From: Marius Bakke
To: Jack Hill, 40837 <40837@debbugs.gnu.org>
Cc: sirgazil
Subject: bug#40837: core-updates: webkitgtk web process sandbox incomplete
Date: Wed, 06 May 2020 18:39:20 +0200
Message-ID: <87h7wt3tmv.fsf@devup.no>

Hello Jack,

Thanks a lot for this work.

Jack Hill writes:

> Some additional observations:
>
> With my patched webkitgtk, if I set:
>
> PULSE_CLIENTCONFIG=/gnu/store/zc4dsmvdabi00nvisrjhi9w00ff4igs7-client.conf
>
> it does work, which is an improvement compared to without the patch.

Great. I have attached a patch for Guix that stops using /etc for these
variables.

> I notice that Nix [0] has a similar patch:
>
> """
> diff -ru old/webkitgtk-2.26.0/Source/WebKit/UIProcess/Launcher/glib/Bubbl= ewrapLauncher.cpp webkitgtk-2.26.0/Source/WebKit/UIProcess/Launcher/glib/Bu= bblewrapLauncher.cpp > --- old/webkitgtk-2.26.0/Source/WebKit/UIProcess/Launcher/glib/Bubblewrap= Launcher.cpp 2019-09-09 04:47:07.000000000 -0400 > +++ webkitgtk-2.26.0/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLaun= cher.cpp 2019-09-20 21:14:10.537921173 -0400 > @@ -585,7 +585,7 @@ > { SCMP_SYS(keyctl), nullptr }, > { SCMP_SYS(request_key), nullptr }, > > - // Scary VM/NUMA ops=20 > + // Scary VM/NUMA ops > { SCMP_SYS(move_pages), nullptr }, > { SCMP_SYS(mbind), nullptr }, > { SCMP_SYS(get_mempolicy), nullptr },
> @@ -724,6 +724,10 @@ > "--ro-bind-try", "/usr/local/lib64", "/usr/local/lib64", > > "--ro-bind-try", PKGLIBEXECDIR, PKGLIBEXECDIR, > + > + // Nix Directories > + "--ro-bind", "@storeDir@", "@storeDir@", > + "--ro-bind", "/run/current-system", "/run/current-system", > }; > // We would have to parse ld config files for more info. > bindPathVar(sandboxArgs, "LD_LIBRARY_PATH");
> """
>
> [0] https://github.com/NixOS/nixpkgs/blob/465566948393cf533e3617704d1c4ccc34cf3753/pkgs/development/libraries/webkitgtk/fix-bubblewrap-paths.patch
>
> so I wonder if I didn't do the mounts in the right place and/or if it is
> because I missed /run/current-system.
>
> I'm going to try to adapt the Nix patch to see if that helps.

Were you able to verify whether /run/current-system is required inside
the sandbox?

I cleaned up your patch a bit and rebased it on the latest master
branch, available as patch 2/2 below. Currently building it on
'core-updates' to verify that it works. It takes a while on my dinky
quad-core server though. :-)

It does not bind /run/current-system, and I think we should avoid it if
possible. Ideally we would only mount the store paths required by the
consumers instead of all of /gnu/store, but not sure how to achieve
that.

Content-Disposition: attachment; filename=0001-services-Do-not-use-symbolic-links-in-PulseAudio-var.patch

From a2607c8246456460a6bbed62144daf7196a5c9bd Mon Sep 17 00:00:00 2001
From: Marius Bakke
Date: Wed, 6 May 2020 17:48:42 +0200
Subject: [PATCH 1/2] services: Do not use symbolic links in PulseAudio variables.

This addresses by making these configuration files more easily accessible
within the WebKitGTK+ sandbox.

* gnu/services/sound.scm (pulseaudio-environment): Move below
PULSEAUDIO-CONF-ENTRY. Create PULSE_CONFIG and PULSE_CLIENTCONFIG entries
directly instead of referring to /etc/pulse.
(pulseaudio-etc): Do not create /etc/pulse/client.conf and
/etc/pulse/daemon.conf.
=2D-- gnu/services/sound.scm | 27 ++++++++++++--------------- 1 file changed, 12 insertions(+), 15 deletions(-) diff --git a/gnu/services/sound.scm b/gnu/services/sound.scm index a1c928222a..bdf819b422 100644 =2D-- a/gnu/services/sound.scm +++ b/gnu/services/sound.scm @@ -1,6 +1,7 @@ ;;; GNU Guix --- Functional package management for GNU ;;; Copyright =C2=A9 2018, 2020 Oleg Pykhalov ;;; Copyright =C2=A9 2020 Leo Prikler +;;; Copyright =C2=A9 2020 Marius Bakke ;;; ;;; This file is part of GNU Guix. ;;; @@ -127,11 +128,6 @@ ctl.!default { (default (file-append pulseaudio "/etc/pulse/system.pa")))) =20 =2D(define (pulseaudio-environment config) =2D `(;; Define these variables, so that pulseaudio honors /etc. =2D ("PULSE_CONFIG" . "/etc/pulse/daemon.conf") =2D ("PULSE_CLIENTCONFIG" . "/etc/pulse/client.conf"))) =2D (define (pulseaudio-conf-entry arg) (match arg ((key . value)
@@ -139,21 +135,22 @@ ctl.!default { ((? string? _) (string-append arg "\n")))) =20 +(define pulseaudio-environment + (match-lambda + (($ client-conf daemon-conf default-script-= file) + `(("PULSE_CONFIG" . ,(apply mixed-text-file "daemon.conf" + "default-script-file =3D " default-script= -file "\n" + (map pulseaudio-conf-entry daemon-conf))) + ("PULSE_CLIENTCONFIG" . ,(apply mixed-text-file "client.conf" + (map pulseaudio-conf-entry client-c= onf))))))) + (define pulseaudio-etc (match-lambda =2D (($ client-conf daemon-conf =2D default-script-file system-script-fil= e) + (($ _ _ default-script-file system-script-f= ile) `(("pulse" ,(file-union "pulse" =2D `(("client.conf" =2D ,(apply mixed-text-file "client.conf" =2D (map pulseaudio-conf-entry client-conf))) =2D ("daemon.conf" =2D ,(apply mixed-text-file "daemon.conf" =2D "default-script-file =3D " default-script-file "\n" =2D (map pulseaudio-conf-entry daemon-conf))) =2D ("default.pa" ,default-script-file) + `(("default.pa" ,default-script-file) ("system.pa" ,system-script-file)))))))) =20 (define pulseaudio-service-type =2D-=20 2.26.2

Content-Disposition: attachment; filename=0002-gnu-webkitgtk-Patch-to-share-store-via-Bubblewrap.patch

From 3864b54f4aadefc600433d3654b0a1a73ab6fa98 Mon Sep 17 00:00:00 2001
From: Jack Hill
Date: Sat, 25 Apr 2020 22:03:48 -0400
Subject: [PATCH 2/2] gnu: webkitgtk: Patch to share store via Bubblewrap.

Fixes .

* gnu/packages/patches/webkitgtk-share-store.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/webkit.scm (webkitgtk)[source](patches): Use it.

Co-authored-by: Marius Bakke
=2D-- gnu/local.mk | 1 + .../patches/webkitgtk-share-store.patch | 20 +++++++++++++++++++ gnu/packages/webkit.scm | 12 ++++++++++- 3 files changed, 32 insertions(+), 1 deletion(-) create mode 100644 gnu/packages/patches/webkitgtk-share-store.patch
diff --git a/gnu/local.mk b/gnu/local.mk index 62eeb39ece..5c06415205 100644 =2D-- a/gnu/local.mk +++ b/gnu/local.mk @@ -1542,6 +1542,7 @@ dist_patch_DATA =3D \ %D%/packages/patches/vte-CVE-2012-2738-pt2.patch \ %D%/packages/patches/warsow-qfusion-fix-bool-return-type.patch \ %D%/packages/patches/weasyprint-library-paths.patch \ + %D%/packages/patches/webkitgtk-share-store.patch \ %D%/packages/patches/websocketpp-fix-for-boost-1.70.patch \ %D%/packages/patches/wicd-bitrate-none-fix.patch \ %D%/packages/patches/wicd-get-selected-profile-fix.patch \ diff --git a/gnu/packages/patches/webkitgtk-share-store.patch b/gnu/package= s/patches/webkitgtk-share-store.patch new file mode 100644 index 0000000000..4174e73b6c =2D-- /dev/null +++ b/gnu/packages/patches/webkitgtk-share-store.patch @@ -0,0 +1,20 @@ +Author: Jack Hill +Tell bubblewrap to share the store. + +See . + +--- +diff --git a/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp = b/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp +index ad301ab2..d53b680e 100644 +--- a/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp ++++ b/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp +@@ -737,6 +737,9 @@ GRefPtr bubblewrapSpawn(GSubprocessLaunch= er* launcher, const Proces + "--ro-bind-try", "/usr/local/share", "/usr/local/share", + "--ro-bind-try", DATADIR, DATADIR, +=20 ++ // Bind mount the store inside the WebKitGTK sandbox. ++ "--ro-bind", "@storedir@", "@storedir@", ++ + // We only grant access to the libdirs webkit is built with and + // guess system libdirs. This will always have some edge cases. + "--ro-bind-try", "/lib", "/lib", diff --git a/gnu/packages/webkit.scm b/gnu/packages/webkit.scm index e52536c279..6035d6c59d 100644 =2D-- a/gnu/packages/webkit.scm +++ b/gnu/packages/webkit.scm 
@@ -128,7 +128,8 @@ engine that uses Wayland for graphics output.") "webkitgtk-" version ".tar.xz")) (sha256 (base32 =2D "1g9hik3bprki5s9d7y5288q5irwckbzajr6rnlvjrlnqrwjkblmr"))= )) + "1g9hik3bprki5s9d7y5288q5irwckbzajr6rnlvjrlnqrwjkblmr")) + (patches (search-patches "webkitgtk-share-store.patch")))) (build-system cmake-build-system) (outputs '("out" "doc")) (arguments @@ -156,6 +157,15 @@ engine that uses Wayland for graphics output.") "-DUSE_WOFF2=3DOFF") #:phases (modify-phases %standard-phases + (add-after 'unpack 'configure-bubblewrap-store-directory + (lambda _ + ;; This phase is a corollary to 'webkitgtk-share-store.patch'= to + ;; avoid hard coding /gnu/store, for users with other prefixe= s. + (let ((store-directory (%store-directory))) + (substitute* + "Source/WebKit/UIProcess/Launcher/glib/BubblewrapLaunch= er.cpp" + (("@storedir@") store-directory)) + #t))) (add-after 'unpack 'patch-gtk-doc-scan (lambda* (#:key inputs #:allow-other-keys) (for-each (lambda (file) =2D-=20 2.26.2
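
Review bot: in the quoted Nix patch, hunk @@ -724,6 +724,10 @@, the two added entries use "--ro-bind" while every neighbouring entry uses "--ro-bind-try". bwrap refuses to start when a "--ro-bind" source does not exist, so on a host without /run/current-system the web process would not launch at all. If that bind is ever carried over, "--ro-bind-try" for "/run/current-system" would keep the sandbox usable there; plain "--ro-bind" for the store is reasonable, since a missing store should fail loudly.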
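
Review bot: the pulseaudio-etc part of patch 1/2 (hunk @@ -139,21 +135,22 @@ in gnu/services/sound.scm) drops "client.conf" and "daemon.conf" from the /etc/pulse file-union, so these settings now reach PulseAudio only through PULSE_CONFIG and PULSE_CLIENTCONFIG. A process that does not inherit those variables will find no client.conf or daemon.conf under /etc/pulse and will not see the values from client-conf and daemon-conf. Consider keeping the two /etc entries alongside the new variables, or state in the commit message that dropping them is intended. The new pulseaudio-environment also lost the explanatory comment the old definition carried; a line saying that the values are store file names so that they resolve inside the WebKitGTK sandbox would help the next reader.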
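
Review bot: the bind added in webkitgtk-share-store.patch (hunk @@ -737,6 +737,9 @@ of BubblewrapLauncher.cpp) exposes the entire store read-only to the web process, which is much broader than the neighbouring binds of individual data and library directories ("/usr/local/share", DATADIR, "/lib"). Every file in the store becomes readable from inside the sandbox, including generated configuration such as the daemon.conf and client.conf that patch 1/2 now creates with mixed-text-file. Please extend the code comment to say that this is a deliberate trade-off, and that narrowing the bind to the store items the web process actually needs is left as a follow-up.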