* [bug#70446] [PATCH gnome-team] gnu: webkitgtk: Add system locale, dri access, and user profile access to gtk sandbox in order to silence gtk locale warnings and enable hardware accelerated video, respectively.
@ 2024-04-18 2:52 Abhishek Cherath
2024-04-18 3:14 ` [bug#70446] Explanation Abhishek Cherath
` (4 more replies)
0 siblings, 5 replies; 23+ messages in thread
From: Abhishek Cherath @ 2024-04-18 2:52 UTC (permalink / raw)
To: 70446
Cc: Abhishek Cherath, Liliana Marie Prikler, Maxim Cournoyer,
Vivien Kraus
* gnu/packages/patches/webkitgtk-adjust-bubblewrap-paths.patch:
Add @dridir@ and @localedir@ to bubblewrap gtk sandbox
Add ~/.guix-profile to bubblewrap gtk sandbox
* gnu/packages/webkit.scm (webkitgtk)[arguments]: In the
'configure-bubblewrap-store-directory' phase, also supply locale
and dri directory paths to webkitgtk-adjust-bubblewrap-paths.patch
template.
---
.../webkitgtk-adjust-bubblewrap-paths.patch | 28 +++++++++++++++++--
gnu/packages/webkit.scm | 11 +++++++-
2 files changed, 35 insertions(+), 4 deletions(-)
diff --git a/gnu/packages/patches/webkitgtk-adjust-bubblewrap-paths.patch b/gnu/packages/patches/webkitgtk-adjust-bubblewrap-paths.patch
index 18ddb645ad..2b6f54c912 100644
--- a/gnu/packages/patches/webkitgtk-adjust-bubblewrap-paths.patch
+++ b/gnu/packages/patches/webkitgtk-adjust-bubblewrap-paths.patch
@@ -1,11 +1,21 @@
Share /gnu/store in the BubbleWrap container and remove FHS mounts.
+Also share user profile directory.
This is a Guix-specific patch not meant to be upstreamed.
diff --git a/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp b/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp
-index f0a5e4b05dff..88b11f806968 100644
+index 99395d6..3604730 100644
--- a/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp
+++ b/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp
-@@ -854,27 +854,12 @@ GRefPtr<GSubprocess> bubblewrapSpawn(GSubprocessLauncher* launcher, const Proces
+@@ -765,1 +765,1 @@ GRefPtr<GSubprocess> bubblewrapSpawn(GSubprocessLauncher* launcher, const Proces
+ return adoptGRef(g_subprocess_launcher_spawnv(launcher, argv, error));
+
+ const char* runDir = g_get_user_runtime_dir();
++ const char* homeDir = g_get_home_dir();
++ char* profileDir = g_strconcat(homeDir, "/.guix-profile", NULL);
+ Vector<CString> sandboxArgs = {
+ "--die-with-parent",
+ "--unshare-uts",
+@@ -786,28 +788,24 @@ GRefPtr<GSubprocess> bubblewrapSpawn(GSubprocessLauncher* launcher, const Proces
"--ro-bind", "/sys/dev", "/sys/dev",
"--ro-bind", "/sys/devices", "/sys/devices",
@@ -33,6 +43,18 @@ index f0a5e4b05dff..88b11f806968 100644
+
+ // Bind mount the store inside the WebKitGTK sandbox.
+ "--ro-bind", "@storedir@", "@storedir@",
++
++ // Bind mount the guix profile directory
++ "--ro-bind", profileDir, profileDir,
++
++ // This is needed for locales if not in profile
++ "--ro-bind-try", "@localedir@", "@localedir@",
++
++ // This is needed for video hardware acceleration (va-api)
++ // via /lib/dri if not in profile
++ "--ro-bind-try", "@dridir@", "@dridir@",
};
++ free(profileDir);
- if (launchOptions.processType == ProcessLauncher::ProcessType::DBusProxy) {
+ if (enableDebugPermissions()) {
+ const char* dataDir = g_get_user_data_dir();
diff --git a/gnu/packages/webkit.scm b/gnu/packages/webkit.scm
index bf24a65e83..a0d04f31d3 100644
--- a/gnu/packages/webkit.scm
+++ b/gnu/packages/webkit.scm
@@ -8,6 +8,7 @@
;;; Copyright © 2019 Marius Bakke <mbakke@fastmail.com>
;;; Copyright © 2021, 2022, 2023 Maxim Cournoyer <maxim.cournoyer@gmail.com>
;;; Copyright © 2022, 2023 Efraim Flashner <efraim@flashner.co.il>
+;;; Copyright © 2024 Abhishek Cherath <abhi@quic.us>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -190,7 +191,15 @@ (define-public webkitgtk
(let ((store-directory (%store-directory)))
(substitute*
"Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp"
- (("@storedir@") store-directory)))))
+ (("@storedir@") store-directory)
+ ;; this adds access to drivers for va-api
+ ;; for hardware accelerated video
+ (("@dridir@") "/run/current-system/profile/lib/dri")
+ ;; this silences gtk locale errors
+ ;; Unfortunately, simply bind mounting /run/current-system
+ ;; does not work since it leads to weird issues
+ ;; with symlinks that confuse bubblewrap.
+ (("@localedir@") "/run/current-system/locale")))))
(add-after 'unpack 'do-not-disable-new-dtags
;; Ensure the linker uses new dynamic tags as this is what Guix
;; uses and validates in the validate-runpath phase.
base-commit: b05bb6608c7f25ddce6b563194ba5a3007009282
--
2.41.0
^ permalink raw reply related [flat|nested] 23+ messages in thread
* [bug#70446] Explanation
2024-04-18 2:52 [bug#70446] [PATCH gnome-team] gnu: webkitgtk: Add system locale, dri access, and user profile access to gtk sandbox in order to silence gtk locale warnings and enable hardware accelerated video, respectively Abhishek Cherath
@ 2024-04-18 3:14 ` Abhishek Cherath
2024-04-18 4:06 ` [bug#70446] [PATCH v2] gnu: webkitgtk: Add locale and dri access to gtk sandbox in order to silence gtk locale warnings and enable hardware accelerated video, respectively. Adjust bubblewrap wrapper to add user profile Abhishek Cherath
` (3 subsequent siblings)
4 siblings, 0 replies; 23+ messages in thread
From: Abhishek Cherath @ 2024-04-18 3:14 UTC (permalink / raw)
To: 70446
This is to resubmit to gnome-team, along with adding the profile dir, as
recommended in https://issues.guix.gnu.org/69971
^ permalink raw reply [flat|nested] 23+ messages in thread
* [bug#70446] [PATCH v2] gnu: webkitgtk: Add locale and dri access to gtk sandbox in order to silence gtk locale warnings and enable hardware accelerated video, respectively. Adjust bubblewrap wrapper to add user profile.
2024-04-18 2:52 [bug#70446] [PATCH gnome-team] gnu: webkitgtk: Add system locale, dri access, and user profile access to gtk sandbox in order to silence gtk locale warnings and enable hardware accelerated video, respectively Abhishek Cherath
2024-04-18 3:14 ` [bug#70446] Explanation Abhishek Cherath
@ 2024-04-18 4:06 ` Abhishek Cherath
2024-04-19 18:53 ` Liliana Marie Prikler
2024-04-18 5:02 ` [bug#70446] [PATCH gnome-team] gnu: webkitgtk: Add system locale, dri access, and user profile access to gtk sandbox in order to silence gtk locale warnings and enable hardware accelerated video, respectively John Kehayias via Guix-patches via
` (2 subsequent siblings)
4 siblings, 1 reply; 23+ messages in thread
From: Abhishek Cherath @ 2024-04-18 4:06 UTC (permalink / raw)
To: 70446
Cc: Abhishek Cherath, Liliana Marie Prikler, Maxim Cournoyer,
Vivien Kraus
* gnu/packages/patches/webkitgtk-adjust-bubblewrap-paths.patch:
Add @dridir@ and @localedir@ to bubblewrap gtk sandbox
Add ~/.guix-profile to bubblewrap gtk sandbox
* gnu/packages/webkit.scm (webkitgtk)[arguments]: In the
'configure-bubblewrap-store-directory' phase, also supply locale
and dri directory paths to webkitgtk-adjust-bubblewrap-paths.patch
template.
