* bug#47628: Epiphany fails to launch after webkitgtk-2.32.0 update
From: Mark H Weaver @ 2021-04-06 22:46 UTC
To: 47628

FYI, since updating to webkitgtk-2.32.0 (commit
3c5e1412e3ef769df8e4826d0aedabaa3aa0d631), epiphany fails to launch: no
window appears, although GNOME Shell shows an empty outline in overview
mode, as if there's a window but it has never been painted.

When running 'epiphany' from the command line, I see the following
warning from 'bwrap', which indicates that it's looking in /usr/bin:

--8<---------------cut here---------------start------------->8---
mhw@jojen ~$ epiphany

** (epiphany:1016): WARNING **: 18:36:48.495: Registering special URI scheme ftp is no longer allowed
bwrap: Can't find source path /usr/bin: No such file or directory
--8<---------------cut here---------------end--------------->8---

I wonder if this only works when Guix is run on top of a more
traditional OS that has /usr/bin. Is anyone successfully able to use
Epiphany on a pure Guix system (without /usr/bin) with Webkitgtk-2.32.0?
(The Webkitgtk version is shown in the "About Web" window, which is
accessible from the hamburger menu.)

      Mark
* bug#47628: webkitgtk-2.32.0 is broken on my system (was Re: bug#47628: Epiphany fails to launch after webkitgtk-2.32.0 update)
From: Mark H Weaver @ 2021-04-06 23:04 UTC
To: 47628

retitle 47628 webkitgtk-2.32.0 is broken on my system
thanks

Mark H Weaver <mhw@netris.org> writes:

> FYI, since updating to webkitgtk-2.32.0 (commit
> 3c5e1412e3ef769df8e4826d0aedabaa3aa0d631), epiphany fails to launch: no
> window appears, although GNOME Shell shows an empty outline in overview
> mode, as if there's a window but it has never been painted.
>
> When running 'epiphany' from the command line, I see the following
> warning from 'bwrap', which indicates that it's looking in /usr/bin:

I see exactly the same behavior with 'eolie': the window never appears
(except for an outline in GNOME Shell's overview mode), and I see the
same warning:

  "bwrap: Can't find source path /usr/bin: No such file or directory"

In both cases, if I try to close the phantom window from overview mode,
it informs me that the application is not responding, and I have to
force quit to make the phantom window go away.

      Mark
* bug#47628: webkitgtk-2.32.0 is broken on my system
From: Guillaume Le Vaillant @ 2021-04-07 7:35 UTC
To: Mark H Weaver; +Cc: 47628

Mark H Weaver <mhw@netris.org> writes:

> retitle 47628 webkitgtk-2.32.0 is broken on my system
> thanks
>
> Mark H Weaver <mhw@netris.org> writes:
>
>> FYI, since updating to webkitgtk-2.32.0 (commit
>> 3c5e1412e3ef769df8e4826d0aedabaa3aa0d631), epiphany fails to launch: no
>> window appears, although GNOME Shell shows an empty outline in overview
>> mode, as if there's a window but it has never been painted.
>>
>> When running 'epiphany' from the command line, I see the following
>> warning from 'bwrap', which indicates that it's looking in /usr/bin:
>
> I see exactly the same behavior with 'eolie': the window never appears
> (except for an outline in GNOME Shell's overview mode), and I see the
> same warning:
>
>   "bwrap: Can't find source path /usr/bin: No such file or directory"
>
> In both cases, if I try to close the phantom window from overview mode,
> it informs me that the application is not responding, and I have to
> force quit to make the phantom window go away.
>
>       Mark

On my Guix system, epiphany with webkitgtk-2.32.0 seems to work fine
(with Guix at commit 14392c77896561c5846c0f3a0588720792d61e95).
The window appears and I can browse websites, and it doesn't print any
error about 'bwrap'.
I'm using StumpWM and not Gnome Shell; I don't know if it has an impact
on epiphany's behavior.
* bug#47628: webkitgtk-2.32.0 is broken on my system
From: Efraim Flashner @ 2021-04-08 8:22 UTC
To: Guillaume Le Vaillant; +Cc: 47628

On Wed, Apr 07, 2021 at 09:35:48AM +0200, Guillaume Le Vaillant wrote:
> Mark H Weaver <mhw@netris.org> writes:
>
> > retitle 47628 webkitgtk-2.32.0 is broken on my system
> > thanks
> >
> > Mark H Weaver <mhw@netris.org> writes:
> >
> >> FYI, since updating to webkitgtk-2.32.0 (commit
> >> 3c5e1412e3ef769df8e4826d0aedabaa3aa0d631), epiphany fails to launch: no
> >> window appears, although GNOME Shell shows an empty outline in overview
> >> mode, as if there's a window but it has never been painted.
> >>
> >> When running 'epiphany' from the command line, I see the following
> >> warning from 'bwrap', which indicates that it's looking in /usr/bin:
> >
> > I see exactly the same behavior with 'eolie': the window never appears
> > (except for an outline in GNOME Shell's overview mode), and I see the
> > same warning:
> >
> >   "bwrap: Can't find source path /usr/bin: No such file or directory"
> >
> > In both cases, if I try to close the phantom window from overview mode,
> > it informs me that the application is not responding, and I have to
> > force quit to make the phantom window go away.
> >
> >       Mark
>
> On my Guix system, epiphany with webkitgtk-2.32.0 seems to work fine
> (with Guix at commit 14392c77896561c5846c0f3a0588720792d61e95).
> The window appears and I can browse websites, and it doesn't print any
> error about 'bwrap'.
> I'm using StumpWM and not Gnome Shell; I don't know if it has an impact
> on epiphany's behavior.

It "works" for me on bb4f47a7f614eea78a8c8a0d3e5fc55bf4e52646, using Guix
System with Enlightenment. I get errors about not committing changes to
dconf and I'm unable to change settings in preferences. Does your system
have /bin/sh or /usr/bin/env? That's the only thing I have in /usr/bin.

-- 
Efraim Flashner <efraim@flashner.co.il> אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted
* bug#47628: webkitgtk-2.32.0 fails to launch without /usr/bin/env
From: Mark H Weaver @ 2021-04-08 14:19 UTC
To: Efraim Flashner, Guillaume Le Vaillant; +Cc: 47628

retitle 47628 webkitgtk-2.32.0 fails to launch without /usr/bin/env
thanks

Hi Efraim,

Efraim Flashner <efraim@flashner.co.il> writes:

> It "works" for me on bb4f47a7f614eea78a8c8a0d3e5fc55bf4e52646, using Guix
> System with Enlightenment. I get errors about not committing changes to
> dconf and I'm unable to change settings in preferences. Does your system
> have /bin/sh or /usr/bin/env? That's the only thing I have in /usr/bin.

That's it! I have /bin/sh but not /usr/bin/env. Adding /usr/bin/env
fixes the problem for me.

It would be good to eliminate that dependency. If webkitgtk is using
/usr/bin/env from within its sandbox, that's worrisome. I want it using
software components determined at build time. I do *not* want it
searching in PATH for things.

To be continued...

      Mark
* bug#47628: webkitgtk-2.32.0 fails to launch without /usr/bin
From: Mark H Weaver @ 2021-04-08 14:32 UTC
To: Efraim Flashner, Guillaume Le Vaillant; +Cc: 47628

retitle 47628 webkitgtk-2.32.0 fails to launch without /usr/bin
thanks

Earlier, I wrote:

> That's it! I have /bin/sh but not /usr/bin/env. Adding /usr/bin/env
> fixes the problem for me.

Actually, it suffices for /usr/bin to exist as an empty directory.
/usr/bin/env is never actually used.

      Mark
* bug#47628: webkitgtk-2.32.0 fails to launch without /usr/bin
From: Mark H Weaver @ 2021-04-08 15:07 UTC
To: Efraim Flashner, Guillaume Le Vaillant; +Cc: 47628

I suspect that the relevant bit that needs to be changed is line 779 of
the following file in the webkitgtk-2.32.0 source code:

  Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp

Most likely, that line can simply be deleted. Here's the relevant
excerpt, with line 779 marked by "==>":

--8<---------------cut here---------------start------------->8---
GRefPtr<GSubprocess> bubblewrapSpawn(GSubprocessLauncher* launcher, const ProcessLauncher::LaunchOptions& launchOptions, char** argv, GError **error)
{
    ASSERT(launcher);

    // For now we are just considering the network process trusted as it
    // requires a lot of access but doesn't execute arbitrary code like
    // the WebProcess where our focus lies.
    if (launchOptions.processType == ProcessLauncher::ProcessType::Network)
        return adoptGRef(g_subprocess_launcher_spawnv(launcher, argv, error));

    const char* runDir = g_get_user_runtime_dir();
    Vector<CString> sandboxArgs = {
        "--die-with-parent",
        "--unshare-pid",
        "--unshare-uts",

        // We assume /etc has safe permissions.
        // At a later point we can start masking privacy-concerning files.
        "--ro-bind", "/etc", "/etc",
        "--dev", "/dev",
        "--proc", "/proc",
        "--tmpfs", "/tmp",
        "--unsetenv", "TMPDIR",
        "--dir", runDir,
        "--setenv", "XDG_RUNTIME_DIR", runDir,
        "--symlink", "../run", "/var/run",
        "--symlink", "../tmp", "/var/tmp",
        "--ro-bind", "/sys/block", "/sys/block",
        "--ro-bind", "/sys/bus", "/sys/bus",
        "--ro-bind", "/sys/class", "/sys/class",
        "--ro-bind", "/sys/dev", "/sys/dev",
        "--ro-bind", "/sys/devices", "/sys/devices",

        "--ro-bind-try", "/usr/share", "/usr/share",
        "--ro-bind-try", "/usr/local/share", "/usr/local/share",
        "--ro-bind-try", DATADIR, DATADIR,

        // Bind mount the store inside the WebKitGTK sandbox.
        "--ro-bind", "@storedir@", "@storedir@",

        // We only grant access to the libdirs webkit is built with and
        // guess system libdirs. This will always have some edge cases.
        "--ro-bind-try", "/lib", "/lib",
        "--ro-bind-try", "/usr/lib", "/usr/lib",
        "--ro-bind-try", "/usr/local/lib", "/usr/local/lib",
        "--ro-bind-try", LIBDIR, LIBDIR,
        "--ro-bind-try", "/lib64", "/lib64",
        "--ro-bind-try", "/usr/lib64", "/usr/lib64",
        "--ro-bind-try", "/usr/local/lib64", "/usr/local/lib64",

        "--ro-bind-try", PKGLIBEXECDIR, PKGLIBEXECDIR,
    };

    if (launchOptions.processType == ProcessLauncher::ProcessType::DBusProxy) {
        sandboxArgs.appendVector(Vector<CString>({
==>         "--ro-bind", "/usr/bin", "/usr/bin",
            // This is a lot of access, but xdg-dbus-proxy is trusted so that's OK. It's sandboxed
            // only because we have to mount .flatpak-info in its mount namespace. The user rundir
            // is where we mount our proxy socket.
            "--bind", runDir, runDir,
        }));
    } else {
        // xdg-dbus-proxy needs access to host abstract sockets to connect to the a11y bus. Secure
        // host services must not use abstract sockets. Otherwise, only the network process should
        // have network access, and the network process is not sandboxed at all.
        sandboxArgs.appendVector(Vector<CString>({
            "--unshare-net"
        }));
    }
--8<---------------cut here---------------end--------------->8---

      Mark
* bug#47628: webkitgtk-2.32.0 fails to launch without /usr/bin
From: Efraim Flashner @ 2021-04-09 10:09 UTC
To: Mark H Weaver; +Cc: 47628

On Thu, Apr 08, 2021 at 11:07:31AM -0400, Mark H Weaver wrote:
> I suspect that the relevant bit that needs to be changed is line 779 of
> the following file in the webkitgtk-2.32.0 source code:
>
>   Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp
>
> Most likely, that line can simply be deleted. Here's the relevant
> excerpt, with line 779 marked by "==>":

Looking at the other lines above it, we could just change it from
ro-bind to ro-bind-try.

>
> --8<---------------cut here---------------start------------->8---
> GRefPtr<GSubprocess> bubblewrapSpawn(GSubprocessLauncher* launcher, const ProcessLauncher::LaunchOptions& launchOptions, char** argv, GError **error)
> {
>     ASSERT(launcher);
>
>     // For now we are just considering the network process trusted as it
>     // requires a lot of access but doesn't execute arbitrary code like
>     // the WebProcess where our focus lies.
>     if (launchOptions.processType == ProcessLauncher::ProcessType::Network)
>         return adoptGRef(g_subprocess_launcher_spawnv(launcher, argv, error));
>
>     const char* runDir = g_get_user_runtime_dir();
>     Vector<CString> sandboxArgs = {
>         "--die-with-parent",
>         "--unshare-pid",
>         "--unshare-uts",
>
>         // We assume /etc has safe permissions.
>         // At a later point we can start masking privacy-concerning files.
>         "--ro-bind", "/etc", "/etc",
>         "--dev", "/dev",
>         "--proc", "/proc",
>         "--tmpfs", "/tmp",
>         "--unsetenv", "TMPDIR",
>         "--dir", runDir,
>         "--setenv", "XDG_RUNTIME_DIR", runDir,
>         "--symlink", "../run", "/var/run",
>         "--symlink", "../tmp", "/var/tmp",
>         "--ro-bind", "/sys/block", "/sys/block",
>         "--ro-bind", "/sys/bus", "/sys/bus",
>         "--ro-bind", "/sys/class", "/sys/class",
>         "--ro-bind", "/sys/dev", "/sys/dev",
>         "--ro-bind", "/sys/devices", "/sys/devices",
>
>         "--ro-bind-try", "/usr/share", "/usr/share",
>         "--ro-bind-try", "/usr/local/share", "/usr/local/share",
>         "--ro-bind-try", DATADIR, DATADIR,
>
>         // Bind mount the store inside the WebKitGTK sandbox.
>         "--ro-bind", "@storedir@", "@storedir@",
>
>         // We only grant access to the libdirs webkit is built with and
>         // guess system libdirs. This will always have some edge cases.
>         "--ro-bind-try", "/lib", "/lib",
>         "--ro-bind-try", "/usr/lib", "/usr/lib",
>         "--ro-bind-try", "/usr/local/lib", "/usr/local/lib",
>         "--ro-bind-try", LIBDIR, LIBDIR,
>         "--ro-bind-try", "/lib64", "/lib64",
>         "--ro-bind-try", "/usr/lib64", "/usr/lib64",
>         "--ro-bind-try", "/usr/local/lib64", "/usr/local/lib64",
>
>         "--ro-bind-try", PKGLIBEXECDIR, PKGLIBEXECDIR,
>     };
>
>     if (launchOptions.processType == ProcessLauncher::ProcessType::DBusProxy) {
>         sandboxArgs.appendVector(Vector<CString>({
> ==>         "--ro-bind", "/usr/bin", "/usr/bin",
>             // This is a lot of access, but xdg-dbus-proxy is trusted so that's OK. It's sandboxed
>             // only because we have to mount .flatpak-info in its mount namespace. The user rundir
>             // is where we mount our proxy socket.
>             "--bind", runDir, runDir,
>         }));
>     } else {
>         // xdg-dbus-proxy needs access to host abstract sockets to connect to the a11y bus. Secure
>         // host services must not use abstract sockets. Otherwise, only the network process should
>         // have network access, and the network process is not sandboxed at all.
>         sandboxArgs.appendVector(Vector<CString>({
>             "--unshare-net"
>         }));
>     }
> --8<---------------cut here---------------end--------------->8---
>
>       Mark

-- 
Efraim Flashner <efraim@flashner.co.il>
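The two fixes discussed so far (Mark's suggestion to delete the `--ro-bind /usr/bin` line, Efraim's to make it `--ro-bind-try`) turn on one property of bubblewrap: a mandatory bind whose host source is missing makes `bwrap` abort before the sandboxed process starts, while a `*-try` bind is silently skipped. The following is an added example, not code from WebKitGTK or from Guix: a preflight checker that walks an argument vector shaped like the one `bubblewrapSpawn()` builds and reports which binds would be fatal on a given host, plus a trimming pass that drops every bind under an FHS prefix, which is the approach Mark's patch later in the thread takes. The store path `/gnu/store`, the `example-webkitgtk` paths standing in for `LIBDIR`, `DATADIR` and `PKGLIBEXECDIR`, and the simulated "pure Guix" host in `pureGuixHostHas()` are all constructed assumptions; the function names are mine, not WebKit's.

```cpp
// Added example (not WebKitGTK's or Guix's code): preflight a bwrap argument
// vector.  bwrap aborts when the host source of a mandatory bind (--ro-bind,
// --bind, --dev-bind) is missing, which is the "Can't find source path
// /usr/bin" failure in this thread; the *-try variants skip it silently.
#include <cstdio>
#include <functional>
#include <map>
#include <string>
#include <vector>
#include <sys/stat.h>

struct PreflightResult {
    std::vector<std::string> fatalMissing;     // mandatory bind sources absent: bwrap would abort
    std::vector<std::string> skippedOptional;  // *-try sources absent: silently left out of the sandbox
};

// Number of operands each bwrap option consumes (only the options seen on this page).
static const std::map<std::string, int> kArity = {
    {"--die-with-parent", 0}, {"--unshare-pid", 0}, {"--unshare-uts", 0}, {"--unshare-net", 0},
    {"--dev", 1}, {"--proc", 1}, {"--tmpfs", 1}, {"--unsetenv", 1}, {"--dir", 1},
    {"--setenv", 2}, {"--symlink", 2},
    {"--ro-bind", 2}, {"--bind", 2}, {"--dev-bind", 2},
    {"--ro-bind-try", 2}, {"--bind-try", 2}, {"--dev-bind-try", 2},
};

static bool isMandatoryBind(const std::string& o) { return o == "--ro-bind" || o == "--bind" || o == "--dev-bind"; }
static bool isOptionalBind(const std::string& o) { return o == "--ro-bind-try" || o == "--bind-try" || o == "--dev-bind-try"; }
static int arityOf(const std::string& o) { auto it = kArity.find(o); return it == kArity.end() ? 0 : it->second; }

// Real host check; the simulated host below is injected instead when testing.
static bool hostPathExists(const std::string& p) { struct stat st; return ::stat(p.c_str(), &st) == 0; }

// Walk the vector and classify every bind whose host source is missing.
PreflightResult preflightBwrapArgs(const std::vector<std::string>& args,
                                   const std::function<bool(const std::string&)>& exists = hostPathExists) {
    PreflightResult r;
    for (size_t i = 0; i < args.size();) {
        const std::string& opt = args[i];
        int arity = arityOf(opt);
        if (i + arity >= args.size()) break;  // truncated operand list: nothing left to check
        if (isMandatoryBind(opt) || isOptionalBind(opt)) {
            const std::string& src = args[i + 1];
            if (!exists(src)) (isMandatoryBind(opt) ? r.fatalMissing : r.skippedOptional).push_back(src);
        }
        i += 1 + arity;
    }
    return r;
}

// The approach Mark's patch takes: drop every bind whose host source is under a
// conventional FHS prefix, so only build-time directories (the store, LIBDIR,
// DATADIR, PKGLIBEXECDIR) and the non-FHS binds (/etc, /sys/...) remain.
std::vector<std::string> stripFhsBinds(const std::vector<std::string>& args,
                                       const std::vector<std::string>& fhsPrefixes = {"/usr", "/lib", "/lib64"}) {
    std::vector<std::string> out;
    for (size_t i = 0; i < args.size();) {
        int arity = arityOf(args[i]);
        if (i + arity >= args.size()) { out.insert(out.end(), args.begin() + i, args.end()); break; }
        bool drop = false;
        if (isMandatoryBind(args[i]) || isOptionalBind(args[i])) {
            const std::string& src = args[i + 1];
            for (const auto& p : fhsPrefixes)
                if (src == p || src.compare(0, p.size() + 1, p + "/") == 0) drop = true;
        }
        if (!drop) out.insert(out.end(), args.begin() + i, args.begin() + i + 1 + arity);
        i += 1 + arity;
    }
    return out;
}

// Constructed sample: the 2.32.0 argument list from the excerpt, abbreviated,
// with the build-time macros replaced by assumed Guix-style store paths.
std::vector<std::string> sampleSandboxArgs() {
    const std::string storeDir = "/gnu/store";                                         // @storedir@
    const std::string libDir = "/gnu/store/example-webkitgtk/lib";                     // LIBDIR (assumed)
    const std::string dataDir = "/gnu/store/example-webkitgtk/share";                  // DATADIR (assumed)
    const std::string pkgLibexec = "/gnu/store/example-webkitgtk/libexec/webkit2gtk";  // PKGLIBEXECDIR (assumed)
    return {
        "--die-with-parent", "--unshare-pid", "--unshare-uts",
        "--ro-bind", "/etc", "/etc", "--dev", "/dev", "--proc", "/proc", "--tmpfs", "/tmp",
        "--ro-bind-try", "/usr/share", "/usr/share", "--ro-bind-try", dataDir, dataDir,
        "--ro-bind", storeDir, storeDir,
        "--ro-bind-try", "/lib", "/lib", "--ro-bind-try", "/usr/lib", "/usr/lib",
        "--ro-bind-try", libDir, libDir, "--ro-bind-try", "/lib64", "/lib64",
        "--ro-bind-try", pkgLibexec, pkgLibexec,
        "--ro-bind", "/usr/bin", "/usr/bin",  // the line marked ==> in the thread
        "--unshare-net",
    };
}

// Simulated pure Guix System host: /etc, /dev, /proc, /tmp and the store exist, no FHS dirs.
bool pureGuixHostHas(const std::string& p) {
    for (const std::string q : {"/etc", "/dev", "/proc", "/tmp", "/gnu/store"})
        if (p == q || p.compare(0, q.size() + 1, q + "/") == 0) return true;
    return false;
}

int main() {
    PreflightResult before = preflightBwrapArgs(sampleSandboxArgs(), pureGuixHostHas);
    for (const auto& s : before.fatalMissing) std::printf("bwrap would abort: missing %s\n", s.c_str());
    for (const auto& s : before.skippedOptional) std::printf("optional bind skipped: %s\n", s.c_str());
    PreflightResult after = preflightBwrapArgs(stripFhsBinds(sampleSandboxArgs()), pureGuixHostHas);
    std::printf("after trimming FHS binds: %zu fatal, %zu skipped\n", after.fatalMissing.size(), after.skippedOptional.size());
    return 0;
}
```

Run against the simulated host, the untouched vector reports `/usr/bin` as the one fatal bind (the `*-try` entries for `/usr/share`, `/lib`, `/usr/lib` and `/lib64` are merely skipped), and the trimmed vector reports nothing at all: every remaining source is either `/etc` or a store path known at build time. Calling `preflightBwrapArgs()` without the second argument checks the real filesystem, which is the form a packager would run before shipping a sandbox argument list.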
* bug#47628: webkitgtk-2.32.0 fails to launch without /usr/bin
From: Mark H Weaver @ 2021-04-13 19:22 UTC
To: Efraim Flashner; +Cc: 47628

Hi Efraim,

Efraim Flashner <efraim@flashner.co.il> writes:

> On Thu, Apr 08, 2021 at 11:07:31AM -0400, Mark H Weaver wrote:
>> I suspect that the relevant bit that needs to be changed is line 779 of
>> the following file in the webkitgtk-2.32.0 source code:
>>
>>   Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp
>>
>> Most likely, that line can simply be deleted. Here's the relevant
>> excerpt, with line 779 marked by "==>":
>
> Looking at the other lines above it, we could just change it from
> ro-bind to ro-bind-try.

I expect that would work, but why should we give the sandbox access to
/usr/bin at all? I took a different approach: I removed access to *all*
of the FHS directories, since they should not be needed for a
Guix-compiled package.

Below, I've attached the patch that I'm currently using successfully on
my private branch of Guix.

What do you think?

     Thanks,
       Mark

From 4a10e1deb63d1b2227a0bcc60a17ddb9af7b8cc3 Mon Sep 17 00:00:00 2001
From: Mark H Weaver <mhw@netris.org>
Date: Thu, 8 Apr 2021 11:27:55 -0400
Subject: [PATCH] DRAFT: gnu: webkitgtk: Trim system dirs made available to sandbox.

* gnu/packages/patches/webkitgtk-share-store.patch: Adjust patch.
---
 .../patches/webkitgtk-share-store.patch | 46 ++++++++++++++-----
 1 file changed, 34 insertions(+), 12 deletions(-)
diff --git a/gnu/packages/patches/webkitgtk-share-store.patch b/gnu/packages/patches/webkitgtk-share-store.patch index 053d86fcf4..c02157076e 100644 --- a/gnu/packages/patches/webkitgtk-share-store.patch +++ b/gnu/packages/patches/webkitgtk-share-store.patch @@ -1,19 +1,41 @@ -Tell bubblewrap to share the store. Required for programs that use the +Tell bubblewrap to share the store, and _not_ to share traditional FHS +directories that are not used in Guix. Required for programs that use the sandboxing features such as Epiphany. -See <https://bugs.gnu.org/40837>. -Author: Jack Hill <jackhill@jackhill.us> ---- +See <https://bugs.gnu.org/40837> and <https://bugs.gnu.org/47628>. +Authors: Jack Hill <jackhill@jackhill.us> and Mark H Weaver <mhw@netris.org>. + diff --git a/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp b/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp --- a/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp 
+++ b/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp -@@ -737,6 +737,9 @@ GRefPtr<GSubprocess> bubblewrapSpawn(GSubprocessLauncher* launcher, const Proces - "--ro-bind-try", "/usr/local/share", "/usr/local/share", +@@ -749,26 +749,18 @@ + "--ro-bind", "/sys/dev", "/sys/dev", + "--ro-bind", "/sys/devices", "/sys/devices", + +- "--ro-bind-try", "/usr/share", "/usr/share", +- "--ro-bind-try", "/usr/local/share", "/usr/local/share", "--ro-bind-try", DATADIR, DATADIR, -+ // Bind mount the store inside the WebKitGTK sandbox. -+ "--ro-bind", "@storedir@", "@storedir@", -+ - // We only grant access to the libdirs webkit is built with and - // guess system libdirs. This will always have some edge cases. - "--ro-bind-try", "/lib", "/lib", +- // We only grant access to the libdirs webkit is built with and +- // guess system libdirs. This will always have some edge cases. +- "--ro-bind-try", "/lib", "/lib", +- "--ro-bind-try", "/usr/lib", "/usr/lib", +- "--ro-bind-try", "/usr/local/lib", "/usr/local/lib", +- "--ro-bind-try", LIBDIR, LIBDIR, +- "--ro-bind-try", "/lib64", "/lib64", +- "--ro-bind-try", "/usr/lib64", "/usr/lib64", +- "--ro-bind-try", "/usr/local/lib64", "/usr/local/lib64", ++ // Bind mount the store inside the WebKitGTK sandbox. ++ "--ro-bind", "@storedir@", "@storedir@", + ++ // We only grant access to the libdirs webkit is built with. ++ "--ro-bind-try", LIBDIR, LIBDIR, + "--ro-bind-try", PKGLIBEXECDIR, PKGLIBEXECDIR, + }; + + if (launchOptions.processType == ProcessLauncher::ProcessType::DBusProxy) { + sandboxArgs.appendVector(Vector<CString>({ +- "--ro-bind", "/usr/bin", "/usr/bin", + // This is a lot of access, but xdg-dbus-proxy is trusted so that's OK. It's sandboxed + // only because we have to mount .flatpak-info in its mount namespace. The user rundir + // is where we mount our proxy socket. -- 2.31.1 ^ permalink raw reply related [flat|nested] 11+ messages in thread
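Review bot: the comment kept as context under the DBusProxy branch ("This is a lot of access, but xdg-dbus-proxy is trusted so that's OK...") was written to justify the `"--ro-bind", "/usr/bin", "/usr/bin"` line that the `-` line removes, so after this change it reads as a justification for the remaining `"--bind", runDir, runDir` only; either reword it or state in the patch header the assumption that makes dropping /usr/bin safe, namely that xdg-dbus-proxy and every library it loads come from @storedir@, which stays mounted via the `--ro-bind "@storedir@"` line. Also, because this is a patch of a patch, the inner hunk header `@@ -749,26 +749,18 @@` has no function-name context where the old `@@ -737,6 +737,9 @@ GRefPtr<GSubprocess> bubblewrapSpawn(...)` header did, and `patch` rejects a hunk whose line counts do not match the 2.32.0 source, so the counts should be verified against the tarball on every webkitgtk update rather than discovered at build time.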
* bug#47628: webkitgtk-2.32.0 fails to launch without /usr/bin
From: Efraim Flashner @ 2021-04-14 15:22 UTC
To: Mark H Weaver; +Cc: 47628

On Tue, Apr 13, 2021 at 03:22:47PM -0400, Mark H Weaver wrote:
> Hi Efraim,
>
> Efraim Flashner <efraim@flashner.co.il> writes:
>
> > On Thu, Apr 08, 2021 at 11:07:31AM -0400, Mark H Weaver wrote:
> >> I suspect that the relevant bit that needs to be changed is line 779 of
> >> the following file in the webkitgtk-2.32.0 source code:
> >>
> >>   Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp
> >>
> >> Most likely, that line can simply be deleted. Here's the relevant
> >> excerpt, with line 779 marked by "==>":
> >
> > Looking at the other lines above it, we could just change it from
> > ro-bind to ro-bind-try.
>
> I expect that would work, but why should we give the sandbox access to
> /usr/bin at all? I took a different approach: I removed access to *all*
> of the FHS directories, since they should not be needed for a
> Guix-compiled package.
>
> Below, I've attached the patch that I'm currently using successfully on
> my private branch of Guix.
>
> What do you think?
>

Since we should be linking to any libraries we need anyway and patching
any calls out to other binaries then I suppose this should work. I
suggested ro-bind-try to minimize the patch size.

-- 
Efraim Flashner <efraim@flashner.co.il>
* bug#47628: webkitgtk-2.32.0 fails to launch without /usr/bin
From: Maxim Cournoyer @ 2022-03-18 2:47 UTC
To: Mark H Weaver; +Cc: 47628-done

Hi Mark,

Mark H Weaver <mhw@netris.org> writes:

> Hi Efraim,
>
> Efraim Flashner <efraim@flashner.co.il> writes:
>
>> On Thu, Apr 08, 2021 at 11:07:31AM -0400, Mark H Weaver wrote:
>>> I suspect that the relevant bit that needs to be changed is line 779 of
>>> the following file in the webkitgtk-2.32.0 source code:
>>>
>>>   Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp
>>>
>>> Most likely, that line can simply be deleted. Here's the relevant
>>> excerpt, with line 779 marked by "==>":
>>
>> Looking at the other lines above it, we could just change it from
>> ro-bind to ro-bind-try.
>
> I expect that would work, but why should we give the sandbox access to
> /usr/bin at all? I took a different approach: I removed access to *all*
> of the FHS directories, since they should not be needed for a
> Guix-compiled package.
>
> Below, I've attached the patch that I'm currently using successfully on
> my private branch of Guix.
>
> What do you think?

Our webkitgtk package is patched in such a way (and more) since commit
b9a4705f80e89fff3b65288cbbe8df73a365aee3.

Thanks,

Maxim