, which is what it was set to

before.

That allowed epiphany to get past the problem with client.conf. However,

it then hits another problem with something not being shared as seen in

this session:

"""

$ env |grep PULSE

PULSE_CLIENTCONFIG=gnu/store/zc4dsmvdabi00nvisrjhi9w00ff4igs7-client.conf

PULSE_CONFIG=/etc/pulse/daemon.conf

$ epiphany

** (epiphany:11528): CRITICAL **: 21:38:10.896: void webkit_web_context_register_uri_scheme(WebKitWebContext*, const char*, WebKitURISchemeRequestCallback, gpointer, GDestroyNotify): assertion 'g_ascii_strcasecmp(scheme, "ftp") != 0' failed

bwrap: execvp /gnu/store/1skpd1p64x982c52anh4a5yhlp05paa6-webkitgtk-2.28.1/libexec/webkit2gtk-4.0/WebKitWebProcess: No such file or directory

"""

Best,

Jack

Jack Hill wrote on 26 Apr 2020 05:03

Recipients:(name . 40837)(address . 40837@debbugs.gnu.org)(name . sirgazil)(address . sirgazil@zoho.com)

Message-ID:alpine.DEB.2.20.2004252257540.5735@marsh.hcoop.net

On Sat, 25 Apr 2020, Jack Hill wrote:

Toggle quote (8 lines)

> in Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp of WebKitGTK,

> I set the PULSE_CLIENTCONFIG environemnt variable to the store path rather

> than /etc/pulse/client.conf, which is what it was set to before.

> That allowed epiphany to get past the problem with client.conf. However, it

> then hits another problem with something not being shared as seen in this

> session:

I tried patching webkitgtk to share the whole /gnu/store in the new mount 
namespace (see attached patch). Unfortunately, when I ran epiphany with 
that patch applied and PULSE_CLIENTCONFIG set to /etc/pulse/client.conf, 
the "bwrap: Can't create file at /etc/pulse/client.conf: No such file or 
directory" error returned.

Via strace, I saw that my patch was having an effect on the arguments to 
bwrap. Could it be that the order of the --bind/--ro-bind arguments 
matters?

Thoughts?
Jack

From f8901a83e2abc2c6ab34f5883663315b8d715e2f Mon Sep 17 00:00:00 2001
From: Jack Hill <jackhill@jackhill.us>
Date: Sat, 25 Apr 2020 22:03:48 -0400
Subject: [PATCH] gnu: webkitgtk: Patch to share store via bwarp

* gnu/packages/patches/webkitgtk-share-store.patch: New File.
* gnu/local.mk: Add here.
* gnu/packages/webkit.scm (webkitgtk)[source]: Apply patch.
---
 gnu/local.mk                                   |  1 +
 .../patches/webkitgtk-share-store.patch        | 18 ++++++++++++++++++
 gnu/packages/webkit.scm                        |  4 +++-
 3 files changed, 22 insertions(+), 1 deletion(-)
 create mode 100644 gnu/packages/patches/webkitgtk-share-store.patch