Change-Id: I6be0c473ebaa6c04ebb00a2b4afcae2c89396e4f
---
apparently the space on the second line of the patch is significant,
doesn't apply otherwise
.../webkitgtk-adjust-bubblewrap-paths.patch | 28 +++++++++++++++++--
gnu/packages/webkit.scm | 11 +++++++-
2 files changed, 35 insertions(+), 4 deletions(-)
diff --git a/gnu/packages/patches/webkitgtk-adjust-bubblewrap-paths.patch b/gnu/packages/patches/webkitgtk-adjust-bubblewrap-paths.patch
index 18ddb645ad..c81916279e 100644
--- a/gnu/packages/patches/webkitgtk-adjust-bubblewrap-paths.patch
+++ b/gnu/packages/patches/webkitgtk-adjust-bubblewrap-paths.patch
@@ -1,11 +1,21 @@
Share /gnu/store in the BubbleWrap container and remove FHS mounts.
+Also share user profile directory.
This is a Guix-specific patch not meant to be upstreamed.
diff --git a/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp b/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp
-index f0a5e4b05dff..88b11f806968 100644
+index 99395d6..3604730 100644
--- a/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp
+++ b/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp
-@@ -854,27 +854,12 @@ GRefPtr<GSubprocess> bubblewrapSpawn(GSubprocessLauncher* launcher, const Proces
+@@ -765,6 +765,8 @@ GRefPtr<GSubprocess> bubblewrapSpawn(GSubprocessLauncher* launcher, const Proces
+ return adoptGRef(g_subprocess_launcher_spawnv(launcher, argv, error));
+
+ const char* runDir = g_get_user_runtime_dir();
++ const char* homeDir = g_get_home_dir();
++ char* profileDir = g_strconcat(homeDir, "/.guix-profile", NULL);
+ Vector<CString> sandboxArgs = {
+ "--die-with-parent",
+ "--unshare-uts",
+@@ -786,28 +788,24 @@ GRefPtr<GSubprocess> bubblewrapSpawn(GSubprocessLauncher* launcher, const Proces
"--ro-bind", "/sys/dev", "/sys/dev",
"--ro-bind", "/sys/devices", "/sys/devices",
@@ -33,6 +43,18 @@ index f0a5e4b05dff..88b11f806968 100644
+
+ // Bind mount the store inside the WebKitGTK sandbox.
+ "--ro-bind", "@storedir@", "@storedir@",
++
++ // Bind mount the guix profile directory
++ "--ro-bind", profileDir, profileDir,
++
++ // This is needed for locales if not in profile
++ "--ro-bind-try", "@localedir@", "@localedir@",
++
++ // This is needed for video hardware acceleration (va-api)
++ // via /lib/dri if not in profile
++ "--ro-bind-try", "@dridir@", "@dridir@",
};
++ free(profileDir);
- if (launchOptions.processType == ProcessLauncher::ProcessType::DBusProxy) {
+ if (enableDebugPermissions()) {
+ const char* dataDir = g_get_user_data_dir();
diff --git a/gnu/packages/webkit.scm b/gnu/packages/webkit.scm
index bf24a65e83..a0d04f31d3 100644
--- a/gnu/packages/webkit.scm
+++ b/gnu/packages/webkit.scm
@@ -8,6 +8,7 @@
;;; Copyright © 2019 Marius Bakke <mbakke@fastmail.com>
;;; Copyright © 2021, 2022, 2023 Maxim Cournoyer <maxim.cournoyer@gmail.com>
;;; Copyright © 2022, 2023 Efraim Flashner <efraim@flashner.co.il>
+;;; Copyright © 2024 Abhishek Cherath <abhi@quic.us>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -190,7 +191,15 @@ (define-public webkitgtk
(let ((store-directory (%store-directory)))
(substitute*
"Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp"
- (("@storedir@") store-directory)))))
+ (("@storedir@") store-directory)
+ ;; this adds access to drivers for va-api
+ ;; for hardware accelerated video
+ (("@dridir@") "/run/current-system/profile/lib/dri")
+ ;; this silences gtk locale errors
+ ;; Unfortunately, simply bind mounting /run/current-system
+ ;; does not work since it leads to weird issues
+ ;; with symlinks that confuse bubblewrap.
+ (("@localedir@") "/run/current-system/locale")))))
(add-after 'unpack 'do-not-disable-new-dtags
;; Ensure the linker uses new dynamic tags as this is what Guix
;; uses and validates in the validate-runpath phase.
base-commit: b05bb6608c7f25ddce6b563194ba5a3007009282
--
2.41.0
^ permalink raw reply related [flat|nested] 23+ messages in thread
* [bug#70446] [PATCH gnome-team] gnu: webkitgtk: Add system locale, dri access, and user profile access to gtk sandbox in order to silence gtk locale warnings and enable hardware accelerated video, respectively.
2024-04-18 2:52 [bug#70446] [PATCH gnome-team] gnu: webkitgtk: Add system locale, dri access, and user profile access to gtk sandbox in order to silence gtk locale warnings and enable hardware accelerated video, respectively Abhishek Cherath
2024-04-18 3:14 ` [bug#70446] Explanation Abhishek Cherath
2024-04-18 4:06 ` [bug#70446] [PATCH v2] gnu: webkitgtk: Add locale and dri access to gtk sandbox in order to silence gtk locale warnings and enable hardware accelerated video, respectively. Adjust bubblewrap wrapper to add user profile Abhishek Cherath
@ 2024-04-18 5:02 ` John Kehayias via Guix-patches via
2024-04-18 13:50 ` Abhishek Cherath
2024-04-19 21:55 ` [bug#70446] [PATCH v3] gnu: webkitgtk: Add locale and dri access to gtk sandbox in order to silence gtk locale warnings and enable hardware accelerated video, respectively. Adjust bubblewrap wrapper to add user profile locale and dri directories Abhishek Cherath
2024-04-20 13:44 ` [bug#70446] [PATCH v4] gnu: webkitgtk: Add access to system locale path and to paths from GUIX_LOCPATH, LOCPATH, and LIBVA_DRIVERS_PATH to gtk sandbox in order to silence gtk locale warnings and enable hardware accelerated video Abhishek Cherath
4 siblings, 1 reply; 23+ messages in thread
From: John Kehayias via Guix-patches via @ 2024-04-18 5:02 UTC (permalink / raw)
To: Abhishek Cherath
Cc: Vivien Kraus, Maxim Cournoyer, Liliana Marie Prikler, 70446
On Wed, Apr 17, 2024 at 10:52 PM, Abhishek Cherath wrote:
> * gnu/packages/patches/webkitgtk-adjust-bubblewrap-paths.patch:
> Add @dridir@ and @localedir@ to bubblewrap gtk sandbox
> Add ~/.guix-profile to bubblewrap gtk sandbox
> * gnu/packages/webkit.scm (webkitgtk)[arguments]: In the
> 'configure-bubblewrap-store-directory' phase, also supply locale
> and dri directory paths to webkitgtk-adjust-bubblewrap-paths.patch
> template.
> ---
Perhaps combine with update for security issues as in
https://issues.guix.gnu.org/70404 ?
^ permalink raw reply [flat|nested] 23+ messages in thread
* [bug#70446] [PATCH gnome-team] gnu: webkitgtk: Add system locale, dri access, and user profile access to gtk sandbox in order to silence gtk locale warnings and enable hardware accelerated video, respectively.
2024-04-18 5:02 ` [bug#70446] [PATCH gnome-team] gnu: webkitgtk: Add system locale, dri access, and user profile access to gtk sandbox in order to silence gtk locale warnings and enable hardware accelerated video, respectively John Kehayias via Guix-patches via
@ 2024-04-18 13:50 ` Abhishek Cherath
2024-04-19 15:24 ` Maxim Cournoyer
0 siblings, 1 reply; 23+ messages in thread
From: Abhishek Cherath @ 2024-04-18 13:50 UTC (permalink / raw)
To: John Kehayias; +Cc: Vivien Kraus, Maxim Cournoyer, Liliana Marie Prikler, 70446
> Perhaps combine with update for security issues as in
> https://issues.guix.gnu.org/70404 ?
