unofficial mirror of bug-guix@gnu.org 
 help / color / mirror / code / Atom feed
* bug#47628: Epiphany fails to launch after webkitgtk-2.32.0 update
@ 2021-04-06 22:46 Mark H Weaver
  2021-04-06 23:04 ` bug#47628: webkitgtk-2.32.0 is broken on my system (was Re: bug#47628: Epiphany fails to launch after webkitgtk-2.32.0 update) Mark H Weaver
  0 siblings, 1 reply; 11+ messages in thread
From: Mark H Weaver @ 2021-04-06 22:46 UTC (permalink / raw)
  To: 47628

FYI, since updating to webkitgtk-2.32.0 (commit
3c5e1412e3ef769df8e4826d0aedabaa3aa0d631), epiphany fails to launch: no
window appears, although GNOME Shell shows an empty outline in overview
mode, as if there's a window but it has never been painted.

When running 'epiphany' from the command line, I see the followin
warning from 'bwrap', which indicates that it's looking in /usr/bin:

--8<---------------cut here---------------start------------->8---
mhw@jojen ~$ epiphany

** (epiphany:1016): WARNING **: 18:36:48.495: Registering special URI scheme ftp is no longer allowed
bwrap: Can't find source path /usr/bin: No such file or directory
--8<---------------cut here---------------end--------------->8---

I wonder if this only works when Guix is run on top of a more
traditional OS that has /usr/bin.

Is anyone successfully able to use Epiphany on a pure Guix system
(without /usr/bin) with Webkitgtk-2.32.0?  (The Webkitgtk version is
shown in the "About Web" window, which is accessible from the hamburger
menu.

      Mark




^ permalink raw reply	[flat|nested] 11+ messages in thread

* bug#47628: webkitgtk-2.32.0 is broken on my system (was Re: bug#47628: Epiphany fails to launch after webkitgtk-2.32.0 update)
  2021-04-06 22:46 bug#47628: Epiphany fails to launch after webkitgtk-2.32.0 update Mark H Weaver
@ 2021-04-06 23:04 ` Mark H Weaver
  2021-04-07  7:35   ` bug#47628: webkitgtk-2.32.0 is broken on my system Guillaume Le Vaillant
  0 siblings, 1 reply; 11+ messages in thread
From: Mark H Weaver @ 2021-04-06 23:04 UTC (permalink / raw)
  To: 47628

retitle 47628 webkitgtk-2.32.0 is broken on my system
thanks

Mark H Weaver <mhw@netris.org> writes:

> FYI, since updating to webkitgtk-2.32.0 (commit
> 3c5e1412e3ef769df8e4826d0aedabaa3aa0d631), epiphany fails to launch: no
> window appears, although GNOME Shell shows an empty outline in overview
> mode, as if there's a window but it has never been painted.
>
> When running 'epiphany' from the command line, I see the followin
> warning from 'bwrap', which indicates that it's looking in /usr/bin:

I see exactly the same behavior with 'eolie': the window never appears,
(except for an outline in GNOME Shell's overview mode), and I see the
same warning:

  "bwrap: Can't find source path /usr/bin: No such file or directory"

In both cases, if I try to close the phantom window from overview mode,
it informs me that the application is not responding, and I have to
force quit to make the phantom window go away.

       Mark




^ permalink raw reply	[flat|nested] 11+ messages in thread

* bug#47628: webkitgtk-2.32.0 is broken on my system
  2021-04-06 23:04 ` bug#47628: webkitgtk-2.32.0 is broken on my system (was Re: bug#47628: Epiphany fails to launch after webkitgtk-2.32.0 update) Mark H Weaver
@ 2021-04-07  7:35   ` Guillaume Le Vaillant
  2021-04-08  8:22     ` Efraim Flashner
  0 siblings, 1 reply; 11+ messages in thread
From: Guillaume Le Vaillant @ 2021-04-07  7:35 UTC (permalink / raw)
  To: Mark H Weaver; +Cc: 47628

[-- Attachment #1: Type: text/plain, Size: 1330 bytes --]

Mark H Weaver <mhw@netris.org> skribis:

> retitle 47628 webkitgtk-2.32.0 is broken on my system
> thanks
>
> Mark H Weaver <mhw@netris.org> writes:
>
>> FYI, since updating to webkitgtk-2.32.0 (commit
>> 3c5e1412e3ef769df8e4826d0aedabaa3aa0d631), epiphany fails to launch: no
>> window appears, although GNOME Shell shows an empty outline in overview
>> mode, as if there's a window but it has never been painted.
>>
>> When running 'epiphany' from the command line, I see the followin
>> warning from 'bwrap', which indicates that it's looking in /usr/bin:
>
> I see exactly the same behavior with 'eolie': the window never appears,
> (except for an outline in GNOME Shell's overview mode), and I see the
> same warning:
>
>   "bwrap: Can't find source path /usr/bin: No such file or directory"
>
> In both cases, if I try to close the phantom window from overview mode,
> it informs me that the application is not responding, and I have to
> force quit to make the phantom window go away.
>
>        Mark

On my Guix system, epiphany with webkitgtk-2.32.0 seems to work fine
(with Guix at commit 14392c77896561c5846c0f3a0588720792d61e95).
The window appears and I can browse websites, and it doesn't print any
error about 'bwrap'.
I'm using StumpWM and not Gnome Shell; I don't know if it has an impact
on epiphany's behavior.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 247 bytes --]

^ permalink raw reply	[flat|nested] 11+ messages in thread

* bug#47628: webkitgtk-2.32.0 is broken on my system
  2021-04-07  7:35   ` bug#47628: webkitgtk-2.32.0 is broken on my system Guillaume Le Vaillant
@ 2021-04-08  8:22     ` Efraim Flashner
  2021-04-08 14:19       ` bug#47628: webkitgtk-2.32.0 fails to launch without /usr/bin/env Mark H Weaver
  0 siblings, 1 reply; 11+ messages in thread
From: Efraim Flashner @ 2021-04-08  8:22 UTC (permalink / raw)
  To: Guillaume Le Vaillant; +Cc: 47628

[-- Attachment #1: Type: text/plain, Size: 2011 bytes --]

On Wed, Apr 07, 2021 at 09:35:48AM +0200, Guillaume Le Vaillant wrote:
> Mark H Weaver <mhw@netris.org> skribis:
> 
> > retitle 47628 webkitgtk-2.32.0 is broken on my system
> > thanks
> >
> > Mark H Weaver <mhw@netris.org> writes:
> >
> >> FYI, since updating to webkitgtk-2.32.0 (commit
> >> 3c5e1412e3ef769df8e4826d0aedabaa3aa0d631), epiphany fails to launch: no
> >> window appears, although GNOME Shell shows an empty outline in overview
> >> mode, as if there's a window but it has never been painted.
> >>
> >> When running 'epiphany' from the command line, I see the followin
> >> warning from 'bwrap', which indicates that it's looking in /usr/bin:
> >
> > I see exactly the same behavior with 'eolie': the window never appears,
> > (except for an outline in GNOME Shell's overview mode), and I see the
> > same warning:
> >
> >   "bwrap: Can't find source path /usr/bin: No such file or directory"
> >
> > In both cases, if I try to close the phantom window from overview mode,
> > it informs me that the application is not responding, and I have to
> > force quit to make the phantom window go away.
> >
> >        Mark
> 
> On my Guix system, epiphany with webkitgtk-2.32.0 seems to work fine
> (with Guix at commit 14392c77896561c5846c0f3a0588720792d61e95).
> The window appears and I can browse websites, and it doesn't print any
> error about 'bwrap'.
> I'm using StumpWM and not Gnome Shell; I don't know if it has an impact
> on epiphany's behavior.

It "works" for me on bb4f47a7f614eea78a8c8a0d3e5fc55bf4e52646, using Guix
System with Enlightenment. I get errors about not committing changes to
dconf and I'm unable to change settings in preferences. Does your system
have /bin/sh or /usr/bin/env? That's the only thing I have in /usr/bin.

-- 
Efraim Flashner   <efraim@flashner.co.il>   אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D  14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

^ permalink raw reply	[flat|nested] 11+ messages in thread

* bug#47628: webkitgtk-2.32.0 fails to launch without /usr/bin/env
  2021-04-08  8:22     ` Efraim Flashner
@ 2021-04-08 14:19       ` Mark H Weaver
  2021-04-08 14:32         ` bug#47628: webkitgtk-2.32.0 fails to launch without /usr/bin Mark H Weaver
  0 siblings, 1 reply; 11+ messages in thread
From: Mark H Weaver @ 2021-04-08 14:19 UTC (permalink / raw)
  To: Efraim Flashner, Guillaume Le Vaillant; +Cc: 47628

retitle 47628 webkitgtk-2.32.0 fails to launch without /usr/bin/env
thanks

Hi Efraim,

Efraim Flashner <efraim@flashner.co.il> writes:
> It "works" for me on bb4f47a7f614eea78a8c8a0d3e5fc55bf4e52646, using Guix
> System with Enlightenment. I get errors about not committing changes to
> dconf and I'm unable to change settings in preferences. Does your system
> have /bin/sh or /usr/bin/env? That's the only thing I have in /usr/bin.