Toggle diff (53 lines)diff --git a/gnu/local.mk b/gnu/local.mk
index 2780434455..6c11a07c24 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1554,6 +1554,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/vte-CVE-2012-2738-pt1.patch			\
   %D%/packages/patches/vte-CVE-2012-2738-pt2.patch			\
   %D%/packages/patches/weasyprint-library-paths.patch		\
+  %D%/packages/patches/webkitgtk-share-store.patch		\
   %D%/packages/patches/websocketpp-fix-for-boost-1.70.patch	\
   %D%/packages/patches/wicd-bitrate-none-fix.patch		\
   %D%/packages/patches/wicd-get-selected-profile-fix.patch	\
diff --git a/gnu/packages/patches/webkitgtk-share-store.patch b/gnu/packages/patches/webkitgtk-share-store.patch
new file mode 100644
index 0000000000..b927ab7b0a
--- /dev/null
+++ b/gnu/packages/patches/webkitgtk-share-store.patch
@@ -0,0 +1,18 @@
+Author: Jack Hill <jackhill@jackhill.us>
+Tell bubblewrap to share the store
+---
+diff --git a/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp b/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp
+index ad301ab2..d53b680e 100644
+--- a/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp
++++ b/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp
+@@ -737,6 +737,10 @@ GRefPtr<GSubprocess> bubblewrapSpawn(GSubprocessLauncher* launcher, const Proces
+         "--ro-bind-try", "/usr/local/share", "/usr/local/share",
+         "--ro-bind-try", DATADIR, DATADIR,
+ 
++       // TESTING: bind moutn /gnu/store
++       // This should be improved
++       "--ro-bind", "/gnu/store", "/gnu/store",
++
+         // We only grant access to the libdirs webkit is built with and
+         // guess system libdirs. This will always have some edge cases.
+         "--ro-bind-try", "/lib", "/lib",
diff --git a/gnu/packages/webkit.scm b/gnu/packages/webkit.scm
index 377fc0dfaf..fcfd28666b 100644
--- a/gnu/packages/webkit.scm
+++ b/gnu/packages/webkit.scm
@@ -128,7 +128,9 @@ engine that uses Wayland for graphics output.")
                                   "webkitgtk-" version ".tar.xz"))
               (sha256
                (base32
-                "1n7k4yriqhr38f4fgy8pzdn1nm60m53z8p478sgg64swxnijdg5c"))))
+                "1n7k4yriqhr38f4fgy8pzdn1nm60m53z8p478sgg64swxnijdg5c"))
+              (patches
+               (search-patches "webkitgtk-share-store.patch"))))
     (build-system cmake-build-system)
     (outputs '("out" "doc"))
     (arguments
-- 
2.26.2

Jack Hill wrote on 26 Apr 2020 22:37

(no subject)

Recipients:(address . control@debbugs.gnu.org)

Message-ID:alpine.DEB.2.20.2004261636470.5735@marsh.hcoop.net

retitle 40837 core-updates: webkitgtk web process sandbox incomplete

Jack Hill wrote on 26 Apr 2020 22:42

Re: bug#40837: core-updates: webkitgtk web process sandbox incomplete

Recipients:(name . 40837)(address . 40837@debbugs.gnu.org)(name . sirgazil)(address . sirgazil@zoho.com)

Message-ID:alpine.DEB.2.20.2004261638070.5735@marsh.hcoop.net

Some additional observations:

With my patched webkitgtk, if I set:

PULSE_CLIENTCONFIG=/gnu/store/zc4dsmvdabi00nvisrjhi9w00ff4igs7-client.conf

it does work, which is an improvement compared to without the patch.

I notice that Nix [0] has a similar patch:

"""

diff -ru old/webkitgtk-2.26.0/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp webkitgtk-2.26.0/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp

--- old/webkitgtk-2.26.0/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp 2019-09-09 04:47:07.000000000 -0400

+++ webkitgtk-2.26.0/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp 2019-09-20 21:14:10.537921173 -0400

@@ -585,7 +585,7 @@

{ SCMP_SYS(keyctl), nullptr },

{ SCMP_SYS(request_key), nullptr },

- // Scary VM/NUMA ops

+ // Scary VM/NUMA ops

{ SCMP_SYS(move_pages), nullptr },

{ SCMP_SYS(mbind), nullptr },

{ SCMP_SYS(get_mempolicy), nullptr },

@@ -724,6 +724,10 @@

"--ro-bind-try", "/usr/local/lib64", "/usr/local/lib64",

"--ro-bind-try", PKGLIBEXECDIR, PKGLIBEXECDIR,

+ // Nix Directories

+ "--ro-bind", "@storeDir@", "@storeDir@",

+ "--ro-bind", "/run/current-system", "/run/current-system",

};

// We would have to parse ld config files for more info.

bindPathVar(sandboxArgs, "LD_LIBRARY_PATH");

"""

[0] https://github.com/NixOS/nixpkgs/blob/465566948393cf533e3617704d1c4ccc34cf3753/pkgs/development/libraries/webkitgtk/fix-bubblewrap-paths.patch

so I wonder if I didn't do the mounts in the right place and or if it is

becasue I missed /run/current-system.

I'm going to try to adapt the Nix patch to see if that helps.