In this patch?
^ permalink raw reply [flat|nested] 23+ messages in thread
* [bug#70446] [PATCH gnome-team] gnu: webkitgtk: Add system locale, dri access, and user profile access to gtk sandbox in order to silence gtk locale warnings and enable hardware accelerated video, respectively.
2024-04-18 13:50 ` Abhishek Cherath
@ 2024-04-19 15:24 ` Maxim Cournoyer
0 siblings, 0 replies; 23+ messages in thread
From: Maxim Cournoyer @ 2024-04-19 15:24 UTC (permalink / raw)
To: Abhishek Cherath
Cc: John Kehayias, Vivien Kraus, Liliana Marie Prikler, 70446
Hi,
Abhishek Cherath <abhi@quic.us> writes:
>> Perhaps combine with update for security issues as in
>> https://issues.guix.gnu.org/70404 ?
>
> In this patch?
No, patches should remain separated, but I think John meant combining as
in merging at the same time, to avoid large rebuilds twice.
--
Thanks,
Maxim
^ permalink raw reply [flat|nested] 23+ messages in thread
* [bug#70446] [PATCH v2] gnu: webkitgtk: Add locale and dri access to gtk sandbox in order to silence gtk locale warnings and enable hardware accelerated video, respectively. Adjust bubblewrap wrapper to add user profile.
2024-04-18 4:06 ` [bug#70446] [PATCH v2] gnu: webkitgtk: Add locale and dri access to gtk sandbox in order to silence gtk locale warnings and enable hardware accelerated video, respectively. Adjust bubblewrap wrapper to add user profile Abhishek Cherath
@ 2024-04-19 18:53 ` Liliana Marie Prikler
2024-04-19 20:24 ` Abhishek Cherath
0 siblings, 1 reply; 23+ messages in thread
From: Liliana Marie Prikler @ 2024-04-19 18:53 UTC (permalink / raw)
To: Abhishek Cherath, 70446; +Cc: Vivien Kraus, Maxim Cournoyer
Am Donnerstag, dem 18.04.2024 um 00:06 -0400 schrieb Abhishek Cherath:
> * gnu/packages/patches/webkitgtk-adjust-bubblewrap-paths.patch:
> Add @dridir@ and @localedir@ to bubblewrap gtk sandbox
> Add ~/.guix-profile to bubblewrap gtk sandbox
> * gnu/packages/webkit.scm (webkitgtk)[arguments]: In the
> 'configure-bubblewrap-store-directory' phase, also supply locale
> and dri directory paths to webkitgtk-adjust-bubblewrap-paths.patch
> template.
>
> Change-Id: I6be0c473ebaa6c04ebb00a2b4afcae2c89396e4f
> ---
> apparently the space on the second line of the patch is significant,
> doesn't apply otherwise
Wrapping the entire user profile looks evil. Why?
^ permalink raw reply [flat|nested] 23+ messages in thread
* [bug#70446] [PATCH v2] gnu: webkitgtk: Add locale and dri access to gtk sandbox in order to silence gtk locale warnings and enable hardware accelerated video, respectively. Adjust bubblewrap wrapper to add user profile.
2024-04-19 18:53 ` Liliana Marie Prikler
@ 2024-04-19 20:24 ` Abhishek Cherath
2024-04-19 20:33 ` Abhishek Cherath
2024-04-19 21:19 ` Liliana Marie Prikler
0 siblings, 2 replies; 23+ messages in thread
From: Abhishek Cherath @ 2024-04-19 20:24 UTC (permalink / raw)
To: Liliana Marie Prikler, 70446; +Cc: Vivien Kraus, Maxim Cournoyer
Could just add the locale and dri dir, but afaik the user profile is just stuff in the store, right? And the thing has access to the whole store anyhow, so no change, right?
^ permalink raw reply [flat|nested] 23+ messages in thread
* [bug#70446] [PATCH v2] gnu: webkitgtk: Add locale and dri access to gtk sandbox in order to silence gtk locale warnings and enable hardware accelerated video, respectively. Adjust bubblewrap wrapper to add user profile.
2024-04-19 20:24 ` Abhishek Cherath
@ 2024-04-19 20:33 ` Abhishek Cherath
2024-04-19 21:19 ` Liliana Marie Prikler
1 sibling, 0 replies; 23+ messages in thread
From: Abhishek Cherath @ 2024-04-19 20:33 UTC (permalink / raw)
To: Liliana Marie Prikler, 70446; +Cc: Vivien Kraus, Maxim Cournoyer
Will say, I thought it was kinda odd to begin with that it has access to the whole store, though.
On 19 April 2024 4:24:56 pm GMT-04:00, Abhishek Cherath <abhi@quic.us> wrote:
>Could just add the locale and dri dir, but afaik the user profile is just stuff in the store, right? And the thing has access to the whole store anyhow, so no change, right?
^ permalink raw reply [flat|nested] 23+ messages in thread
* [bug#70446] [PATCH v2] gnu: webkitgtk: Add locale and dri access to gtk sandbox in order to silence gtk locale warnings and enable hardware accelerated video, respectively. Adjust bubblewrap wrapper to add user profile.
2024-04-19 20:24 ` Abhishek Cherath
2024-04-19 20:33 ` Abhishek Cherath
@ 2024-04-19 21:19 ` Liliana Marie Prikler
2024-04-19 21:59 ` Abhishek Cherath
1 sibling, 1 reply; 23+ messages in thread
From: Liliana Marie Prikler @ 2024-04-19 21:19 UTC (permalink / raw)
To: Abhishek Cherath, 70446; +Cc: Vivien Kraus, Maxim Cournoyer
Am Freitag, dem 19.04.2024 um 16:24 -0400 schrieb Abhishek Cherath:
> Could just add the locale and dri dir, but afaik the user profile is
> just stuff in the store, right? And the thing has access to the whole
> store anyhow, so no change, right?
The user dir *is* just stuff in the store, but it is particularly stuff
in the store that's linked to the currently logged-in user. That is,
you're giving the sandbox extra information by exposing it, and I don't
think it'd be solely (or even largely) useful for beneficial purposes.
Cheers
^ permalink raw reply [flat|nested] 23+ messages in thread
* [bug#70446] [PATCH v3] gnu: webkitgtk: Add locale and dri access to gtk sandbox in order to silence gtk locale warnings and enable hardware accelerated video, respectively. Adjust bubblewrap wrapper to add user profile locale and dri directories.
2024-04-18 2:52 [bug#70446] [PATCH gnome-team] gnu: webkitgtk: Add system locale, dri access, and user profile access to gtk sandbox in order to silence gtk locale warnings and enable hardware accelerated video, respectively Abhishek Cherath
` (2 preceding siblings ...)
2024-04-18 5:02 ` [bug#70446] [PATCH gnome-team] gnu: webkitgtk: Add system locale, dri access, and user profile access to gtk sandbox in order to silence gtk locale warnings and enable hardware accelerated video, respectively John Kehayias via Guix-patches via
@ 2024-04-19 21:55 ` Abhishek Cherath
2024-04-19 22:43 ` Liliana Marie Prikler
2024-04-20 13:44 ` [bug#70446] [PATCH v4] gnu: webkitgtk: Add access to system locale path and to paths from GUIX_LOCPATH, LOCPATH, and LIBVA_DRIVERS_PATH to gtk sandbox in order to silence gtk locale warnings and enable hardware accelerated video Abhishek Cherath
4 siblings, 1 reply; 23+ messages in thread
From: Abhishek Cherath @ 2024-04-19 21:55 UTC (permalink / raw)
To: 70446
Cc: Abhishek Cherath, Liliana Marie Prikler, Maxim Cournoyer,
Vivien Kraus
* gnu/packages/patches/webkitgtk-adjust-bubblewrap-paths.patch:
Add @dridir@ and @localedir@ to bubblewrap gtk sandbox
Add ~/.guix-profile/lib/dri and ~/.guix-profile/share/locale
to bubblewrap gtk sandbox.
