On Thu, Apr 08, 2021 at 11:07:31AM -0400, Mark H Weaver wrote: > I suspect that the relevant bit that needs to be changed is line 779 of > the following file in the webkitgtk-2.32.0 source code: > > Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp > > Most likely, that line can simply be deleted. Here's the relevant > excerpt, with line 779 marked by "==>": Looking at the other lines above it, we could just change that line from `--ro-bind` to `--ro-bind-try`: the surrounding entries already use `--ro-bind-try` for paths that may not exist on every system, so a missing /usr/bin would then be skipped rather than treated as an error. > > --8<---------------cut here---------------start------------->8--- > GRefPtr bubblewrapSpawn(GSubprocessLauncher* launcher, const ProcessLauncher::LaunchOptions& launchOptions, char** argv, GError **error) > { > ASSERT(launcher); > > // For now we are just considering the network process trusted as it > // requires a lot of access but doesn't execute arbitrary code like > // the WebProcess where our focus lies. > if (launchOptions.processType == ProcessLauncher::ProcessType::Network) > return adoptGRef(g_subprocess_launcher_spawnv(launcher, argv, error)); > > const char* runDir = g_get_user_runtime_dir(); > Vector sandboxArgs = { > "--die-with-parent", > "--unshare-pid", > "--unshare-uts", > > // We assume /etc has safe permissions. > // At a later point we can start masking privacy-concerning files. > "--ro-bind", "/etc", "/etc", > "--dev", "/dev", > "--proc", "/proc", > "--tmpfs", "/tmp", > "--unsetenv", "TMPDIR", > "--dir", runDir, > "--setenv", "XDG_RUNTIME_DIR", runDir, > "--symlink", "../run", "/var/run", > "--symlink", "../tmp", "/var/tmp", > "--ro-bind", "/sys/block", "/sys/block", > "--ro-bind", "/sys/bus", "/sys/bus", > "--ro-bind", "/sys/class", "/sys/class", > "--ro-bind", "/sys/dev", "/sys/dev", > "--ro-bind", "/sys/devices", "/sys/devices", > > "--ro-bind-try", "/usr/share", "/usr/share", > "--ro-bind-try", "/usr/local/share", "/usr/local/share", > "--ro-bind-try", DATADIR, DATADIR, > > // Bind mount the store inside the WebKitGTK sandbox. 
> "--ro-bind", "@storedir@", "@storedir@", > > // We only grant access to the libdirs webkit is built with and > // guess system libdirs. This will always have some edge cases. > "--ro-bind-try", "/lib", "/lib", > "--ro-bind-try", "/usr/lib", "/usr/lib", > "--ro-bind-try", "/usr/local/lib", "/usr/local/lib", > "--ro-bind-try", LIBDIR, LIBDIR, > "--ro-bind-try", "/lib64", "/lib64", > "--ro-bind-try", "/usr/lib64", "/usr/lib64", > "--ro-bind-try", "/usr/local/lib64", "/usr/local/lib64", > > "--ro-bind-try", PKGLIBEXECDIR, PKGLIBEXECDIR, > }; > > if (launchOptions.processType == ProcessLauncher::ProcessType::DBusProxy) { > sandboxArgs.appendVector(Vector({ > ==> "--ro-bind", "/usr/bin", "/usr/bin", > // This is a lot of access, but xdg-dbus-proxy is trusted so that's OK. It's sandboxed > // only because we have to mount .flatpak-info in its mount namespace. The user rundir > // is where we mount our proxy socket. > "--bind", runDir, runDir, > })); > } else { > // xdg-dbus-proxy needs access to host abstract sockets to connect to the a11y bus. Secure > // host services must not use abstract sockets. Otherwise, only the network process should > // have network access, and the network process is not sandboxed at all. > sandboxArgs.appendVector(Vector({ > "--unshare-net" > })); > } > --8<---------------cut here---------------end--------------->8--- > > Mark -- Efraim Flashner אפרים פלשנר GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351 Confidentiality cannot be guaranteed on emails sent or received unencrypted