GNU bug report logs - #40837
core-updates: webkitgtk web process sandbox incomplete

Previous Next

To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 40837 in the body.
You can then email your comments to 40837 AT debbugs.gnu.org in the normal way.

Toggle the display of automated, internal messages from the tracker.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Jack Hill <jackhill <at> jackhill.us>
To: bug-guix <at> gnu.org
Subject: core-updates: epiphany web process crashes
Date: Fri, 24 Apr 2020 22:55:26 -0400 (EDT)

[Message part 1 (text/plain, inline)]

Hi Guix,

On Guix System with the current core-updates branch, epiphany/GNOME-Web 
starts, but doesn't work because the web process crash in a loop.

When I run epiphany from the terminal I see

"""
$ epiphany

** (epiphany:29457): CRITICAL **: 22:37:21.415: void webkit_web_context_register_uri_scheme(WebKitWebContext*, const char*, WebKitURISchemeRequestCallback, gpointer, GDestroyNotify): assertion 'g_ascii_strcasecmp(scheme, "ftp") != 0' failed
bwrap: Can't create file at /etc/pulse/client.conf: No such file or directory
bwrap: Can't create file at /etc/pulse/client.conf: No such file or directory
bwrap: Can't create file at /etc/pulse/client.conf: No such file or directory
bwrap: Can't create file at /etc/pulse/client.conf: No such file or directory
bwrap: Can't create file at /etc/pulse/client.conf: No such file or directory
bwrap: Can't create file at /etc/pulse/client.conf: No such file or directory
bwrap: Can't create file at /etc/pulse/client.conf: No such file or directory

** (epiphany:29457): WARNING **: 22:37:21.866: Web process crashed
"""

The bwrap… and …Web process crashed lines then continue to print 
alternating.

Windows and tabs are created, but no content is ever drawn in them.

/etc/pulse/client.conf exists on the host, but maybe not in the namespaces 
created by bwrap?

Could this be related to WebKitGTK sandboxing: 
https://blogs.gnome.org/mcatanzaro/2020/03/31/sandboxing-webkitgtk-apps/

Best,
Jack

Message #8 received at 40837 <at> debbugs.gnu.org (full text, mbox):

From: Jack Hill <jackhill <at> jackhill.us>
To: 40837 <at> debbugs.gnu.org
Subject: Re: bug#40837: core-updates: epiphany web process crashes
Date: Fri, 24 Apr 2020 23:19:55 -0400 (EDT)

I expericne the problem with epiphany installed both in the system profile 
and in an ad-hoc environment.

Best,
Jack

Message #11 received at 40837 <at> debbugs.gnu.org (full text, mbox):

From: sirgazil <sirgazil <at> zoho.com>
To: "40837" <40837 <at> debbugs.gnu.org>
Subject: core-updates: epiphany web process crashes
Date: Sat, 25 Apr 2020 21:55:45 +0000

I can reproduce this bug. I can't load any page and see the same messages in the terminal.

Message #14 received at 40837 <at> debbugs.gnu.org (full text, mbox):

From: Jack Hill <jackhill <at> jackhill.us>
To: sirgazil <sirgazil <at> zoho.com>
Cc: 40837 <40837 <at> debbugs.gnu.org>
Subject: Re: bug#40837: core-updates: epiphany web process crashes
Date: Sat, 25 Apr 2020 21:23:09 -0400 (EDT)

[Message part 1 (text/plain, inline)]

On Sat, 25 Apr 2020, sirgazil via Bug reports for GNU Guix wrote:

> I can reproduce this bug. I can't load any page and see the same messages in the terminal.

Thanks, as a fist step it is helpful to know that the problem can be 
reproduced.

The second step is to figure out why this is happening. My suspicion is 
that the bwrap invocation by webkitgtk is not sharing some paths into the 
new namespace it creates that it should be, because the paths are 
different on Guix System than they are on FHS systems.

Stracing epiphany, I've turned up the bwrap invocation to be:

execve("/gnu/store/kzq4v5fvjbdbbwah74k10pf698xkbdpr-bubblewrap-0.4.1/bin/bwrap", 
["/gnu/store/kzq4v5fvjbdbbwah74k10pf698xkbdpr-bubblewrap-0.4.1/bin/bwrap", 
"--args", "36", "--", 
"/gnu/store/1skpd1p64x982c52anh4a5yhlp05paa6-webkitgtk-2.28.1/libexec/webkit2gtk-4.0/WebKitWebProcess", 
"11", "31"]

File descriptor 36, which hold the bwrap arguments is

write(36, 
"--die-with-parent\0--unshare-pid\0--unshare-uts\0--unshare-net\0--ro-bind\0/etc\0/etc\0--dev\0/dev\0--proc\0/proc\0--tmpfs\0/tmp\0--unsetenv\0TMPDIR\0--dir\0/run\0--symlink\0../run\0/var/run\0--symlink\0../tmp\0/var/tmp\0--ro-bind\0/sys/block\0/sys/block\0--ro-bind\0/sys/bus\0/sys/bus\0--ro-bind\0/sys/class\0/sys/class\0--ro-bind\0/sys/dev\0/sys/dev\0--ro-bind\0/sys/devices\0/sys/devices\0--ro-bind-try\0/usr/share\0/usr/share\0--ro-bind-try\0/usr/local/share\0/usr/local/share\0--ro-bind-try\0/gnu/store/1skpd1p64x982c52anh4a5yhlp05paa6-webkitgtk-2.28.1/share\0/gnu/store/1skpd1p64x982c52anh4a5yhlp05paa6-webkitgtk-2.28.1/share\0--ro-bind-try\0/lib\0/lib\0--ro-bind-try\0/usr/lib\0/usr/lib\0--ro-bind-try\0/usr/local/lib\0/usr/local/lib\0--ro-bind-try\0/gnu/store/1skpd1p64x982c52anh4a5yhlp05paa6-webkitgtk-2.28.1/lib\0/gnu/store/1skpd1p64x982c52anh4a5yhlp05paa6-webkitgtk-2.28.1/lib\0--ro-bind-try\0/lib64\0/lib64\0--ro-bind-try\0/usr/lib64\0/usr/lib64\0--ro-bind-try\0/usr/local/lib64\0/usr/local/lib64\0--ro-bind-try\0/gnu/store/1skpd1p64x982c52anh4a5yhlp05paa6-webkitgtk-2.28.1/libexec/webkit2gtk-4.0\0/gnu/store/1skpd1p64x982c52anh4a5yhlp05paa6-webkitgtk-2.28.1/libexec/webkit2gtk-4.0\0--ro-bind-try\0/gnu/store/h6pd8k3glp23k868i0ij5x2v5kzfgsrv-gdk-pixbuf+svg-2.40.0/lib\0/gnu/store/h6pd8k3glp23k868i0ij5x2v5kzfgsrv-gdk-pixbuf+svg-2.40.0/lib\0--ro-bind-try\0/gnu/store/9s7khsp79c223jvbbv0icyn5fdm7v6cb-gnome-bluetooth-3.34.0/lib\0/gnu/store/9s7khsp79c223jvbbv0icyn5fdm7v6cb-gnome-bluetooth-3.34.0/lib\0--ro-bind-try\0/gnu/store/ry4zm4c39nz78h42hmbq6rb6mg6axxzg-librsvg-2.40.21/lib\0/gnu/store/ry4zm4c39nz78h42hmbq6rb6mg6axxzg-librsvg-2.40.21/lib\0--ro-bind-try\0/gnu/store/y37h19fz5pr3m99aw8g9hksz2pv1xr1f-libgweather-3.34.0/lib\0/gnu/store/y37h19fz5pr3m99aw8g9hksz2pv1xr1f-libgweather-3.34.0/lib\0--setenv\0LD_LIBRARY_PATH\0/gnu/store/h6pd8k3glp23k868i0ij5x2v5kzfgsrv-gdk-pixbuf+svg-2.40.0/lib:/gnu/store/9s7khsp79c223jvbbv0icyn5fdm7v6cb-gnome-bluetooth-3.34.0/lib:/gnu/store/ry4zm4c39nz78h42hmbq6rb6mg6axxzg-librsvg-2.40.21/lib:/gnu/store/y37h19fz5pr3m99aw8g9hksz2pv1xr1f-libgweather-3.34.0/lib\0--ro-bind-data\00033\0/.flatpak-info\0--bind-try\0/tmp/.X11-unix/X1\0/tmp/.X11-unix/X1\0--ro-bind-try\0/run/user/1000/gdm/Xauthority\0/run/user/1000/gdm/Xauthority\0--ro-bind-try\0/tmp/epiphany-jackhill-hoj0lD\0/tmp/epiphany-jackhill-hoj0lD\0--ro-bind-try\0/home/jackhill/.local/share/epiphany\0/home/jackhill/.local/share/epiphany\0--ro-bind-try\0/home/jackhill/.cache/epiphany\0/home/jackhill/.cache/epiphany\0--ro-bind-try\0/home/jackhill/.config/epiphany\0/home/jackhill/.config/epiphany\0--bind-try\0/home/jackhill/.cache/epiphany/applications\0/home/jackhill/.cache/epiphany/applications\0--bind-try\0/home/jackhill/.local/share/webkitgtk/mediakeys\0/home/