Tell bubblewrap to share the store, and _not_ to share traditional FHS directories that are not used in Guix. Required for programs that use the sandboxing features such as Epiphany. See and . Authors: Jack Hill and Mark H Weaver .
diff --git a/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp b/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp
--- a/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp
+++ b/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp
@@ -749,26 +749,18 @@
 "--ro-bind", "/sys/dev", "/sys/dev",
 "--ro-bind", "/sys/devices", "/sys/devices",
- "--ro-bind-try", "/usr/share", "/usr/share",
- "--ro-bind-try", "/usr/local/share", "/usr/local/share",
 "--ro-bind-try", DATADIR, DATADIR,
- // We only grant access to the libdirs webkit is built with and
- // guess system libdirs. This will always have some edge cases.
- "--ro-bind-try", "/lib", "/lib",
- "--ro-bind-try", "/usr/lib", "/usr/lib",
- "--ro-bind-try", "/usr/local/lib", "/usr/local/lib",
- "--ro-bind-try", LIBDIR, LIBDIR,
- "--ro-bind-try", "/lib64", "/lib64",
- "--ro-bind-try", "/usr/lib64", "/usr/lib64",
- "--ro-bind-try", "/usr/local/lib64", "/usr/local/lib64",
+ // Bind mount the store inside the WebKitGTK sandbox.
+ "--ro-bind", "@storedir@", "@storedir@",
+ // We only grant access to the libdirs webkit is built with.
+ "--ro-bind-try", LIBDIR, LIBDIR,
 "--ro-bind-try", PKGLIBEXECDIR, PKGLIBEXECDIR,
 };
 if (launchOptions.processType == ProcessLauncher::ProcessType::DBusProxy) {
 sandboxArgs.appendVector(Vector({
- "--ro-bind", "/usr/bin", "/usr/bin",
 // This is a lot of access, but xdg-dbus-proxy is trusted so that's OK. It's sandboxed
 // only because we have to mount .flatpak-info in its mount namespace. The user rundir
 // is where we mount our proxy socket.