That's it!  I have /bin/sh but not /usr/bin/env.  Adding /usr/bin/env
fixes the problem for me.

It would be good to eliminate that dependency.  If webkitgtk is using
/usr/bin/env from within its sandbox, that's worrisome.  I want it using
software components determined at build time.  I do *not* want it
searching in PATH for things.

To be continued...

     Mark




^ permalink raw reply	[flat|nested] 11+ messages in thread

* bug#47628: webkitgtk-2.32.0 fails to launch without /usr/bin
  2021-04-08 14:19       ` bug#47628: webkitgtk-2.32.0 fails to launch without /usr/bin/env Mark H Weaver
@ 2021-04-08 14:32         ` Mark H Weaver
  2021-04-08 15:07           ` Mark H Weaver
  0 siblings, 1 reply; 11+ messages in thread
From: Mark H Weaver @ 2021-04-08 14:32 UTC (permalink / raw)
  To: Efraim Flashner, Guillaume Le Vaillant; +Cc: 47628

retitle 47628 webkitgtk-2.32.0 fails to launch without /usr/bin
thanks

Earlier, I wrote:
> That's it!  I have /bin/sh but not /usr/bin/env.  Adding /usr/bin/env
> fixes the problem for me.

Actually, it suffices for /usr/bin to exist as an empty directory.
/usr/bin/env is never actually used.

       Mark




^ permalink raw reply	[flat|nested] 11+ messages in thread

* bug#47628: webkitgtk-2.32.0 fails to launch without /usr/bin
  2021-04-08 14:32         ` bug#47628: webkitgtk-2.32.0 fails to launch without /usr/bin Mark H Weaver
@ 2021-04-08 15:07           ` Mark H Weaver
  2021-04-09 10:09             ` Efraim Flashner
  0 siblings, 1 reply; 11+ messages in thread
From: Mark H Weaver @ 2021-04-08 15:07 UTC (permalink / raw)
  To: Efraim Flashner, Guillaume Le Vaillant; +Cc: 47628

I suspect that the relevant bit that needs to be changed is line 779 of
the following file in the webkitgtk-2.32.0 source code:

  Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp

Most likely, that line can simply be deleted.  Here's the relevant
excerpt, with line 779 marked by "==>":

--8<---------------cut here---------------start------------->8---
GRefPtr<GSubprocess> bubblewrapSpawn(GSubprocessLauncher* launcher, const ProcessLauncher::LaunchOptions& launchOptions, char** argv, GError **error)
{
    ASSERT(launcher);

    // For now we are just considering the network process trusted as it
    // requires a lot of access but doesn't execute arbitrary code like
    // the WebProcess where our focus lies.
    if (launchOptions.processType == ProcessLauncher::ProcessType::Network)
        return adoptGRef(g_subprocess_launcher_spawnv(launcher, argv, error));

    const char* runDir = g_get_user_runtime_dir();
    Vector<CString> sandboxArgs = {
        "--die-with-parent",
        "--unshare-pid",
        "--unshare-uts",

        // We assume /etc has safe permissions.
        // At a later point we can start masking privacy-concerning files.
        "--ro-bind", "/etc", "/etc",
        "--dev", "/dev",
        "--proc", "/proc",
        "--tmpfs", "/tmp",
        "--unsetenv", "TMPDIR",
        "--dir", runDir,
        "--setenv", "XDG_RUNTIME_DIR", runDir,
        "--symlink", "../run", "/var/run",
        "--symlink", "../tmp", "/var/tmp",
        "--ro-bind", "/sys/block", "/sys/block",
        "--ro-bind", "/sys/bus", "/sys/bus",
        "--ro-bind", "/sys/class", "/sys/class",
        "--ro-bind", "/sys/dev", "/sys/dev",
        "--ro-bind", "/sys/devices", "/sys/devices",

