From mboxrd@z Thu Jan 1 00:00:00 1970
Subject: bug#47106: Bubblewrap hates Guix containers 😞
From: Leo Prikler
To: Bengt Richter
Cc: 47106@debbugs.gnu.org
Date: Tue, 16 Mar 2021 12:13:10 +0100
Message-ID: <65e3ddcc4b625ed496222f6072542cd250b08a76.camel@student.tugraz.at>
In-Reply-To: <20210316105442.GA3903@LionPure>
References: <87r1kjpbvx.fsf@gnu.org> <2922127e61435e64f95d3d398ef6932a02336188.camel@student.tugraz.at> <20210313122718.GA11708@LionPure> <20210313170704.GA3712@LionPure> <20210314174539.GA10548@LionPure> <20210316105442.GA3903@LionPure>
List-Id: Bug reports for GNU Guix <bug-guix@gnu.org>
Content-Type: text/plain; charset="UTF-8"
Hi,

On Tuesday, 16.03.2021, 11:54 +0100, Bengt Richter wrote:
> Hi Leo,
> One more favor? ;)
>
> On +2021-03-14 19:05:24 +0100, Leo Prikler wrote:
> > Hi again³
> >
> > On Sunday, 14.03.2021, 18:45 +0100, Bengt Richter wrote:
> > > Hi again^2,
> > >
> > > Maybe
> > >     pstree -at
> > > would show a little more?
> > sh
> > |-dbus-daemon --syslog-only --fork --print-pid 5 --print-address 7 --sess
> > |-dbus-launch --autolaunch=fa7a4d52637958ddd37547bb5d8bd9d2 --binary-synt
> > `-screen
> >     `-screen
> >         |-sh
> >         |   `-.epiphany-real
> >         |       |-WebKitNetworkPr 3 21
> >         |       |   |-{BMScavenger}
> >         |       |   |-{ReceiveQueue}
> >         |       |   |-{StorageTask}
> >         |       |   |-{Storage}
> >         |       |   |-{WebStorage}
> >         |       |   |-{background}
> >         |       |   |-{dconf worker}
> >         |       |   |-{erialBackground}
> >         |       |   |-{gdbus}
> >         |       |   `-{gmain}
> >         |       |-bwrap --args 37 -- /gnu/store/hqhxgw0i8xh38h6kwmyrkywcd24q5f1z-webk
> >         |       |   `-bwrap --args 37 -- /gnu/store/hqhxgw0i8xh38h6kwmyrkywcd24q5f1z-webk
> >         |       |       `-WebKitWebProces 1277 28
> >         |       |-{.epiphany-real}
> >         |       |-{BMScavenger}
> >         |       |-{HashSaltStorage}
> >         |       |-{IconDatabase}
> >         |       |-{PressureMonitor}
> >         |       |-2*[{ReceiveQueue}]
> >         |       |-{dconf worker}
> >         |       |-{e Compile Queue}
> >         |       |-{ebsiteDataStore}
> >         |       |-{gdbus}
> >         |       |-{gmain}
> >         |       |-{re Remove Queue}
> >         |       `-{tore Read Queue}
> >         `-sh
> >             `-pstree -at
> > > Also,
> > >     ls -lr /sys/class/drm
> > total 0
> > -r--r--r-- 1 65534 overflow 4096 Mar 14 17:59 version
> > lrwxrwxrwx 1 65534 overflow    0 Mar 14 17:58 ttm -> ../../devices/virtual/drm/ttm
> > lrwxrwxrwx 1 65534 overflow    0 Mar 14 17:59 renderD128 -> ../../devices/pci0000:00/0000:00:02.0/0000:01:00.0/drm/renderD128
> > lrwxrwxrwx 1 65534 overflow    0 Mar 14 17:59 card0-VGA-1 -> ../../devices/pci0000:00/0000:00:02.0/0000:01:00.0/drm/card0/card0-VGA-1
> > lrwxrwxrwx 1 65534 overflow    0 Mar 14 17:59 card0-HDMI-A-1 -> ../../devices/pci0000:00/0000:00:02.0/0000:01:00.0/drm/card0/card0-HDMI-A-1
> > lrwxrwxrwx 1 65534 overflow    0 Mar 14 17:58 card0-DVI-D-1 -> ../../devices/pci0000:00/0000:00:02.0/0000:01:00.0/drm/card0/card0-DVI-D-1
> > lrwxrwxrwx 1 65534 overflow    0 Mar 14 17:58 card0 -> ../../devices/pci0000:00/0000:00:02.0/0000:01:00.0/drm/card0
> > > if that's accessible -- I'm wondering if the version of screen
> > > in the container is built with libdrm and is bypassing X or ??
> > I doubt it is being built differently than screen normally is.
> >
> > > Do you have a makefile or a guix something.scm defining
> > > what's built/packed into your container?
> > Nah, it's a rather ad-hoc definition grown from what should be an Eolie
> > container from the cookbook (also refer to #47097).
> >
> > guix environment --preserve='^DISPLAY$' --preserve=XAUTHORITY \
> >   --preserve=TERM \
> >   --expose=$XAUTHORITY \
> >   --expose=/etc/machine-id \
> >   --expose=/etc/ssl/certs/ \
> >   --expose=/sys/block --expose=/sys/class --expose=/sys/bus \
> >   --expose=/sys/dev --expose=/sys/devices \
> >   --ad-hoc epiphany nss-certs dbus procps coreutils psmisc screen
> >
> > Given that I expose most of /sys explicitly, you should take the above
> > with a grain of salt.
> >
> > > Sorry if my curiosity is making work for you, but I'd like to
> > > try containers down the road -- tho right now I'm taking a break
> > > from events IRL, so I may disappear for a while...
> > I'm not personally impacted by this bug or anything, it's much rather a
> > follow-up to my attempted fix of #47097.  I think there might be some
> > flaw in trying to run a sandbox inside a sandbox (like bubblewrap
> > inside `guix container`), that doesn't actually improve security in any
> > meaningful way.
> >
> > Regards,
> > Leo
> >
>
> If you can run this inside your container, I think it will be interesting:
>     lsof -U|grep -i wayland
>
> The above ought to show quickly if wayland is running.
>
> lsof -U shows the open sockets.
>
> If the above shows nothing, try
>     lsof -U|grep -i x11
> or
>     lsof -U|grep X

Nothing showed up for either, but this got me thinking.
Exposing /tmp/.X11-unix/X1 did do away with the warning, now it's
unexposed dbus, missing icons, etc. etc.
Exposing all of /tmp instead yields

** (epiphany:2): ERROR **: 11:11:28.855: Failed to start embed shell D-Bus server on unix:dir=(null): Error binding to address: No such file or directory

I still think that exposing all of that is perhaps not the wisest idea,
but eh…

Regards,
Leo
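The message above ends with the observation that exposing a single socket (/tmp/.X11-unix/X1) fixed the X11 warning while exposing all of /tmp is "perhaps not the wisest idea". The script below is an added example, not code from the bug report or from Guix itself: it derives the smallest set of host paths a GUI program needs from DISPLAY, DBUS_SESSION_BUS_ADDRESS and XAUTHORITY and emits the matching `guix environment --container` options, so only those files are bind-mounted. It assumes the X server listens on the conventional /tmp/.X11-unix/X<n> socket, that the session bus address uses the `unix:path=` form, and that a read-only `--expose` is enough for connecting to the sockets (the report confirms this for the X socket; for D-Bus it is an assumption). Abstract (`unix:abstract=`) bus sockets live in the host's network namespace, not on the filesystem, so they cannot be exposed at all; the script prints no flag for them and the container has to run its own bus, as the ad-hoc setup in the thread does with dbus-launch.

```shell
#!/bin/sh
# Added example (not from the bug report): compute the minimal set of host
# paths a GUI program needs inside `guix environment --container`, instead
# of exposing all of /tmp.
#
# Assumptions: X listens on /tmp/.X11-unix/X<n>; DBUS_SESSION_BUS_ADDRESS
# is of the "unix:path=..." form; a read-only --expose suffices.

# Map DISPLAY (":1", ":1.0", "localhost:10.0") to the local X11 socket path.
# Prints nothing for an empty DISPLAY.
x11_socket_path() {
    disp=${1#*:}        # drop the host part up to and including the colon
    disp=${disp%%.*}    # drop the screen number
    [ -n "$disp" ] || return 0
    printf '/tmp/.X11-unix/X%s\n' "$disp"
}

# Extract the filesystem path from DBUS_SESSION_BUS_ADDRESS.  Only
# "unix:path=" addresses are files; "unix:abstract=" sockets are bound in the
# host network namespace and cannot be bind-mounted, so nothing is printed
# for them (the container then has to start its own bus).
dbus_socket_path() {
    case $1 in
        unix:path=*)
            rest=${1#unix:path=}
            printf '%s\n' "${rest%%,*}"   # strip ",guid=..." and other keys
            ;;
    esac
}

# Print the guix environment options, one per line, for the given DISPLAY,
# DBUS_SESSION_BUS_ADDRESS and XAUTHORITY values.  Empty candidates are
# skipped, so a missing bus or Xauthority yields fewer --expose flags
# rather than a bogus one.
guix_gui_args() {
    printf '%s\n' --container \
        '--preserve=^DISPLAY$' '--preserve=^DBUS_SESSION_BUS_ADDRESS$' \
        '--preserve=^XAUTHORITY$' '--preserve=^TERM$'
    for p in "$(x11_socket_path "$1")" "$(dbus_socket_path "$2")" "$3"; do
        if [ -n "$p" ]; then
            printf '%s\n' "--expose=$p"
        fi
    done
}

# When run directly, show the options for the current session.  A real
# launch would be:
#   guix environment $(guix_gui_args "$DISPLAY" "$DBUS_SESSION_BUS_ADDRESS" "$XAUTHORITY") \
#       --ad-hoc epiphany nss-certs -- epiphany
guix_gui_args "${DISPLAY-}" "${DBUS_SESSION_BUS_ADDRESS-}" "${XAUTHORITY-}"
```

The options are printed one per line and joined by word splitting at the call site, so paths containing whitespace would need quoting that this plain-sh version does not attempt. Anything the program still complains about after this (icons, a missing runtime directory) is then a specific, nameable path to add, rather than a reason to widen the mount to a whole directory.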