* gnu/packages/webkit.scm (webkitgtk)[arguments]: In the
'configure-bubblewrap-store-directory' phase, also supply locale
and dri directory paths to webkitgtk-adjust-bubblewrap-paths.patch
template.
Change-Id: I6be0c473ebaa6c04ebb00a2b4afcae2c89396e4f
---
Only shares user profile locale and dri folders.
.../webkitgtk-adjust-bubblewrap-paths.patch | 33 +++++++++++++++++--
gnu/packages/webkit.scm | 11 ++++++-
2 files changed, 40 insertions(+), 4 deletions(-)
diff --git a/gnu/packages/patches/webkitgtk-adjust-bubblewrap-paths.patch b/gnu/packages/patches/webkitgtk-adjust-bubblewrap-paths.patch
index 18ddb645ad..0cf1498b92 100644
--- a/gnu/packages/patches/webkitgtk-adjust-bubblewrap-paths.patch
+++ b/gnu/packages/patches/webkitgtk-adjust-bubblewrap-paths.patch
@@ -1,11 +1,22 @@
Share /gnu/store in the BubbleWrap container and remove FHS mounts.
+Also share locale and dri directories (user and system.)
This is a Guix-specific patch not meant to be upstreamed.
diff --git a/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp b/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp
-index f0a5e4b05dff..88b11f806968 100644
+index 99395d6..3604730 100644
--- a/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp
+++ b/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp
-@@ -854,27 +854,12 @@ GRefPtr<GSubprocess> bubblewrapSpawn(GSubprocessLauncher* launcher, const Proces
+@@ -765,6 +765,9 @@ GRefPtr<GSubprocess> bubblewrapSpawn(GSubprocessLauncher* launcher, const Proces
+ return adoptGRef(g_subprocess_launcher_spawnv(launcher, argv, error));
+
+ const char* runDir = g_get_user_runtime_dir();
++ const char* homeDir = g_get_home_dir();
++ char* userDriDir = g_strconcat(homeDir, "/.guix-profile/lib/dri", NULL);
++ char* userLocaleDir = g_strconcat(homeDir, "/.guix-profile/share/locale", NULL);
+ Vector<CString> sandboxArgs = {
+ "--die-with-parent",
+ "--unshare-uts",
+@@ -786,28 +788,28 @@ GRefPtr<GSubprocess> bubblewrapSpawn(GSubprocessLauncher* launcher, const Proces
"--ro-bind", "/sys/dev", "/sys/dev",
"--ro-bind", "/sys/devices", "/sys/devices",
@@ -33,6 +44,22 @@ index f0a5e4b05dff..88b11f806968 100644
+
+ // Bind mount the store inside the WebKitGTK sandbox.
+ "--ro-bind", "@storedir@", "@storedir@",
++
++ // Bind mount the locales in profile
++ "--ro-bind-try", userLocaleDir, userLocaleDir,
++
++ // Bind mount the dri dir in profile
++ "--ro-bind-try", userDriDir, userDriDir,
++
++ // This is needed for locales if not in profile
++ "--ro-bind-try", "@localedir@", "@localedir@",
++
++ // This is needed for video hardware acceleration (va-api)
++ // via /lib/dri if not in profile
++ "--ro-bind-try", "@dridir@", "@dridir@",
};
++ free(userLocaleDir);
++ free(userDriDir);
- if (launchOptions.processType == ProcessLauncher::ProcessType::DBusProxy) {
+ if (enableDebugPermissions()) {
+ const char* dataDir = g_get_user_data_dir();
diff --git a/gnu/packages/webkit.scm b/gnu/packages/webkit.scm
index bf24a65e83..a0d04f31d3 100644
--- a/gnu/packages/webkit.scm
+++ b/gnu/packages/webkit.scm
@@ -8,6 +8,7 @@
;;; Copyright © 2019 Marius Bakke <mbakke@fastmail.com>
;;; Copyright © 2021, 2022, 2023 Maxim Cournoyer <maxim.cournoyer@gmail.com>
;;; Copyright © 2022, 2023 Efraim Flashner <efraim@flashner.co.il>
+;;; Copyright © 2024 Abhishek Cherath <abhi@quic.us>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -190,7 +191,15 @@ (define-public webkitgtk
(let ((store-directory (%store-directory)))
(substitute*
"Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp"
- (("@storedir@") store-directory)))))
+ (("@storedir@") store-directory)
+ ;; this adds access to drivers for va-api
+ ;; for hardware accelerated video
+ (("@dridir@") "/run/current-system/profile/lib/dri")
+ ;; this silences gtk locale errors
+ ;; Unfortunately, simply bind mounting /run/current-system
+ ;; does not work since it leads to weird issues
+ ;; with symlinks that confuse bubblewrap.
+ (("@localedir@") "/run/current-system/locale")))))
(add-after 'unpack 'do-not-disable-new-dtags
;; Ensure the linker uses new dynamic tags as this is what Guix
;; uses and validates in the validate-runpath phase.
base-commit: b05bb6608c7f25ddce6b563194ba5a3007009282
--
2.41.0
^ permalink raw reply related [flat|nested] 23+ messages in thread
* [bug#70446] [PATCH v2] gnu: webkitgtk: Add locale and dri access to gtk sandbox in order to silence gtk locale warnings and enable hardware accelerated video, respectively. Adjust bubblewrap wrapper to add user profile.
2024-04-19 21:19 ` Liliana Marie Prikler
@ 2024-04-19 21:59 ` Abhishek Cherath
0 siblings, 0 replies; 23+ messages in thread
From: Abhishek Cherath @ 2024-04-19 21:59 UTC (permalink / raw)
To: Liliana Marie Prikler, 70446; +Cc: Vivien Kraus, Maxim Cournoyer
That makes sense. I've modified the patch and sent a v3.
I only used the profile path instead of the specific paths because it's the first thing I got working, and I figured there wasn't really anything sensitive in the profile anyway.
^ permalink raw reply [flat|nested] 23+ messages in thread
* [bug#70446] [PATCH v3] gnu: webkitgtk: Add locale and dri access to gtk sandbox in order to silence gtk locale warnings and enable hardware accelerated video, respectively. Adjust bubblewrap wrapper to add user profile locale and dri directories.
2024-04-19 21:55 ` [bug#70446] [PATCH v3] gnu: webkitgtk: Add locale and dri access to gtk sandbox in order to silence gtk locale warnings and enable hardware accelerated video, respectively. Adjust bubblewrap wrapper to add user profile locale and dri directories Abhishek Cherath
@ 2024-04-19 22:43 ` Liliana Marie Prikler
2024-04-20 0:22 ` Abhishek Cherath
0 siblings, 1 reply; 23+ messages in thread
From: Liliana Marie Prikler @ 2024-04-19 22:43 UTC (permalink / raw)
To: Abhishek Cherath, 70446; +Cc: Vivien Kraus, Maxim Cournoyer
Am Freitag, dem 19.04.2024 um 17:55 -0400 schrieb Abhishek Cherath:
> * gnu/packages/patches/webkitgtk-adjust-bubblewrap-paths.patch:
> Add @dridir@ and @localedir@ to bubblewrap gtk sandbox
> Add ~/.guix-profile/lib/dri and ~/.guix-profile/share/locale
> to bubblewrap gtk sandbox.
>
> * gnu/packages/webkit.scm (webkitgtk)[arguments]: In the
> 'configure-bubblewrap-store-directory' phase, also supply locale
> and dri directory paths to webkitgtk-adjust-bubblewrap-paths.patch
> template.
>
> Change-Id: I6be0c473ebaa6c04ebb00a2b4afcae2c89396e4f
> ---
> Only shares user profile locale and dri folders.
>
> .../webkitgtk-adjust-bubblewrap-paths.patch | 33
> +++++++++++++++++--
> gnu/packages/webkit.scm | 11 ++++++-
> 2 files changed, 40 insertions(+), 4 deletions(-)
>
> diff --git a/gnu/packages/patches/webkitgtk-adjust-bubblewrap-
> paths.patch b/gnu/packages/patches/webkitgtk-adjust-bubblewrap-
> paths.patch
> index 18ddb645ad..0cf1498b92 100644
> --- a/gnu/packages/patches/webkitgtk-adjust-bubblewrap-paths.patch
> +++ b/gnu/packages/patches/webkitgtk-adjust-bubblewrap-paths.patch
> @@ -1,11 +1,22 @@
> Share /gnu/store in the BubbleWrap container and remove FHS mounts.
