Date: Sat, 21 Jun 2025 12:16:47 +0000
From: bug#40837 <40837@debbugs.gnu.org>
Subject: Status: core-updates: webkitgtk web process sandbox incomplete

retitle 40837 core-updates: webkitgtk web process sandbox incomplete
reassign 40837 guix
submitter 40837 Jack Hill
severity 40837 normal
thanks

Date: Fri, 24 Apr 2020 22:55:26 -0400 (EDT)
From: Jack Hill
To: bug-guix@gnu.org
Subject: core-updates: epiphany web process crashes

Hi Guix,

On Guix System with the current core-updates branch, epiphany/GNOME-Web starts, but doesn't work because the web process crashes in a loop.
When I run epiphany from the terminal I see

"""
$ epiphany

** (epiphany:29457): CRITICAL **: 22:37:21.415: void webkit_web_context_register_uri_scheme(WebKitWebContext*, const char*, WebKitURISchemeRequestCallback, gpointer, GDestroyNotify): assertion 'g_ascii_strcasecmp(scheme, "ftp") != 0' failed
bwrap: Can't create file at /etc/pulse/client.conf: No such file or directory
bwrap: Can't create file at /etc/pulse/client.conf: No such file or directory
bwrap: Can't create file at /etc/pulse/client.conf: No such file or directory
bwrap: Can't create file at /etc/pulse/client.conf: No such file or directory
bwrap: Can't create file at /etc/pulse/client.conf: No such file or directory
bwrap: Can't create file at /etc/pulse/client.conf: No such file or directory
bwrap: Can't create file at /etc/pulse/client.conf: No such file or directory

** (epiphany:29457): WARNING **: 22:37:21.866: Web process crashed
"""

The bwrap… and …Web process crashed lines then continue to print alternating. Windows and tabs are created, but no content is ever drawn in them.

/etc/pulse/client.conf exists on the host, but maybe not in the namespaces created by bwrap?
Could this be related to WebKitGTK sandboxing: https://blogs.gnome.org/mcatanzaro/2020/03/31/sandboxing-webkitgtk-apps/

Best,
Jack

Date: Fri, 24 Apr 2020 23:19:55 -0400 (EDT)
From: Jack Hill
To: 40837@debbugs.gnu.org
Subject: Re: bug#40837: core-updates: epiphany web process crashes

I experience the problem with epiphany installed both in the system profile and in an ad-hoc environment.

Best,
Jack

Date: Sat, 25 Apr 2020 21:55:45 +0000
From: sirgazil
To: "40837" <40837@debbugs.gnu.org>
Subject: core-updates: epiphany web process crashes
Message-ID: <171b356d9e2.1154aefce15638.8921669740072490388@zoho.com>

I can reproduce this bug. I can't load any page and see the same messages in the terminal.

Date: Sat, 25 Apr 2020 21:23:09 -0400 (EDT)
From: Jack Hill
To: sirgazil
Cc: 40837 <40837@debbugs.gnu.org>
Subject: Re: bug#40837: core-updates: epiphany web process crashes
In-Reply-To: <171b356d9e2.1154aefce15638.8921669740072490388@zoho.com>
On Sat, 25 Apr 2020, sirgazil via Bug reports for GNU Guix wrote:

> I can reproduce this bug. I can't load any page and see the same messages in the terminal.

Thanks, as a first step it is helpful to know that the problem can be reproduced.

The second step is to figure out why this is happening. My suspicion is that the bwrap invocation by webkitgtk is not sharing some paths into the new namespace it creates that it should be, because the paths are different on Guix System than they are on FHS systems.

Stracing epiphany, I've turned up the bwrap invocation to be:

execve("/gnu/store/kzq4v5fvjbdbbwah74k10pf698xkbdpr-bubblewrap-0.4.1/bin/bwrap", ["/gnu/store/kzq4v5fvjbdbbwah74k10pf698xkbdpr-bubblewrap-0.4.1/bin/bwrap", "--args", "36", "--", "/gnu/store/1skpd1p64x982c52anh4a5yhlp05paa6-webkitgtk-2.28.1/libexec/webkit2gtk-4.0/WebKitWebProcess", "11", "31"]

File descriptor 36, which holds the bwrap arguments, is written as a single null-separated string. For readability, here it is removing the null bytes, and using newlines:

--die-with-parent
--unshare-pid
--unshare-uts
--unshare-net
--ro-bind /etc /etc
--dev /dev
--proc /proc
--tmpfs /tmp
--unsetenv TMPDIR
--dir /run
--symlink ../run /var/run
--symlink ../tmp /var/tmp
--ro-bind /sys/block /sys/block
--ro-bind /sys/bus /sys/bus
--ro-bind /sys/class /sys/class
--ro-bind /sys/dev /sys/dev
--ro-bind /sys/devices /sys/devices
--ro-bind-try /usr/share /usr/share
--ro-bind-try /usr/local/share /usr/local/share
--ro-bind-try /gnu/store/1skpd1p64x982c52anh4a5yhlp05paa6-webkitgtk-2.28.1/share /gnu/store/1skpd1p64x982c52anh4a5yhlp05paa6-webkitgtk-2.28.1/share
--ro-bind-try /lib /lib
--ro-bind-try /usr/lib /usr/lib
--ro-bind-try /usr/local/lib /usr/local/lib
--ro-bind-try /gnu/store/1skpd1p64x982c52anh4a5yhlp05paa6-webkitgtk-2.28.1/lib /gnu/store/1skpd1p64x982c52anh4a5yhlp05paa6-webkitgtk-2.28.1/lib
--ro-bind-try /lib64 /lib64
--ro-bind-try /usr/lib64 /usr/lib64
--ro-bind-try /usr/local/lib64 /usr/local/lib64
--ro-bind-try /gnu/store/1skpd1p64x982c52anh4a5yhlp05paa6-webkitgtk-2.28.1/libexec/webkit2gtk-4.0 /gnu/store/1skpd1p64x982c52anh4a5yhlp05paa6-webkitgtk-2.28.1/libexec/webkit2gtk-4.0
--ro-bind-try /gnu/store/h6pd8k3glp23k868i0ij5x2v5kzfgsrv-gdk-pixbuf+svg-2.40.0/lib /gnu/store/h6pd8k3glp23k868i0ij5x2v5kzfgsrv-gdk-pixbuf+svg-2.40.0/lib
--ro-bind-try /gnu/store/9s7khsp79c223jvbbv0icyn5fdm7v6cb-gnome-bluetooth-3.34.0/lib /gnu/store/9s7khsp79c223jvbbv0icyn5fdm7v6cb-gnome-bluetooth-3.34.0/lib
--ro-bind-try /gnu/store/ry4zm4c39nz78h42hmbq6rb6mg6axxzg-librsvg-2.40.21/lib /gnu/store/ry4zm4c39nz78h42hmbq6rb6mg6axxzg-librsvg-2.40.21/lib
--ro-bind-try /gnu/store/y37h19fz5pr3m99aw8g9hksz2pv1xr1f-libgweather-3.34.0/lib /gnu/store/y37h19fz5pr3m99aw8g9hksz2pv1xr1f-libgweather-3.34.0/lib
--setenv LD_LIBRARY_PATH /gnu/store/h6pd8k3glp23k868i0ij5x2v5kzfgsrv-gdk-pixbuf+svg-2.40.0/lib:/gnu/store/9s7khsp79c223jvbbv0icyn5fdm7v6cb-gnome-bluetooth-3.34.0/lib:/gnu/store/ry4zm4c39nz78h42hmbq6rb6mg6axxzg-librsvg-2.40.21/lib:/gnu/store/y37h19fz5pr3m99aw8g9hksz2pv1xr1f-libgweather-3.34.0/lib
--ro-bind-data 0033 /.flatpak-info
--bind-try /tmp/.X11-unix/X1 /tmp/.X11-unix/X1
--ro-bind-try /run/user/1000/gdm/Xauthority /run/user/1000/gdm/Xauthority
--ro-bind-try /tmp/epiphany-jackhill-hoj0lD /tmp/epiphany-jackhill-hoj0lD
--ro-bind-try /home/jackhill/.local/share/epiphany /home/jackhill/.local/share/epiphany
--ro-bind-try /home/jackhill/.cache/epiphany /home/jackhill/.cache/epiphany
--ro-bind-try /home/jackhill/.config/epiphany /home/jackhill/.config/epiphany
--bind-try /home/jackhill/.cache/epiphany/applications /home/jackhill/.cache/epiphany/applications
--bind-try /home/jackhill/.local/share/webkitgtk/mediakeys /home/jackhill/.local/share/webkitgtk/mediakeys