        "--ro-bind-try", "/usr/share", "/usr/share",
        "--ro-bind-try", "/usr/local/share", "/usr/local/share",
        "--ro-bind-try", DATADIR, DATADIR,

       // Bind mount the store inside the WebKitGTK sandbox.
       "--ro-bind", "@storedir@", "@storedir@",

        // We only grant access to the libdirs webkit is built with and
        // guess system libdirs. This will always have some edge cases.
        "--ro-bind-try", "/lib", "/lib",
        "--ro-bind-try", "/usr/lib", "/usr/lib",
        "--ro-bind-try", "/usr/local/lib", "/usr/local/lib",
        "--ro-bind-try", LIBDIR, LIBDIR,
        "--ro-bind-try", "/lib64", "/lib64",
        "--ro-bind-try", "/usr/lib64", "/usr/lib64",
        "--ro-bind-try", "/usr/local/lib64", "/usr/local/lib64",

        "--ro-bind-try", PKGLIBEXECDIR, PKGLIBEXECDIR,
    };

    if (launchOptions.processType == ProcessLauncher::ProcessType::DBusProxy) {
        sandboxArgs.appendVector(Vector<CString>({
==>         "--ro-bind", "/usr/bin", "/usr/bin",
            // This is a lot of access, but xdg-dbus-proxy is trusted so that's OK. It's sandboxed
            // only because we have to mount .flatpak-info in its mount namespace. The user rundir
            // is where we mount our proxy socket.
            "--bind", runDir, runDir,
        }));
    } else {
        // xdg-dbus-proxy needs access to host abstract sockets to connect to the a11y bus. Secure
        // host services must not use abstract sockets. Otherwise, only the network process should
        // have network access, and the network process is not sandboxed at all.
        sandboxArgs.appendVector(Vector<CString>({
            "--unshare-net"
        }));
    }
--8<---------------cut here---------------end--------------->8---

       Mark




^ permalink raw reply	[flat|nested] 11+ messages in thread

* bug#47628: webkitgtk-2.32.0 fails to launch without /usr/bin
  2021-04-08 15:07           ` Mark H Weaver
@ 2021-04-09 10:09             ` Efraim Flashner
  2021-04-13 19:22               ` Mark H Weaver
  0 siblings, 1 reply; 11+ messages in thread
From: Efraim Flashner @ 2021-04-09 10:09 UTC (permalink / raw)
  To: Mark H Weaver; +Cc: 47628

[-- Attachment #1: Type: text/plain, Size: 4125 bytes --]

On Thu, Apr 08, 2021 at 11:07:31AM -0400, Mark H Weaver wrote:
> I suspect that the relevant bit that needs to be changed is line 779 of
> the following file in the webkitgtk-2.32.0 source code:
> 
>   Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp
> 
> Most likely, that line can simply be deleted.  Here's the relevant
> excerpt, with line 779 marked by "==>":

Looking at the other lines above it, we could just change it from
ro-bind to ro-bind-try.

