On Tue, Apr 13, 2021 at 03:22:47PM -0400, Mark H Weaver wrote:
> Hi Efraim,
>
> Efraim Flashner writes:
>
> > On Thu, Apr 08, 2021 at 11:07:31AM -0400, Mark H Weaver wrote:
> >> I suspect that the relevant bit that needs to be changed is line 779 of
> >> the following file in the webkitgtk-2.32.0 source code:
> >>
> >> Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp
> >>
> >> Most likely, that line can simply be deleted. Here's the relevant
> >> excerpt, with line 779 marked by "==>":
> >
> > Looking at the other lines above it, we could just change it from
> > ro-bind to ro-bind-try.
>
> I expect that would work, but why should we give the sandbox access to
> /usr/bin at all? I took a different approach: I removed access to *all*
> of the FHS directories, since they should not be needed for a
> Guix-compiled package.
>
> Below, I've attached the patch that I'm currently using successfully on
> my private branch of Guix.
>
> What do you think?

Since we should be linking to any libraries we need anyway and patching
any calls out to other binaries, I suppose this should work. I suggested
ro-bind-try to minimize the patch size.

--
Efraim Flashner
אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted