From: Efraim Flashner
To: Mark H Weaver
Cc: 47628@debbugs.gnu.org
Subject: bug#47628: webkitgtk-2.32.0 fails to launch without /usr/bin
Date: Wed, 14 Apr 2021 18:22:29 +0300

On Tue, Apr 13, 2021 at 03:22:47PM -0400, Mark H Weaver wrote:
> Hi Efraim,
>
> Efraim Flashner writes:
>
> > On Thu, Apr 08, 2021 at 11:07:31AM -0400, Mark H Weaver wrote:
> >> I suspect that the relevant bit that needs to be changed is line 779 of
> >> the following file in the webkitgtk-2.32.0 source code:
> >>
> >>   Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp
> >>
> >> Most likely, that line can simply be deleted. Here's the relevant
> >> excerpt, with line 779 marked by "==>":
> >
> > Looking at the other lines above it, we could just change it from
> > ro-bind to ro-bind-try.
>
> I expect that would work, but why should we give the sandbox access to
> /usr/bin at all? I took a different approach: I removed access to *all*
> of the FHS directories, since they should not be needed for a
> Guix-compiled package.
>
> Below, I've attached the patch that I'm currently using successfully on
> my private branch of Guix.
>
> What do you think?
>

Since we should be linking to any libraries we need anyway and patching
any calls out to other binaries then I suppose this should work. I
suggested ro-bind-try to minimize the patch size.

--
Efraim Flashner אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted
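
The two options discussed in the message above (switching ro-bind to ro-bind-try versus removing the FHS binds altogether) can be compared with a small audit of a bubblewrap argument vector. This is an added example, not part of the original mail and not code from WebKitGTK or Guix; the FHS directory list, the sample argv and the set of existing host paths are assumptions constructed for illustration.

```python
# Added example; FHS_DIRS, SAMPLE and HOST_PATHS are constructed assumptions.
BIND_OPTS = {"--bind", "--ro-bind", "--dev-bind"}   # each takes SRC DEST
TRY_OPTS = {opt + "-try" for opt in BIND_OPTS}      # tolerate a missing SRC
ALL_BINDS = BIND_OPTS | TRY_OPTS
# Assumed list of FHS directories a Guix-built package should not need.
FHS_DIRS = ("/bin", "/sbin", "/lib", "/lib32", "/lib64", "/usr")

def is_fhs(path):
    return any(path == d or path.startswith(d + "/") for d in FHS_DIRS)

def iter_args(argv):
    """Yield (index, width): width 3 for a bind option, otherwise 1."""
    i = 0
    while i < len(argv):
        width = 3 if argv[i] in ALL_BINDS and i + 2 < len(argv) else 1
        yield i, width
        i += width

def audit_binds(argv, exists):
    """Classify every bind whose source lies under an FHS directory."""
    findings = []
    for i, width in iter_args(argv):
        if width == 3 and is_fhs(argv[i + 1]):
            opt, src = argv[i], argv[i + 1]
            if exists(src):
                status = "exposed"   # host directory is visible in the sandbox
            elif opt in TRY_OPTS:
                status = "skipped"   # bwrap omits the mount and carries on
            else:
                status = "fatal"     # bwrap exits: source path not found
            findings.append((opt, src, status))
    return findings

def drop_fhs_binds(argv):
    """Return argv without any bind of an FHS directory."""
    out = []
    for i, width in iter_args(argv):
        if not (width == 3 and is_fhs(argv[i + 1])):
            out.extend(argv[i:i + width])
    return out

# Constructed sample: a host with /gnu/store and /usr/lib but no /usr/bin.
SAMPLE = ["bwrap", "--ro-bind", "/gnu/store", "/gnu/store",
          "--ro-bind", "/usr/bin", "/usr/bin",
          "--ro-bind-try", "/lib64", "/lib64",
          "--ro-bind-try", "/usr/lib", "/usr/lib",
          "--proc", "/proc", "WebKitWebProcess"]
HOST_PATHS = {"/gnu/store", "/usr/lib"}
```

A "-try" bind avoids the launch failure but still exposes the directory wherever it exists on the host, while dropping the binds leaves nothing to report on any host.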