Best,

Jack

Jack Hill wrote on 28 Apr 2020 00:02

Recipients:(name . 40837)(address . 40837@debbugs.gnu.org)(name . sirgazil)(address . sirgazil@zoho.com)

Message-ID:alpine.DEB.2.20.2004271759320.5735@marsh.hcoop.net

I didn't have any better luck with the Nix patch. I was also unable to any

problems with /etc/pulse/client.conf when calling bwrap manually on the

command line.

I'm afraid that I'm stuck for now. I have asked the WebKit developers for

help: https://lists.webkit.org/pipermail/webkit-dev/2020-April/031184.html

Best,

Jack

Jack Hill wrote on 28 Apr 2020 05:03

Recipients:(name . 40837)(address . 40837@debbugs.gnu.org)(name . sirgazil)(address . sirgazil@zoho.com)

Message-ID:alpine.DEB.2.20.2004272247330.5735@marsh.hcoop.net

I'm a little bit unstuck now. I found a bubblwrap issue [0], which I

believe is the one that we're running into.

[0] https://github.com/containers/bubblewrap/issues/195"Errors when

--bind used with a symlinked path"

With insight gained there, I've determined that the following simplified

bwrap invocation succeeds:

"""

$ bwrap --ro-bind-try /etc/pulse/client.conf /etc/pulse/client.conf

--ro-bind /gnu /gnu --ro-bind /run/current-system /run/current-system --

/run/current-system/profile/bin/bash

"""

while the following invocation fails:

"""

$ bwrap --ro-bind /etc /etc --ro-bind-try /etc/pulse/client.conf

/etc/pulse/client.conf --ro-bind /gnu /gnu --ro-bind /run/current-system

/run/current-system -- /run/current-system/profile/bin/bash

bwrap: Can't create file at /etc/pulse/client.conf: No such file or

directory

"""

The difference between the working and non-working invocations in that in

the non-working invocation, /etc is already mounted withing the new

namespace, which includes symlinks at /etc/pulse and

/etc/pulse/client.conf, and the later mount of the /etc/pulse/client.conf

symlink causese the problem.

Now to figure out what the solution is, and if it is best fixed in

webkitgtk or bubblewrap :)

Ideas welcome!

Best,

Jack

Jack Hill wrote on 28 Apr 2020 18:27

Recipients:(name . 40837)(address . 40837@debbugs.gnu.org)(name . sirgazil)(address . sirgazil@zoho.com)

Message-ID:alpine.DEB.2.20.2004281218560.5735@marsh.hcoop.net

After further discussion on the Bubblewrap issue [0], it was determined

that the problem should be fixed by having WebKitGTK canonicalize paths

before passing them to bwrap. There is now a WebKit issue for that fix [1].

[0] https://github.com/containers/bubblewrap/issues/195

[1] https://bugs.webkit.org/show_bug.cgi?id=211131

When the WebKit issue is fixed, that should solve the problem with

/etc/pulse/client.conf. I believe that we will still have work to do in

Guix to make sure the store is available inside the sandbox.

Best,

Jack

sirgazil wrote on 28 Apr 2020 18:33

Recipients:(name . Jack Hill)(address . jackhill@jackhill.us)(name . 40837)(address . 40837@debbugs.gnu.org)

Message-ID:171c1a2ae49.fd191b3320285.7608315760355987557@zoho.com

---- On Tue, 28 Apr 2020 23:27:57 +0000 Jack Hill <jackhill@jackhill.us> wrote ----
 > After further discussion on the Bubblewrap issue [0], it was determined 
 > that the problem should be fixed by having WebKitGTK canonicalize paths 
 > before passing them to bwrap. There is now a WebKit issue for that fix [1].
 > 
 > [0] https://github.com/containers/bubblewrap/issues/195
 > [1] https://bugs.webkit.org/show_bug.cgi?id=211131
 > 
 > When the WebKit issue is fixed, that should solve the problem with 
 > /etc/pulse/client.conf. I believe that we will still have work to do in 
 > Guix to make sure the store is available inside the sandbox.


Thanks for working on this, Jack.

sirgazil via web wrote on 4 May 2020 21:27

(no subject)

Recipients:(address . 40837@debbugs.gnu.org)

Message-ID:7fbdd51a1f10.ac6d83595bb47cb@guile.gnu.org

I can reproduce this problem.

