Subject: bug#40837: core-updates: webkitgtk web process sandbox incomplete
From: Jack Hill
To: Marius Bakke
Cc: sirgazil, 40837@debbugs.gnu.org
Date: Wed, 6 May 2020 16:17:58 -0400 (EDT)
In-Reply-To: <87h7wt3tmv.fsf@devup.no>
References: <171b356d9e2.1154aefce15638.8921669740072490388@zoho.com> <87h7wt3tmv.fsf@devup.no>
Resent-Date: Wed, 06 May 2020 20:19:02 +0000
List-Id: Bug reports for GNU Guix

On Wed, 6 May 2020, Marius Bakke wrote:

> Hello Jack,
>
> Thanks a lot for this work.

You're welcome. I'm happy that we seem to be making good progress.

> Jack Hill writes:
>
>> Some additional observations:
>>
>> With my patched webkitgtk, if I set:
>>
>> PULSE_CLIENTCONFIG=/gnu/store/zc4dsmvdabi00nvisrjhi9w00ff4igs7-client.conf
>>
>> it does work, which is an improvement compared to without the patch.
>
> Great. I have attached a patch for Guix that stops using /etc for these
> variables.

Good idea! That way we won't have to wait for WebKitGTK to canonicalize all paths :)

>> [0] https://github.com/NixOS/nixpkgs/blob/465566948393cf533e3617704d1c4ccc34cf3753/pkgs/development/libraries/webkitgtk/fix-bubblewrap-paths.patch
>>
>> so I wonder if I didn't do the mounts in the right place and/or if it is
>> because I missed /run/current-system.
>>
>> I'm going to try to adapt the Nix patch to see if that helps.
>
> Were you able to verify whether /run/current-system is required inside
> the sandbox?

I don't think /run/current-system is needed.
> I cleaned up your patch a bit and rebased it on the latest master
> branch, available as patch 2/2 below. Currently building it on
> 'core-updates' to verify that it works. It takes a while on my dinky
> quad-core server though. :-)
>
> It does not bind /run/current-system, and I think we should avoid it if
> possible. Ideally we would only mount the store paths required by the
> consumers instead of all of /gnu/store, but not sure how to achieve
> that.

I've tested the updated patch by applying it to master and merging into core-updates. I'm happy to report that everything seems to be working for me after doing so!

Sharing less than the whole store sounds like a great aspiration, but I think we'd have to teach WebKitGTK how to ask Guix for its closure to do so. On FHS-compliant systems, all of the various /usr/lib and /usr/share directories are bind-mounted into the new namespace, so I don't think we're providing too much more. It's nice that our setuid binaries reside outside of the store :)

Best,
Jack
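Added illustration, not code from this thread, from Guix or from WebKitGTK's bubblewrap launcher: a small Python model of the two points the reply touches on. First, a config path that only reaches /gnu/store through an /etc symlink (the PULSE_CLIENTCONFIG case) is invisible inside a sandbox that binds the store but not /etc unless the path is canonicalized before the bind set is checked, which is why pointing the variable straight at the store path works. Second, a bind set smaller than the whole store is the transitive closure of a consumer's store references. The store item name, the /etc layout (built in a temporary directory) and the reference map are all constructed for the example; `is_visible` is a model of the check, not WebKitGTK's actual logic.

```python
"""Added example, not from the bug thread, Guix or WebKitGTK.

Models two points from the discussion about WebKitGTK's bubblewrap sandbox:
  1. a config path that reaches the store only through an /etc symlink is
     invisible inside a sandbox that binds /gnu/store but not /etc, unless
     the path is canonicalized (realpath) before the bind set is checked;
  2. a minimal bind set for a consumer is the transitive closure of its
     store references, not the whole store.
All paths, store item names and the reference map below are constructed.
"""
import os
import tempfile
from collections import deque


def is_visible(path, ro_binds, canonicalize=True):
    """Return True if `path` lands under one of the read-only bind roots.

    canonicalize=True resolves symlinks before checking the bind set;
    canonicalize=False checks the literal path, which is what fails for
    /etc/... -> /gnu/store/... symlinks when only the store is bound.
    """
    roots = [os.path.realpath(r) for r in ro_binds]
    p = os.path.realpath(path) if canonicalize else os.path.normpath(path)
    return any(p == r or p.startswith(r.rstrip("/") + "/") for r in roots)


def closure(roots, references):
    """Transitive closure over a constructed reference map (the shape of
    `guix gc --requisites`, computed offline here, no store needed)."""
    seen, todo = set(), deque(roots)
    while todo:
        item = todo.popleft()
        if item in seen:
            continue
        seen.add(item)
        todo.extend(references.get(item, ()))
    return sorted(seen)


def bwrap_args(binds):
    """bubblewrap `--ro-bind SRC DEST` arguments, one pair per bind root."""
    args = []
    for b in binds:
        args += ["--ro-bind", b, b]
    return args


def demo():
    """Build a constructed /gnu/store and /etc layout in a temp dir and report
    which PULSE_CLIENTCONFIG values a store-only sandbox could read."""
    with tempfile.TemporaryDirectory() as td:
        tmp = os.path.realpath(td)  # resolve e.g. /var -> /private/var up front
        store = os.path.join(tmp, "gnu", "store")
        # constructed store item name; a real one carries a 32-char hash
        store_conf = os.path.join(store, "00000000000000000000000000000000-client.conf")
        os.makedirs(store, exist_ok=True)
        with open(store_conf, "w") as f:
            f.write("default-server = unix:/run/user/1000/pulse/native\n")
        etc_conf = os.path.join(tmp, "etc", "pulse", "client.conf")
        os.makedirs(os.path.dirname(etc_conf))
        os.symlink(store_conf, etc_conf)  # the /etc -> store indirection

        binds = [store]  # the sandbox binds the store, not /etc
        return {
            "etc_symlink_literal": is_visible(etc_conf, binds, canonicalize=False),
            "etc_symlink_canonical": is_visible(etc_conf, binds, canonicalize=True),
            "store_path_literal": is_visible(store_conf, binds, canonicalize=False),
        }


if __name__ == "__main__":
    print(demo())
    refs = {"app": ["webkitgtk", "glib"], "webkitgtk": ["glib", "libsoup"], "libsoup": ["glib"]}
    print(bwrap_args(["/gnu/store/" + item for item in closure(["app"], refs)]))
```

Running it prints `etc_symlink_literal: False` but `etc_symlink_canonical: True` and `store_path_literal: True`, which is the difference between waiting for the launcher to canonicalize paths and simply not routing these variables through /etc. The closure half only shows the shape of a per-consumer bind list; a real launcher would still have to obtain that reference set from Guix at runtime, which is the part the thread says WebKitGTK cannot do today.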