> 
> --8<---------------cut here---------------start------------->8---
> GRefPtr<GSubprocess> bubblewrapSpawn(GSubprocessLauncher* launcher, const ProcessLauncher::LaunchOptions& launchOptions, char** argv, GError **error)
> {
>     ASSERT(launcher);
> 
>     // For now we are just considering the network process trusted as it
>     // requires a lot of access but doesn't execute arbitrary code like
>     // the WebProcess where our focus lies.
>     if (launchOptions.processType == ProcessLauncher::ProcessType::Network)
>         return adoptGRef(g_subprocess_launcher_spawnv(launcher, argv, error));
> 
>     const char* runDir = g_get_user_runtime_dir();
>     Vector<CString> sandboxArgs = {
>         "--die-with-parent",
>         "--unshare-pid",
>         "--unshare-uts",
> 
>         // We assume /etc has safe permissions.
>         // At a later point we can start masking privacy-concerning files.
>         "--ro-bind", "/etc", "/etc",
>         "--dev", "/dev",
>         "--proc", "/proc",
>         "--tmpfs", "/tmp",
>         "--unsetenv", "TMPDIR",
>         "--dir", runDir,
>         "--setenv", "XDG_RUNTIME_DIR", runDir,
>         "--symlink", "../run", "/var/run",
>         "--symlink", "../tmp", "/var/tmp",
>         "--ro-bind", "/sys/block", "/sys/block",
>         "--ro-bind", "/sys/bus", "/sys/bus",
>         "--ro-bind", "/sys/class", "/sys/class",
>         "--ro-bind", "/sys/dev", "/sys/dev",
>         "--ro-bind", "/sys/devices", "/sys/devices",
> 
>         "--ro-bind-try", "/usr/share", "/usr/share",
>         "--ro-bind-try", "/usr/local/share", "/usr/local/share",
>         "--ro-bind-try", DATADIR, DATADIR,
> 
>        // Bind mount the store inside the WebKitGTK sandbox.
>        "--ro-bind", "@storedir@", "@storedir@",
> 
>         // We only grant access to the libdirs webkit is built with and
>         // guess system libdirs. This will always have some edge cases.
>         "--ro-bind-try", "/lib", "/lib",
>         "--ro-bind-try", "/usr/lib", "/usr/lib",
>         "--ro-bind-try", "/usr/local/lib", "/usr/local/lib",
>         "--ro-bind-try", LIBDIR, LIBDIR,
>         "--ro-bind-try", "/lib64", "/lib64",
>         "--ro-bind-try", "/usr/lib64", "/usr/lib64",
>         "--ro-bind-try", "/usr/local/lib64", "/usr/local/lib64",
> 
>         "--ro-bind-try", PKGLIBEXECDIR, PKGLIBEXECDIR,
>     };
> 
>     if (launchOptions.processType == ProcessLauncher::ProcessType::DBusProxy) {
>         sandboxArgs.appendVector(Vector<CString>({
> ==>         "--ro-bind", "/usr/bin", "/usr/bin",
>             // This is a lot of access, but xdg-dbus-proxy is trusted so that's OK. It's sandboxed
>             // only because we have to mount .flatpak-info in its mount namespace. The user rundir
>             // is where we mount our proxy socket.
>             "--bind", runDir, runDir,
>         }));
>     } else {
>         // xdg-dbus-proxy needs access to host abstract sockets to connect to the a11y bus. Secure
>         // host services must not use abstract sockets. Otherwise, only the network process should
>         // have network access, and the network process is not sandboxed at all.
>         sandboxArgs.appendVector(Vector<CString>({
>             "--unshare-net"
>         }));
>     }
> --8<---------------cut here---------------end--------------->8---
> 
>        Mark

-- 
Efraim Flashner   <efraim@flashner.co.il>   אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D  14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

^ permalink raw reply	[flat|nested] 11+ messages in thread

* bug#47628: webkitgtk-2.32.0 fails to launch without /usr/bin
  2021-04-09 10:09             ` Efraim Flashner
@ 2021-04-13 19:22               ` Mark H Weaver
  2021-04-14 15:22                 ` Efraim Flashner
  2022-03-18  2:47                 ` Maxim Cournoyer
  0 siblings, 2 replies; 11+ messages in thread
From: Mark H Weaver @ 2021-04-13 19:22 UTC (permalink / raw)
  To: Efraim Flashner; +Cc: 47628

[-- Attachment #1: Type: text/plain, Size: 920 bytes --]

Hi Efraim,

Efraim Flashner <efraim@flashner.co.il> writes:

> On Thu, Apr 08, 2021 at 11:07:31AM -0400, Mark H Weaver wrote:
>> I suspect that the relevant bit that needs to be changed is line 779 of
>> the following file in the webkitgtk-2.32.0 source code:
>> 
>>   Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp
>> 
>> Most likely, that line can simply be deleted.  Here's the relevant
>> excerpt, with line 779 marked by "==>":
>
> Looking at the other lines above it, we could just change it from
> ro-bind to ro-bind-try.

I expect that would work, but why should we give the sandbox access to
/usr/bin at all?  I took a different approach: I removed access to *all*
of the FHS directories, since they should not be needed for a
Guix-compiled package.

Below, I've attached the patch that I'm currently using successfully on
my private branch of Guix.

What do you think?

     Thanks,
       Mark


[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: [PATCH] DRAFT: gnu: webkitgtk: Trim system dirs made available to sandbox. --]
[-- Type: text/x-patch, Size: 3514 bytes --]

From 4a10e1deb63d1b2227a0bcc60a17ddb9af7b8cc3 Mon Sep 17 00:00:00 2001
From: Mark H Weaver <mhw@netris.org>
Date: Thu, 8 Apr 2021 11:27:55 -0400
Subject: [PATCH] DRAFT: gnu: webkitgtk: Trim system dirs made available to
 sandbox.

