From mboxrd@z Thu Jan  1 00:00:00 1970
From: Jack Hill <jackhill@jackhill.us>
Subject: bug#40837: core-updates: webkitgtk web process sandbox incomplete
Date: Mon, 27 Apr 2020 23:03:52 -0400 (EDT)
Message-ID: <alpine.DEB.2.20.2004272247330.5735@marsh.hcoop.net>
References: <alpine.DEB.2.20.2004242240420.5735@marsh.hcoop.net>
 <171b356d9e2.1154aefce15638.8921669740072490388@zoho.com>
 <alpine.DEB.2.20.2004252059380.5735@marsh.hcoop.net>
 <alpine.DEB.2.20.2004252139570.5735@marsh.hcoop.net>
 <alpine.DEB.2.20.2004252257540.5735@marsh.hcoop.net>
 <alpine.DEB.2.20.2004261638070.5735@marsh.hcoop.net>
 <alpine.DEB.2.20.2004271759320.5735@marsh.hcoop.net>
Mime-Version: 1.0
Content-Type: text/plain; format=flowed; charset=US-ASCII
Return-path: <bug-guix-bounces+gcggb-bug-guix=m.gmane-mx.org@gnu.org>
Received: from eggs.gnu.org ([2001:470:142:3::10]:46762)
 by lists.gnu.org with esmtp (Exim 4.90_1)
 (envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1jTGXY-0002Bd-Ca
 for bug-guix@gnu.org; Mon, 27 Apr 2020 23:04:08 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.90_1)
 (envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1jTGXX-0005Np-PV
 for bug-guix@gnu.org; Mon, 27 Apr 2020 23:04:08 -0400
Received: from debbugs.gnu.org ([209.51.188.43]:55232)
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)
 (Exim 4.90_1) (envelope-from <Debian-debbugs@debbugs.gnu.org>)
 id 1jTGXT-0005Nb-Hk
 for bug-guix@gnu.org; Mon, 27 Apr 2020 23:04:07 -0400
Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2)
 (envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1jTGXS-0007p8-C4
 for bug-guix@gnu.org; Mon, 27 Apr 2020 23:04:02 -0400
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
Resent-Message-ID: <handler.40837.B40837.158804304130067@debbugs.gnu.org>
In-Reply-To: <alpine.DEB.2.20.2004271759320.5735@marsh.hcoop.net>
List-Id: Bug reports for GNU Guix <bug-guix.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/bug-guix>,
 <mailto:bug-guix-request@gnu.org?subject=unsubscribe>
List-Archive: <https://lists.gnu.org/archive/html/bug-guix>
List-Post: <mailto:bug-guix@gnu.org>
List-Help: <mailto:bug-guix-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/bug-guix>,
 <mailto:bug-guix-request@gnu.org?subject=subscribe>
Errors-To: bug-guix-bounces+gcggb-bug-guix=m.gmane-mx.org@gnu.org
Sender: "bug-Guix" <bug-guix-bounces+gcggb-bug-guix=m.gmane-mx.org@gnu.org>
To: 40837 <40837@debbugs.gnu.org>
Cc: sirgazil <sirgazil@zoho.com>

I'm a little bit unstuck now. I found a bubblwrap issue [0], which I 
believe is the one that we're running into.

[0] https://github.com/containers/bubblewrap/issues/195 "Errors when 
--bind used with a symlinked path"

With insight gained there, I've determined that the following simplified 
bwrap invocation succeeds:

"""
$ bwrap  --ro-bind-try /etc/pulse/client.conf /etc/pulse/client.conf 
--ro-bind /gnu /gnu --ro-bind /run/current-system /run/current-system -- 
/run/current-system/profile/bin/bash
"""

while the following invocation fails:

"""
$ bwrap --ro-bind /etc /etc --ro-bind-try /etc/pulse/client.conf 
/etc/pulse/client.conf --ro-bind /gnu /gnu --ro-bind /run/current-system 
/run/current-system -- /run/current-system/profile/bin/bash

bwrap: Can't create file at /etc/pulse/client.conf: No such file or 
directory
"""

The difference between the working and non-working invocations in that in 
the non-working invocation, /etc is already mounted withing the new 
namespace, which includes symlinks at /etc/pulse and 
/etc/pulse/client.conf, and the later mount of the /etc/pulse/client.conf 
symlink causese the problem.

Now to figure out what the solution is, and if it is best fixed in 
webkitgtk or bubblewrap :)

Ideas welcome!

Best,
Jack