* bug#47628: Epiphany fails to launch after webkitgtk-2.32.0 update
@ 2021-04-06 22:46 Mark H Weaver
2021-04-06 23:04 ` bug#47628: webkitgtk-2.32.0 is broken on my system (was Re: bug#47628: Epiphany fails to launch after webkitgtk-2.32.0 update) Mark H Weaver
0 siblings, 1 reply; 11+ messages in thread
From: Mark H Weaver @ 2021-04-06 22:46 UTC (permalink / raw)
To: 47628
FYI, since updating to webkitgtk-2.32.0 (commit
3c5e1412e3ef769df8e4826d0aedabaa3aa0d631), epiphany fails to launch: no
window appears, although GNOME Shell shows an empty outline in overview
mode, as if there's a window but it has never been painted.
When running 'epiphany' from the command line, I see the following
warning from 'bwrap', which indicates that it's looking in /usr/bin:
--8<---------------cut here---------------start------------->8---
mhw@jojen ~$ epiphany
** (epiphany:1016): WARNING **: 18:36:48.495: Registering special URI scheme ftp is no longer allowed
bwrap: Can't find source path /usr/bin: No such file or directory
--8<---------------cut here---------------end--------------->8---
I wonder if this only works when Guix is run on top of a more
traditional OS that has /usr/bin.
Is anyone successfully able to use Epiphany on a pure Guix system
(without /usr/bin) with Webkitgtk-2.32.0? (The Webkitgtk version is
shown in the "About Web" window, which is accessible from the hamburger
menu.)
Mark
* bug#47628: webkitgtk-2.32.0 is broken on my system (was Re: bug#47628: Epiphany fails to launch after webkitgtk-2.32.0 update)
2021-04-06 22:46 bug#47628: Epiphany fails to launch after webkitgtk-2.32.0 update Mark H Weaver
@ 2021-04-06 23:04 ` Mark H Weaver
2021-04-07 7:35 ` bug#47628: webkitgtk-2.32.0 is broken on my system Guillaume Le Vaillant
0 siblings, 1 reply; 11+ messages in thread
From: Mark H Weaver @ 2021-04-06 23:04 UTC (permalink / raw)
To: 47628
retitle 47628 webkitgtk-2.32.0 is broken on my system
thanks
Mark H Weaver <mhw@netris.org> writes:
> FYI, since updating to webkitgtk-2.32.0 (commit
> 3c5e1412e3ef769df8e4826d0aedabaa3aa0d631), epiphany fails to launch: no
> window appears, although GNOME Shell shows an empty outline in overview
> mode, as if there's a window but it has never been painted.
>
> When running 'epiphany' from the command line, I see the following
> warning from 'bwrap', which indicates that it's looking in /usr/bin:
I see exactly the same behavior with 'eolie': the window never appears
(except for an outline in GNOME Shell's overview mode), and I see the
same warning:
"bwrap: Can't find source path /usr/bin: No such file or directory"
In both cases, if I try to close the phantom window from overview mode,
it informs me that the application is not responding, and I have to
force quit to make the phantom window go away.
Mark
* bug#47628: webkitgtk-2.32.0 is broken on my system
2021-04-06 23:04 ` bug#47628: webkitgtk-2.32.0 is broken on my system (was Re: bug#47628: Epiphany fails to launch after webkitgtk-2.32.0 update) Mark H Weaver
@ 2021-04-07 7:35 ` Guillaume Le Vaillant
2021-04-08 8:22 ` Efraim Flashner
0 siblings, 1 reply; 11+ messages in thread
From: Guillaume Le Vaillant @ 2021-04-07 7:35 UTC (permalink / raw)
To: Mark H Weaver; +Cc: 47628
Mark H Weaver <mhw@netris.org> skribis:
> retitle 47628 webkitgtk-2.32.0 is broken on my system
> thanks
>
> Mark H Weaver <mhw@netris.org> writes:
>
>> FYI, since updating to webkitgtk-2.32.0 (commit
>> 3c5e1412e3ef769df8e4826d0aedabaa3aa0d631), epiphany fails to launch: no
>> window appears, although GNOME Shell shows an empty outline in overview
>> mode, as if there's a window but it has never been painted.
>>
>> When running 'epiphany' from the command line, I see the following
>> warning from 'bwrap', which indicates that it's looking in /usr/bin:
>
> I see exactly the same behavior with 'eolie': the window never appears
> (except for an outline in GNOME Shell's overview mode), and I see the
> same warning:
>
> "bwrap: Can't find source path /usr/bin: No such file or directory"
>
> In both cases, if I try to close the phantom window from overview mode,
> it informs me that the application is not responding, and I have to
> force quit to make the phantom window go away.
>
> Mark
On my Guix system, epiphany with webkitgtk-2.32.0 seems to work fine
(with Guix at commit 14392c77896561c5846c0f3a0588720792d61e95).
The window appears and I can browse websites, and it doesn't print any
error about 'bwrap'.
I'm using StumpWM and not Gnome Shell; I don't know if it has an impact
on epiphany's behavior.
* bug#47628: webkitgtk-2.32.0 is broken on my system
2021-04-07 7:35 ` bug#47628: webkitgtk-2.32.0 is broken on my system Guillaume Le Vaillant
@ 2021-04-08 8:22 ` Efraim Flashner
2021-04-08 14:19 ` bug#47628: webkitgtk-2.32.0 fails to launch without /usr/bin/env Mark H Weaver
0 siblings, 1 reply; 11+ messages in thread
From: Efraim Flashner @ 2021-04-08 8:22 UTC (permalink / raw)
To: Guillaume Le Vaillant; +Cc: 47628
On Wed, Apr 07, 2021 at 09:35:48AM +0200, Guillaume Le Vaillant wrote:
> Mark H Weaver <mhw@netris.org> skribis:
>
> > retitle 47628 webkitgtk-2.32.0 is broken on my system
> > thanks
> >
> > Mark H Weaver <mhw@netris.org> writes:
> >
> >> FYI, since updating to webkitgtk-2.32.0 (commit
> >> 3c5e1412e3ef769df8e4826d0aedabaa3aa0d631), epiphany fails to launch: no
> >> window appears, although GNOME Shell shows an empty outline in overview
> >> mode, as if there's a window but it has never been painted.
> >>
> >> When running 'epiphany' from the command line, I see the following
> >> warning from 'bwrap', which indicates that it's looking in /usr/bin:
> >
> > I see exactly the same behavior with 'eolie': the window never appears
> > (except for an outline in GNOME Shell's overview mode), and I see the
> > same warning:
> >
> > "bwrap: Can't find source path /usr/bin: No such file or directory"
> >
> > In both cases, if I try to close the phantom window from overview mode,
> > it informs me that the application is not responding, and I have to
> > force quit to make the phantom window go away.
> >
> > Mark
>
> On my Guix system, epiphany with webkitgtk-2.32.0 seems to work fine
> (with Guix at commit 14392c77896561c5846c0f3a0588720792d61e95).
> The window appears and I can browse websites, and it doesn't print any
> error about 'bwrap'.
> I'm using StumpWM and not Gnome Shell; I don't know if it has an impact
> on epiphany's behavior.
It "works" for me on bb4f47a7f614eea78a8c8a0d3e5fc55bf4e52646, using Guix
System with Enlightenment. I get errors about not committing changes to
dconf and I'm unable to change settings in preferences. Does your system
have /bin/sh or /usr/bin/env? That's the only thing I have in /usr/bin.
--
Efraim Flashner <efraim@flashner.co.il> אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted
* bug#47628: webkitgtk-2.32.0 fails to launch without /usr/bin/env
2021-04-08 8:22 ` Efraim Flashner
@ 2021-04-08 14:19 ` Mark H Weaver
2021-04-08 14:32 ` bug#47628: webkitgtk-2.32.0 fails to launch without /usr/bin Mark H Weaver
0 siblings, 1 reply; 11+ messages in thread
From: Mark H Weaver @ 2021-04-08 14:19 UTC (permalink / raw)
To: Efraim Flashner, Guillaume Le Vaillant; +Cc: 47628
retitle 47628 webkitgtk-2.32.0 fails to launch without /usr/bin/env
thanks
Hi Efraim,
Efraim Flashner <efraim@flashner.co.il> writes:
> It "works" for me on bb4f47a7f614eea78a8c8a0d3e5fc55bf4e52646, using Guix
> System with Enlightenment. I get errors about not committing changes to
> dconf and I'm unable to change settings in preferences. Does your system
> have /bin/sh or /usr/bin/env? That's the only thing I have in /usr/bin.
That's it! I have /bin/sh but not /usr/bin/env. Adding /usr/bin/env
fixes the problem for me.
It would be good to eliminate that dependency. If webkitgtk is using
/usr/bin/env from within its sandbox, that's worrisome. I want it using
software components determined at build time. I do *not* want it
searching in PATH for things.
To be continued...
Mark
* bug#47628: webkitgtk-2.32.0 fails to launch without /usr/bin
2021-04-08 14:19 ` bug#47628: webkitgtk-2.32.0 fails to launch without /usr/bin/env Mark H Weaver
@ 2021-04-08 14:32 ` Mark H Weaver
2021-04-08 15:07 ` Mark H Weaver
0 siblings, 1 reply; 11+ messages in thread
From: Mark H Weaver @ 2021-04-08 14:32 UTC (permalink / raw)
To: Efraim Flashner, Guillaume Le Vaillant; +Cc: 47628
retitle 47628 webkitgtk-2.32.0 fails to launch without /usr/bin
thanks
Earlier, I wrote:
> That's it! I have /bin/sh but not /usr/bin/env. Adding /usr/bin/env
> fixes the problem for me.
Actually, it suffices for /usr/bin to exist as an empty directory.
/usr/bin/env is never actually used.
Mark
* bug#47628: webkitgtk-2.32.0 fails to launch without /usr/bin
2021-04-08 14:32 ` bug#47628: webkitgtk-2.32.0 fails to launch without /usr/bin Mark H Weaver
@ 2021-04-08 15:07 ` Mark H Weaver
2021-04-09 10:09 ` Efraim Flashner
0 siblings, 1 reply; 11+ messages in thread
From: Mark H Weaver @ 2021-04-08 15:07 UTC (permalink / raw)
To: Efraim Flashner, Guillaume Le Vaillant; +Cc: 47628
I suspect that the relevant bit that needs to be changed is line 779 of
the following file in the webkitgtk-2.32.0 source code:
Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp
Most likely, that line can simply be deleted. Here's the relevant
excerpt, with line 779 marked by "==>":
--8<---------------cut here---------------start------------->8---
GRefPtr<GSubprocess> bubblewrapSpawn(GSubprocessLauncher* launcher, const ProcessLauncher::LaunchOptions& launchOptions, char** argv, GError **error)
{
    ASSERT(launcher);

    // For now we are just considering the network process trusted as it
    // requires a lot of access but doesn't execute arbitrary code like
    // the WebProcess where our focus lies.
    if (launchOptions.processType == ProcessLauncher::ProcessType::Network)
        return adoptGRef(g_subprocess_launcher_spawnv(launcher, argv, error));

    const char* runDir = g_get_user_runtime_dir();
    Vector<CString> sandboxArgs = {
        "--die-with-parent",
        "--unshare-pid",
        "--unshare-uts",

        // We assume /etc has safe permissions.
        // At a later point we can start masking privacy-concerning files.
        "--ro-bind", "/etc", "/etc",
        "--dev", "/dev",
        "--proc", "/proc",
        "--tmpfs", "/tmp",
        "--unsetenv", "TMPDIR",
        "--dir", runDir,
        "--setenv", "XDG_RUNTIME_DIR", runDir,
        "--symlink", "../run", "/var/run",
        "--symlink", "../tmp", "/var/tmp",
        "--ro-bind", "/sys/block", "/sys/block",
        "--ro-bind", "/sys/bus", "/sys/bus",
        "--ro-bind", "/sys/class", "/sys/class",
        "--ro-bind", "/sys/dev", "/sys/dev",
        "--ro-bind", "/sys/devices", "/sys/devices",

        "--ro-bind-try", "/usr/share", "/usr/share",
        "--ro-bind-try", "/usr/local/share", "/usr/local/share",
        "--ro-bind-try", DATADIR, DATADIR,

        // Bind mount the store inside the WebKitGTK sandbox.
        "--ro-bind", "@storedir@", "@storedir@",

        // We only grant access to the libdirs webkit is built with and
        // guess system libdirs. This will always have some edge cases.
        "--ro-bind-try", "/lib", "/lib",
        "--ro-bind-try", "/usr/lib", "/usr/lib",
        "--ro-bind-try", "/usr/local/lib", "/usr/local/lib",
        "--ro-bind-try", LIBDIR, LIBDIR,
        "--ro-bind-try", "/lib64", "/lib64",
        "--ro-bind-try", "/usr/lib64", "/usr/lib64",
        "--ro-bind-try", "/usr/local/lib64", "/usr/local/lib64",

        "--ro-bind-try", PKGLIBEXECDIR, PKGLIBEXECDIR,
    };

    if (launchOptions.processType == ProcessLauncher::ProcessType::DBusProxy) {
        sandboxArgs.appendVector(Vector<CString>({
==>         "--ro-bind", "/usr/bin", "/usr/bin",
            // This is a lot of access, but xdg-dbus-proxy is trusted so that's OK. It's sandboxed
            // only because we have to mount .flatpak-info in its mount namespace. The user rundir
            // is where we mount our proxy socket.
            "--bind", runDir, runDir,
        }));
    } else {
        // xdg-dbus-proxy needs access to host abstract sockets to connect to the a11y bus. Secure
        // host services must not use abstract sockets. Otherwise, only the network process should
        // have network access, and the network process is not sandboxed at all.
        sandboxArgs.appendVector(Vector<CString>({
            "--unshare-net"
        }));
    }
--8<---------------cut here---------------end--------------->8---
Mark
* bug#47628: webkitgtk-2.32.0 fails to launch without /usr/bin
2021-04-08 15:07 ` Mark H Weaver
@ 2021-04-09 10:09 ` Efraim Flashner
2021-04-13 19:22 ` Mark H Weaver
0 siblings, 1 reply; 11+ messages in thread
From: Efraim Flashner @ 2021-04-09 10:09 UTC (permalink / raw)
To: Mark H Weaver; +Cc: 47628
On Thu, Apr 08, 2021 at 11:07:31AM -0400, Mark H Weaver wrote:
> I suspect that the relevant bit that needs to be changed is line 779 of
> the following file in the webkitgtk-2.32.0 source code:
>
> Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp
>
> Most likely, that line can simply be deleted. Here's the relevant
> excerpt, with line 779 marked by "==>":
Looking at the other lines above it, we could just change it from
ro-bind to ro-bind-try.
>
> --8<---------------cut here---------------start------------->8---
> GRefPtr<GSubprocess> bubblewrapSpawn(GSubprocessLauncher* launcher, const ProcessLauncher::LaunchOptions& launchOptions, char** argv, GError **error)
> {
>     ASSERT(launcher);
>
>     // For now we are just considering the network process trusted as it
>     // requires a lot of access but doesn't execute arbitrary code like
>     // the WebProcess where our focus lies.
>     if (launchOptions.processType == ProcessLauncher::ProcessType::Network)
>         return adoptGRef(g_subprocess_launcher_spawnv(launcher, argv, error));
>
>     const char* runDir = g_get_user_runtime_dir();
>     Vector<CString> sandboxArgs = {
>         "--die-with-parent",
>         "--unshare-pid",
>         "--unshare-uts",
>
>         // We assume /etc has safe permissions.
>         // At a later point we can start masking privacy-concerning files.
>         "--ro-bind", "/etc", "/etc",
>         "--dev", "/dev",
>         "--proc", "/proc",
>         "--tmpfs", "/tmp",
>         "--unsetenv", "TMPDIR",
>         "--dir", runDir,
>         "--setenv", "XDG_RUNTIME_DIR", runDir,
>         "--symlink", "../run", "/var/run",
>         "--symlink", "../tmp", "/var/tmp",
>         "--ro-bind", "/sys/block", "/sys/block",
>         "--ro-bind", "/sys/bus", "/sys/bus",
>         "--ro-bind", "/sys/class", "/sys/class",
>         "--ro-bind", "/sys/dev", "/sys/dev",
>         "--ro-bind", "/sys/devices", "/sys/devices",
>
>         "--ro-bind-try", "/usr/share", "/usr/share",
>         "--ro-bind-try", "/usr/local/share", "/usr/local/share",
>         "--ro-bind-try", DATADIR, DATADIR,
>
>         // Bind mount the store inside the WebKitGTK sandbox.
>         "--ro-bind", "@storedir@", "@storedir@",
>
>         // We only grant access to the libdirs webkit is built with and
>         // guess system libdirs. This will always have some edge cases.
>         "--ro-bind-try", "/lib", "/lib",
>         "--ro-bind-try", "/usr/lib", "/usr/lib",
>         "--ro-bind-try", "/usr/local/lib", "/usr/local/lib",
>         "--ro-bind-try", LIBDIR, LIBDIR,
>         "--ro-bind-try", "/lib64", "/lib64",
>         "--ro-bind-try", "/usr/lib64", "/usr/lib64",
>         "--ro-bind-try", "/usr/local/lib64", "/usr/local/lib64",
>
>         "--ro-bind-try", PKGLIBEXECDIR, PKGLIBEXECDIR,
>     };
>
>     if (launchOptions.processType == ProcessLauncher::ProcessType::DBusProxy) {
>         sandboxArgs.appendVector(Vector<CString>({
> ==>         "--ro-bind", "/usr/bin", "/usr/bin",
>             // This is a lot of access, but xdg-dbus-proxy is trusted so that's OK. It's sandboxed
>             // only because we have to mount .flatpak-info in its mount namespace. The user rundir
>             // is where we mount our proxy socket.
>             "--bind", runDir, runDir,
>         }));
>     } else {
>         // xdg-dbus-proxy needs access to host abstract sockets to connect to the a11y bus. Secure
>         // host services must not use abstract sockets. Otherwise, only the network process should
>         // have network access, and the network process is not sandboxed at all.
>         sandboxArgs.appendVector(Vector<CString>({
>             "--unshare-net"
>         }));
>     }
> --8<---------------cut here---------------end--------------->8---
>
> Mark
--
Efraim Flashner <efraim@flashner.co.il> אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted
* bug#47628: webkitgtk-2.32.0 fails to launch without /usr/bin
2021-04-09 10:09 ` Efraim Flashner
@ 2021-04-13 19:22 ` Mark H Weaver
2021-04-14 15:22 ` Efraim Flashner
2022-03-18 2:47 ` Maxim Cournoyer
0 siblings, 2 replies; 11+ messages in thread
From: Mark H Weaver @ 2021-04-13 19:22 UTC (permalink / raw)
To: Efraim Flashner; +Cc: 47628
Hi Efraim,
Efraim Flashner <efraim@flashner.co.il> writes:
> On Thu, Apr 08, 2021 at 11:07:31AM -0400, Mark H Weaver wrote:
>> I suspect that the relevant bit that needs to be changed is line 779 of
>> the following file in the webkitgtk-2.32.0 source code:
>>
>> Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp
>>
>> Most likely, that line can simply be deleted. Here's the relevant
>> excerpt, with line 779 marked by "==>":
>
> Looking at the other lines above it, we could just change it from
> ro-bind to ro-bind-try.
I expect that would work, but why should we give the sandbox access to
/usr/bin at all? I took a different approach: I removed access to *all*
of the FHS directories, since they should not be needed for a
Guix-compiled package.
Below, I've attached the patch that I'm currently using successfully on
my private branch of Guix.
What do you think?
Thanks,
Mark
[-- Attachment #2: [PATCH] DRAFT: gnu: webkitgtk: Trim system dirs made available to sandbox. --]
From 4a10e1deb63d1b2227a0bcc60a17ddb9af7b8cc3 Mon Sep 17 00:00:00 2001
From: Mark H Weaver <mhw@netris.org>
Date: Thu, 8 Apr 2021 11:27:55 -0400
Subject: [PATCH] DRAFT: gnu: webkitgtk: Trim system dirs made available to
sandbox.
* gnu/packages/patches/webkitgtk-share-store.patch: Adjust patch.
---
.../patches/webkitgtk-share-store.patch | 46 ++++++++++++++-----
1 file changed, 34 insertions(+), 12 deletions(-)
diff --git a/gnu/packages/patches/webkitgtk-share-store.patch b/gnu/packages/patches/webkitgtk-share-store.patch
index 053d86fcf4..c02157076e 100644
--- a/gnu/packages/patches/webkitgtk-share-store.patch
+++ b/gnu/packages/patches/webkitgtk-share-store.patch
@@ -1,19 +1,41 @@
-Tell bubblewrap to share the store. Required for programs that use the
+Tell bubblewrap to share the store, and _not_ to share traditional FHS
+directories that are not used in Guix. Required for programs that use the
sandboxing features such as Epiphany.
-See <https://bugs.gnu.org/40837>.
-Author: Jack Hill <jackhill@jackhill.us>
----
+See <https://bugs.gnu.org/40837> and <https://bugs.gnu.org/47628>.
+Authors: Jack Hill <jackhill@jackhill.us> and Mark H Weaver <mhw@netris.org>.
+
diff --git a/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp b/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp
--- a/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp
+++ b/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp
-@@ -737,6 +737,9 @@ GRefPtr<GSubprocess> bubblewrapSpawn(GSubprocessLauncher* launcher, const Proces
- "--ro-bind-try", "/usr/local/share", "/usr/local/share",
+@@ -749,26 +749,18 @@
+ "--ro-bind", "/sys/dev", "/sys/dev",
+ "--ro-bind", "/sys/devices", "/sys/devices",
+
+- "--ro-bind-try", "/usr/share", "/usr/share",
+- "--ro-bind-try", "/usr/local/share", "/usr/local/share",
"--ro-bind-try", DATADIR, DATADIR,
-+ // Bind mount the store inside the WebKitGTK sandbox.
-+ "--ro-bind", "@storedir@", "@storedir@",
-+
- // We only grant access to the libdirs webkit is built with and
- // guess system libdirs. This will always have some edge cases.
- "--ro-bind-try", "/lib", "/lib",
+- // We only grant access to the libdirs webkit is built with and
+- // guess system libdirs. This will always have some edge cases.
+- "--ro-bind-try", "/lib", "/lib",
+- "--ro-bind-try", "/usr/lib", "/usr/lib",
+- "--ro-bind-try", "/usr/local/lib", "/usr/local/lib",
+- "--ro-bind-try", LIBDIR, LIBDIR,
+- "--ro-bind-try", "/lib64", "/lib64",
+- "--ro-bind-try", "/usr/lib64", "/usr/lib64",
+- "--ro-bind-try", "/usr/local/lib64", "/usr/local/lib64",
++ // Bind mount the store inside the WebKitGTK sandbox.
++ "--ro-bind", "@storedir@", "@storedir@",
+
++ // We only grant access to the libdirs webkit is built with.
++ "--ro-bind-try", LIBDIR, LIBDIR,
+ "--ro-bind-try", PKGLIBEXECDIR, PKGLIBEXECDIR,
+ };
+
+ if (launchOptions.processType == ProcessLauncher::ProcessType::DBusProxy) {
+ sandboxArgs.appendVector(Vector<CString>({
+- "--ro-bind", "/usr/bin", "/usr/bin",
+ // This is a lot of access, but xdg-dbus-proxy is trusted so that's OK. It's sandboxed
+ // only because we have to mount .flatpak-info in its mount namespace. The user rundir
+ // is where we mount our proxy socket.
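Review bot: the description at the top of the patch should say that this removes more than the `--ro-bind /usr/bin` line identified as the cause of bug#47628: the inner hunk also drops the `--ro-bind-try` entries for /usr/share, /usr/local/share, /lib, /usr/lib, /usr/local/lib, /lib64, /usr/lib64 and /usr/local/lib64, and the phrase "directories that are not used in Guix" does not explain why a Guix installed on top of a foreign distribution, where those directories do exist, needs none of them inside the sandbox (the first message in this thread raises exactly that case). A sentence in the header text stating that every library and helper a Guix-built webkitgtk loads is expected to live under @storedir@ or LIBDIR would make the trim reviewable on its own. Minor: the rewritten inner hunk header `@@ -749,26 +749,18 @@` dropped the `GRefPtr<GSubprocess> bubblewrapSpawn(...)` function context that the old `@@ -737,6 +737,9 @@` header carried; keeping it helps a reader place the change without opening the file.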
--
2.31.1
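The distinction this thread turns on, that a plain `--ro-bind` makes bwrap abort with "Can't find source path" when the source is missing while a `--ro-bind-try` is silently skipped, can be audited before launching anything. The following is an added example, not code from WebKitGTK or Guix: it rebuilds a condensed model of the bind-mount part of bubblewrapSpawn()'s argument list in the three variants discussed (stock 2.32.0, the ro-bind-try suggestion, and the trimmed draft patch) and checks each against a constructed model of a pure Guix System; the store path and the DATADIR/LIBDIR/PKGLIBEXECDIR values are placeholders.

```python
import os

# bwrap bind options: the plain forms make bwrap exit with
# "Can't find source path SRC" when SRC is missing; the -try forms skip it.
FATAL_BINDS = {"--bind", "--ro-bind", "--dev-bind"}
TRY_BINDS = {"--bind-try", "--ro-bind-try", "--dev-bind-try"}
TWO_ARG = {"--setenv", "--symlink"}                              # option + two values
ONE_ARG = {"--dev", "--proc", "--tmpfs", "--unsetenv", "--dir"}  # option + one value

# Placeholder (hypothetical) build-time values standing in for WebKit's
# DATADIR/LIBDIR/PKGLIBEXECDIR macros and Guix's @storedir@ substitution.
STORE = "/gnu/store"
DATADIR = STORE + "/xxxx-webkitgtk-2.32.0/share"
LIBDIR = STORE + "/xxxx-webkitgtk-2.32.0/lib"
PKGLIBEXECDIR = LIBDIR + "/webkit2gtk-4.0"

FHS_SHARE = ("/usr/share", "/usr/local/share")
FHS_LIBS = ("/lib", "/usr/lib", "/usr/local/lib", "/lib64", "/usr/lib64", "/usr/local/lib64")


def webkit_sandbox_args(dbus_proxy, usr_bin_opt="--ro-bind", trimmed=False):
    """Condensed model of the bind-mount part of bubblewrapSpawn()'s argv.

    usr_bin_opt: option used for /usr/bin in the DBusProxy branch
                 ("--ro-bind" in stock 2.32.0, "--ro-bind-try" as suggested).
    trimmed:     drop every FHS directory, as the draft Guix patch does.
    """
    args = ["--ro-bind", "/etc", "/etc", "--dev", "/dev", "--proc", "/proc",
            "--tmpfs", "/tmp", "--ro-bind", "/sys/devices", "/sys/devices"]
    if not trimmed:
        for d in FHS_SHARE:
            args += ["--ro-bind-try", d, d]
    args += ["--ro-bind-try", DATADIR, DATADIR, "--ro-bind", STORE, STORE]
    if not trimmed:
        for d in FHS_LIBS:
            args += ["--ro-bind-try", d, d]
    args += ["--ro-bind-try", LIBDIR, LIBDIR, "--ro-bind-try", PKGLIBEXECDIR, PKGLIBEXECDIR]
    if dbus_proxy and not trimmed:
        args += [usr_bin_opt, "/usr/bin", "/usr/bin"]
    return args


def audit_binds(args, exists=os.path.exists):
    """Return (fatal, skipped): bind sources that would make bwrap abort,
    and sources a -try option would silently leave out of the sandbox."""
    fatal, skipped = [], []
    i = 0
    while i < len(args):
        opt = args[i]
        if opt in FATAL_BINDS or opt in TRY_BINDS:
            src = args[i + 1]
            if not exists(src):
                (fatal if opt in FATAL_BINDS else skipped).append(src)
            i += 3
        elif opt in TWO_ARG:
            i += 3
        elif opt in ONE_ARG:
            i += 2
        else:
            i += 1
    return fatal, skipped


# Constructed model of a pure Guix System: no /usr/bin, /usr/share or
# /usr/lib; only /etc, /bin (for /bin/sh), the store and the build outputs.
PURE_GUIX = {"/etc", "/sys/devices", "/bin", STORE, DATADIR, LIBDIR, PKGLIBEXECDIR}
# The same system after the workaround from the thread: an empty /usr/bin.
PURE_GUIX_WITH_USR_BIN = PURE_GUIX | {"/usr/bin"}


def audit_on(fs, **kw):
    """Audit one variant of the argument list against a modelled filesystem."""
    return audit_binds(webkit_sandbox_args(**kw), exists=fs.__contains__)


if __name__ == "__main__":
    for label, kw in (("stock 2.32.0", dict(dbus_proxy=True)),
                      ("ro-bind-try", dict(dbus_proxy=True, usr_bin_opt="--ro-bind-try")),
                      ("trimmed", dict(dbus_proxy=True, trimmed=True))):
        fatal, skipped = audit_on(PURE_GUIX, **kw)
        print(f"{label:>12}: fatal={fatal} skipped={skipped}")
```

Only the DBusProxy launch fails on the modelled pure Guix System, which matches the symptom in the thread (the WebProcess branch never binds /usr/bin); the trimmed variant binds nothing outside /etc, /sys and the store, so there is nothing left for `--ro-bind-try` to skip.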
* bug#47628: webkitgtk-2.32.0 fails to launch without /usr/bin
2021-04-13 19:22 ` Mark H Weaver
@ 2021-04-14 15:22 ` Efraim Flashner
2022-03-18 2:47 ` Maxim Cournoyer
1 sibling, 0 replies; 11+ messages in thread
From: Efraim Flashner @ 2021-04-14 15:22 UTC (permalink / raw)
To: Mark H Weaver; +Cc: 47628
On Tue, Apr 13, 2021 at 03:22:47PM -0400, Mark H Weaver wrote:
> Hi Efraim,
>
> Efraim Flashner <efraim@flashner.co.il> writes:
>
> > On Thu, Apr 08, 2021 at 11:07:31AM -0400, Mark H Weaver wrote:
> >> I suspect that the relevant bit that needs to be changed is line 779 of
> >> the following file in the webkitgtk-2.32.0 source code:
> >>
> >> Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp
> >>
> >> Most likely, that line can simply be deleted. Here's the relevant
> >> excerpt, with line 779 marked by "==>":
> >
> > Looking at the other lines above it, we could just change it from
> > ro-bind to ro-bind-try.
>
> I expect that would work, but why should we give the sandbox access to
> /usr/bin at all? I took a different approach: I removed access to *all*
> of the FHS directories, since they should not be needed for a
> Guix-compiled package.
>
> Below, I've attached the patch that I'm currently using successfully on
> my private branch of Guix.
>
> What do you think?
>
Since we should be linking to any libraries we need anyway and patching
any calls out to other binaries then I suppose this should work. I
suggested ro-bind-try to minimize the patch size.
--
Efraim Flashner <efraim@flashner.co.il> אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted
* bug#47628: webkitgtk-2.32.0 fails to launch without /usr/bin
2021-04-13 19:22 ` Mark H Weaver
2021-04-14 15:22 ` Efraim Flashner
@ 2022-03-18 2:47 ` Maxim Cournoyer
1 sibling, 0 replies; 11+ messages in thread
From: Maxim Cournoyer @ 2022-03-18 2:47 UTC (permalink / raw)
To: Mark H Weaver; +Cc: 47628-done
Hi Mark,
Mark H Weaver <mhw@netris.org> writes:
> Hi Efraim,
>
> Efraim Flashner <efraim@flashner.co.il> writes:
>
>> On Thu, Apr 08, 2021 at 11:07:31AM -0400, Mark H Weaver wrote:
>>> I suspect that the relevant bit that needs to be changed is line 779 of
>>> the following file in the webkitgtk-2.32.0 source code:
>>>
>>> Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp
>>>
>>> Most likely, that line can simply be deleted. Here's the relevant
>>> excerpt, with line 779 marked by "==>":
>>
>> Looking at the other lines above it, we could just change it from
>> ro-bind to ro-bind-try.
>
> I expect that would work, but why should we give the sandbox access to
> /usr/bin at all? I took a different approach: I removed access to *all*
> of the FHS directories, since they should not be needed for a
> Guix-compiled package.
>
> Below, I've attached the patch that I'm currently using successfully on
> my private branch of Guix.
>
> What do you think?
Our webkitgtk package is patched in such a way (and more) since commit
b9a4705f80e89fff3b65288cbbe8df73a365aee3.
Thanks,
Maxim