* gnu/packages/patches/webkitgtk-share-store.patch: Adjust patch.
---
 .../patches/webkitgtk-share-store.patch       | 46 ++++++++++++++-----
 1 file changed, 34 insertions(+), 12 deletions(-)

diff --git a/gnu/packages/patches/webkitgtk-share-store.patch b/gnu/packages/patches/webkitgtk-share-store.patch
index 053d86fcf4..c02157076e 100644
--- a/gnu/packages/patches/webkitgtk-share-store.patch
+++ b/gnu/packages/patches/webkitgtk-share-store.patch
@@ -1,19 +1,41 @@
-Tell bubblewrap to share the store.  Required for programs that use the
+Tell bubblewrap to share the store, and _not_ to share traditional FHS
+directories that are not used in Guix.  Required for programs that use the
 sandboxing features such as Epiphany.
 
-See <https://bugs.gnu.org/40837>.
-Author: Jack Hill <jackhill@jackhill.us>
----
+See <https://bugs.gnu.org/40837> and <https://bugs.gnu.org/47628>.
+Authors: Jack Hill <jackhill@jackhill.us> and Mark H Weaver <mhw@netris.org>.
+
 diff --git a/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp b/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp
 --- a/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp
 +++ b/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp
-@@ -737,6 +737,9 @@ GRefPtr<GSubprocess> bubblewrapSpawn(GSubprocessLauncher* launcher, const Proces
-         "--ro-bind-try", "/usr/local/share", "/usr/local/share",
+@@ -749,26 +749,18 @@
+         "--ro-bind", "/sys/dev", "/sys/dev",
+         "--ro-bind", "/sys/devices", "/sys/devices",
+ 
+-        "--ro-bind-try", "/usr/share", "/usr/share",
+-        "--ro-bind-try", "/usr/local/share", "/usr/local/share",
          "--ro-bind-try", DATADIR, DATADIR,
  
-+       // Bind mount the store inside the WebKitGTK sandbox.
-+       "--ro-bind", "@storedir@", "@storedir@",
-+
-         // We only grant access to the libdirs webkit is built with and
-         // guess system libdirs. This will always have some edge cases.
-         "--ro-bind-try", "/lib", "/lib",
+-        // We only grant access to the libdirs webkit is built with and
+-        // guess system libdirs. This will always have some edge cases.
+-        "--ro-bind-try", "/lib", "/lib",
+-        "--ro-bind-try", "/usr/lib", "/usr/lib",
+-        "--ro-bind-try", "/usr/local/lib", "/usr/local/lib",
+-        "--ro-bind-try", LIBDIR, LIBDIR,
+-        "--ro-bind-try", "/lib64", "/lib64",
+-        "--ro-bind-try", "/usr/lib64", "/usr/lib64",
+-        "--ro-bind-try", "/usr/local/lib64", "/usr/local/lib64",
++        // Bind mount the store inside the WebKitGTK sandbox.
++        "--ro-bind", "@storedir@", "@storedir@",
+ 
++        // We only grant access to the libdirs webkit is built with.
++        "--ro-bind-try", LIBDIR, LIBDIR,
+         "--ro-bind-try", PKGLIBEXECDIR, PKGLIBEXECDIR,
+     };
+ 
+     if (launchOptions.processType == ProcessLauncher::ProcessType::DBusProxy) {
+         sandboxArgs.appendVector(Vector<CString>({
+-            "--ro-bind", "/usr/bin", "/usr/bin",
+             // This is a lot of access, but xdg-dbus-proxy is trusted so that's OK. It's sandboxed
+             // only because we have to mount .flatpak-info in its mount namespace. The user rundir
+             // is where we mount our proxy socket.
-- 
2.31.1


^ permalink raw reply related	[flat|nested] 11+ messages in thread

* bug#47628: webkitgtk-2.32.0 fails to launch without /usr/bin
  2021-04-13 19:22               ` Mark H Weaver
@ 2021-04-14 15:22                 ` Efraim Flashner
  2022-03-18  2:47                 ` Maxim Cournoyer
  1 sibling, 0 replies; 11+ messages in thread
From: Efraim Flashner @ 2021-04-14 15:22 UTC (permalink / raw)
  To: Mark H Weaver; +Cc: 47628