> +Also share locale and dri directories (user and system.)
>
> This is a Guix-specific patch not meant to be upstreamed.
> diff --git
> a/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp
> b/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp
> -index f0a5e4b05dff..88b11f806968 100644
> +index 99395d6..3604730 100644
> --- a/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp
> +++ b/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp
> -@@ -854,27 +854,12 @@ GRefPtr<GSubprocess>
> bubblewrapSpawn(GSubprocessLauncher* launcher, const Proces
> +@@ -765,6 +765,9 @@ GRefPtr<GSubprocess>
> bubblewrapSpawn(GSubprocessLauncher* launcher, const Proces
> + return adoptGRef(g_subprocess_launcher_spawnv(launcher,
> argv, error));
> +
> + const char* runDir = g_get_user_runtime_dir();
> ++ const char* homeDir = g_get_home_dir();
> ++ char* userDriDir = g_strconcat(homeDir, "/.guix-
> profile/lib/dri", NULL);
> ++ char* userLocaleDir = g_strconcat(homeDir, "/.guix-
> profile/share/locale", NULL);
> + Vector<CString> sandboxArgs = {
> + "--die-with-parent",
> + "--unshare-uts",
> +@@ -786,28 +788,28 @@ GRefPtr<GSubprocess>
> bubblewrapSpawn(GSubprocessLauncher* launcher, const Proces
> "--ro-bind", "/sys/dev", "/sys/dev",
> "--ro-bind", "/sys/devices", "/sys/devices",
>
> @@ -33,6 +44,22 @@ index f0a5e4b05dff..88b11f806968 100644
> +
> + // Bind mount the store inside the WebKitGTK sandbox.
> + "--ro-bind", "@storedir@", "@storedir@",
> ++
> ++ // Bind mount the locales in profile
> ++ "--ro-bind-try", userLocaleDir, userLocaleDir,
> ++
> ++ // Bind mount the dri dir in profile
> ++ "--ro-bind-try", userDriDir, userDriDir,
For reference, why are these two needed here? Can't we do this with
the locales and drivers referenced below? Should we perhaps expand
GUIX_LOCPATH here?
> ++
> ++ // This is needed for locales if not in profile
> ++ "--ro-bind-try", "@localedir@", "@localedir@",
> ++
> ++ // This is needed for video hardware acceleration (va-api)
> ++ // via /lib/dri if not in profile
> ++ "--ro-bind-try", "@dridir@", "@dridir@",
> };
> ++ free(userLocaleDir);
> ++ free(userDriDir);
>
> - if (launchOptions.processType ==
> ProcessLauncher::ProcessType::DBusProxy) {
> + if (enableDebugPermissions()) {
> + const char* dataDir = g_get_user_data_dir();
> diff --git a/gnu/packages/webkit.scm b/gnu/packages/webkit.scm
> index bf24a65e83..a0d04f31d3 100644
> --- a/gnu/packages/webkit.scm
> +++ b/gnu/packages/webkit.scm
> @@ -8,6 +8,7 @@
> ;;; Copyright © 2019 Marius Bakke <mbakke@fastmail.com>
> ;;; Copyright © 2021, 2022, 2023 Maxim Cournoyer
> <maxim.cournoyer@gmail.com>
> ;;; Copyright © 2022, 2023 Efraim Flashner <efraim@flashner.co.il>
> +;;; Copyright © 2024 Abhishek Cherath <abhi@quic.us>
> ;;;
> ;;; This file is part of GNU Guix.
> ;;;
> @@ -190,7 +191,15 @@ (define-public webkitgtk
> (let ((store-directory (%store-directory)))
> (substitute*
>
> "Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp"
> - (("@storedir@") store-directory)))))
> + (("@storedir@") store-directory)
> + ;; this adds access to drivers for va-api
> + ;; for hardware accelerated video
> + (("@dridir@") "/run/current-
> system/profile/lib/dri")
> + ;; this silences gtk locale errors
> + ;; Unfortunately, simply bind mounting
> /run/current-system
> + ;; does not work since it leads to weird issues
> + ;; with symlinks that confuse bubblewrap.
> + (("@localedir@") "/run/current-system/locale")))))
> (add-after 'unpack 'do-not-disable-new-dtags
> ;; Ensure the linker uses new dynamic tags as this is
> what Guix
> ;; uses and validates in the validate-runpath phase.
>
> base-commit: b05bb6608c7f25ddce6b563194ba5a3007009282
Note that any item you add here which references the user home will
fail to be loaded correctly when using `guix shell' in a way that hides
it; or even just using `guix shell' normally with a user who doesn't
have the hardware-accelerated drivers in their home. For system paths,
this is somewhat different, since we can more or less expect them to
exist and mirror the layout of other distros to some extent.
Cheers
^ permalink raw reply [flat|nested] 23+ messages in thread
* [bug#70446] [PATCH v3] gnu: webkitgtk: Add locale and dri access to gtk sandbox in order to silence gtk locale warnings and enable hardware accelerated video, respectively. Adjust bubblewrap wrapper to add user profile locale and dri directories.
2024-04-19 22:43 ` Liliana Marie Prikler
@ 2024-04-20 0:22 ` Abhishek Cherath
2024-04-20 0:40 ` Liliana Marie Prikler
0 siblings, 1 reply; 23+ messages in thread
From: Abhishek Cherath @ 2024-04-20 0:22 UTC (permalink / raw)
To: Liliana Marie Prikler; +Cc: Vivien Kraus, Maxim Cournoyer, 70446
Hello,
>> ++ "--ro-bind-try", userLocaleDir, userLocaleDir,
>> ++
>> ++ // Bind mount the dri dir in profile
>> ++ "--ro-bind-try", userDriDir, userDriDir,
> For reference, why are these two needed here? Can't we do this with
> the locales and drivers referenced below? Should we perhaps expand
> GUIX_LOCPATH here?
Initially, I only had the system paths below those. I added these
so that people could have hardware accel by only installing the required
drivers in their local profiles (as recommended in 69971, unless I
entirely misunderstood)
I'm afraid I don't really know what adding stuff to GUIX_LOCPATH would
do. That's for foreign distros, correct? To reiterate, The locale
problem here is that the bubblewrapped process doesn't have access to
the locales, without which it throws warnings.
> Note that any item you add here which references the user home will
> fail to be loaded correctly when using `guix shell' in a way that hides
> it; or even just using `guix shell' normally with a user who doesn't
> have the hardware-accelerated drivers in their home. For system paths,
> this is somewhat different, since we can more or less expect them to
> exist and mirror the layout of other distros to some extent.
Hmm, since it's in an ro-bind-try, that'll cause the drivers not to
work, and fall back to trying the system drivers. Is there a better
solution you could recommend?
Yours sincerely,
Abhishek Cherath.
^ permalink raw reply [flat|nested] 23+ messages in thread
* [bug#70446] [PATCH v3] gnu: webkitgtk: Add locale and dri access to gtk sandbox in order to silence gtk locale warnings and enable hardware accelerated video, respectively. Adjust bubblewrap wrapper to add user profile locale and dri directories.
2024-04-20 0:22 ` Abhishek Cherath
@ 2024-04-20 0:40 ` Liliana Marie Prikler
2024-04-20 1:52 ` Abhishek Cherath
0 siblings, 1 reply; 23+ messages in thread
From: Liliana Marie Prikler @ 2024-04-20 0:40 UTC (permalink / raw)
To: Abhishek Cherath; +Cc: Vivien Kraus, Maxim Cournoyer, 70446
Am Freitag, dem 19.04.2024 um 20:22 -0400 schrieb Abhishek Cherath:
> Hello,
>
> > > ++ "--ro-bind-try", userLocaleDir, userLocaleDir,
> > > ++
> > > ++ // Bind mount the dri dir in profile
> > > ++ "--ro-bind-try", userDriDir, userDriDir,
> > For reference, why are these two needed here? Can't we do this
> > with the locales and drivers referenced below? Should we perhaps
> > expand GUIX_LOCPATH here?
