From: Jack Hill
Subject: bug#40837: core-updates: webkitgtk web process sandbox incomplete
Date: Sun, 26 Apr 2020 16:42:44 -0400 (EDT)
References: <171b356d9e2.1154aefce15638.8921669740072490388@zoho.com>
List-Id: Bug reports for GNU Guix
To: 40837 <40837@debbugs.gnu.org>
Cc: sirgazil

Some additional observations:

With my patched webkitgtk, if I set:

PULSE_CLIENTCONFIG=/gnu/store/zc4dsmvdabi00nvisrjhi9w00ff4igs7-client.conf

it does work, which is an improvement compared to without the patch.
I notice that Nix [0] has a similar patch:

"""
diff -ru old/webkitgtk-2.26.0/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp webkitgtk-2.26.0/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp --- old/webkitgtk-2.26.0/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp 2019-09-09 04:47:07.000000000 -0400 +++ webkitgtk-2.26.0/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp 2019-09-20 21:14:10.537921173 -0400 @@ -585,7 +585,7 @@ { SCMP_SYS(keyctl), nullptr }, { SCMP_SYS(request_key), nullptr }, - // Scary VM/NUMA ops + // Scary VM/NUMA ops { SCMP_SYS(move_pages), nullptr }, { SCMP_SYS(mbind), nullptr }, { SCMP_SYS(get_mempolicy), nullptr }, @@ -724,6 +724,10 @@ "--ro-bind-try", "/usr/local/lib64", "/usr/local/lib64", "--ro-bind-try", PKGLIBEXECDIR, PKGLIBEXECDIR, + + // Nix Directories + "--ro-bind", "@storeDir@", "@storeDir@", + "--ro-bind", "/run/current-system", "/run/current-system", }; // We would have to parse ld config files for more info. bindPathVar(sandboxArgs, "LD_LIBRARY_PATH");
"""

[0] https://github.com/NixOS/nixpkgs/blob/465566948393cf533e3617704d1c4ccc34cf3753/pkgs/development/libraries/webkitgtk/fix-bubblewrap-paths.patch

so I wonder if I didn't do the mounts in the right place and/or if it is because I missed /run/current-system. I'm going to try to adapt the Nix patch to see if that helps.

Best,
Jack
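Review bot: the first hunk (@@ -585,7 +585,7 @@) touches only the `// Scary VM/NUMA ops` comment line, and the `-` and `+` sides carry identical visible text, so it is a whitespace-only edit with no effect on the seccomp list; drop it so the patch carries just the bind-mount change and rebases cleanly on later WebKit releases.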
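Review bot: in the second hunk (@@ -724,6 +724,10 @@) the two added entries use `--ro-bind` while the neighbouring entries use `--ro-bind-try`; bwrap refuses to start the sandbox when a plain `--ro-bind` source does not exist, so on a host without `/run/current-system` (Nix on a non-NixOS distribution, or a Guix port used on a foreign distribution) the web process would fail to launch instead of merely losing that path. Suggest `"--ro-bind-try", "/run/current-system", "/run/current-system",` and keeping the hard `--ro-bind` only for the store, which is always present. `@storeDir@` is a build-time placeholder that must be substituted (with `/gnu/store` for Guix) before the file is compiled, and binding the whole store exposes every store path, read-only, to the sandboxed process rather than only the closure it needs; that is the trade-off this approach makes for not parsing the profile.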
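The question raised above (are the mounts in the right place, and is `/run/current-system` needed as well as the store?) can be answered offline by checking a bubblewrap argument list against the paths the web process must reach. The script below is an added example, not code from WebKitGTK, Nix or Guix: it parses a bwrap-style argument list like the one in the quoted patch, resolves each needed path through a table of directory symlinks, and reports the first hop the sandbox cannot see. It also flags plain `--ro-bind` entries whose source is absent on the host, which make bwrap abort rather than skip. The `PULSE_CLIENTCONFIG` store path is the one from this report; the `libpulse` path, the `profile` symlink target and the host path set are constructed for the demonstration.

```python
"""Check which host paths a bubblewrap (bwrap) argument list leaves visible
to a sandboxed WebKit web process.

Added example, not code from WebKitGTK, Nix or Guix.  The bind mounts mirror
the quoted patch; PULSE_CONF is the store path from the bug report; the
system-profile symlink, libpulse path and host path set are constructed.
"""
import os.path
from typing import Dict, List, Tuple

# bwrap flags that take (source, destination) and make `destination` visible.
MOUNT_FLAGS = {"--bind", "--ro-bind", "--dev-bind",
               "--bind-try", "--ro-bind-try", "--dev-bind-try"}
# Argument count of the other flags used below; unknown flags are rejected
# rather than silently mis-parsed.
ARITY = {"--unshare-all": 0, "--die-with-parent": 0, "--new-session": 0,
         "--dev": 1, "--proc": 1, "--tmpfs": 1, "--dir": 1, "--unsetenv": 1,
         "--symlink": 2, "--setenv": 2}


def parse_mounts(args: List[str]) -> List[Tuple[str, str, str]]:
    """Return (flag, source, destination) for every bind mount in `args`."""
    mounts, i = [], 0
    while i < len(args):
        flag = args[i]
        if flag in MOUNT_FLAGS:
            mounts.append((flag, args[i + 1], args[i + 2]))
            i += 3
        elif flag in ARITY:
            i += 1 + ARITY[flag]
        else:
            raise ValueError(f"unknown bwrap flag {flag!r}")
    return mounts


def is_visible(path: str, mounts: List[Tuple[str, str, str]]) -> bool:
    """True if `path` lies at or below the destination of some bind mount."""
    path = os.path.normpath(path)
    for _, _, dest in mounts:
        dest = os.path.normpath(dest)
        if path == dest or path.startswith(dest.rstrip("/") + "/"):
            return True
    return False


def resolve(path: str, symlinks: Dict[str, str]) -> List[str]:
    """Expand `path` through a table of directory symlinks and return every
    hop.  Symlinks inside a bound tree still point at host paths, so each hop
    must itself be visible inside the sandbox."""
    hops = [path]
    for _ in range(40):  # loop guard
        for link, target in sorted(symlinks.items(), key=lambda kv: -len(kv[0])):
            if path == link or path.startswith(link + "/"):
                path = target + path[len(link):]
                hops.append(path)
                break
        else:
            return hops
    raise ValueError(f"symlink loop while resolving {hops[0]}")


def missing_paths(args: List[str], needed: List[str],
                  symlinks: Dict[str, str]) -> List[Tuple[str, str]]:
    """(needed path, first hop the sandbox cannot see) for each unreachable path."""
    mounts = parse_mounts(args)
    missing = []
    for p in needed:
        for hop in resolve(p, symlinks):
            if not is_visible(hop, mounts):
                missing.append((p, hop))
                break
    return missing


def fatal_binds(args: List[str], host_paths) -> List[Tuple[str, str]]:
    """Binds without the -try suffix whose source is absent on the host:
    bwrap refuses to start instead of skipping those.  `host_paths` stands in
    for os.path.exists() so the check runs offline."""
    return [(flag, src) for flag, src, _ in parse_mounts(args)
            if not flag.endswith("-try") and src not in host_paths]


STORE = "/gnu/store"
PULSE_CONF = "/gnu/store/zc4dsmvdabi00nvisrjhi9w00ff4igs7-client.conf"  # from the report
PROFILE = "/gnu/store/" + "a" * 32 + "-profile"                          # constructed
LIBPULSE = "/run/current-system/profile/lib/libpulse.so.0"               # constructed
# Constructed: the profile under /run/current-system is a symlink into the store.
SYMLINKS = {"/run/current-system/profile": PROFILE}
NEEDED = [PULSE_CONF, LIBPULSE]

COMMON = ["--unshare-all", "--dev", "/dev", "--proc", "/proc",
          "--ro-bind-try", "/usr/local/lib64", "/usr/local/lib64"]
UNPATCHED = COMMON
ONLY_RUN = COMMON + ["--ro-bind-try", "/run/current-system", "/run/current-system"]
PATCHED = COMMON + ["--ro-bind", STORE, STORE,
                    "--ro-bind-try", "/run/current-system", "/run/current-system"]
NIX_STYLE = COMMON + ["--ro-bind", STORE, STORE,
                      "--ro-bind", "/run/current-system", "/run/current-system"]
HOST_WITHOUT_RUN = {STORE, "/usr/local/lib64"}  # constructed: Guix on a foreign distro

if __name__ == "__main__":
    for name, args in [("unpatched", UNPATCHED), ("only /run/current-system", ONLY_RUN),
                       ("store + /run/current-system", PATCHED)]:
        print(f"{name}: missing {missing_paths(args, NEEDED, SYMLINKS)}")
    print("fatal on a host without /run/current-system:",
          fatal_binds(NIX_STYLE, HOST_WITHOUT_RUN))
```

Binding only `/run/current-system` is not enough in this model: the path under it is visible, but the profile symlink leads back into `/gnu/store`, which is not, so the library is still unreachable; binding the store fixes both the `PULSE_CLIENTCONFIG` file and the symlink target. Using `--ro-bind-try` for `/run/current-system` keeps the launcher working on hosts where that directory does not exist.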