From: Maxim Cournoyer
To: 54135@debbugs.gnu.org
Subject: [bug#54135] [PATCH] gnu: webkitgtk: Adjust BubbleWrap wrapper.
Date: Wed, 23 Feb 2022 21:29:11 -0500
Message-Id: <20220224022911.6574-1-maxim.cournoyer@gmail.com>

This revisits  with a fix that doesn't require to have PULSE_CLIENTCONFIG point to an absolute store location, which will allow us to revert to have PULSE_CLIENTCONFIG point to a fixed location under /etc. This would alleviate the need to reboot to have changes to the PulseAudio configuration effected.

* gnu/packages/patches/webkitgtk-share-store.patch: Delete file.
* gnu/packages/patches/webkitgtk-bubblewrap-paths.patch: Add file.
* gnu/packages/patches/webkitgtk-canonicalize-paths.patch: Likewise.
* gnu/local.mk (dist_patch_DATA): Update patches list. * gnu/packages/webkit.scm (webkitgtk)[patches]: Adjust accordingly. --- gnu/local.mk | 3 +- .../webkitgtk-adjust-bubblewrap-paths.patch | 38 +++++++++++ .../patches/webkitgtk-bind-all-fonts.patch | 17 +++-- .../webkitgtk-canonicalize-paths.patch | 66 +++++++++++++++++++ .../patches/webkitgtk-share-store.patch | 19 ------ gnu/packages/webkit.scm | 7 +- 6 files changed, 118 insertions(+), 32 deletions(-) create mode 100644 gnu/packages/patches/webkitgtk-adjust-bubblewrap-paths.patch create mode 100644 gnu/packages/patches/webkitgtk-canonicalize-paths.patch delete mode 100644 gnu/packages/patches/webkitgtk-share-store.patch diff --git a/gnu/local.mk b/gnu/local.mk index dcee1611b2..c4869f538c 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1925,8 +1925,9 @@ dist_patch_DATA = \ %D%/packages/patches/vte-CVE-2012-2738-pt2.patch \ %D%/packages/patches/vtk-fix-freetypetools-build-failure.patch \ %D%/packages/patches/warsow-qfusion-fix-bool-return-type.patch \ - %D%/packages/patches/webkitgtk-share-store.patch \ %D%/packages/patches/webkitgtk-bind-all-fonts.patch \ + %D%/packages/patches/webkitgtk-adjust-bubblewrap-paths.patch \ + %D%/packages/patches/webkitgtk-canonicalize-paths.patch \ %D%/packages/patches/webrtc-audio-processing-big-endian.patch \ %D%/packages/patches/websocketpp-fix-for-cmake-3.15.patch \ %D%/packages/patches/wicd-bitrate-none-fix.patch \ diff --git a/gnu/packages/patches/webkitgtk-adjust-bubblewrap-paths.patch b/gnu/packages/patches/webkitgtk-adjust-bubblewrap-paths.patch new file mode 100644 index 0000000000..18ddb645ad --- /dev/null +++ b/gnu/packages/patches/webkitgtk-adjust-bubblewrap-paths.patch 
@@ -0,0 +1,38 @@ +Share /gnu/store in the BubbleWrap container and remove FHS mounts. + +This is a Guix-specific patch not meant to be upstreamed. +diff --git a/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp b/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp +index f0a5e4b05dff..88b11f806968 100644 +--- a/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp ++++ b/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp +@@ -854,27 +854,12 @@ GRefPtr bubblewrapSpawn(GSubprocessLauncher* launcher, const Proces + "--ro-bind", "/sys/dev", "/sys/dev", + "--ro-bind", "/sys/devices", "/sys/devices", + +- "--ro-bind-try", "/usr/share", "/usr/share", +- "--ro-bind-try", "/usr/local/share", "/usr/local/share", + "--ro-bind-try", DATADIR, DATADIR, +- +- // We only grant access to the libdirs webkit is built with and +- // guess system libdirs. This will always have some edge cases. +- "--ro-bind-try", "/lib", "/lib", +- "--ro-bind-try", "/usr/lib", "/usr/lib", +- "--ro-bind-try", "/usr/local/lib", "/usr/local/lib", + "--ro-bind-try", LIBDIR, LIBDIR, +-#if CPU(ADDRESS64) +- "--ro-bind-try", "/lib64", "/lib64", +- "--ro-bind-try", "/usr/lib64", "/usr/lib64", +- "--ro-bind-try", "/usr/local/lib64", "/usr/local/lib64", +-#else +- "--ro-bind-try", "/lib32", "/lib32", +- "--ro-bind-try", "/usr/lib32", "/usr/lib32", +- "--ro-bind-try", "/usr/local/lib32", "/usr/local/lib32", +-#endif +- + "--ro-bind-try", PKGLIBEXECDIR, PKGLIBEXECDIR, ++ ++ // Bind mount the store inside the WebKitGTK sandbox. ++ "--ro-bind", "@storedir@", "@storedir@", + }; + + if (launchOptions.processType == ProcessLauncher::ProcessType::DBusProxy) { diff --git a/gnu/packages/patches/webkitgtk-bind-all-fonts.patch b/gnu/packages/patches/webkitgtk-bind-all-fonts.patch index e7b06cc650..27013180c4 100644 --- a/gnu/packages/patches/webkitgtk-bind-all-fonts.patch +++ b/gnu/packages/patches/webkitgtk-bind-all-fonts.patch 
@@ -1,26 +1,25 @@ -Add fonts from all XDG_DATA_DIRS, not just XDG_DATA_HOME. +Upstream commit: https://github.com/WebKit/WebKit/commit/31ac354cbeecf866f9a38f7b2f8f59f7975d3f6a -See . -Author: Liliana Marie Prikler -Index: webkitgtk-2.28.2/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp -=================================================================== +diff --git a/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp b/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp +index ecc804663784..8de174be3c0e 100644 --- a/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp +++ b/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp -@@ -387,6 +387,7 @@ static void bindFonts(Vector& args) +@@ -288,6 +288,7 @@ static void bindFonts(Vector& args) const char* homeDir = g_get_home_dir(); const char* dataDir = g_get_user_data_dir(); const char* cacheDir = g_get_user_cache_dir(); + const char* const * dataDirs = g_get_system_data_dirs(); - + // Configs can include custom dirs but then we have to parse them... GUniquePtr fontConfig(g_build_filename(configDir, "fontconfig", nullptr)); -@@ -403,6 +404,10 @@ static void bindFonts(Vector& args) +@@ -304,6 +305,10 @@ static void bindFonts(Vector& args) bindIfExists(args, fontHomeConfigDir.get()); bindIfExists(args, fontData.get()); bindIfExists(args, fontHomeData.get()); -+ for (auto dataDir = dataDirs; dataDir != nullptr && *dataDir != nullptr; dataDir++) { ++ for (auto* dataDir = dataDirs; dataDir && *dataDir; dataDir++) { + GUniquePtr fontDataDir(g_build_filename(*dataDir, "fonts", nullptr)); + bindIfExists(args, fontDataDir.get()); + } bindIfExists(args, "/var/cache/fontconfig"); // Used by Debian. } + diff --git a/gnu/packages/patches/webkitgtk-canonicalize-paths.patch b/gnu/packages/patches/webkitgtk-canonicalize-paths.patch new file mode 100644 index 0000000000..741d534831 --- /dev/null +++ b/gnu/packages/patches/webkitgtk-canonicalize-paths.patch 
@@ -0,0 +1,66 @@ +Upstream commit: https://github.com/WebKit/WebKit/commit/6a87eb254ef57a986a1a6ce9a3a4b66928afeb65 + +diff --git a/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp b/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp +index ecc804663784..a2a1c9d7a4dd 100644 +--- a/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp ++++ b/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp +@@ -27,7 +27,6 @@ + #include + #include + #include +-#include + #include + #include + #include +@@ -165,6 +164,15 @@ enum class BindFlags { + Device, + }; + ++static void bindSymlinksRealPath(Vector& args, const char* path, const char* bindOption = "--ro-bind") ++{ ++ WTF::String realPath = FileSystem::realPath(path); ++ if (path != realPath) { ++ CString rpath = realPath.utf8(); ++ args.appendVector(Vector({ bindOption, rpath.data(), rpath.data() })); ++ } ++} ++ + static void bindIfExists(Vector& args, const char* path, BindFlags bindFlags = BindFlags::ReadOnly) + { + if (!path || path[0] == '\0') +@@ -177,7 +185,16 @@ static void bindIfExists(Vector& args, const char* path, BindFlags bind + bindType = "--ro-bind-try"; + else + bindType = "--bind-try"; +- args.appendVector(Vector({ bindType, path, path })); ++ ++ // Canonicalize the source path, otherwise a symbolic link could ++ // point to a location outside of the namespace. ++ bindSymlinksRealPath(args, path, bindType); ++ ++ // As /etc is exposed wholesale, do not layer extraneous bind ++ // directives on top, which could fail in the presence of symbolic ++ // links. 
++ if (!g_str_has_prefix(path, "/etc/")) ++ args.appendVector(Vector({ bindType, path, path })); + } + + static void bindDBusSession(Vector& args, bool allowPortals) +@@ -410,17 +427,6 @@ static void bindV4l(Vector& args) + })); + } + +-static void bindSymlinksRealPath(Vector& args, const char* path) +-{ +- char realPath[PATH_MAX]; +- +- if (realpath(path, realPath) && strcmp(path, realPath)) { +- args.appendVector(Vector({ +- "--ro-bind", realPath, realPath, +- })); +- } +-} +- + // Translate a libseccomp error code into an error message. libseccomp + // mostly returns negative errno values such as -ENOMEM, but some + // standard errno values are used for non-standard purposes where their diff --git a/gnu/packages/patches/webkitgtk-share-store.patch b/gnu/packages/patches/webkitgtk-share-store.patch deleted file mode 100644 index 053d86fcf4..0000000000 --- a/gnu/packages/patches/webkitgtk-share-store.patch +++ /dev/null @@ -1,19 +0,0 @@ -Tell bubblewrap to share the store. Required for programs that use the -sandboxing features such as Epiphany. - -See . -Author: Jack Hill ---- -diff --git a/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp b/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp ---- a/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp -+++ b/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp -@@ -737,6 +737,9 @@ GRefPtr bubblewrapSpawn(GSubprocessLauncher* launcher, const Proces - "--ro-bind-try", "/usr/local/share", "/usr/local/share", - "--ro-bind-try", DATADIR, DATADIR, - -+ // Bind mount the store inside the WebKitGTK sandbox. -+ "--ro-bind", "@storedir@", "@storedir@", -+ - // We only grant access to the libdirs webkit is built with and - // guess system libdirs. This will always have some edge cases. - "--ro-bind-try", "/lib", "/lib", diff --git a/gnu/packages/webkit.scm b/gnu/packages/webkit.scm index 40537f5e0a..72f673b0ca 100644 --- a/gnu/packages/webkit.scm +++ b/gnu/packages/webkit.scm 
@@ -6,7 +6,7 @@ ;;; Copyright © 2018–2021 Tobias Geerinckx-Rice ;;; Copyright © 2018 Pierre Neidhardt ;;; Copyright © 2019 Marius Bakke -;;; Copyright © 2021 Maxim Cournoyer +;;; Copyright © 2021, 2022 Maxim Cournoyer ;;; ;;; This file is part of GNU Guix. ;;; @@ -247,8 +247,9 @@ (define-public webkitgtk (sha256 (base32 "1xn1hhd0qaxmjf6vy6664i4mmmjsw9zgrr4w8ni3415d981zvj3b")) - (patches (search-patches "webkitgtk-share-store.patch" - "webkitgtk-bind-all-fonts.patch")))) + (patches (search-patches "webkitgtk-bind-all-fonts.patch" + "webkitgtk-adjust-bubblewrap-paths.patch" + "webkitgtk-canonicalize-paths.patch")))) (build-system cmake-build-system) (outputs '("out" "doc" "debug")) (arguments -- 2.34.0
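Review bot: the file names in the gnu/local.mk hunk (dist_patch_DATA) do not match the commit log. The hunk adds webkitgtk-adjust-bubblewrap-paths.patch, while the log entry reads "webkitgtk-bubblewrap-paths.patch: Add file", and the log has no entry for webkitgtk-bind-all-fonts.patch even though this patch rewrites it. Please correct the log. The new entry is also placed after webkitgtk-bind-all-fonts.patch, although the surrounding entries are sorted alphabetically.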
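Review bot: in the bubblewrapSpawn hunk of webkitgtk-adjust-bubblewrap-paths.patch, the store is bound with "--ro-bind" rather than "--ro-bind-try", so launching the sandbox depends on "@storedir@" having been replaced by an existing directory at build time. The gnu/packages/webkit.scm hunks in this patch only change the patches list, so please confirm that the existing substitution still matches the placeholder at its new position in the argument list. The patch header could also say explicitly that the whole store becomes readable from inside the sandbox now that the /usr and /lib binds are gone.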
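Review bot: the rewritten header of webkitgtk-bind-all-fonts.patch keeps only the upstream commit URL and drops the one-line description ("Add fonts from all XDG_DATA_DIRS, not just XDG_DATA_HOME."). Keeping that sentence above the URL would let a reader of gnu/packages/patches see what the patch does without following the link.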
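Review bot: in the bindIfExists hunk of webkitgtk-canonicalize-paths.patch, the call bindSymlinksRealPath(args, path, bindType) forwards the caller's bind type, so when bindType is "--bind-try" the resolved target of a symbolic link is bound writable at whatever location the link points to. It would help to document that this is intended, or to bind the resolved target read-only unless the caller explicitly needs write access there. Two smaller points in the same file: the removed bindSymlinksRealPath checked the return value of realpath() before comparing, whereas the new one only tests path != realPath, so the behaviour of FileSystem::realPath on failure should be confirmed for callers that use the default non-try "--ro-bind"; and g_str_has_prefix(path, "/etc/") tests the raw path rather than the canonicalized one, which a comment should state.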