>
> Initially, I only had the system paths below those. I added these
> so that people could have hardware accel by only installing the
> required drivers in their local profiles (as recommended in 69971,
> unless I entirely misunderstood)
Ah, yes, Maxim did mention this, but yeah, non-static paths are NG
(nogood) here. There really is no reason that those paths ought to
exist or be useful in a container, for example.
> I'm afraid I don't really know what adding stuff to GUIX_LOCPATH
> would do. That's for foreign distros, correct? To reiterate, The
> locale problem here is that the bubblewrapped process doesn't have
> access to the locales, without which it throws warnings.
Adding stuff *from* GUIX_LOCPATH, the idea being that this is where we
already advocate locales be put.
> > Note that any item you add here which references the user home will
> > fail to be loaded correctly when using `guix shell' in a way that
> > hides it; or even just using `guix shell' normally with a user who
> > doesn't have the hardware-accelerated drivers in their home. For
> > system paths, this is somewhat different, since we can more or less
> > expect them to exist and mirror the layout of other distros to some
> > extent.
>
> Hmm, since it's in an ro-bind-try, that'll cause the drivers not to
> work, and fall back to trying the system drivers. Is there a better
> solution you could recommend?
Unless a hard dependency on Mesa is appropriate (which we'd have to
confirm), I think just rolling with the system ones is okay.
Cheers
^ permalink raw reply [flat|nested] 23+ messages in thread
* [bug#70446] [PATCH v3] gnu: webkitgtk: Add locale and dri access to gtk sandbox in order to silence gtk locale warnings and enable hardware accelerated video, respectively. Adjust bubblewrap wrapper to add user profile locale and dri directories.
2024-04-20 0:40 ` Liliana Marie Prikler
@ 2024-04-20 1:52 ` Abhishek Cherath
2024-04-20 2:51 ` Liliana Marie Prikler
2024-04-20 21:39 ` Maxim Cournoyer
0 siblings, 2 replies; 23+ messages in thread
From: Abhishek Cherath @ 2024-04-20 1:52 UTC (permalink / raw)
To: Liliana Marie Prikler; +Cc: Vivien Kraus, Maxim Cournoyer, 70446
Hello,
Liliana Marie Prikler <liliana.prikler@gmail.com> writes:
>> Initially, I only had the system paths below those. I added these
>> so that people could have hardware accel by only installing the
>> required drivers in their local profiles (as recommended in 69971,
>> unless I entirely misunderstood)
> Ah, yes, Maxim did mention this, but yeah, non-static paths are NG
> (nogood) here. There really is no reason that those paths ought to
> exist or be useful in a container, for example.
>
Gotcha.
>> I'm afraid I don't really know what adding stuff to GUIX_LOCPATH
>> would do. That's for foreign distros, correct? To reiterate, The
>> locale problem here is that the bubblewrapped process doesn't have
>> access to the locales, without which it throws warnings.
> Adding stuff *from* GUIX_LOCPATH, the idea being that this is where we
> already advocate locales be put.
I see, so something along these lines?
```C
const char* guixLocPath = g_getenv("GUIX_LOCPATH");
char** locPaths = NULL;
if (guixLocPath != NULL) {
locPaths = g_strsplit(guixLocPath,':', 4096);
for (int i = 0; i < g_strv_length(locPaths); i++) {
sandboxArgs.appendVector(Vector<CString>({
"--ro-bind", *locPaths[i], *locPaths[i]
}));
}
g_strfreev(locPaths);
}
```
>> > Note that any item you add here which references the user home will
>> > fail to be loaded correctly when using `guix shell' in a way that
>> > hides it; or even just using `guix shell' normally with a user who
>> > doesn't have the hardware-accelerated drivers in their home. For
>> > system paths, this is somewhat different, since we can more or less
>> > expect them to exist and mirror the layout of other distros to some
>> > extent.
>>
>> Hmm, since it's in an ro-bind-try, that'll cause the drivers not to
>> work, and fall back to trying the system drivers. Is there a better
>> solution you could recommend?
> Unless a hard dependency on Mesa is appropriate (which we'd have to
> confirm), I think just rolling with the system ones is okay.
Sounds good to me! Will send v4 with just that.
^ permalink raw reply [flat|nested] 23+ messages in thread
* [bug#70446] [PATCH v3] gnu: webkitgtk: Add locale and dri access to gtk sandbox in order to silence gtk locale warnings and enable hardware accelerated video, respectively. Adjust bubblewrap wrapper to add user profile locale and dri directories.
2024-04-20 1:52 ` Abhishek Cherath
@ 2024-04-20 2:51 ` Liliana Marie Prikler
2024-04-20 21:39 ` Maxim Cournoyer
1 sibling, 0 replies; 23+ messages in thread
From: Liliana Marie Prikler @ 2024-04-20 2:51 UTC (permalink / raw)
To: Abhishek Cherath; +Cc: Vivien Kraus, Maxim Cournoyer, 70446
Am Freitag, dem 19.04.2024 um 21:52 -0400 schrieb Abhishek Cherath:
>
> Hello,
>
> Liliana Marie Prikler <liliana.prikler@gmail.com> writes:
>
> > > Initially, I only had the system paths below those. I added these
> > > so that people could have hardware accel by only installing the
> > > required drivers in their local profiles (as recommended in
> > > 69971,
> > > unless I entirely misunderstood)
> > Ah, yes, Maxim did mention this, but yeah, non-static paths are NG
> > (nogood) here. There really is no reason that those paths ought to
> > exist or be useful in a container, for example.
> >
>
> Gotcha.
>
> > > I'm afraid I don't really know what adding stuff to GUIX_LOCPATH
> > > would do. That's for foreign distros, correct? To reiterate, The
> > > locale problem here is that the bubblewrapped process doesn't
> > > have
> > > access to the locales, without which it throws warnings.
> > Adding stuff *from* GUIX_LOCPATH, the idea being that this is where
> > we already advocate locales be put.
>
> I see, so something along these lines?
> ```C
> const char* guixLocPath = g_getenv("GUIX_LOCPATH");
> char** locPaths = NULL;
> if (guixLocPath != NULL) {
> locPaths = g_strsplit(guixLocPath,':', 4096);
> for (int i = 0; i < g_strv_length(locPaths); i++) {
> sandboxArgs.appendVector(Vector<CString>({
> "--ro-bind", *locPaths[i], *locPaths[i]
> }));
> }
> g_strfreev(locPaths);
> }
> ```
You can (and arguably should) use C++ semantics, and should not attempt
to hardcode any magic numbers here. Historically, there used to be
more patches to deal with e.g. fonts, try to check if a procedure by
the name "bindIfExists" can still be found in the Webkit source.
Cheers
^ permalink raw reply [flat|nested] 23+ messages in thread
* [bug#70446] [PATCH v4] gnu: webkitgtk: Add access to system locale path and to paths from GUIX_LOCPATH, LOCPATH, and LIBVA_DRIVERS_PATH to gtk sandbox in order to silence gtk locale warnings and enable hardware accelerated video.
2024-04-18 2:52 [bug#70446] [PATCH gnome-team] gnu: webkitgtk: Add system locale, dri access, and user profile access to gtk sandbox in order to silence gtk locale warnings and enable hardware accelerated video, respectively Abhishek Cherath
` (3 preceding siblings ...)
2024-04-19 21:55 ` [bug#70446] [PATCH v3] gnu: webkitgtk: Add locale and dri access to gtk sandbox in order to silence gtk locale warnings and enable hardware accelerated video, respectively. Adjust bubblewrap wrapper to add user profile locale and dri directories Abhishek Cherath
@ 2024-04-20 13:44 ` Abhishek Cherath
2024-04-20 14:59 ` Liliana Marie Prikler
4 siblings, 1 reply; 23+ messages in thread
From: Abhishek Cherath @ 2024-04-20 13:44 UTC (permalink / raw)
To: 70446
Cc: Abhishek Cherath, Liliana Marie Prikler, Maxim Cournoyer,
Vivien Kraus
* gnu/packages/patches/webkitgtk-adjust-bubblewrap-paths.patch:
Add @dridir@ and @localedir@ to bubblewrap gtk sandbox
Add paths from GUIX_LOCPATH, LOCPATH, and LIBVA_DRIVERS_PATH
to bubblewrap gtk sandbox.