--bind-try /home/jackhill/.local/share/epiphany/databases /home/jackhill/.local/share/epiphany/databases
--bind-try /run/user/1000/pulse /run/user/1000/pulse
--ro-bind-try /etc/pulse/client.conf /etc/pulse/client.conf
--ro-bind-try /home/jackhill/.config/pulse /home/jackhill/.config/pulse
--ro-bind-try /home/jackhill/.pulse /home/jackhill/.pulse
--ro-bind-try /home/jackhill/.asoundrc /home/jackhill/.asoundrc
--dev-bind-try /dev/snd /dev/snd
--ro-bind-try /home/jackhill/.config/fontconfig /home/jackhill/.config/fontconfig
--ro-bind-try /home/jackhill/.fontconfig /home/jackhill/.fontconfig
--bind-try /home/jackhill/.cache/fontconfig /home/jackhill/.cache/fontconfig
--ro-bind-try /home/jackhill/.fonts.conf /home/jackhill/.fonts.conf
--ro-bind-try /home/jackhill/.config/.fonts.conf.d /home/jackhill/.config/.fonts.conf.d
--ro-bind-try /home/jackhill/.local/share/fonts /home/jackhill/.local/share/fonts
--ro-bind-try /home/jackhill/.fonts /home/jackhill/.fonts
--ro-bind-try /var/cache/fontconfig /var/cache/fontconfig
--ro-bind-try /home/jackhill/.guix-profile/lib/gstreamer-1.0 /home/jackhill/.guix-profile/lib/gstreamer-1.0
--ro-bind-try /home/jackhill/.guix-profile/lib/gstreamer-1.0 /home/jackhill/.guix-profile/lib/gstreamer-1.0
--ro-bind-try /home/jackhill/.guix-profile/lib/gstreamer-1.0 /home/jackhill/.guix-profile/lib/gstreamer-1.0
--ro-bind-try /run/current-system/profile/lib/gstreamer-1.0 /run/current-system/profile/lib/gstreamer-1.0
--bind-try /home/jackhill/.cache/gstreamer-1.0 /home/jackhill/.cache/gstreamer-1.0
--ro-bind-try /usr/libexec/gstreamer-1.0/gst-plugin-scanner /usr/libexec/gstreamer-1.0/gst-plugin-scanner
--ro-bind-try /usr/libexec/gst-install-plugins-helper /usr/libexec/gst-install-plugins-helper
--dev-bind-try /dev/dri /dev/dri
--dev-bind-try /dev/mali /dev/mali
--dev-bind-try /dev/mali0 /dev/mali0
--dev-bind-try /dev/umplock /dev/umplock
--dev-bind-try /dev/nvidiactl /dev/nvidiactl
--dev-bind-try /dev/nvidia0 /dev/nvidia0
--dev-bind-try /dev/nvidia /dev/nvidia
--dev-bind-try /dev/kgsl-3d0 /dev/kgsl-3d0
--dev-bind-try /dev/ion /dev/ion
--dev-bind-try /dev/v4l /dev/v4l
--dev-bind-try /dev/video0 /dev/video0
--dev-bind-try /dev/video1 /dev/video1
--ro-bind /run/user/1000/webkitgtk/dbus-proxy-SQHVJ0 /run/user/1000/webkitgtk/dbus-proxy-SQHVJ0
--setenv AT_SPI_BUS_ADDRESS unix:path=/run/user/1000/webkitgtk/dbus-proxy-SQHVJ0
--ro-bind-try /home/jackhill/.config/gtk-3.0 /home/jackhill/.config/gtk-3.0
--ro-bind-try /home/jackhill/.local/share/themes /home/jackhill/.local/share/themes
--ro-bind-try /home/jackhill/.themes /home/jackhill/.themes
--ro-bind-try /home/jackhill/.icons /home/jackhill/.icons
--seccomp 0035