[-- Attachment #1: Type: text/plain, Size: 1445 bytes --]

On Tue, Apr 13, 2021 at 03:22:47PM -0400, Mark H Weaver wrote:
> Hi Efraim,
> 
> Efraim Flashner <efraim@flashner.co.il> writes:
> 
> > On Thu, Apr 08, 2021 at 11:07:31AM -0400, Mark H Weaver wrote:
> >> I suspect that the relevant bit that needs to be changed is line 779 of
> >> the following file in the webkitgtk-2.32.0 source code:
> >> 
> >>   Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp
> >> 
> >> Most likely, that line can simply be deleted.  Here's the relevant
> >> excerpt, with line 779 marked by "==>":
> >
> > Looking at the other lines above it, we could just change it from
> > ro-bind to ro-bind-try.
> 
> I expect that would work, but why should we give the sandbox access to
> /usr/bin at all?  I took a different approach: I removed access to *all*
> of the FHS directories, since they should not be needed for a
> Guix-compiled package.
> 
> Below, I've attached the patch that I'm currently using successfully on
> my private branch of Guix.
> 
> What do you think?
> 

Since we should be linking to any libraries we need anyway and patching
any calls out to other binaries then I suppose this should work. I
suggested ro-bind-try to minimize the patch size.


-- 
Efraim Flashner   <efraim@flashner.co.il>   אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D  14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

^ permalink raw reply	[flat|nested] 11+ messages in thread

* bug#47628: webkitgtk-2.32.0 fails to launch without /usr/bin
  2021-04-13 19:22               ` Mark H Weaver
  2021-04-14 15:22                 ` Efraim Flashner
@ 2022-03-18  2:47                 ` Maxim Cournoyer
  1 sibling, 0 replies; 11+ messages in thread
From: Maxim Cournoyer @ 2022-03-18  2:47 UTC (permalink / raw)
  To: Mark H Weaver; +Cc: 47628-done

Hi Mark,

Mark H Weaver <mhw@netris.org> writes:

> Hi Efraim,
>
> Efraim Flashner <efraim@flashner.co.il> writes:
>
>> On Thu, Apr 08, 2021 at 11:07:31AM -0400, Mark H Weaver wrote:
>>> I suspect that the relevant bit that needs to be changed is line 779 of
>>> the following file in the webkitgtk-2.32.0 source code:
>>> 
>>>   Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp
>>> 
>>> Most likely, that line can simply be deleted.  Here's the relevant
>>> excerpt, with line 779 marked by "==>":
>>
>> Looking at the other lines above it, we could just change it from
>> ro-bind to ro-bind-try.
>
> I expect that would work, but why should we give the sandbox access to
> /usr/bin at all?  I took a different approach: I removed access to *all*
> of the FHS directories, since they should not be needed for a
> Guix-compiled package.
>
> Below, I've attached the patch that I'm currently using successfully on
> my private branch of Guix.
>
> What do you think?

Our webkitgtk package is patched in such a way (and more) since commit
b9a4705f80e89fff3b65288cbbe8df73a365aee3.

Thanks, 

Maxim




^ permalink raw reply	[flat|nested] 11+ messages in thread

end of thread, other threads:[~2022-03-18  2:48 UTC | newest]

Thread overview: 11+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2021-04-06 22:46 bug#47628: Epiphany fails to launch after webkitgtk-2.32.0 update Mark H Weaver
2021-04-06 23:04 ` bug#47628: webkitgtk-2.32.0 is broken on my system (was Re: bug#47628: Epiphany fails to launch after webkitgtk-2.32.0 update) Mark H Weaver
2021-04-07  7:35   ` bug#47628: webkitgtk-2.32.0 is broken on my system Guillaume Le Vaillant
2021-04-08  8:22     ` Efraim Flashner
2021-04-08 14:19       ` bug#47628: webkitgtk-2.32.0 fails to launch without /usr/bin/env Mark H Weaver
2021-04-08 14:32         ` bug#47628: webkitgtk-2.32.0 fails to launch without /usr/bin Mark H Weaver
2021-04-08 15:07           ` Mark H Weaver
2021-04-09 10:09             ` Efraim Flashner
2021-04-13 19:22               ` Mark H Weaver
2021-04-14 15:22                 ` Efraim Flashner
2022-03-18  2:47                 ` Maxim Cournoyer

Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/guix.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).