* gnu/packages/webkit.scm (webkitgtk)[arguments]: In the
'configure-bubblewrap-store-directory' phase, also supply system locale to
webkitgtk-adjust-bubblewrap-paths.patch template.
Change-Id: I6be0c473ebaa6c04ebb00a2b4afcae2c89396e4f
---
Thanks @LillianaPrikler@gmail.com for all the help :D, I thought about
this a bit more and looked at all the utility stuff in
BubblewrapLauncher.cpp. I realized that the correct thing to do here
is to simply mount the LIBVA_DRIVERS_PATH paths. I'm wondering if this
shouldn't be part of the gstreamer default mounts even upstream? along
with the LOCPATH mount.
.../patches/webkitgtk-adjust-bubblewrap-paths.patch | 13 ++++++++++++-
gnu/packages/webkit.scm | 8 +++++++-
2 files changed, 19 insertions(+), 2 deletions(-)
diff --git a/gnu/packages/patches/webkitgtk-adjust-bubblewrap-paths.patch b/gnu/packages/patches/webkitgtk-adjust-bubblewrap-paths.patch
index 18ddb645ad..4195aca388 100644
--- a/gnu/packages/patches/webkitgtk-adjust-bubblewrap-paths.patch
+++ b/gnu/packages/patches/webkitgtk-adjust-bubblewrap-paths.patch
@@ -1,11 +1,13 @@
Share /gnu/store in the BubbleWrap container and remove FHS mounts.
+Also share system locale directory and paths in LOCPATH, GUIX_LOCPATH,
+and LIBVA_DRIVERS_PATH
This is a Guix-specific patch not meant to be upstreamed.
diff --git a/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp b/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp
index f0a5e4b05dff..88b11f806968 100644
--- a/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp
+++ b/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp
-@@ -854,27 +854,12 @@ GRefPtr<GSubprocess> bubblewrapSpawn(GSubprocessLauncher* launcher, const Proces
+@@ -854,27 +854,21 @@ GRefPtr<GSubprocess> bubblewrapSpawn(GSubprocessLauncher* launcher, const Proces
"--ro-bind", "/sys/dev", "/sys/dev",
"--ro-bind", "/sys/devices", "/sys/devices",
@@ -33,6 +35,15 @@ index f0a5e4b05dff..88b11f806968 100644
+
+ // Bind mount the store inside the WebKitGTK sandbox.
+ "--ro-bind", "@storedir@", "@storedir@",
++
++ // This is needed for system locales
++ "--ro-bind-try", "@localedir@", "@localedir@",
};
++ // User specified locale directory
++ bindPathVar(sandboxArgs, "LOCPATH");
++ // Locales in case of foreign system.
++ bindPathVar(sandboxArgs, "GUIX_LOCPATH");
++ // Drivers for video hardware acceleration (va-api)
++ bindPathVar(sandboxArgs, "LIBVA_DRIVERS_PATH");
if (launchOptions.processType == ProcessLauncher::ProcessType::DBusProxy) {
diff --git a/gnu/packages/webkit.scm b/gnu/packages/webkit.scm
index bf24a65e83..d057bb3aa2 100644
--- a/gnu/packages/webkit.scm
+++ b/gnu/packages/webkit.scm
@@ -8,6 +8,7 @@
;;; Copyright © 2019 Marius Bakke <mbakke@fastmail.com>
;;; Copyright © 2021, 2022, 2023 Maxim Cournoyer <maxim.cournoyer@gmail.com>
;;; Copyright © 2022, 2023 Efraim Flashner <efraim@flashner.co.il>
+;;; Copyright © 2024 Abhishek Cherath <abhi@quic.us>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -190,7 +191,12 @@ (define-public webkitgtk
(let ((store-directory (%store-directory)))
(substitute*
"Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp"
- (("@storedir@") store-directory)))))
+ (("@storedir@") store-directory)
+ ;; this silences gtk locale errors
+ ;; Unfortunately, simply bind mounting /run/current-system
+ ;; does not work since it leads to weird issues
+ ;; with symlinks that confuse bubblewrap.
+ (("@localedir@") "/run/current-system/locale")))))
(add-after 'unpack 'do-not-disable-new-dtags
;; Ensure the linker uses new dynamic tags as this is what Guix
;; uses and validates in the validate-runpath phase.
base-commit: b05bb6608c7f25ddce6b563194ba5a3007009282
--
2.41.0
^ permalink raw reply related [flat|nested] 23+ messages in thread
* [bug#70446] [PATCH v4] gnu: webkitgtk: Add access to system locale path and to paths from GUIX_LOCPATH, LOCPATH, and LIBVA_DRIVERS_PATH to gtk sandbox in order to silence gtk locale warnings and enable hardware accelerated video.
2024-04-20 13:44 ` [bug#70446] [PATCH v4] gnu: webkitgtk: Add access to system locale path and to paths from GUIX_LOCPATH, LOCPATH, and LIBVA_DRIVERS_PATH to gtk sandbox in order to silence gtk locale warnings and enable hardware accelerated video Abhishek Cherath
@ 2024-04-20 14:59 ` Liliana Marie Prikler
2024-04-20 15:31 ` Abhishek Cherath
0 siblings, 1 reply; 23+ messages in thread
From: Liliana Marie Prikler @ 2024-04-20 14:59 UTC (permalink / raw)
To: Abhishek Cherath, 70446; +Cc: Vivien Kraus, Maxim Cournoyer
Am Samstag, dem 20.04.2024 um 09:44 -0400 schrieb Abhishek Cherath:
> * gnu/packages/patches/webkitgtk-adjust-bubblewrap-paths.patch:
> Add @dridir@ and @localedir@ to bubblewrap gtk sandbox
> Add paths from GUIX_LOCPATH, LOCPATH, and LIBVA_DRIVERS_PATH
> to bubblewrap gtk sandbox.
>
> * gnu/packages/webkit.scm (webkitgtk)[arguments]: In the
> 'configure-bubblewrap-store-directory' phase, also supply system
> locale to webkitgtk-adjust-bubblewrap-paths.patch template.
>
> Change-Id: I6be0c473ebaa6c04ebb00a2b4afcae2c89396e4f
> ---
> Thanks [liliana.prikler@gmail.com] for all the help :D, I thought
> about this a bit more and looked at all the utility stuff in
> BubblewrapLauncher.cpp. I realized that the correct thing to do here
> is to simply mount the LIBVA_DRIVERS_PATH paths. I'm wondering if
> this shouldn't be part of the gstreamer default mounts even upstream?
> along with the LOCPATH mount.
This patch LGTM. I think submitting it upstream sans GUIX_LOCPATH
would be a great idea – that way, we'd have fewer things to patch.
Is @localedir@ still needed with the bindPathVar in place? Otherwise,
as already said, LGTM, and I'll look into forwarding it to/cherry-
picking it from gnome-team once I got new Webkit over there (still need
to wait for CI on that).
Cheers
^ permalink raw reply [flat|nested] 23+ messages in thread
* [bug#70446] [PATCH v4] gnu: webkitgtk: Add access to system locale path and to paths from GUIX_LOCPATH, LOCPATH, and LIBVA_DRIVERS_PATH to gtk sandbox in order to silence gtk locale warnings and enable hardware accelerated video.
2024-04-20 14:59 ` Liliana Marie Prikler
@ 2024-04-20 15:31 ` Abhishek Cherath
2024-04-20 21:42 ` Maxim Cournoyer
0 siblings, 1 reply; 23+ messages in thread
From: Abhishek Cherath @ 2024-04-20 15:31 UTC (permalink / raw)
To: Liliana Marie Prikler; +Cc: Vivien Kraus, Maxim Cournoyer, 70446
Hello,
>> Thanks [liliana.prikler@gmail.com] for all the help :D, I thought
>> about this a bit more and looked at all the utility stuff in
>> BubblewrapLauncher.cpp. I realized that the correct thing to do here
>> is to simply mount the LIBVA_DRIVERS_PATH paths. I'm wondering if
>> this shouldn't be part of the gstreamer default mounts even upstream?