Marius Bakke wrote on 6 May 2020 18:39

Re: bug#40837: core-updates: webkitgtk web process sandbox incomplete

Recipients:(name . sirgazil)(address . sirgazil@zoho.com)

Message-ID:87h7wt3tmv.fsf@devup.no

Hello Jack,

Thanks a lot for this work.

Jack Hill <jackhill@jackhill.us> writes:

Toggle quote (8 lines)

> Some additional observations:

> With my patched webkitgtk, if I set:

> PULSE_CLIENTCONFIG=/gnu/store/zc4dsmvdabi00nvisrjhi9w00ff4igs7-client.conf

> it does work, which is an improvement compared to without the patch.

Great. I have attached a patch for Guix that stops using /etc for these

variables.

Toggle quote (35 lines)> I notice that Nix [0] has a similar patch:
>
> """
> diff -ru old/webkitgtk-2.26.0/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp webkitgtk-2.26.0/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp
> --- old/webkitgtk-2.26.0/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp	2019-09-09 04:47:07.000000000 -0400
> +++ webkitgtk-2.26.0/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp	2019-09-20 21:14:10.537921173 -0400
> @@ -585,7 +585,7 @@
>           { SCMP_SYS(keyctl), nullptr },
>           { SCMP_SYS(request_key), nullptr },
>
> -        // Scary VM/NUMA ops 
> +        // Scary VM/NUMA ops
>           { SCMP_SYS(move_pages), nullptr },
>           { SCMP_SYS(mbind), nullptr },
>           { SCMP_SYS(get_mempolicy), nullptr },
> @@ -724,6 +724,10 @@
>           "--ro-bind-try", "/usr/local/lib64", "/usr/local/lib64",
>
>           "--ro-bind-try", PKGLIBEXECDIR, PKGLIBEXECDIR,
> +
> +        // Nix Directories
> +        "--ro-bind", "@storeDir@", "@storeDir@",
> +        "--ro-bind", "/run/current-system", "/run/current-system",
>       };
>       // We would have to parse ld config files for more info.
>       bindPathVar(sandboxArgs, "LD_LIBRARY_PATH");
> """
>
> [0] https://github.com/NixOS/nixpkgs/blob/465566948393cf533e3617704d1c4ccc34cf3753/pkgs/development/libraries/webkitgtk/fix-bubblewrap-paths.patch
>
> so I wonder if I didn't do the mounts in the right place and or if it is 
> becasue I missed /run/current-system.
>
> I'm going to try to adapt the Nix patch to see if that helps.

Were you able to verify whether /run/current-system is required inside
the sandbox?

I cleaned up your patch a bit and rebased it on the latest master
branch, available as patch 2/2 below.  Currently building it on
'core-updates' to verify that it works.  It takes a while on my dinky
quad-core server though.  :-)

It does not bind /run/current-system, and I think we should avoid it if
possible.  Ideally we would only mount the store paths required by the
consumers instead of all of /gnu/store, but not sure how to achieve
that.

From a2607c8246456460a6bbed62144daf7196a5c9bd Mon Sep 17 00:00:00 2001
From: Marius Bakke <mbakke@fastmail.com>
Date: Wed, 6 May 2020 17:48:42 +0200
Subject: [PATCH 1/2] services: Do not use symbolic links in PulseAudio
 variables.

This addresses https://bugs.gnu.org/40837 by making these configuration
files more easily accessible within the WebKitGTK+ sandbox.

* gnu/services/sound.scm (pulseaudio-environment): Move below
PULSEAUDIO-CONF-ENTRY.  Create PULSE_CONFIG and PULSE_CLIENTCONFIG entries
directly instead of referring to /etc/pulse.
(pulseaudio-etc): Do not create /etc/pulse/client.conf and /etc/pulse/daemon.conf.
---
 gnu/services/sound.scm | 27 ++++++++++++---------------
 1 file changed, 12 insertions(+), 15 deletions(-)