jackhill/.local/share/webkitgtk/mediakeys\0--bind-try\0/home/jackhill/.local/share/epiphany/databases\0/home/jackhill/.local/share/epiphany/databases\0--bind-try\0/run/user/1000/pulse\0/run/user/1000/pulse\0--ro-bind-try\0/etc/pulse/client.conf\0/etc/pulse/client.conf\0--ro-bind-try\0/home/jackhill/.config/pulse\0/home/jackhill/.config/pulse\0--ro-bind-try\0/home/jackhill/.pulse\0/home/jackhill/.pulse\0--ro-bind-try\0/home/jackhill/.asoundrc\0/home/jackhill/.asoundrc\0--dev-bind-try\0/dev/snd\0/dev/snd\0--ro-bind-try\0/home/jackhill/.config/fontconfig\0/home/jackhill/.config/fontconfig\0--ro-bind-try\0/home/jackhill/.fontconfig\0/home/jackhill/.fontconfig\0--bind-try\0/home/jackhill/.cache/fontconfig\0/home/jackhill/.cache/fontconfig\0--ro-bind-try\0/home/jackhill/.fonts.conf\0/home/jackhill/.fonts.conf\0--ro-bind-try\0/home/jackhill/.config/.fonts.conf.d\0/home/jackhill/.config/.fonts.conf.d\0--ro-bind-try\0/home/jackhill/.local/share/fonts\0/home/jackhill/.local/share/fonts\0--ro-bind-try\0/home/jackhill/.fonts\0/home/jackhill/.fonts\0--ro-bind-try\0/var/cache/fontconfig\0/var/cache/fontconfig\0--ro-bind-try\0/home/jackhill/.guix-profile/lib/gstreamer-1.0\0/home/jackhill/.guix-profile/lib/gstreamer-1.0\0--ro-bind-try\0/home/jackhill/.guix-profile/lib/gstreamer-1.0\0/home/jackhill/.guix-profile/lib/gstreamer-1.0\0--ro-bind-try\0/home/jackhill/.guix-profile/lib/gstreamer-1.0\0/home/jackhill/.guix-profile/lib/gstreamer-1.0\0--ro-bind-try\0/run/current-system/profile/lib/gstreamer-1.0\0/run/current-system/profile/lib/gstreamer-1.0\0--bind-try\0/home/jackhill/.cache/gstreamer-1.0\0/home/jackhill/.cache/gstreamer-1.0\0--ro-bind-try\0/usr/libexec/gstreamer-1.0/gst-plugin-scanner\0/usr/libexec/gstreamer-1.0/gst-plugin-scanner\0--ro-bind-try\0/usr/libexec/gst-install-plugins-helper\0/usr/libexec/gst-install-plugins-helper\0--dev-bind-try\0/dev/dri\0/dev/dri\0--dev-bind-try\0/dev/mali\0/dev/mali\0--dev-bind-try\0/dev/mali0\0/dev/mali0\0--dev-bind-try\0/dev/umplock\0/dev/umplock\0--dev-bind-try\0/dev/nvidiactl\0/dev/nvidiactl\0--dev-bind-try\0/dev/nvidia0\0/dev/nvidia0\0--dev-bind-try\0/dev/nvidia\0/dev/nvidia\0--dev-bind-try\0/dev/kgsl-3d0\0/dev/kgsl-3d0\0--dev-bind-try\0/dev/ion\0/dev/ion\0--dev-bind-try\0/dev/v4l\0/dev/v4l\0--dev-bind-try\0/dev/video0\0/dev/video0\0--dev-bind-try\0/dev/video1\0/dev/video1\0--ro-bind\0/run/user/1000/webkitgtk/dbus-proxy-SQHVJ0\0/run/user/1000/webkitgtk/dbus-proxy-SQHVJ0\0--setenv\0AT_SPI_BUS_ADDRESS\0unix:path=/run/user/1000/webkitgtk/dbus-proxy-SQHVJ0\0--ro-bind-try\0/home/jackhill/.config/gtk-3.0\0/home/jackhill/.config/gtk-3.0\0--ro-bind-try\0/home/jackhill/.local/share/themes\0/home/jackhill/.local/share/themes\0--ro-bind-try\0/home/jackhill/.themes\0/home/jackhill/.themes\0--ro-bind-try\0/home/jackhill/.icons\0/home/jackhill/.icons\0--seccomp\00035\0"

