Subject: bug#40837: core-updates: webkitgtk web process sandbox incomplete
From: Marius Bakke
To: Jack Hill
Cc: sirgazil, 40837 <40837-done@debbugs.gnu.org>
Date: Wed, 06 May 2020 22:53:28 +0200
Message-ID: <87v9l83hvb.fsf@devup.no>
References: <171b356d9e2.1154aefce15638.8921669740072490388@zoho.com> <87h7wt3tmv.fsf@devup.no>
List-Id: Bug reports for GNU Guix

Jack Hill writes:

> On Wed, 6 May 2020, Marius Bakke wrote:
>
>> Hello Jack,
>>
>> Thanks a lot for this work.
>
> You're welcome. I'm happy that we seem to be making good progress.
>
>> Jack Hill writes:
>>
>>> Some additional observations:
>>>
>>> With my patched webkitgtk, if I set:
>>>
>>> PULSE_CLIENTCONFIG=/gnu/store/zc4dsmvdabi00nvisrjhi9w00ff4igs7-client.conf
>>>
>>> it does work, which is an improvement compared to without the patch.
>>
>> Great. I have attached a patch for Guix that stops using /etc for these
>> variables.
>
> Good idea! That way we won't have to wait for WebKitGTK to canonicalize
> all paths :)
>
>>> [0] https://github.com/NixOS/nixpkgs/blob/465566948393cf533e3617704d1c4ccc34cf3753/pkgs/development/libraries/webkitgtk/fix-bubblewrap-paths.patch
>>>
>>> so I wonder if I didn't do the mounts in the right place and or if it is
>>> because I missed /run/current-system.
>>>
>>> I'm going to try to adapt the Nix patch to see if that helps.
>>
>> Were you able to verify whether /run/current-system is required inside
>> the sandbox?
>
> I don't think /run/current-system is needed.

Excellent. I tested Epiphany with these patches on a popular video
streaming site and everything seemed fine.

>> I cleaned up your patch a bit and rebased it on the latest master
>> branch, available as patch 2/2 below. Currently building it on
>> 'core-updates' to verify that it works. It takes a while on my dinky
>> quad-core server though. :-)
>>
>> It does not bind /run/current-system, and I think we should avoid it if
>> possible. Ideally we would only mount the store paths required by the
>> consumers instead of all of /gnu/store, but not sure how to achieve
>> that.
>
> I've tested the updated patch by applying it to master and merging into
> core-updates. I'm happy to report that everything seems to be working for
> me after doing so!
>
> Sharing less than the whole store sounds like a great aspiration, but I
> think we'd have to teach WebKitGTK how to ask Guix for its closure to do
> so.
> On FHS-compliant systems, all of the various /usr/lib and /usr/share
> directories are bind-mounted into the new namespace, so I don't think
> we're providing too much more. It's nice that our setuid binaries reside
> outside of the store :)

Indeed, thanks for testing and confirming. I added a little more
context in the patch description and finally pushed it as
a6919866b07e9ed3986abde7ae48d0c69ff3deed.

Again, thank you very much for taking care of this. :-)
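
The path problem discussed in this thread (a variable such as PULSE_CLIENTCONFIG naming a file in /etc that is really a symlink into the store) can be checked ahead of time. The script below is an added example, not code from the thread, Guix or WebKitGTK; the function names `under_prefix` and `audit_path` and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: does a file named by an environment variable stay readable
# when only certain directories are bind-mounted into a sandbox?

# under_prefix PATH PREFIX... : succeed if PATH equals or lies below a PREFIX.
under_prefix() {
    p=$1; shift
    for prefix in "$@"; do
        case "$p" in
            "$prefix"|"$prefix"/*) return 0 ;;
        esac
    done
    return 1
}

# audit_path PATH PREFIX... : print one verdict for PATH given the bound PREFIXes
#   ok <path>            symlink-free and under a bound prefix
#   rewrite <canonical>  reached through a symlink; the canonical target is
#                        bound, so using it drops the dependency on the link
#   hidden <canonical>   canonical target lies outside every bound prefix
#   missing <path>       does not resolve to an existing file
audit_path() {
    path=$1; shift
    canon=$(readlink -f -- "$path" 2>/dev/null) || canon=
    if [ -z "$canon" ] || [ ! -e "$canon" ]; then
        echo "missing $path"
    elif ! under_prefix "$canon" "$@"; then
        echo "hidden $canon"
    elif [ "$canon" = "$path" ]; then
        echo "ok $path"
    else
        echo "rewrite $canon"
    fi
}

# Constructed sample tree standing in for /etc and /gnu/store.
root=$(readlink -f -- "$(mktemp -d)")
mkdir -p "$root/gnu/store" "$root/etc/pulse"
: > "$root/gnu/store/example-client.conf"
ln -s "$root/gnu/store/example-client.conf" "$root/etc/pulse/client.conf"

# Only /etc bound: the link is visible but its target is not.
audit_path "$root/etc/pulse/client.conf" "$root/etc"
# Store bound: point the variable at the canonical store path instead.
audit_path "$root/etc/pulse/client.conf" "$root/gnu/store"
```

The prefix match is done on whole path components, so a bound `/gnu/store` does not cover a sibling such as `/gnu/storefoo`.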