Toggle diff (59 lines)diff --git a/gnu/services/sound.scm b/gnu/services/sound.scm
index a1c928222a..bdf819b422 100644
--- a/gnu/services/sound.scm
+++ b/gnu/services/sound.scm
@@ -1,6 +1,7 @@
 ;;; GNU Guix --- Functional package management for GNU
 ;;; Copyright © 2018, 2020 Oleg Pykhalov <go.wigust@gmail.com>
 ;;; Copyright © 2020 Leo Prikler <leo.prikler@student.tugraz.at>
+;;; Copyright © 2020 Marius Bakke <mbakke@fastmail.com>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -127,11 +128,6 @@ ctl.!default {
                       (default
                         (file-append pulseaudio "/etc/pulse/system.pa"))))
 
-(define (pulseaudio-environment config)
-  `(;; Define these variables, so that pulseaudio honors /etc.
-    ("PULSE_CONFIG" . "/etc/pulse/daemon.conf")
-    ("PULSE_CLIENTCONFIG" . "/etc/pulse/client.conf")))
-
 (define (pulseaudio-conf-entry arg)
   (match arg
     ((key . value)
@@ -139,21 +135,22 @@ ctl.!default {
     ((? string? _)
      (string-append arg "\n"))))
 
+(define pulseaudio-environment
+  (match-lambda
+    (($ <pulseaudio-configuration> client-conf daemon-conf default-script-file)
+     `(("PULSE_CONFIG" . ,(apply mixed-text-file "daemon.conf"
+                                 "default-script-file = " default-script-file "\n"
+                                 (map pulseaudio-conf-entry daemon-conf)))
+       ("PULSE_CLIENTCONFIG" . ,(apply mixed-text-file "client.conf"
+                                       (map pulseaudio-conf-entry client-conf)))))))
+
 (define pulseaudio-etc
   (match-lambda
-    (($ <pulseaudio-configuration> client-conf daemon-conf
-                                   default-script-file system-script-file)
+    (($ <pulseaudio-configuration> _ _ default-script-file system-script-file)
      `(("pulse"
         ,(file-union
           "pulse"
-          `(("client.conf"
-             ,(apply mixed-text-file "client.conf"
-                     (map pulseaudio-conf-entry client-conf)))
-            ("daemon.conf"
-             ,(apply mixed-text-file "daemon.conf"
-                     "default-script-file = " default-script-file "\n"
-                     (map pulseaudio-conf-entry daemon-conf)))
-            ("default.pa" ,default-script-file)
+          `(("default.pa" ,default-script-file)
             ("system.pa" ,system-script-file))))))))
 
 (define pulseaudio-service-type
-- 
2.26.2

From 3864b54f4aadefc600433d3654b0a1a73ab6fa98 Mon Sep 17 00:00:00 2001

Fixes https://bugs.gnu.org/40837.

* gnu/packages/patches/webkitgtk-share-store.patch: New file.

* gnu/local.mk (dist_patch_DATA): Add it.

* gnu/packages/webkit.scm (webkitgtk)[source](patches): Use it.

Co-authored-by: Marius Bakke <mbakke@fastmail.com>

---

gnu/local.mk | 1 +

.../patches/webkitgtk-share-store.patch | 20 +++++++++++++++++++

gnu/packages/webkit.scm | 12 ++++++++++-

3 files changed, 32 insertions(+), 1 deletion(-)