>> along with the LOCPATH mount.
> This patch LGTM. I think submitting it upstream sans GUIX_LOCPATH
> would be a great idea – that way, we'd have fewer things to patch.
Sweet! I'll get on that sometime next month.
> Is @localedir@ still needed with the bindPathVar in place? Otherwise,
> as already said, LGTM, and I'll look into forwarding it to/cherry-
> picking it from gnome-team once I got new Webkit over there (still need
> to wait for CI on that).
Yes, it's still needed since Guix system doesn't generally set LOCPATH
(or GUIX_LOCPATH.)
Thanks again for the review and suggestions!
Yours sincerely,
Abhishek Cherath.
^ permalink raw reply [flat|nested] 23+ messages in thread
* [bug#70446] [PATCH v3] gnu: webkitgtk: Add locale and dri access to gtk sandbox in order to silence gtk locale warnings and enable hardware accelerated video, respectively. Adjust bubblewrap wrapper to add user profile locale and dri directories.
2024-04-20 1:52 ` Abhishek Cherath
2024-04-20 2:51 ` Liliana Marie Prikler
@ 2024-04-20 21:39 ` Maxim Cournoyer
1 sibling, 0 replies; 23+ messages in thread
From: Maxim Cournoyer @ 2024-04-20 21:39 UTC (permalink / raw)
To: Abhishek Cherath; +Cc: Vivien Kraus, Liliana Marie Prikler, 70446
Hi Abhishek,
Abhishek Cherath <abhi@quic.us> writes:
> Hello,
>
> Liliana Marie Prikler <liliana.prikler@gmail.com> writes:
>
>>> Initially, I only had the system paths below those. I added these
>>> so that people could have hardware accel by only installing the
>>> required drivers in their local profiles (as recommended in 69971,
>>> unless I entirely misunderstood)
>> Ah, yes, Maxim did mention this, but yeah, non-static paths are NG
>> (nogood) here. There really is no reason that those paths ought to
>> exist or be useful in a container, for example.
>>
>
> Gotcha.
Sorry for the confusion; I agree with Liliana that honoring GUIX_LOCPATH
is better than hard-coding any specific file name.
--
Thanks,
Maxim
^ permalink raw reply [flat|nested] 23+ messages in thread
* [bug#70446] [PATCH v4] gnu: webkitgtk: Add access to system locale path and to paths from GUIX_LOCPATH, LOCPATH, and LIBVA_DRIVERS_PATH to gtk sandbox in order to silence gtk locale warnings and enable hardware accelerated video.
2024-04-20 15:31 ` Abhishek Cherath
@ 2024-04-20 21:42 ` Maxim Cournoyer
2024-11-11 6:13 ` bug#70446: [PATCH gnome-team] gnu: webkitgtk: Add system locale, dri access, and user profile access to gtk sandbox in order to silence gtk locale warnings and enable hardware accelerated video, respectively Maxim Cournoyer
0 siblings, 1 reply; 23+ messages in thread
From: Maxim Cournoyer @ 2024-04-20 21:42 UTC (permalink / raw)
To: Abhishek Cherath; +Cc: Vivien Kraus, Liliana Marie Prikler, 70446
Hi,
Abhishek Cherath <abhi@quic.us> writes:
> Hello,
>
>>> Thanks [liliana.prikler@gmail.com] for all the help :D, I thought
>>> about this a bit more and looked at all the utility stuff in
>>> BubblewrapLauncher.cpp. I realized that the correct thing to do here
>>> is to simply mount the LIBVA_DRIVERS_PATH paths. I'm wondering if
>>> this shouldn't be part of the gstreamer default mounts even upstream?
>>> along with the LOCPATH mount.
>> This patch LGTM. I think submitting it upstream sans GUIX_LOCPATH
>> would be a great idea – that way, we'd have fewer things to patch.
>
> Sweet! I'll get on that sometime next month.
>
>> Is @localedir@ still needed with the bindPathVar in place? Otherwise,
>> as already said, LGTM, and I'll look into forwarding it to/cherry-
>> picking it from gnome-team once I got new Webkit over there (still need
>> to wait for CI on that).
>
> Yes, it's still needed since Guix system doesn't generally set LOCPATH
> (or GUIX_LOCPATH.)
>
> Thanks again for the review and suggestions!
I just finished catching up with the thread. Great to see the review
back and forth converging to an increasingly fancier solution :-).
--
Thanks,
Maxim
^ permalink raw reply [flat|nested] 23+ messages in thread
* bug#70446: [PATCH gnome-team] gnu: webkitgtk: Add system locale, dri access, and user profile access to gtk sandbox in order to silence gtk locale warnings and enable hardware accelerated video, respectively.
2024-04-20 21:42 ` Maxim Cournoyer
@ 2024-11-11 6:13 ` Maxim Cournoyer
0 siblings, 0 replies; 23+ messages in thread
From: Maxim Cournoyer @ 2024-11-11 6:13 UTC (permalink / raw)
To: Abhishek Cherath; +Cc: Vivien Kraus, Liliana Marie Prikler, 70446-done
Hi,
This is finally pushed to the gnome-team branch, as commit e7d08eeba9.
--
Thanks,
Maxim
^ permalink raw reply [flat|nested] 23+ messages in thread
end of thread, other threads:[~2024-11-11 6:15 UTC | newest]
Thread overview: 23+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2024-04-18 2:52 [bug#70446] [PATCH gnome-team] gnu: webkitgtk: Add system locale, dri access, and user profile access to gtk sandbox in order to silence gtk locale warnings and enable hardware accelerated video, respectively Abhishek Cherath
2024-04-18 3:14 ` [bug#70446] Explanation Abhishek Cherath
2024-04-18 4:06 ` [bug#70446] [PATCH v2] gnu: webkitgtk: Add locale and dri access to gtk sandbox in order to silence gtk locale warnings and enable hardware accelerated video, respectively. Adjust bubblewrap wrapper to add user profile Abhishek Cherath
2024-04-19 18:53 ` Liliana Marie Prikler
2024-04-19 20:24 ` Abhishek Cherath
2024-04-19 20:33 ` Abhishek Cherath
2024-04-19 21:19 ` Liliana Marie Prikler
2024-04-19 21:59 ` Abhishek Cherath
2024-04-18 5:02 ` [bug#70446] [PATCH gnome-team] gnu: webkitgtk: Add system locale, dri access, and user profile access to gtk sandbox in order to silence gtk locale warnings and enable hardware accelerated video, respectively John Kehayias via Guix-patches via
2024-04-18 13:50 ` Abhishek Cherath
2024-04-19 15:24 ` Maxim Cournoyer
2024-04-19 21:55 ` [bug#70446] [PATCH v3] gnu: webkitgtk: Add locale and dri access to gtk sandbox in order to silence gtk locale warnings and enable hardware accelerated video, respectively. Adjust bubblewrap wrapper to add user profile locale and dri directories Abhishek Cherath
2024-04-19 22:43 ` Liliana Marie Prikler
2024-04-20 0:22 ` Abhishek Cherath
2024-04-20 0:40 ` Liliana Marie Prikler
2024-04-20 1:52 ` Abhishek Cherath
2024-04-20 2:51 ` Liliana Marie Prikler
2024-04-20 21:39 ` Maxim Cournoyer
2024-04-20 13:44 ` [bug#70446] [PATCH v4] gnu: webkitgtk: Add access to system locale path and to paths from GUIX_LOCPATH, LOCPATH, and LIBVA_DRIVERS_PATH to gtk sandbox in order to silence gtk locale warnings and enable hardware accelerated video Abhishek Cherath
2024-04-20 14:59 ` Liliana Marie Prikler
2024-04-20 15:31 ` Abhishek Cherath
2024-04-20 21:42 ` Maxim Cournoyer
2024-11-11 6:13 ` bug#70446: [PATCH gnome-team] gnu: webkitgtk: Add system locale, dri access, and user profile access to gtk sandbox in order to silence gtk locale warnings and enable hardware accelerated video, respectively Maxim Cournoyer
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).