For readability, here is is removing the null bytes, and using newlines:

--die-with-parent
--unshare-pid
--unshare-uts
--unshare-net
--ro-bind /etc /etc
--dev /dev
--proc /proc
--tmpfs /tmp
--unsetenv TMPDIR
--dir /run
--symlink ../run /var/run
--symlink ../tmp /var/tmp
--ro-bind /sys/block /sys/block
--ro-bind /sys/bus /sys/bus
--ro-bind /sys/class /sys/class
--ro-bind /sys/dev /sys/dev
--ro-bind /sys/devices /sys/devices
--ro-bind-try /usr/share /usr/share
--ro-bind-try /usr/local/share /usr/local/share
--ro-bind-try /gnu/store/1skpd1p64x982c52anh4a5yhlp05paa6-webkitgtk-2.28.1/share /gnu/store/1skpd1p64x982c52anh4a5yhlp05paa6-webkitgtk-2.28.1/share
--ro-bind-try /lib /lib
--ro-bind-try /usr/lib /usr/lib
--ro-bind-try /usr/local/lib /usr/local/lib
--ro-bind-try /gnu/store/1skpd1p64x982c52anh4a5yhlp05paa6-webkitgtk-2.28.1/lib /gnu/store/1skpd1p64x982c52anh4a5yhlp05paa6-webkitgtk-2.28.1/lib
--ro-bind-try /lib64 /lib64
--ro-bind-try /usr/lib64 /usr/lib64
--ro-bind-try /usr/local/lib64 /usr/local/lib64
--ro-bind-try /gnu/store/1skpd1p64x982c52anh4a5yhlp05paa6-webkitgtk-2.28.1/libexec/webkit2gtk-4.0 /gnu/store/1skpd1p64x982c52anh4a5yhlp05paa6-webkitgtk-2.28.1/libexec/webkit2gtk-4.0
--ro-bind-try /gnu/store/h6pd8k3glp23k868i0ij5x2v5kzfgsrv-gdk-pixbuf+svg-2.40.0/lib /gnu/store/h6pd8k3glp23k868i0ij5x2v5kzfgsrv-gdk-pixbuf+svg-2.40.0/lib
--ro-bind-try /gnu/store/9s7khsp79c223jvbbv0icyn5fdm7v6cb-gnome-bluetooth-3.34.0/lib /gnu/store/9s7khsp79c223jvbbv0icyn5fdm7v6cb-gnome-bluetooth-3.34.0/lib
--ro-bind-try /gnu/store/ry4zm4c39nz78h42hmbq6rb6mg6axxzg-librsvg-2.40.21/lib /gnu/store/ry4zm4c39nz78h42hmbq6rb6mg6axxzg-librsvg-2.40.21/lib
--ro-bind-try /gnu/store/y37h19fz5pr3m99aw8g9hksz2pv1xr1f-libgweather-3.34.0/lib /gnu/store/y37h19fz5pr3m99aw8g9hksz2pv1xr1f-libgweather-3.34.0/lib
--setenv LD_LIBRARY_PATH /gnu/store/h6pd8k3glp23k868i0ij5x2v5kzfgsrv-gdk-pixbuf+svg-2.40.0/lib:/gnu/store/9s7khsp79c223jvbbv0icyn5fdm7v6cb-gnome-bluetooth-3.34.0/lib:/gnu/store/ry4zm4c39nz78h42hmbq6rb6mg6axxzg-librsvg-2.40.21/lib:/gnu/store/y37h19fz5pr3m99aw8g9hksz2pv1xr1f-libgweather-3.34.0/lib
--ro-bind-data 0033 /.flatpak-info
--bind-try /tmp/.X11-unix/X1 /tmp/.X11-unix/X1
--ro-bind-try /run/user/1000/gdm/Xauthority /run/user/1000/gdm/Xauthority
--ro-bind-try /tmp/epiphany-jackhill-hoj0lD /tmp/epiphany-jackhill-hoj0lD
--ro-bind-try /home/jackhill/.local/share/epiphany /home/jackhill/.local/share/epiphany
--ro-bind-try /home/jackhill/.cache/epiphany /home/jackhill/.cache/epiphany
--ro-bind-try /home/jackhill/.config/epiphany /home/jackhill/.config/epiphany
--bind-try /home/jackhill/.cache/epiphany/applications /home/jackhill/.cache/epiphany/applications
--bind-try /home/jackhill/.local/share/webkitgtk/mediakeys /home/jackhill/.local/share/webkitgtk/mediakeys
--bind-try /home/jackhill/.local/share/epiphany/databases /home/jackhill/.local/share/epiphany/databases
--bind-try /run/user/1000/pulse /run/user/1000/pulse
--ro-bind-try /etc/pulse/client.conf /etc/pulse/client.conf
--ro-bind-try /home/jackhill/.config/pulse /home/jackhill/.config/pulse
--ro-bind-try /home/jackhill/.pulse /home/jackhill/.pulse
--ro-bind-try /home/jackhill/.asoundrc /home/jackhill/.asoundrc
--dev-bind-try /dev/snd /dev/snd
--ro-bind-try /home/jackhill/.config/fontconfig /home/jackhill/.config/fontconfig
--ro-bind-try /home/jackhill/.fontconfig /home/jackhill/.fontconfig
--bind-try /home/jackhill/.cache/fontconfig /home/jackhill/.cache/fontconfig
--ro-bind-try /home/jackhill/.fonts.conf /home/jackhill/.fonts.conf
--ro-bind-try /home/jackhill/.config/.fonts.conf.d /home/jackhill/.config/.fonts.conf.d
--ro-bind-try /home/jackhill/.local/share/fonts /home/jackhill/.local/share/fonts
--ro-bind-try /home/jackhill/.fonts /home/jackhill/.fonts
--ro-bind-try /var/cache/fontconfig /var/cache/fontconfig
--ro-bind-try /home/jackhill/.guix-profile/lib/gstreamer-1.0 /home/jackhill/.guix-profile/lib/gstreamer-1.0
--ro-bind-try /home/jackhill/.guix-profile/lib/gstreamer-1.0 /home/jackhill/.guix-profile/lib/gstreamer-1.0
--ro-bind-try /home/jackhill/.guix-profile/lib/gstreamer-1.0 /home/jackhill/.guix-profile/lib/gstreamer-1.0
--ro-bind-try /run/current-system/profile/lib/gstreamer-1.0 /run/current-system/profile/lib/gstreamer-1.0
--bind-try /home/jackhill/.cache/gstreamer-1.0 /home/jackhill/.cache/gstreamer-1.0
--ro-bind-try /usr/libexec/gstreamer-1.0/gst-plugin-scanner /usr/libexec/gstreamer-1.0/gst-plugin-scanner
--ro-bind-try /usr/libexec/gst-install-plugins-helper /usr/libexec/gst-install-plugins-helper
--dev-bind-try /dev/dri /dev/dri
--dev-bind-try /dev/mali /dev/mali
--dev-bind-try /dev/mali0 /dev/mali0
--dev-bind-try /dev/umplock /dev/umplock
--dev-bind-try /dev/nvidiactl /dev/nvidiactl
--dev-bind-try /dev/nvidia0 /dev/nvidia0
--dev-bind-try /dev/nvidia /dev/nvidia
--dev-bind-try /dev/kgsl-3d0 /dev/kgsl-3d0
--dev-bind-try /dev/ion /dev/ion
--dev-bind-try /dev/v4l /dev/v4l
--dev-bind-try /dev/video0 /dev/video0
--dev-bind-try /dev/video1 /dev/video1
--ro-bind /run/user/1000/webkitgtk/dbus-proxy-SQHVJ0 /run/user/1000/webkitgtk/dbus-proxy-SQHVJ0
--setenv AT_SPI_BUS_ADDRESS unix:path=/run/user/1000/webkitgtk/dbus-proxy-SQHVJ0
--ro-bind-try /home/jackhill/.config/gtk-3.0 /home/jackhill/.config/gtk-3.0
--ro-bind-try /home/jackhill/.local/share/themes /home/jackhill/.local/share/themes
--ro-bind-try /home/jackhill/.themes /home/jackhill/.themes
--ro-bind-try /home/jackhill/.icons /home/jackhill/.icons
--seccomp 0035

On my system, /etc/pulse/client.conf is a symlink to the store item
/gnu/store/zc4dsmvdabi00nvisrjhi9w00ff4igs7-client.conf, which is not 
shared into the new mount namespace created by bubblewrap. It seems like 
the right way to solve this is for webkitgtk or bubblewrap resolve the 
symlinks at runtime.

As a workaround/test perhaps we can share all of /gnu/store

All that said, I could be on the wrong track as well, since I haven't 
tested a solution yet.

Best,
Jack

Message #17 received at 40837 <at> debbugs.gnu.org (full text, mbox):

From: Jack Hill <jackhill <at> jackhill.us>
To: sirgazil <sirgazil <at> zoho.com>
Cc: 40837 <40837 <at> debbugs.gnu.org>
Subject: Re: bug#40837: core-updates: epiphany web process crashes
Date: Sat, 25 Apr 2020 21:46:07 -0400 (EDT)

I now think what is being shared with bubblewrap is on the write track.

After seeing

"""
const char* pulseConfig = g_getenv("PULSE_CLIENTCONFIG");
if (pulseConfig)
    bindIfExists(args, pulseConfig);
"""

in Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp of 
WebKitGTK, I set the PULSE_CLIENTCONFIG environemnt variable to the store 
path rather than /etc/pulse/client.conf, which is what it was set to 
before.

That allowed epiphany to get past the problem with client.conf. However, 
it then hits another problem with something not being shared as seen in 
this session:

"""
$ env |grep PULSE
PULSE_CLIENTCONFIG=gnu/store/zc4dsmvdabi00nvisrjhi9w00ff4igs7-client.conf
PULSE_CONFIG=/etc/pulse/daemon.conf
$ epiphany

** (epiphany:11528): CRITICAL **: 21:38:10.896: void webkit_web_context_register_uri_scheme(WebKitWebContext*, const char*, WebKitURISchemeRequestCallback, gpointer, GDestroyNotify): assertion 'g_ascii_strcasecmp(scheme, "ftp") != 0' failed
bwrap: execvp /gnu/store/1skpd1p64x982c52anh4a5yhlp05paa6-webkitgtk-2.28.1/libexec/webkit2gtk-4.0/WebKitWebProcess: No such file or directory
^C
"""

Best,
Jack

Message #20 received at 40837 <at> debbugs.gnu.org (full text, mbox):

From: Jack Hill <jackhill <at> jackhill.us>
To: 40837 <40837 <at> debbugs.gnu.org>
Cc: sirgazil <sirgazil <at> zoho.com>
Subject: Re: bug#40837: core-updates: epiphany web process crashes
Date: Sat, 25 Apr 2020 23:03:01 -0400 (EDT)

[Message part 1 (text/plain, inline)]

On Sat, 25 Apr 2020, Jack Hill wrote:

> in Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp of WebKitGTK, 
> I set the PULSE_CLIENTCONFIG environemnt variable to the store path rather 
> than /etc/pulse/client.conf, which is what it was set to before.
>
> That allowed epiphany to get past the problem with client.conf. However, it 
> then hits another problem with something not being shared as seen in this 
> session:

I tried patching webkitgtk to share the whole /gnu/store in the new mount 
namespace (see attached patch). Unfortunately, when I ran epiphany with 
that patch applied and PULSE_CLIENTCONFIG set to /etc/pulse/client.conf, 
the "bwrap: Can't create file at /etc/pulse/client.conf: No such file or 
directory" error returned.

Via strace, I saw that my patch was having an effect on the arguments to 
bwrap. Could it be that the order of the --bind/--ro-bind arguments 
matters?

Thoughts?
Jack

[0001-gnu-webkitgtk-Patch-to-share-store-via-bwarp.patch (text/x-diff, attachment)]

Message #25 received at 40837 <at> debbugs.gnu.org (full text, mbox):

From: Jack Hill <jackhill <at> jackhill.us>
To: 40837 <40837 <at> debbugs.gnu.org>
Cc: sirgazil <sirgazil <at> zoho.com>
Subject: Re: bug#40837: core-updates: webkitgtk web process sandbox incomplete
Date: Sun, 26 Apr 2020 16:42:44 -0400 (EDT)

Some additional observations:

With my patched webkitgtk, if I set:

PULSE_CLIENTCONFIG=/gnu/store/zc4dsmvdabi00nvisrjhi9w00ff4igs7-client.conf

it does work, which is an improvement compared to without the patch.

I notice that Nix [0] has a similar patch:

"""
diff -ru old/webkitgtk-2.26.0/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp webkitgtk-2.26.0/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp
--- old/webkitgtk-2.26.0/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp	2019-09-09 04:47:07.000000000 -0400
+++ webkitgtk-2.26.0/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp	2019-09-20 21:14:10.537921173 -0400
@@ -585,7 +585,7 @@
         { SCMP_SYS(keyctl), nullptr },
         { SCMP_SYS(request_key), nullptr },

-        // Scary VM/NUMA ops 
+        // Scary VM/NUMA ops
         { SCMP_SYS(move_pages), nullptr },
         { SCMP_SYS(mbind), nullptr },
         { SCMP_SYS(get_mempolicy), nullptr },
@@ -724,6 +724,10 @@
         "--ro-bind-try", "/usr/local/lib64", "/usr/local/lib64",

         "--ro-bind-try", PKGLIBEXECDIR, PKGLIBEXECDIR,
+
+        // Nix Directories
+        "--ro-bind", "@storeDir@", "@storeDir@",
+        "--ro-bind", "/run/current-system", "/run/current-system",
     };
     // We would have to parse ld config files for more info.
     bindPathVar(sandboxArgs, "LD_LIBRARY_PATH");
"""

[0] https://github.com/NixOS/nixpkgs/blob/465566948393cf533e3617704d1c4ccc34cf3753/pkgs/development/libraries/webkitgtk/fix-bubblewrap-paths.patch

so I wonder if I didn't do the mounts in the right place and or if it is 
becasue I missed /run/current-system.

I'm going to try to adapt the Nix patch to see if that helps.

Best,
Jack

Message #28 received at 40837 <at> debbugs.gnu.org (full text, mbox):

From: Jack Hill <jackhill <at> jackhill.us>
To: 40837 <40837 <at> debbugs.gnu.org>
Cc: sirgazil <sirgazil <at> zoho.com>
Subject: Re: bug#40837: core-updates: webkitgtk web process sandbox incomplete
Date: Mon, 27 Apr 2020 18:02:25 -0400 (EDT)

I didn't have any better luck with the Nix patch. I was also unable to any 
problems with /etc/pulse/client.conf when calling bwrap manually on the 
command line.

I'm afraid that I'm stuck for now. I have asked the WebKit developers for 
help: https://lists.webkit.org/pipermail/webkit-dev/2020-April/031184.html

Best,
Jack

Message #31 received at 40837 <at> debbugs.gnu.org (full text, mbox):

From: Jack Hill <jackhill <at> jackhill.us>
To: 40837 <40837 <at> debbugs.gnu.org>
Cc: sirgazil <sirgazil <at> zoho.com>
Subject: Re: bug#40837: core-updates: webkitgtk web process sandbox incomplete
Date: Mon, 27 Apr 2020 23:03:52 -0400 (EDT)

I'm a little bit unstuck now. I found a bubblwrap issue [0], which I 
believe is the one that we're running into.

[0] https://github.com/containers/bubblewrap/issues/195 "Errors when 
--bind used with a symlinked path"

With insight gained there, I've determined that the following simplified 
bwrap invocation succeeds:

"""
$ bwrap  --ro-bind-try /etc/pulse/client.conf /etc/pulse/client.conf 
--ro-bind /gnu /gnu --ro-bind /run/current-system /run/current-system -- 
/run/current-system/profile/bin/bash
"""

while the following invocation fails:

"""
$ bwrap --ro-bind /etc /etc --ro-bind-try /etc/pulse/client.conf 
/etc/pulse/client.conf --ro-bind /gnu /gnu --ro-bind /run/current-system 
/run/current-system -- /run/current-system/profile/bin/bash

bwrap: Can't create file at /etc/pulse/client.conf: No such file or 
directory
"""

The difference between the working and non-working invocations in that in 
the non-working invocation, /etc is already mounted withing the new 
namespace, which includes symlinks at /etc/pulse and 
/etc/pulse/client.conf, and the later mount of the /etc/pulse/client.conf 
symlink causese the problem.

Now to figure out what the solution is, and if it is best fixed in 
webkitgtk or bubblewrap :)

Ideas welcome!

Best,
Jack

Message #34 received at 40837 <at> debbugs.gnu.org (full text, mbox):

From: Jack Hill <jackhill <at> jackhill.us>
To: 40837 <40837 <at> debbugs.gnu.org>
Cc: sirgazil <sirgazil <at> zoho.com>
Subject: Re: bug#40837: core-updates: webkitgtk web process sandbox incomplete
Date: Tue, 28 Apr 2020 12:27:57 -0400 (EDT)

After further discussion on the Bubblewrap issue [0], it was determined 
that the problem should be fixed by having WebKitGTK canonicalize paths 
before passing them to bwrap. There is now a WebKit issue for that fix [1].

[0] https://github.com/containers/bubblewrap/issues/195
[1] https://bugs.webkit.org/show_bug.cgi?id=211131

When the WebKit issue is fixed, that should solve the problem with 
/etc/pulse/client.conf. I believe that we will still have work to do in 
Guix to make sure the store is available inside the sandbox.

