* bug#40837: core-updates: epiphany web process crashes
From: Jack Hill @ 2020-04-25 2:55 UTC
To: 40837

Hi Guix,

On Guix System with the current core-updates branch, epiphany/GNOME-Web starts, but doesn't work because the web process crashes in a loop. When I run epiphany from the terminal I see

"""
$ epiphany

** (epiphany:29457): CRITICAL **: 22:37:21.415: void webkit_web_context_register_uri_scheme(WebKitWebContext*, const char*, WebKitURISchemeRequestCallback, gpointer, GDestroyNotify): assertion 'g_ascii_strcasecmp(scheme, "ftp") != 0' failed
bwrap: Can't create file at /etc/pulse/client.conf: No such file or directory
bwrap: Can't create file at /etc/pulse/client.conf: No such file or directory
bwrap: Can't create file at /etc/pulse/client.conf: No such file or directory
bwrap: Can't create file at /etc/pulse/client.conf: No such file or directory
bwrap: Can't create file at /etc/pulse/client.conf: No such file or directory
bwrap: Can't create file at /etc/pulse/client.conf: No such file or directory
bwrap: Can't create file at /etc/pulse/client.conf: No such file or directory

** (epiphany:29457): WARNING **: 22:37:21.866: Web process crashed
"""

The bwrap… and …Web process crashed lines then continue to print alternating. Windows and tabs are created, but no content is ever drawn in them.

/etc/pulse/client.conf exists on the host, but maybe not in the namespaces created by bwrap? Could this be related to WebKitGTK sandboxing: https://blogs.gnome.org/mcatanzaro/2020/03/31/sandboxing-webkitgtk-apps/

Best,
Jack
* bug#40837: core-updates: epiphany web process crashes
From: Jack Hill @ 2020-04-25 3:19 UTC
To: 40837

I experience the problem with epiphany installed both in the system profile and in an ad-hoc environment.

Best,
Jack
* bug#40837: core-updates: epiphany web process crashes
From: sirgazil via Bug reports for GNU Guix @ 2020-04-25 21:55 UTC
To: 40837

I can reproduce this bug. I can't load any page and see the same messages in the terminal.
* bug#40837: core-updates: epiphany web process crashes
From: Jack Hill @ 2020-04-26 1:23 UTC
To: sirgazil; +Cc: 40837

On Sat, 25 Apr 2020, sirgazil via Bug reports for GNU Guix wrote:

> I can reproduce this bug. I can't load any page and see the same messages in the terminal.

Thanks, as a first step it is helpful to know that the problem can be reproduced. The second step is to figure out why this is happening.

My suspicion is that the bwrap invocation by webkitgtk is not sharing some paths into the new namespace it creates that it should be, because the paths are different on Guix System than they are on FHS systems.

Stracing epiphany, I've turned up the bwrap invocation to be:

execve("/gnu/store/kzq4v5fvjbdbbwah74k10pf698xkbdpr-bubblewrap-0.4.1/bin/bwrap", ["/gnu/store/kzq4v5fvjbdbbwah74k10pf698xkbdpr-bubblewrap-0.4.1/bin/bwrap", "--args", "36", "--", "/gnu/store/1skpd1p64x982c52anh4a5yhlp05paa6-webkitgtk-2.28.1/libexec/webkit2gtk-4.0/WebKitWebProcess", "11", "31"]

File descriptor 36, which holds the bwrap arguments, is

write(36, "--die-with-parent\0--unshare-pid\0--unshare-uts\0--unshare-net\0--ro-bind\0/etc\0/etc\0--dev\0/dev\0--proc\0/proc\0--tmpfs\0/tmp\0--unsetenv\0TMPDIR\0--dir\0/run\0--symlink\0../run\0/var/run\0--symlink\0../tmp\0/var/tmp\0--ro-bind\0/sys/block\0/sys/block\0--ro-bind\0/sys/bus\0/sys/bus\0--ro-bind\0/sys/class\0/sys/class\0--ro-bind\0/sys/dev\0/sys/dev\0--ro-bind\0/sys/devices\0/sys/devices\0--ro-bind-try\0/usr/share\0/usr/share\0--ro-bind-try\0/usr/local/share\0/usr/local/share\0--ro-bind-try\0/gnu/store/1skpd1p64x982c52anh4a5yhlp05paa6-webkitgtk-2.28.1/share\0/gnu/store/1skpd1p64x982c52anh4a5yhlp05paa6-webkitgtk-2.28.1/share\0--ro-bind-try\0/lib\0/lib\0--ro-bind-try\0/usr/lib\0/usr/lib\0--ro-bind-try\0/usr/local/lib\0/usr/local/lib\0--ro-bind-try\0/gnu/store/1skpd1p64x982c52anh4a5yhlp05paa6-webkitgtk-2.28.1/lib\0/gnu/store/1skpd1p64x982c52anh4a5yhlp05paa6-webkitgtk-2.28.1/lib\0--ro-bind-try\0/lib64\0/lib64\0--ro-bind-try\0/usr/lib64\0/usr/lib64\0--ro-bind-try\0/usr/local/lib64\0/usr/local/lib64\0--ro-bind-try\0/gnu/store/1skpd1p64x982c52anh4a5yhlp05paa6-webkitgtk-2.28.1/libexec/webkit2gtk-4.0\0/gnu/store/1skpd1p64x982c52anh4a5yhlp05paa6-webkitgtk-2.28.1/libexec/webkit2gtk-4.0\0--ro-bind-try\0/gnu/store/h6pd8k3glp23k868i0ij5x2v5kzfgsrv-gdk-pixbuf+svg-2.40.0/lib\0/gnu/store/h6pd8k3glp23k868i0ij5x2v5kzfgsrv-gdk-pixbuf+svg-2.40.0/lib\0--ro-bind-try\0/gnu/store/9s7khsp79c223jvbbv0icyn5fdm7v6cb-gnome-bluetooth-3.34.0/lib\0/gnu/store/9s7khsp79c223jvbbv0icyn5fdm7v6cb-gnome-bluetooth-3.34.0/lib\0--ro-bind-try\0/gnu/store/ry4zm4c39nz78h42hmbq6rb6mg6axxzg-librsvg-2.40.21/lib\0/gnu/store/ry4zm4c39nz78h42hmbq6rb6mg6axxzg-librsvg-2.40.21/lib\0--ro-bind-try\0/gnu/store/y37h19fz5pr3m99aw8g9hksz2pv1xr1f-libgweather-3.34.0/lib\0/gnu/store/y37h19fz5pr3m99aw8g9hksz2pv1xr1f-libgweather-3.34.0/lib\0--setenv\0LD_LIBRARY_PATH\0/gnu/store/h6pd8k3glp23k868i0ij5x2v5kzfgsrv-gdk-pixbuf+svg-2.40.0/lib:/gnu/store/9s7khsp79c223jvbbv0icyn5fdm7v6cb-gnome-bluetooth-3.34.0/lib:/gnu/store/ry4zm4c39nz78h42hmbq6rb6mg6axxzg-librsvg-2.40.21/lib:/gnu/store/y37h19fz5pr3m99aw8g9hksz2pv1xr1f-libgweather-3.34.0/lib\0--ro-bind-data\00033\0/.flatpak-info\0--bind-try\0/tmp/.X11-unix/X1\0/tmp/.X11-unix/X1\0--ro-bind-try\0/run/user/1000/gdm/Xauthority\0/run/user/1000/gdm/Xauthority\0--ro-bind-try\0/tmp/epiphany-jackhill-hoj0lD\0/tmp/epiphany-jackhill-hoj0lD\0--ro-bind-try\0/home/jackhill/.local/share/epiphany\0/home/jackhill/.local/share/epiphany\0--ro-bind-try\0/home/jackhill/.cache/epiphany\0/home/jackhill/.cache/epiphany\0--ro-bind-try\0/home/jackhill/.config/epiphany\0/home/jackhill/.config/epiphany\0--bind-try\0/home/jackhill/.cache/epiphany/applications\0/home/jackhill/.cache/epiphany/applications\0--bind-try\0/home/jackhill/.local/share/webkitgtk/mediakeys\0/home/jackhill/.local/share/webkitgtk/mediakeys\0--bind-try\0/home/jackhill/.local/share/epiphany/databases\0/home/jackhill/.local/share/epiphany/databases\0--bind-try\0/run/user/1000/pulse\0/run/user/1000/pulse\0--ro-bind-try\0/etc/pulse/client.conf\0/etc/pulse/client.conf\0--ro-bind-try\0/home/jackhill/.config/pulse\0/home/jackhill/.config/pulse\0--ro-bind-try\0/home/jackhill/.pulse\0/home/jackhill/.pulse\0--ro-bind-try\0/home/jackhill/.asoundrc\0/home/jackhill/.asoundrc\0--dev-bind-try\0/dev/snd\0/dev/snd\0--ro-bind-try\0/home/jackhill/.config/fontconfig\0/home/jackhill/.config/fontconfig\0--ro-bind-try\0/home/jackhill/.fontconfig\0/home/jackhill/.fontconfig\0--bind-try\0/home/jackhill/.cache/fontconfig\0/home/jackhill/.cache/fontconfig\0--ro-bind-try\0/home/jackhill/.fonts.conf\0/home/jackhill/.fonts.conf\0--ro-bind-try\0/home/jackhill/.config/.fonts.conf.d\0/home/jackhill/.config/.fonts.conf.d\0--ro-bind-try\0/home/jackhill/.local/share/fonts\0/home/jackhill/.local/share/fonts\0--ro-bind-try\0/home/jackhill/.fonts\0/home/jackhill/.fonts\0--ro-bind-try\0/var/cache/fontconfig\0/var/cache/fontconfig\0--ro-bind-try\0/home/jackhill/.guix-profile/lib/gstreamer-1.0\0/home/jackhill/.guix-profile/lib/gstreamer-1.0\0--ro-bind-try\0/home/jackhill/.guix-profile/lib/gstreamer-1.0\0/home/jackhill/.guix-profile/lib/gstreamer-1.0\0--ro-bind-try\0/home/jackhill/.guix-profile/lib/gstreamer-1.0\0/home/jackhill/.guix-profile/lib/gstreamer-1.0\0--ro-bind-try\0/run/current-system/profile/lib/gstreamer-1.0\0/run/current-system/profile/lib/gstreamer-1.0\0--bind-try\0/home/jackhill/.cache/gstreamer-1.0\0/home/jackhill/.cache/gstreamer-1.0\0--ro-bind-try\0/usr/libexec/gstreamer-1.0/gst-plugin-scanner\0/usr/libexec/gstreamer-1.0/gst-plugin-scanner\0--ro-bind-try\0/usr/libexec/gst-install-plugins-helper\0/usr/libexec/gst-install-plugins-helper\0--dev-bind-try\0/dev/dri\0/dev/dri\0--dev-bind-try\0/dev/mali\0/dev/mali\0--dev-bind-try\0/dev/mali0\0/dev/mali0\0--dev-bind-try\0/dev/umplock\0/dev/umplock\0--dev-bind-try\0/dev/nvidiactl\0/dev/nvidiactl\0--dev-bind-try\0/dev/nvidia0\0/dev/nvidia0\0--dev-bind-try\0/dev/nvidia\0/dev/nvidia\0--dev-bind-try\0/dev/kgsl-3d0\0/dev/kgsl-3d0\0--dev-bind-try\0/dev/ion\0/dev/ion\0--dev-bind-try\0/dev/v4l\0/dev/v4l\0--dev-bind-try\0/dev/video0\0/dev/video0\0--dev-bind-try\0/dev/video1\0/dev/video1\0--ro-bind\0/run/user/1000/webkitgtk/dbus-proxy-SQHVJ0\0/run/user/1000/webkitgtk/dbus-proxy-SQHVJ0\0--setenv\0AT_SPI_BUS_ADDRESS\0unix:path=/run/user/1000/webkitgtk/dbus-proxy-SQHVJ0\0--ro-bind-try\0/home/jackhill/.config/gtk-3.0\0/home/jackhill/.config/gtk-3.0\0--ro-bind-try\0/home/jackhill/.local/share/themes\0/home/jackhill/.local/share/themes\0--ro-bind-try\0/home/jackhill/.themes\0/home/jackhill/.themes\0--ro-bind-try\0/home/jackhill/.icons\0/home/jackhill/.icons\0--seccomp\00035\0"

For readability, here it is with the null bytes removed and newlines used instead:

--die-with-parent
--unshare-pid
--unshare-uts
--unshare-net
--ro-bind /etc /etc
--dev /dev
--proc /proc
--tmpfs /tmp
--unsetenv TMPDIR
--dir /run
--symlink ../run /var/run
--symlink ../tmp /var/tmp
--ro-bind /sys/block /sys/block
--ro-bind /sys/bus /sys/bus
--ro-bind /sys/class /sys/class
--ro-bind /sys/dev /sys/dev
--ro-bind /sys/devices /sys/devices
--ro-bind-try /usr/share /usr/share
--ro-bind-try /usr/local/share /usr/local/share
--ro-bind-try /gnu/store/1skpd1p64x982c52anh4a5yhlp05paa6-webkitgtk-2.28.1/share /gnu/store/1skpd1p64x982c52anh4a5yhlp05paa6-webkitgtk-2.28.1/share
--ro-bind-try /lib /lib
--ro-bind-try /usr/lib /usr/lib
--ro-bind-try /usr/local/lib /usr/local/lib
--ro-bind-try /gnu/store/1skpd1p64x982c52anh4a5yhlp05paa6-webkitgtk-2.28.1/lib /gnu/store/1skpd1p64x982c52anh4a5yhlp05paa6-webkitgtk-2.28.1/lib
--ro-bind-try /lib64 /lib64
--ro-bind-try /usr/lib64 /usr/lib64
--ro-bind-try /usr/local/lib64 /usr/local/lib64
--ro-bind-try /gnu/store/1skpd1p64x982c52anh4a5yhlp05paa6-webkitgtk-2.28.1/libexec/webkit2gtk-4.0 /gnu/store/1skpd1p64x982c52anh4a5yhlp05paa6-webkitgtk-2.28.1/libexec/webkit2gtk-4.0
--ro-bind-try /gnu/store/h6pd8k3glp23k868i0ij5x2v5kzfgsrv-gdk-pixbuf+svg-2.40.0/lib /gnu/store/h6pd8k3glp23k868i0ij5x2v5kzfgsrv-gdk-pixbuf+svg-2.40.0/lib
--ro-bind-try /gnu/store/9s7khsp79c223jvbbv0icyn5fdm7v6cb-gnome-bluetooth-3.34.0/lib /gnu/store/9s7khsp79c223jvbbv0icyn5fdm7v6cb-gnome-bluetooth-3.34.0/lib
--ro-bind-try /gnu/store/ry4zm4c39nz78h42hmbq6rb6mg6axxzg-librsvg-2.40.21/lib /gnu/store/ry4zm4c39nz78h42hmbq6rb6mg6axxzg-librsvg-2.40.21/lib
--ro-bind-try /gnu/store/y37h19fz5pr3m99aw8g9hksz2pv1xr1f-libgweather-3.34.0/lib /gnu/store/y37h19fz5pr3m99aw8g9hksz2pv1xr1f-libgweather-3.34.0/lib
--setenv LD_LIBRARY_PATH /gnu/store/h6pd8k3glp23k868i0ij5x2v5kzfgsrv-gdk-pixbuf+svg-2.40.0/lib:/gnu/store/9s7khsp79c223jvbbv0icyn5fdm7v6cb-gnome-bluetooth-3.34.0/lib:/gnu/store/ry4zm4c39nz78h42hmbq6rb6mg6axxzg-librsvg-2.40.21/lib:/gnu/store/y37h19fz5pr3m99aw8g9hksz2pv1xr1f-libgweather-3.34.0/lib
--ro-bind-data 0033 /.flatpak-info
--bind-try /tmp/.X11-unix/X1 /tmp/.X11-unix/X1
--ro-bind-try /run/user/1000/gdm/Xauthority /run/user/1000/gdm/Xauthority
--ro-bind-try /tmp/epiphany-jackhill-hoj0lD /tmp/epiphany-jackhill-hoj0lD
--ro-bind-try /home/jackhill/.local/share/epiphany /home/jackhill/.local/share/epiphany
--ro-bind-try /home/jackhill/.cache/epiphany /home/jackhill/.cache/epiphany
--ro-bind-try /home/jackhill/.config/epiphany /home/jackhill/.config/epiphany
--bind-try /home/jackhill/.cache/epiphany/applications /home/jackhill/.cache/epiphany/applications
--bind-try /home/jackhill/.local/share/webkitgtk/mediakeys /home/jackhill/.local/share/webkitgtk/mediakeys
--bind-try /home/jackhill/.local/share/epiphany/databases /home/jackhill/.local/share/epiphany/databases
--bind-try /run/user/1000/pulse /run/user/1000/pulse
--ro-bind-try /etc/pulse/client.conf /etc/pulse/client.conf
--ro-bind-try /home/jackhill/.config/pulse /home/jackhill/.config/pulse
--ro-bind-try /home/jackhill/.pulse /home/jackhill/.pulse
--ro-bind-try /home/jackhill/.asoundrc /home/jackhill/.asoundrc
--dev-bind-try /dev/snd /dev/snd
--ro-bind-try /home/jackhill/.config/fontconfig /home/jackhill/.config/fontconfig
--ro-bind-try /home/jackhill/.fontconfig /home/jackhill/.fontconfig
--bind-try /home/jackhill/.cache/fontconfig /home/jackhill/.cache/fontconfig
--ro-bind-try /home/jackhill/.fonts.conf /home/jackhill/.fonts.conf
--ro-bind-try /home/jackhill/.config/.fonts.conf.d /home/jackhill/.config/.fonts.conf.d
--ro-bind-try /home/jackhill/.local/share/fonts /home/jackhill/.local/share/fonts
--ro-bind-try /home/jackhill/.fonts /home/jackhill/.fonts
--ro-bind-try /var/cache/fontconfig /var/cache/fontconfig
--ro-bind-try /home/jackhill/.guix-profile/lib/gstreamer-1.0 /home/jackhill/.guix-profile/lib/gstreamer-1.0
--ro-bind-try /home/jackhill/.guix-profile/lib/gstreamer-1.0 /home/jackhill/.guix-profile/lib/gstreamer-1.0
--ro-bind-try /home/jackhill/.guix-profile/lib/gstreamer-1.0 /home/jackhill/.guix-profile/lib/gstreamer-1.0
--ro-bind-try /run/current-system/profile/lib/gstreamer-1.0 /run/current-system/profile/lib/gstreamer-1.0
--bind-try /home/jackhill/.cache/gstreamer-1.0 /home/jackhill/.cache/gstreamer-1.0
--ro-bind-try /usr/libexec/gstreamer-1.0/gst-plugin-scanner /usr/libexec/gstreamer-1.0/gst-plugin-scanner
--ro-bind-try /usr/libexec/gst-install-plugins-helper /usr/libexec/gst-install-plugins-helper
--dev-bind-try /dev/dri /dev/dri
--dev-bind-try /dev/mali /dev/mali
--dev-bind-try /dev/mali0 /dev/mali0
--dev-bind-try /dev/umplock /dev/umplock
--dev-bind-try /dev/nvidiactl /dev/nvidiactl
--dev-bind-try /dev/nvidia0 /dev/nvidia0
--dev-bind-try /dev/nvidia /dev/nvidia
--dev-bind-try /dev/kgsl-3d0 /dev/kgsl-3d0
--dev-bind-try /dev/ion /dev/ion
--dev-bind-try /dev/v4l /dev/v4l
--dev-bind-try /dev/video0 /dev/video0
--dev-bind-try /dev/video1 /dev/video1
--ro-bind /run/user/1000/webkitgtk/dbus-proxy-SQHVJ0 /run/user/1000/webkitgtk/dbus-proxy-SQHVJ0
--setenv AT_SPI_BUS_ADDRESS unix:path=/run/user/1000/webkitgtk/dbus-proxy-SQHVJ0
--ro-bind-try /home/jackhill/.config/gtk-3.0 /home/jackhill/.config/gtk-3.0
--ro-bind-try /home/jackhill/.local/share/themes /home/jackhill/.local/share/themes
--ro-bind-try /home/jackhill/.themes /home/jackhill/.themes
--ro-bind-try /home/jackhill/.icons /home/jackhill/.icons
--seccomp 0035

On my system, /etc/pulse/client.conf is a symlink to the store item /gnu/store/zc4dsmvdabi00nvisrjhi9w00ff4igs7-client.conf, which is not shared into the new mount namespace created by bubblewrap. It seems like the right way to solve this is for webkitgtk or bubblewrap to resolve the symlinks at runtime. As a workaround/test perhaps we can share all of /gnu/store.

All that said, I could be on the wrong track as well, since I haven't tested a solution yet.

Best,
Jack
* bug#40837: core-updates: epiphany web process crashes
From: Jack Hill @ 2020-04-26 1:46 UTC
To: sirgazil; +Cc: 40837

I now think what is being shared with bubblewrap is on the right track. After seeing

"""
    const char* pulseConfig = g_getenv("PULSE_CLIENTCONFIG");
    if (pulseConfig)
        bindIfExists(args, pulseConfig);
"""

in Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp of WebKitGTK, I set the PULSE_CLIENTCONFIG environment variable to the store path rather than /etc/pulse/client.conf, which is what it was set to before.

That allowed epiphany to get past the problem with client.conf. However, it then hits another problem with something not being shared as seen in this session:

"""
$ env |grep PULSE
PULSE_CLIENTCONFIG=gnu/store/zc4dsmvdabi00nvisrjhi9w00ff4igs7-client.conf
PULSE_CONFIG=/etc/pulse/daemon.conf
$ epiphany

** (epiphany:11528): CRITICAL **: 21:38:10.896: void webkit_web_context_register_uri_scheme(WebKitWebContext*, const char*, WebKitURISchemeRequestCallback, gpointer, GDestroyNotify): assertion 'g_ascii_strcasecmp(scheme, "ftp") != 0' failed
bwrap: execvp /gnu/store/1skpd1p64x982c52anh4a5yhlp05paa6-webkitgtk-2.28.1/libexec/webkit2gtk-4.0/WebKitWebProcess: No such file or directory
^C
"""

Best,
Jack
* bug#40837: core-updates: epiphany web process crashes
From: Jack Hill @ 2020-04-26 3:03 UTC
To: 40837; +Cc: sirgazil

On Sat, 25 Apr 2020, Jack Hill wrote:

> in Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp of WebKitGTK,
> I set the PULSE_CLIENTCONFIG environment variable to the store path rather
> than /etc/pulse/client.conf, which is what it was set to before.
>
> That allowed epiphany to get past the problem with client.conf. However, it
> then hits another problem with something not being shared as seen in this
> session:

I tried patching webkitgtk to share the whole /gnu/store in the new mount namespace (see attached patch). Unfortunately, when I ran epiphany with that patch applied and PULSE_CLIENTCONFIG set to /etc/pulse/client.conf, the "bwrap: Can't create file at /etc/pulse/client.conf: No such file or directory" error returned. Via strace, I saw that my patch was having an effect on the arguments to bwrap. Could it be that the order of the --bind/--ro-bind arguments matters?

Thoughts?

Jack

[-- Attachment #2: Type: text/x-diff; name=0001-gnu-webkitgtk-Patch-to-share-store-via-bwarp.patch, Size: 3165 bytes --]

From f8901a83e2abc2c6ab34f5883663315b8d715e2f Mon Sep 17 00:00:00 2001
From: Jack Hill <jackhill@jackhill.us> Date: Sat, 25 Apr 2020 22:03:48 -0400 Subject: [PATCH] gnu: webkitgtk: Patch to share store via bwarp * gnu/packages/patches/webkitgtk-share-store.patch: New File. * gnu/local.mk: Add here. * gnu/packages/webkit.scm (webkitgtk)[source]: Apply patch. --- gnu/local.mk | 1 + .../patches/webkitgtk-share-store.patch | 18 ++++++++++++++++++ gnu/packages/webkit.scm | 4 +++- 3 files changed, 22 insertions(+), 1 deletion(-) create mode 100644 gnu/packages/patches/webkitgtk-share-store.patch diff --git a/gnu/local.mk b/gnu/local.mk index 2780434455..6c11a07c24 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1554,6 +1554,7 @@ dist_patch_DATA = \ %D%/packages/patches/vte-CVE-2012-2738-pt1.patch \ %D%/packages/patches/vte-CVE-2012-2738-pt2.patch \ %D%/packages/patches/weasyprint-library-paths.patch \ + %D%/packages/patches/webkitgtk-share-store.patch \ %D%/packages/patches/websocketpp-fix-for-boost-1.70.patch \ %D%/packages/patches/wicd-bitrate-none-fix.patch \ %D%/packages/patches/wicd-get-selected-profile-fix.patch \ diff --git a/gnu/packages/patches/webkitgtk-share-store.patch b/gnu/packages/patches/webkitgtk-share-store.patch new file mode 100644 index 0000000000..b927ab7b0a --- /dev/null +++ b/gnu/packages/patches/webkitgtk-share-store.patch 
@@ -0,0 +1,18 @@ +Author: Jack Hill <jackhill@jackhill.us> +Tell bubblewrap to share the store +--- +diff --git a/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp b/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp +index ad301ab2..d53b680e 100644 +--- a/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp ++++ b/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp +@@ -737,6 +737,10 @@ GRefPtr<GSubprocess> bubblewrapSpawn(GSubprocessLauncher* launcher, const Proces + "--ro-bind-try", "/usr/local/share", "/usr/local/share", + "--ro-bind-try", DATADIR, DATADIR, + ++ // TESTING: bind moutn /gnu/store ++ // This should be improved ++ "--ro-bind", "/gnu/store", "/gnu/store", ++ + // We only grant access to the libdirs webkit is built with and + // guess system libdirs. This will always have some edge cases. + "--ro-bind-try", "/lib", "/lib", diff --git a/gnu/packages/webkit.scm b/gnu/packages/webkit.scm index 377fc0dfaf..fcfd28666b 100644 --- a/gnu/packages/webkit.scm +++ b/gnu/packages/webkit.scm @@ -128,7 +128,9 @@ engine that uses Wayland for graphics output.") "webkitgtk-" version ".tar.xz")) (sha256 (base32 - "1n7k4yriqhr38f4fgy8pzdn1nm60m53z8p478sgg64swxnijdg5c")))) + "1n7k4yriqhr38f4fgy8pzdn1nm60m53z8p478sgg64swxnijdg5c")) + (patches + (search-patches "webkitgtk-share-store.patch")))) (build-system cmake-build-system) (outputs '("out" "doc")) (arguments -- 2.26.2 ^ permalink raw reply related [flat|nested] 15+ messages in thread
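Review bot: in the webkitgtk-share-store.patch hunk (`@@ -737,6 +737,10 @@` in BubblewrapLauncher.cpp) the added comment `// TESTING: bind moutn /gnu/store` / `// This should be improved` has a typo and gives no rationale; replace it with why the bind is needed on Guix System (WebKitWebProcess and the libraries it loads live under /gnu/store, so the sandbox cannot exec them otherwise) and state that the unconditional `--ro-bind`, unlike the surrounding `--ro-bind-try` entries, is deliberate because a missing /gnu/store is a hard error on Guix. The patch header should also say that this exposes the entire read-only store to the web process, so reviewers can weigh that against binding only the consumer's closure later.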
* bug#40837: core-updates: webkitgtk web process sandbox incomplete
From: Jack Hill @ 2020-04-26 20:42 UTC
To: 40837; +Cc: sirgazil

Some additional observations:

With my patched webkitgtk, if I set:

PULSE_CLIENTCONFIG=/gnu/store/zc4dsmvdabi00nvisrjhi9w00ff4igs7-client.conf

it does work, which is an improvement compared to without the patch.

I notice that Nix [0] has a similar patch:

"""
diff -ru old/webkitgtk-2.26.0/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp webkitgtk-2.26.0/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp
--- old/webkitgtk-2.26.0/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp	2019-09-09 04:47:07.000000000 -0400
+++ webkitgtk-2.26.0/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp	2019-09-20 21:14:10.537921173 -0400
@@ -585,7 +585,7 @@
         { SCMP_SYS(keyctl), nullptr },
         { SCMP_SYS(request_key), nullptr },
 
-        // Scary VM/NUMA ops
+        // Scary VM/NUMA ops
         { SCMP_SYS(move_pages), nullptr },
         { SCMP_SYS(mbind), nullptr },
         { SCMP_SYS(get_mempolicy), nullptr },
@@ -724,6 +724,10 @@
         "--ro-bind-try", "/usr/local/lib64", "/usr/local/lib64",
 
         "--ro-bind-try", PKGLIBEXECDIR, PKGLIBEXECDIR,
+
+        // Nix Directories
+        "--ro-bind", "@storeDir@", "@storeDir@",
+        "--ro-bind", "/run/current-system", "/run/current-system",
     };
     // We would have to parse ld config files for more info.
     bindPathVar(sandboxArgs, "LD_LIBRARY_PATH");
"""

[0] https://github.com/NixOS/nixpkgs/blob/465566948393cf533e3617704d1c4ccc34cf3753/pkgs/development/libraries/webkitgtk/fix-bubblewrap-paths.patch

so I wonder if I didn't do the mounts in the right place and/or if it is because I missed /run/current-system.

I'm going to try to adapt the Nix patch to see if that helps.

Best,
Jack
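Review bot: the `@@ -585,7 +585,7 @@` hunk of the quoted nixpkgs patch is a whitespace-only change to the `// Scary VM/NUMA ops` comment line; drop it when adapting the patch for Guix so the patch carries only the bind-mount change and keeps applying cleanly across WebKitGTK releases.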
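Review bot: in the `@@ -724,6 +724,10 @@` hunk, `@storeDir@` is a placeholder that nixpkgs substitutes at build time, so a Guix adaptation must either run the same substitution or write `/gnu/store` literally; and the added `"--ro-bind", "/run/current-system", "/run/current-system"` should be kept only if something the web process needs resolves through /run/current-system, which is the open question in this message (the strace earlier in the thread shows only `/run/current-system/profile/lib/gstreamer-1.0` being bound from there).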
* bug#40837: core-updates: webkitgtk web process sandbox incomplete
From: Jack Hill @ 2020-04-27 22:02 UTC
To: 40837; +Cc: sirgazil

I didn't have any better luck with the Nix patch. I was also unable to reproduce any problems with /etc/pulse/client.conf when calling bwrap manually on the command line. I'm afraid that I'm stuck for now. I have asked the WebKit developers for help: https://lists.webkit.org/pipermail/webkit-dev/2020-April/031184.html

Best,
Jack
* bug#40837: core-updates: webkitgtk web process sandbox incomplete
From: Jack Hill @ 2020-04-28 3:03 UTC
To: 40837; +Cc: sirgazil

I'm a little bit unstuck now. I found a bubblewrap issue [0], which I believe is the one that we're running into.

[0] https://github.com/containers/bubblewrap/issues/195 "Errors when --bind used with a symlinked path"

With insight gained there, I've determined that the following simplified bwrap invocation succeeds:

"""
$ bwrap --ro-bind-try /etc/pulse/client.conf /etc/pulse/client.conf --ro-bind /gnu /gnu --ro-bind /run/current-system /run/current-system -- /run/current-system/profile/bin/bash
"""

while the following invocation fails:

"""
$ bwrap --ro-bind /etc /etc --ro-bind-try /etc/pulse/client.conf /etc/pulse/client.conf --ro-bind /gnu /gnu --ro-bind /run/current-system /run/current-system -- /run/current-system/profile/bin/bash
bwrap: Can't create file at /etc/pulse/client.conf: No such file or directory
"""

The difference between the working and non-working invocations is that in the non-working invocation, /etc is already mounted within the new namespace, which includes symlinks at /etc/pulse and /etc/pulse/client.conf, and the later mount of the /etc/pulse/client.conf symlink causes the problem.

Now to figure out what the solution is, and if it is best fixed in webkitgtk or bubblewrap :) Ideas welcome!

Best,
Jack
* bug#40837: core-updates: webkitgtk web process sandbox incomplete
From: Jack Hill @ 2020-04-28 16:27 UTC
To: 40837; +Cc: sirgazil

After further discussion on the Bubblewrap issue [0], it was determined that the problem should be fixed by having WebKitGTK canonicalize paths before passing them to bwrap. There is now a WebKit issue for that fix [1].

[0] https://github.com/containers/bubblewrap/issues/195
[1] https://bugs.webkit.org/show_bug.cgi?id=211131

When the WebKit issue is fixed, that should solve the problem with /etc/pulse/client.conf. I believe that we will still have work to do in Guix to make sure the store is available inside the sandbox.

Best,
Jack
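The failing and working bwrap invocations from the previous message, and the path-canonicalization fix agreed on in the bubblewrap and WebKit issues, as an added Python example (not code from WebKitGTK, bubblewrap or Guix): it builds a constructed Guix-like tree in a temporary directory, flags bind arguments whose destination passes through a host symlink, and rewrites the argv with resolved paths. The store hash, the `BIND_OPTS` set and all function names are assumptions made for the demo.

```python
# Added example for bug#40837, not WebKitGTK, bubblewrap or Guix code.
# Models the thread's failure: /etc is bound first, then a later bind of
# /etc/pulse/client.conf fails because /etc/pulse is a symlink into /gnu/store,
# which does not exist inside the sandbox.  Fix: resolve symlinks before
# building the argv, as WebKit bug 211131 / bubblewrap issue 195 concluded.
import os
import tempfile

# bwrap options that take a SRC DEST pair (the ones seen in the strace above).
BIND_OPTS = {"--bind", "--bind-try", "--ro-bind", "--ro-bind-try",
             "--dev-bind", "--dev-bind-try"}


def iter_binds(argv):
    """Yield (index, option, src, dest) for every bind option in a bwrap argv."""
    i = 0
    while i < len(argv):
        if argv[i] in BIND_OPTS and i + 2 < len(argv):
            yield i, argv[i], argv[i + 1], argv[i + 2]
            i += 3
        else:
            i += 1


def symlinked_components(path):
    """Return every prefix of PATH (PATH itself included) that is a host symlink."""
    links, cur = [], os.sep
    for part in path.split(os.sep):
        if not part:
            continue
        cur = os.path.join(cur, part)
        if os.path.islink(cur):
            links.append(cur)
    return links


def fragile_binds(argv):
    """Binds whose DEST passes through a host symlink.  Once an earlier bind
    (e.g. --ro-bind /etc /etc) has populated that part of the sandbox tree,
    bwrap must create the mount point through a symlink whose target is absent
    inside the sandbox and fails with "Can't create file at ...".
    Returns [(option, dest, [offending symlinks]), ...]."""
    found = []
    for _, opt, _src, dest in iter_binds(argv):
        links = symlinked_components(dest)
        if links:
            found.append((opt, dest, links))
    return found


def canonicalize_binds(argv):
    """Rewrite each bind with the host's resolved SRC and DEST.  Assumes
    WebKit-style binds where SRC and DEST are the same host path."""
    fixed = list(argv)
    for i, _opt, src, dest in iter_binds(argv):
        fixed[i + 1] = os.path.realpath(src)
        fixed[i + 2] = os.path.realpath(dest)
    return fixed


def build_demo_host():
    """Constructed Guix-like tree under a temp dir (placeholder store hash):
    <root>/etc/pulse -> <root>/gnu/store/<hash>-pulse   (symlink)
    <root>/gnu/store/<hash>-pulse/client.conf           (regular file)"""
    root = os.path.realpath(tempfile.mkdtemp(prefix="bwrap-demo-"))
    store_pulse = os.path.join(root, "gnu", "store",
                               "0123456789abcdefghijklmnopqrstuv-pulse")
    os.makedirs(store_pulse)
    with open(os.path.join(store_pulse, "client.conf"), "w") as fh:
        fh.write("; constructed sample client.conf\nautospawn = no\n")
    os.makedirs(os.path.join(root, "etc"))
    os.symlink(store_pulse, os.path.join(root, "etc", "pulse"))
    return root


def webkit_style_argv(root):
    """Same ordering as the strace above: /etc first, client.conf later."""
    etc = os.path.join(root, "etc")
    conf = os.path.join(etc, "pulse", "client.conf")
    return ["--ro-bind", etc, etc, "--ro-bind-try", conf, conf]


def demo():
    """Run the check on the naive argv and on its canonicalized form."""
    root = build_demo_host()
    argv = webkit_style_argv(root)
    fixed = canonicalize_binds(argv)
    return root, argv, fragile_binds(argv), fixed, fragile_binds(fixed)


if __name__ == "__main__":
    _root, argv, before, fixed, after = demo()
    for opt, dest, links in before:
        print(f"fragile: {opt} {dest} (via symlink {', '.join(links)})")
    print("canonicalized:", " ".join(fixed))
    print("fragile after canonicalizing:", after)
```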
* bug#40837: core-updates: webkitgtk web process sandbox incomplete
From: sirgazil via Bug reports for GNU Guix @ 2020-04-28 16:33 UTC
To: Jack Hill; +Cc: 40837

---- On Tue, 28 Apr 2020 23:27:57 +0000 Jack Hill <jackhill@jackhill.us> wrote ----

> After further discussion on the Bubblewrap issue [0], it was determined
> that the problem should be fixed by having WebKitGTK canonicalize paths
> before passing them to bwrap. There is now a WebKit issue for that fix [1].
>
> [0] https://github.com/containers/bubblewrap/issues/195
> [1] https://bugs.webkit.org/show_bug.cgi?id=211131
>
> When the WebKit issue is fixed, that should solve the problem with
> /etc/pulse/client.conf. I believe that we will still have work to do in
> Guix to make sure the store is available inside the sandbox.

Thanks for working on this, Jack.
* bug#40837: core-updates: webkitgtk web process sandbox incomplete
From: Marius Bakke @ 2020-05-06 16:39 UTC
To: Jack Hill, 40837; +Cc: sirgazil

Hello Jack,

Thanks a lot for this work.

Jack Hill <jackhill@jackhill.us> writes:

> Some additional observations:
>
> With my patched webkitgtk, if I set:
>
> PULSE_CLIENTCONFIG=/gnu/store/zc4dsmvdabi00nvisrjhi9w00ff4igs7-client.conf
>
> it does work, which is an improvement compared to without the patch.

Great. I have attached a patch for Guix that stops using /etc for these variables.

> I notice that Nix [0] has a similar patch:
>
> """
> diff -ru old/webkitgtk-2.26.0/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp webkitgtk-2.26.0/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp
> --- old/webkitgtk-2.26.0/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp	2019-09-09 04:47:07.000000000 -0400
> +++ webkitgtk-2.26.0/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp	2019-09-20 21:14:10.537921173 -0400
> @@ -585,7 +585,7 @@
>          { SCMP_SYS(keyctl), nullptr },
>          { SCMP_SYS(request_key), nullptr },
>
> -        // Scary VM/NUMA ops
> +        // Scary VM/NUMA ops
>          { SCMP_SYS(move_pages), nullptr },
>          { SCMP_SYS(mbind), nullptr },
>          { SCMP_SYS(get_mempolicy), nullptr },
> @@ -724,6 +724,10 @@
>          "--ro-bind-try", "/usr/local/lib64", "/usr/local/lib64",
>
>          "--ro-bind-try", PKGLIBEXECDIR, PKGLIBEXECDIR,
> +
> +        // Nix Directories
> +        "--ro-bind", "@storeDir@", "@storeDir@",
> +        "--ro-bind", "/run/current-system", "/run/current-system",
>      };
>      // We would have to parse ld config files for more info.
>      bindPathVar(sandboxArgs, "LD_LIBRARY_PATH");
> """
>
> [0] https://github.com/NixOS/nixpkgs/blob/465566948393cf533e3617704d1c4ccc34cf3753/pkgs/development/libraries/webkitgtk/fix-bubblewrap-paths.patch
>
> so I wonder if I didn't do the mounts in the right place and/or if it is
> because I missed /run/current-system.
>
> I'm going to try to adapt the Nix patch to see if that helps.

Were you able to verify whether /run/current-system is required inside the sandbox?

I cleaned up your patch a bit and rebased it on the latest master branch, available as patch 2/2 below. Currently building it on 'core-updates' to verify that it works. It takes a while on my dinky quad-core server though. :-)

It does not bind /run/current-system, and I think we should avoid it if possible. Ideally we would only mount the store paths required by the consumers instead of all of /gnu/store, but not sure how to achieve that.

[-- Attachment #1.2: 0001-services-Do-not-use-symbolic-links-in-PulseAudio-var.patch --]

From a2607c8246456460a6bbed62144daf7196a5c9bd Mon Sep 17 00:00:00 2001
From: Marius Bakke <mbakke@fastmail.com> Date: Wed, 6 May 2020 17:48:42 +0200 Subject: [PATCH 1/2] services: Do not use symbolic links in PulseAudio variables. This addresses <https://bugs.gnu.org/40837> by making these configuration files more easily accessible within the WebKitGTK+ sandbox. * gnu/services/sound.scm (pulseaudio-environment): Move below PULSEAUDIO-CONF-ENTRY. Create PULSE_CONFIG and PULSE_CLIENTCONFIG entries directly instead of referring to /etc/pulse. (pulseaudio-etc): Do not create /etc/pulse/client.conf and /etc/pulse/daemon.conf. --- gnu/services/sound.scm | 27 ++++++++++++--------------- 1 file changed, 12 insertions(+), 15 deletions(-) diff --git a/gnu/services/sound.scm b/gnu/services/sound.scm index a1c928222a..bdf819b422 100644 --- a/gnu/services/sound.scm +++ b/gnu/services/sound.scm @@ -1,6 +1,7 @@ ;;; GNU Guix --- Functional package management for GNU ;;; Copyright © 2018, 2020 Oleg Pykhalov <go.wigust@gmail.com> ;;; Copyright © 2020 Leo Prikler <leo.prikler@student.tugraz.at> +;;; Copyright © 2020 Marius Bakke <mbakke@fastmail.com> ;;; ;;; This file is part of GNU Guix. ;;; @@ -127,11 +128,6 @@ ctl.!default { (default (file-append pulseaudio "/etc/pulse/system.pa")))) -(define (pulseaudio-environment config) - `(;; Define these variables, so that pulseaudio honors /etc. - ("PULSE_CONFIG" . "/etc/pulse/daemon.conf") - ("PULSE_CLIENTCONFIG" . "/etc/pulse/client.conf"))) - (define (pulseaudio-conf-entry arg) (match arg ((key . value) 
@@ -139,21 +135,22 @@ ctl.!default { ((? string? _) (string-append arg "\n")))) +(define pulseaudio-environment + (match-lambda + (($ <pulseaudio-configuration> client-conf daemon-conf default-script-file) + `(("PULSE_CONFIG" . ,(apply mixed-text-file "daemon.conf" + "default-script-file = " default-script-file "\n" + (map pulseaudio-conf-entry daemon-conf))) + ("PULSE_CLIENTCONFIG" . ,(apply mixed-text-file "client.conf" + (map pulseaudio-conf-entry client-conf))))))) + (define pulseaudio-etc (match-lambda - (($ <pulseaudio-configuration> client-conf daemon-conf - default-script-file system-script-file) + (($ <pulseaudio-configuration> _ _ default-script-file system-script-file) `(("pulse" ,(file-union "pulse" - `(("client.conf" - ,(apply mixed-text-file "client.conf" - (map pulseaudio-conf-entry client-conf))) - ("daemon.conf" - ,(apply mixed-text-file "daemon.conf" - "default-script-file = " default-script-file "\n" - (map pulseaudio-conf-entry daemon-conf))) - ("default.pa" ,default-script-file) + `(("default.pa" ,default-script-file) ("system.pa" ,system-script-file)))))))) (define pulseaudio-service-type -- 2.26.2 [-- Warning: decoded text below may be mangled, UTF-8 assumed --] [-- Attachment #1.3: 0002-gnu-webkitgtk-Patch-to-share-store-via-Bubblewrap.patch --] [-- Type: text/x-patch, Size: 4134 bytes --] From 3864b54f4aadefc600433d3654b0a1a73ab6fa98 Mon Sep 17 00:00:00 2001 
From: Jack Hill <jackhill@jackhill.us> Date: Sat, 25 Apr 2020 22:03:48 -0400 Subject: [PATCH 2/2] gnu: webkitgtk: Patch to share store via Bubblewrap. Fixes <https://bugs.gnu.org/40837>. * gnu/packages/patches/webkitgtk-share-store.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. * gnu/packages/webkit.scm (webkitgtk)[source](patches): Use it. Co-authored-by: Marius Bakke <mbakke@fastmail.com> --- gnu/local.mk | 1 + .../patches/webkitgtk-share-store.patch | 20 +++++++++++++++++++ gnu/packages/webkit.scm | 12 ++++++++++- 3 files changed, 32 insertions(+), 1 deletion(-) create mode 100644 gnu/packages/patches/webkitgtk-share-store.patch diff --git a/gnu/local.mk b/gnu/local.mk index 62eeb39ece..5c06415205 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1542,6 +1542,7 @@ dist_patch_DATA = \ %D%/packages/patches/vte-CVE-2012-2738-pt2.patch \ %D%/packages/patches/warsow-qfusion-fix-bool-return-type.patch \ %D%/packages/patches/weasyprint-library-paths.patch \ + %D%/packages/patches/webkitgtk-share-store.patch \ %D%/packages/patches/websocketpp-fix-for-boost-1.70.patch \ %D%/packages/patches/wicd-bitrate-none-fix.patch \ %D%/packages/patches/wicd-get-selected-profile-fix.patch \ diff --git a/gnu/packages/patches/webkitgtk-share-store.patch b/gnu/packages/patches/webkitgtk-share-store.patch new file mode 100644 index 0000000000..4174e73b6c --- /dev/null +++ b/gnu/packages/patches/webkitgtk-share-store.patch 
@@ -0,0 +1,20 @@ +Author: Jack Hill <jackhill@jackhill.us> +Tell bubblewrap to share the store. + +See <https://bugs.gnu.org/40837>. + +--- +diff --git a/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp b/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp +index ad301ab2..d53b680e 100644 +--- a/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp ++++ b/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp +@@ -737,6 +737,9 @@ GRefPtr<GSubprocess> bubblewrapSpawn(GSubprocessLauncher* launcher, const Proces + "--ro-bind-try", "/usr/local/share", "/usr/local/share", + "--ro-bind-try", DATADIR, DATADIR, + ++ // Bind mount the store inside the WebKitGTK sandbox. ++ "--ro-bind", "@storedir@", "@storedir@", ++ + // We only grant access to the libdirs webkit is built with and + // guess system libdirs. This will always have some edge cases. + "--ro-bind-try", "/lib", "/lib", diff --git a/gnu/packages/webkit.scm b/gnu/packages/webkit.scm index e52536c279..6035d6c59d 100644 --- a/gnu/packages/webkit.scm +++ b/gnu/packages/webkit.scm @@ -128,7 +128,8 @@ engine that uses Wayland for graphics output.") "webkitgtk-" version ".tar.xz")) (sha256 (base32 - "1g9hik3bprki5s9d7y5288q5irwckbzajr6rnlvjrlnqrwjkblmr")))) + "1g9hik3bprki5s9d7y5288q5irwckbzajr6rnlvjrlnqrwjkblmr")) + (patches (search-patches "webkitgtk-share-store.patch")))) (build-system cmake-build-system) (outputs '("out" "doc")) (arguments 
@@ -156,6 +157,15 @@ engine that uses Wayland for graphics output.") "-DUSE_WOFF2=OFF") #:phases (modify-phases %standard-phases + (add-after 'unpack 'configure-bubblewrap-store-directory + (lambda _ + ;; This phase is a corollary to 'webkitgtk-share-store.patch' to + ;; avoid hard coding /gnu/store, for users with other prefixes. + (let ((store-directory (%store-directory))) + (substitute* + "Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp" + (("@storedir@") store-directory)) + #t))) (add-after 'unpack 'patch-gtk-doc-scan (lambda* (#:key inputs #:allow-other-keys) (for-each (lambda (file) -- 2.26.2 [-- Attachment #2: signature.asc --] [-- Type: application/pgp-signature, Size: 487 bytes --] ^ permalink raw reply related [flat|nested] 15+ messages in thread
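Review bot: in the `@@ -139,21 +135,22 @@` hunk of patch 1/2 the new `pulseaudio-environment` drops the only comment that explained these variables (the removed `;; Define these variables, so that pulseaudio honors /etc.`), and the reason they now point at store files instead of `/etc/pulse` lives only in the commit message. Suggest a comment above the `match-lambda`, e.g. `;; Point PULSE_CONFIG and PULSE_CLIENTCONFIG at store files rather than at` / `;; symlinks under /etc so that sandboxed consumers such as WebKitGTK can` / `;; still read them; see <https://bugs.gnu.org/40837>.`. It is also worth stating in the description that `/etc/pulse/client.conf` and `/etc/pulse/daemon.conf` no longer exist on the system, since `pulseaudio-etc` now only installs `default.pa` and `system.pa`, so anything that referenced those two paths by name must use the variables instead.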
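Review bot: the `@@ -0,0 +1,20 @@` hunk of patch 2/2 adds `"--ro-bind", "@storedir@", "@storedir@"`, which exposes the whole store to the web process rather than only WebKitGTK's closure; the in-patch comment `// Bind mount the store inside the WebKitGTK sandbox.` should say so and why it is acceptable (read-only, and the setuid binaries are outside the store, as noted later in the thread), because that is the trade-off a reader of the patch will question first. Using `--ro-bind` instead of the `--ro-bind-try` used on the surrounding lines is the right choice: if `@storedir@` were ever left unsubstituted, bwrap would refuse to start the web process instead of quietly running without the store, which makes a missing `configure-bubblewrap-store-directory` phase visible immediately.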
* bug#40837: core-updates: webkitgtk web process sandbox incomplete
From: Jack Hill @ 2020-05-06 20:17 UTC
To: Marius Bakke; +Cc: sirgazil, 40837

On Wed, 6 May 2020, Marius Bakke wrote:

> Hello Jack,
>
> Thanks a lot for this work.

You're welcome. I'm happy that we seem to be making good progress.

> Jack Hill <jackhill@jackhill.us> writes:
>
>> Some additional observations:
>>
>> With my patched webkitgtk, if I set:
>>
>> PULSE_CLIENTCONFIG=/gnu/store/zc4dsmvdabi00nvisrjhi9w00ff4igs7-client.conf
>>
>> it does work, which is an improvement compared to without the patch.
>
> Great. I have attached a patch for Guix that stops using /etc for these
> variables.

Good idea! That way we won't have to wait for WebKitGTK to canonicalize all paths :)

>> [0] https://github.com/NixOS/nixpkgs/blob/465566948393cf533e3617704d1c4ccc34cf3753/pkgs/development/libraries/webkitgtk/fix-bubblewrap-paths.patch
>>
>> so I wonder if I didn't do the mounts in the right place and or if it is
>> because I missed /run/current-system.
>>
>> I'm going to try to adapt the Nix patch to see if that helps.
>
> Were you able to verify whether /run/current-system is required inside
> the sandbox?

I don't think /run/current-system is needed.

> I cleaned up your patch a bit and rebased it on the latest master
> branch, available as patch 2/2 below. Currently building it on
> 'core-updates' to verify that it works. It takes a while on my dinky
> quad-core server though. :-)
>
> It does not bind /run/current-system, and I think we should avoid it if
> possible. Ideally we would only mount the store paths required by the
> consumers instead of all of /gnu/store, but not sure how to achieve
> that.

I've tested the updated patch by applying it to master and merging into core-updates. I'm happy to report that everything seems to be working for me after doing so!

Sharing less than the whole store sounds like a great aspiration, but I think we'd have to teach WebKitGTK how to ask Guix for its closure to do so. On FHS-compliant systems, all of the various /usr/lib and /usr/share directories are bind-mounted into the new namespace, so I don't think we're providing too much more. It's nice that our setuid binaries reside outside of the store :)

Best,
Jack
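As an added illustration of the reasoning in this thread (not code from the thread, from Guix or from WebKitGTK), a small POSIX shell check that tells whether a file a sandboxed process needs is actually reachable given the list of host prefixes bubblewrap bind-mounts; the fixture directory, the all-zero store hash and the `reachable_in_sandbox` helper are all constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread, Guix or WebKitGTK): a reachability check
# for files a bubblewrap-sandboxed process needs.  bwrap only bind-mounts the
# host prefixes it is given, so a host symlink such as
# /etc/pulse/client.conf -> /gnu/store/...-client.conf dangles inside the
# sandbox unless the store prefix is bound too.  Fixture paths are constructed.
set -eu

# under_prefix PATH PREFIX...: 0 if PATH equals one of PREFIX or lies below it.
under_prefix() {
    path=$1; shift
    for prefix in "$@"; do
        case "$path" in
            "$prefix"|"$prefix"/*) return 0 ;;
        esac
    done
    return 1
}

# reachable_in_sandbox FILE PREFIX...: 0 if FILE itself and the path it finally
# resolves to both lie under a bind-mounted PREFIX, i.e. a process inside the
# sandbox can open it; 1 if the path or the symlink target is missing there.
reachable_in_sandbox() {
    file=$1; shift
    under_prefix "$file" "$@" || return 1
    target=$(readlink -f -- "$file") || return 1
    under_prefix "$target" "$@"
}

# Constructed fixture mimicking the Guix layout from the thread; the store
# hash is an all-zero placeholder, not a real store item.
root=$(readlink -f -- "$(mktemp -d)")
trap 'rm -rf "$root"' EXIT
store="$root/gnu/store"
client_conf="$store/0000000000000000000000000000000-client.conf"
mkdir -p "$store" "$root/etc/pulse"
echo 'autospawn = no' > "$client_conf"
ln -s "$client_conf" "$root/etc/pulse/client.conf"

# Original situation: /etc is visible but the store is not, so the symlink dangles.
if reachable_in_sandbox "$root/etc/pulse/client.conf" "$root/etc"; then
    echo "unexpected: client.conf reachable without the store"
else
    echo "client.conf dangles: its store target is not bound"
fi
# Patch 2/2 binds the store; patch 1/2 points PULSE_CLIENTCONFIG at the store file.
reachable_in_sandbox "$root/etc/pulse/client.conf" "$root/etc" "$store" && echo "reachable once the store is bound"
reachable_in_sandbox "$client_conf" "$store" && echo "store file reachable directly"
```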
* bug#40837: core-updates: webkitgtk web process sandbox incomplete
From: Marius Bakke @ 2020-05-06 20:53 UTC
To: Jack Hill; +Cc: sirgazil, 40837

Jack Hill <jackhill@jackhill.us> writes:

> On Wed, 6 May 2020, Marius Bakke wrote:
>
>> Hello Jack,
>>
>> Thanks a lot for this work.
>
> You're welcome. I'm happy that we seem to be making good progress.
>
>> Jack Hill <jackhill@jackhill.us> writes:
>>
>>> Some additional observations:
>>>
>>> With my patched webkitgtk, if I set:
>>>
>>> PULSE_CLIENTCONFIG=/gnu/store/zc4dsmvdabi00nvisrjhi9w00ff4igs7-client.conf
>>>
>>> it does work, which is an improvement compared to without the patch.
>>
>> Great. I have attached a patch for Guix that stops using /etc for these
>> variables.
>
> Good idea! That way we won't have to wait for WebKitGTK to canonicalize
> all paths :)
>
>>> [0] https://github.com/NixOS/nixpkgs/blob/465566948393cf533e3617704d1c4ccc34cf3753/pkgs/development/libraries/webkitgtk/fix-bubblewrap-paths.patch
>>>
>>> so I wonder if I didn't do the mounts in the right place and or if it is
>>> because I missed /run/current-system.
>>>
>>> I'm going to try to adapt the Nix patch to see if that helps.
>>
>> Were you able to verify whether /run/current-system is required inside
>> the sandbox?
>
> I don't think /run/current-system is needed.

Excellent. I tested Epiphany with these patches on a popular video streaming site and everything seemed fine.

>> I cleaned up your patch a bit and rebased it on the latest master
>> branch, available as patch 2/2 below. Currently building it on
>> 'core-updates' to verify that it works. It takes a while on my dinky
>> quad-core server though. :-)
>>
>> It does not bind /run/current-system, and I think we should avoid it if
>> possible. Ideally we would only mount the store paths required by the
>> consumers instead of all of /gnu/store, but not sure how to achieve
>> that.
>
> I've tested the updated patch by applying it to master and merging into
> core-updates. I'm happy to report that everything seems to be working for
> me after doing so!
>
> Sharing less than the whole store sounds like a great aspiration, but I
> think we'd have to teach WebKitGTK how to ask Guix for its closure to do
> so. On FHS-compliant systems, all of the various /usr/lib and /usr/share
> directories are bind-mounted into the new namespace, so I don't think
> we're providing too much more. It's nice that our setuid binaries reside
> outside of the store :)

Indeed, thanks for testing and confirming. I added a little more context in the patch description and finally pushed it as a6919866b07e9ed3986abde7ae48d0c69ff3deed.

Again, thank you very much for taking care of this. :-)
* bug#40837: (no subject)
From: sirgazil via web @ 2020-05-04 19:27 UTC
To: 40837

I can reproduce this problem.