create mode 100644 gnu/packages/patches/webkitgtk-share-store.patch

Toggle diff (70 lines)diff --git a/gnu/local.mk b/gnu/local.mk
index 62eeb39ece..5c06415205 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1542,6 +1542,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/vte-CVE-2012-2738-pt2.patch			\
   %D%/packages/patches/warsow-qfusion-fix-bool-return-type.patch	\
   %D%/packages/patches/weasyprint-library-paths.patch		\
+  %D%/packages/patches/webkitgtk-share-store.patch		\
   %D%/packages/patches/websocketpp-fix-for-boost-1.70.patch	\
   %D%/packages/patches/wicd-bitrate-none-fix.patch		\
   %D%/packages/patches/wicd-get-selected-profile-fix.patch	\
diff --git a/gnu/packages/patches/webkitgtk-share-store.patch b/gnu/packages/patches/webkitgtk-share-store.patch
new file mode 100644
index 0000000000..4174e73b6c
--- /dev/null
+++ b/gnu/packages/patches/webkitgtk-share-store.patch
@@ -0,0 +1,20 @@
+Author: Jack Hill <jackhill@jackhill.us>
+Tell bubblewrap to share the store.
+
+See <https://bugs.gnu.org/40837>.
+
+---
+diff --git a/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp b/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp
+index ad301ab2..d53b680e 100644
+--- a/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp
++++ b/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp
+@@ -737,6 +737,9 @@ GRefPtr<GSubprocess> bubblewrapSpawn(GSubprocessLauncher* launcher, const Proces
+         "--ro-bind-try", "/usr/local/share", "/usr/local/share",
+         "--ro-bind-try", DATADIR, DATADIR,
+ 
++       // Bind mount the store inside the WebKitGTK sandbox.
++       "--ro-bind", "@storedir@", "@storedir@",
++
+         // We only grant access to the libdirs webkit is built with and
+         // guess system libdirs. This will always have some edge cases.
+         "--ro-bind-try", "/lib", "/lib",
diff --git a/gnu/packages/webkit.scm b/gnu/packages/webkit.scm
index e52536c279..6035d6c59d 100644
--- a/gnu/packages/webkit.scm
+++ b/gnu/packages/webkit.scm
@@ -128,7 +128,8 @@ engine that uses Wayland for graphics output.")
                                   "webkitgtk-" version ".tar.xz"))
               (sha256
                (base32
-                "1g9hik3bprki5s9d7y5288q5irwckbzajr6rnlvjrlnqrwjkblmr"))))
+                "1g9hik3bprki5s9d7y5288q5irwckbzajr6rnlvjrlnqrwjkblmr"))
+              (patches (search-patches "webkitgtk-share-store.patch"))))
     (build-system cmake-build-system)
     (outputs '("out" "doc"))
     (arguments
@@ -156,6 +157,15 @@ engine that uses Wayland for graphics output.")
                           "-DUSE_WOFF2=OFF")
        #:phases
        (modify-phases %standard-phases
+         (add-after 'unpack 'configure-bubblewrap-store-directory
+           (lambda _
+             ;; This phase is a corollary to 'webkitgtk-share-store.patch' to
+             ;; avoid hard coding /gnu/store, for users with other prefixes.
+             (let ((store-directory (%store-directory)))
+               (substitute*
+                   "Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp"
+                 (("@storedir@") store-directory))
+               #t)))
          (add-after 'unpack 'patch-gtk-doc-scan
            (lambda* (#:key inputs #:allow-other-keys)
              (for-each (lambda (file)
-- 
2.26.2

Jack Hill wrote on 6 May 2020 22:17

Recipients:(name . Marius Bakke)(address . mbakke@fastmail.com)

Message-ID:alpine.DEB.2.20.2005061607510.5735@marsh.hcoop.net

On Wed, 6 May 2020, Marius Bakke wrote:

Toggle quote (4 lines)

> Hello Jack,

> Thanks a lot for this work.

You're welcome. I'm happy that we seem to be making good progress.

Toggle quote (13 lines)> Jack Hill <jackhill@jackhill.us> writes:
>
>> Some additional observations:
>>
>> With my patched webkitgtk, if I set:
>>
>> PULSE_CLIENTCONFIG=/gnu/store/zc4dsmvdabi00nvisrjhi9w00ff4igs7-client.conf
>>
>> it does work, which is an improvement compared to without the patch.
>
> Great.  I have attached a patch for Guix that stops using /etc for these
> variables.

Good idea! That way we won't have to wait for WebKitGTK to canonicalize

all paths :)

Toggle quote (10 lines)>> [0] https://github.com/NixOS/nixpkgs/blob/465566948393cf533e3617704d1c4ccc34cf3753/pkgs/development/libraries/webkitgtk/fix-bubblewrap-paths.patch
>>
>> so I wonder if I didn't do the mounts in the right place and or if it is
>> becasue I missed /run/current-system.
>>
>> I'm going to try to adapt the Nix patch to see if that helps.
>
> Were you able to verify whether /run/current-system is required inside
> the sandbox?

I don't think /run/current-system is needed.

Toggle quote (10 lines)> I cleaned up your patch a bit and rebased it on the latest master
> branch, available as patch 2/2 below.  Currently building it on
> 'core-updates' to verify that it works.  It takes a while on my dinky
> quad-core server though.  :-)
>
> It does not bind /run/current-system, and I think we should avoid it if
> possible.  Ideally we would only mount the store paths required by the
> consumers instead of all of /gnu/store, but not sure how to achieve
> that.

I've tested the updated patch by applying it to master and merging into 
core-updates. I'm happy to report that everything seems to be working for 
me after doing so!

Sharing less than the whole store sounds like a great aspiration, but I 
think we'd have to teach WebKitGTK how to ask Guix for its closure to do 
so. On FHS-compliant systems, all of the various /usr/lib and /usr/share 
directories are bind-mounted into the new namespace, so I don't think 
we're providing too much more. It's nice that our setuid binaries reside 
outside of the store :)

Best,
Jack

Marius Bakke wrote on 6 May 2020 22:53

Recipients:(name . Jack Hill)(address . jackhill@jackhill.us)

Message-ID:87v9l83hvb.fsf@devup.no

Jack Hill <jackhill@jackhill.us> writes:

Toggle quote (36 lines)> On Wed, 6 May 2020, Marius Bakke wrote:
>
>> Hello Jack,
>>
>> Thanks a lot for this work.
>
> You're welcome. I'm happy that we seem to be making good progress.
>
>> Jack Hill <jackhill@jackhill.us> writes:
>>
>>> Some additional observations:
>>>
>>> With my patched webkitgtk, if I set:
>>>
>>> PULSE_CLIENTCONFIG=/gnu/store/zc4dsmvdabi00nvisrjhi9w00ff4igs7-client.conf
>>>
>>> it does work, which is an improvement compared to without the patch.
>>
>> Great.  I have attached a patch for Guix that stops using /etc for these
>> variables.
>
> Good idea! That way we won't have to wait for WebKitGTK to canonicalize 
> all paths :)
>
>>> [0] https://github.com/NixOS/nixpkgs/blob/465566948393cf533e3617704d1c4ccc34cf3753/pkgs/development/libraries/webkitgtk/fix-bubblewrap-paths.patch
>>>
>>> so I wonder if I didn't do the mounts in the right place and or if it is
>>> becasue I missed /run/current-system.
>>>
>>> I'm going to try to adapt the Nix patch to see if that helps.
>>
>> Were you able to verify whether /run/current-system is required inside
>> the sandbox?
>
> I don't think /run/current-system is needed.

Excellent. I tested Epiphany with these patches on a popular video

streaming site and everything seemed fine.

Toggle quote (21 lines)>> I cleaned up your patch a bit and rebased it on the latest master
>> branch, available as patch 2/2 below.  Currently building it on
>> 'core-updates' to verify that it works.  It takes a while on my dinky
>> quad-core server though.  :-)
>>
>> It does not bind /run/current-system, and I think we should avoid it if
>> possible.  Ideally we would only mount the store paths required by the
>> consumers instead of all of /gnu/store, but not sure how to achieve
>> that.
>
> I've tested the updated patch by applying it to master and merging into 
> core-updates. I'm happy to report that everything seems to be working for 
> me after doing so!
>
> Sharing less than the whole store sounds like a great aspiration, but I 
> think we'd have to teach WebKitGTK how to ask Guix for its closure to do 
> so. On FHS-compliant systems, all of the various /usr/lib and /usr/share 
> directories are bind-mounted into the new namespace, so I don't think 
> we're providing too much more. It's nice that our setuid binaries reside 
> outside of the store :)

Indeed, thanks for testing and confirming.

I added a little more context in the patch description and finally

pushed it as a6919866b07e9ed3986abde7ae48d0c69ff3deed.

Again, thank you very much for taking care of this. :-)

Closed

Your comment

This issue is archived.

To comment on this conversation send an email to 40837@debbugs.gnu.org

To respond to this issue using the mumi CLI, first switch to it

mumi current 40837

Then, you may apply the latest patchset in this issue (with sign off)

mumi am -- -s

Or, compose a reply to this issue

mumi compose

Or, send patches to this issue

mumi send-email *.patch

is:open	open issues
is:done	closed issues
submitter:<who>	search issue submitter
author:<who>	search by message author
date:yesterday..now	search by issue date
mdate:3m..2d	search by message date