Best,
Jack

Message #37 received at 40837 <at> debbugs.gnu.org (full text, mbox):

From: sirgazil <sirgazil <at> zoho.com>
To: "Jack Hill" <jackhill <at> jackhill.us>
Cc: 40837 <40837 <at> debbugs.gnu.org>
Subject: Re: bug#40837: core-updates: webkitgtk web process sandbox incomplete
Date: Tue, 28 Apr 2020 16:33:16 +0000

 ---- On Tue, 28 Apr 2020 23:27:57 +0000 Jack Hill <jackhill <at> jackhill.us> wrote ----
 > After further discussion on the Bubblewrap issue [0], it was determined 
 > that the problem should be fixed by having WebKitGTK canonicalize paths 
 > before passing them to bwrap. There is now a WebKit issue for that fix [1].
 > 
 > [0] https://github.com/containers/bubblewrap/issues/195
 > [1] https://bugs.webkit.org/show_bug.cgi?id=211131
 > 
 > When the WebKit issue is fixed, that should solve the problem with 
 > /etc/pulse/client.conf. I believe that we will still have work to do in 
 > Guix to make sure the store is available inside the sandbox.


Thanks for working on this, Jack.

Message #40 received at 40837 <at> debbugs.gnu.org (full text, mbox):

From: sirgazil via web <issues.guix.gnu.org <at> elephly.net>
To: 40837 <at> debbugs.gnu.org
Date: Mon,  4 May 2020 21:27:35 +0200

I can reproduce this problem.

Message #43 received at 40837 <at> debbugs.gnu.org (full text, mbox):

From: Marius Bakke <mbakke <at> fastmail.com>
To: Jack Hill <jackhill <at> jackhill.us>, 40837 <40837 <at> debbugs.gnu.org>
Cc: sirgazil <sirgazil <at> zoho.com>
Subject: Re: bug#40837: core-updates: webkitgtk web process sandbox incomplete
Date: Wed, 06 May 2020 18:39:20 +0200

[Message part 1 (text/plain, inline)]

Hello Jack,

Thanks a lot for this work.

Jack Hill <jackhill <at> jackhill.us> writes:

> Some additional observations:
>
> With my patched webkitgtk, if I set:
>
> PULSE_CLIENTCONFIG=/gnu/store/zc4dsmvdabi00nvisrjhi9w00ff4igs7-client.conf
>
> it does work, which is an improvement compared to without the patch.

Great.  I have attached a patch for Guix that stops using /etc for these
variables.

> I notice that Nix [0] has a similar patch:
>
> """
> diff -ru old/webkitgtk-2.26.0/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp webkitgtk-2.26.0/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp
> --- old/webkitgtk-2.26.0/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp	2019-09-09 04:47:07.000000000 -0400
> +++ webkitgtk-2.26.0/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp	2019-09-20 21:14:10.537921173 -0400
> @@ -585,7 +585,7 @@
>           { SCMP_SYS(keyctl), nullptr },
>           { SCMP_SYS(request_key), nullptr },
>
> -        // Scary VM/NUMA ops 
> +        // Scary VM/NUMA ops
>           { SCMP_SYS(move_pages), nullptr },
>           { SCMP_SYS(mbind), nullptr },
>           { SCMP_SYS(get_mempolicy), nullptr },
> @@ -724,6 +724,10 @@
>           "--ro-bind-try", "/usr/local/lib64", "/usr/local/lib64",
>
>           "--ro-bind-try", PKGLIBEXECDIR, PKGLIBEXECDIR,
> +
> +        // Nix Directories
> +        "--ro-bind", "@storeDir@", "@storeDir@",
> +        "--ro-bind", "/run/current-system", "/run/current-system",
>       };
>       // We would have to parse ld config files for more info.
>       bindPathVar(sandboxArgs, "LD_LIBRARY_PATH");
> """
>
> [0] https://github.com/NixOS/nixpkgs/blob/465566948393cf533e3617704d1c4ccc34cf3753/pkgs/development/libraries/webkitgtk/fix-bubblewrap-paths.patch
>
> so I wonder if I didn't do the mounts in the right place and or if it is 
> becasue I missed /run/current-system.
>
> I'm going to try to adapt the Nix patch to see if that helps.

Were you able to verify whether /run/current-system is required inside
the sandbox?

I cleaned up your patch a bit and rebased it on the latest master
branch, available as patch 2/2 below.  Currently building it on
'core-updates' to verify that it works.  It takes a while on my dinky
quad-core server though.  :-)

It does not bind /run/current-system, and I think we should avoid it if
possible.  Ideally we would only mount the store paths required by the
consumers instead of all of /gnu/store, but not sure how to achieve
that.

[0001-services-Do-not-use-symbolic-links-in-PulseAudio-var.patch (text/x-patch, attachment)]

[0002-gnu-webkitgtk-Patch-to-share-store-via-Bubblewrap.patch (text/x-patch, attachment)]

[signature.asc (application/pgp-signature, inline)]

Message #46 received at 40837 <at> debbugs.gnu.org (full text, mbox):

From: Jack Hill <jackhill <at> jackhill.us>
To: Marius Bakke <mbakke <at> fastmail.com>
Cc: sirgazil <sirgazil <at> zoho.com>, 40837 <40837 <at> debbugs.gnu.org>
Subject: Re: bug#40837: core-updates: webkitgtk web process sandbox incomplete
Date: Wed, 6 May 2020 16:17:58 -0400 (EDT)

On Wed, 6 May 2020, Marius Bakke wrote:

> Hello Jack,
>
> Thanks a lot for this work.

You're welcome. I'm happy that we seem to be making good progress.

> Jack Hill <jackhill <at> jackhill.us> writes:
>
>> Some additional observations:
>>
>> With my patched webkitgtk, if I set:
>>
>> PULSE_CLIENTCONFIG=/gnu/store/zc4dsmvdabi00nvisrjhi9w00ff4igs7-client.conf
>>
>> it does work, which is an improvement compared to without the patch.
>
> Great.  I have attached a patch for Guix that stops using /etc for these
> variables.

Good idea! That way we won't have to wait for WebKitGTK to canonicalize 
all paths :)

>> [0] https://github.com/NixOS/nixpkgs/blob/465566948393cf533e3617704d1c4ccc34cf3753/pkgs/development/libraries/webkitgtk/fix-bubblewrap-paths.patch
>>
>> so I wonder if I didn't do the mounts in the right place and or if it is
>> becasue I missed /run/current-system.
>>
>> I'm going to try to adapt the Nix patch to see if that helps.
>
> Were you able to verify whether /run/current-system is required inside
> the sandbox?

I don't think /run/current-system is needed.

> I cleaned up your patch a bit and rebased it on the latest master
> branch, available as patch 2/2 below.  Currently building it on
> 'core-updates' to verify that it works.  It takes a while on my dinky
> quad-core server though.  :-)
>
> It does not bind /run/current-system, and I think we should avoid it if
> possible.  Ideally we would only mount the store paths required by the
> consumers instead of all of /gnu/store, but not sure how to achieve
> that.

I've tested the updated patch by applying it to master and merging into 
core-updates. I'm happy to report that everything seems to be working for 
me after doing so!

Sharing less than the whole store sounds like a great aspiration, but I 
think we'd have to teach WebKitGTK how to ask Guix for its closure to do 
so. On FHS-compliant systems, all of the various /usr/lib and /usr/share 
directories are bind-mounted into the new namespace, so I don't think 
we're providing too much more. It's nice that our setuid binaries reside 
outside of the store :)

Best,
Jack

Message #51 received at 40837-done <at> debbugs.gnu.org (full text, mbox):

From: Marius Bakke <mbakke <at> fastmail.com>
To: Jack Hill <jackhill <at> jackhill.us>
Cc: sirgazil <sirgazil <at> zoho.com>, 40837 <40837-done <at> debbugs.gnu.org>
Subject: Re: bug#40837: core-updates: webkitgtk web process sandbox incomplete
Date: Wed, 06 May 2020 22:53:28 +0200

[Message part 1 (text/plain, inline)]

Jack Hill <jackhill <at> jackhill.us> writes:

> On Wed, 6 May 2020, Marius Bakke wrote:
>
>> Hello Jack,
>>
>> Thanks a lot for this work.
>
> You're welcome. I'm happy that we seem to be making good progress.
>
>> Jack Hill <jackhill <at> jackhill.us> writes:
>>
>>> Some additional observations:
>>>
>>> With my patched webkitgtk, if I set:
>>>
>>> PULSE_CLIENTCONFIG=/gnu/store/zc4dsmvdabi00nvisrjhi9w00ff4igs7-client.conf
>>>
>>> it does work, which is an improvement compared to without the patch.
>>
>> Great.  I have attached a patch for Guix that stops using /etc for these
>> variables.
>
> Good idea! That way we won't have to wait for WebKitGTK to canonicalize 
> all paths :)
>
>>> [0] https://github.com/NixOS/nixpkgs/blob/465566948393cf533e3617704d1c4ccc34cf3753/pkgs/development/libraries/webkitgtk/fix-bubblewrap-paths.patch
>>>
>>> so I wonder if I didn't do the mounts in the right place and or if it is
>>> becasue I missed /run/current-system.
>>>
>>> I'm going to try to adapt the Nix patch to see if that helps.
>>
>> Were you able to verify whether /run/current-system is required inside
>> the sandbox?
>
> I don't think /run/current-system is needed.

Excellent.  I tested Epiphany with these patches on a popular video
streaming site and everything seemed fine.

>> I cleaned up your patch a bit and rebased it on the latest master
>> branch, available as patch 2/2 below.  Currently building it on
>> 'core-updates' to verify that it works.  It takes a while on my dinky
>> quad-core server though.  :-)
>>
>> It does not bind /run/current-system, and I think we should avoid it if
>> possible.  Ideally we would only mount the store paths required by the
>> consumers instead of all of /gnu/store, but not sure how to achieve
>> that.
>
> I've tested the updated patch by applying it to master and merging into 
> core-updates. I'm happy to report that everything seems to be working for 
> me after doing so!
>
> Sharing less than the whole store sounds like a great aspiration, but I 
> think we'd have to teach WebKitGTK how to ask Guix for its closure to do 
> so. On FHS-compliant systems, all of the various /usr/lib and /usr/share 
> directories are bind-mounted into the new namespace, so I don't think 
> we're providing too much more. It's nice that our setuid binaries reside 
> outside of the store :)

Indeed, thanks for testing and confirming.

I added a little more context in the patch description and finally
pushed it as a6919866b07e9ed3986abde7ae48d0c69ff3deed.

Again, thank you very much for taking care of this.  :-)

[signature.asc (application/pgp-signature, inline)]

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.