On my system, /etc/pulse/client.conf is a symlink to the store item /gnu/store/zc4dsmvdabi00nvisrjhi9w00ff4igs7-client.conf, which is not shared into the new mount namespace created by bubblewrap. It seems like the right way to solve this is for webkitgtk or bubblewrap to resolve the symlinks at runtime. As a workaround/test perhaps we can share all of /gnu/store.

All that said, I could be on the wrong track as well, since I haven't tested a solution yet.
Best,
Jack

Date: Sat, 25 Apr 2020 21:46:07 -0400 (EDT)
From: Jack Hill
To: sirgazil
Cc: 40837 <40837@debbugs.gnu.org>
Subject: Re: bug#40837: core-updates: epiphany web process crashes

I now think what is being shared with bubblewrap is on the right track.
After seeing

"""
const char* pulseConfig = g_getenv("PULSE_CLIENTCONFIG");
if (pulseConfig)
    bindIfExists(args, pulseConfig);
"""

in Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp of WebKitGTK, I set the PULSE_CLIENTCONFIG environment variable to the store path rather than /etc/pulse/client.conf, which is what it was set to before.

That allowed epiphany to get past the problem with client.conf. However, it then hits another problem with something not being shared as seen in this session:

"""
$ env |grep PULSE
PULSE_CLIENTCONFIG=gnu/store/zc4dsmvdabi00nvisrjhi9w00ff4igs7-client.conf
PULSE_CONFIG=/etc/pulse/daemon.conf
$ epiphany

** (epiphany:11528): CRITICAL **: 21:38:10.896: void webkit_web_context_register_uri_scheme(WebKitWebContext*, const char*, WebKitURISchemeRequestCallback, gpointer, GDestroyNotify): assertion 'g_ascii_strcasecmp(scheme, "ftp") != 0' failed
bwrap: execvp /gnu/store/1skpd1p64x982c52anh4a5yhlp05paa6-webkitgtk-2.28.1/libexec/webkit2gtk-4.0/WebKitWebProcess: No such file or directory
^C
"""

Best,
Jack

Date: Sat, 25 Apr 2020 23:03:01 -0400 (EDT)
From: Jack Hill X-X-Sender: jackhill@marsh.hcoop.net To: 40837 <40837@debbugs.gnu.org> Subject: Re: bug#40837: core-updates: epiphany web process crashes In-Reply-To: Message-ID: References: <171b356d9e2.1154aefce15638.8921669740072490388@zoho.com> User-Agent: Alpine 2.20 (DEB 67 2015-01-07) MIME-Version: 1.0 Content-Type: multipart/mixed; BOUNDARY="925712948-1616578613-1587870182=:5735" X-Spam-Score: 2.0 (++) X-Spam-Report: Spam detection software, running on the system "debbugs.gnu.org", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: On Sat, 25 Apr 2020, Jack Hill wrote: > in Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp of WebKitGTK, > I set the PULSE_CLIENTCONFIG environemnt variable to the store path rather > than /etc/pulse/client.conf, which is wha [...] Content analysis details: (2.0 points, 10.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- 0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [URIs: jackhill.us] -0.0 SPF_PASS SPF: sender matches SPF record 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record 2.0 PDS_TONAME_EQ_TOLOCAL_HDRS_LCASE To: name matches everything in local email - LCASE headers X-Debbugs-Envelope-To: 40837 Cc: sirgazil X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -1.0 (-) This message is in MIME format. The first part should be readable text, while the remaining parts are likely unreadable without MIME-aware tools. 
On Sat, 25 Apr 2020, Jack Hill wrote:

> in Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp of WebKitGTK,
> I set the PULSE_CLIENTCONFIG environment variable to the store path rather
> than /etc/pulse/client.conf, which is what it was set to before.
>
> That allowed epiphany to get past the problem with client.conf. However, it
> then hits another problem with something not being shared as seen in this
> session:

I tried patching webkitgtk to share the whole /gnu/store in the new mount namespace (see attached patch). Unfortunately, when I ran epiphany with that patch applied and PULSE_CLIENTCONFIG set to /etc/pulse/client.conf, the "bwrap: Can't create file at /etc/pulse/client.conf: No such file or directory" error returned.

Via strace, I saw that my patch was having an effect on the arguments to bwrap. Could it be that the order of the --bind/--ro-bind arguments matters?

Thoughts?
Jack

[Attachment: 0001-gnu-webkitgtk-Patch-to-share-store-via-bwarp.patch, text/x-diff, base64-encoded]

From debbugs-submit-bounces@debbugs.gnu.org Sun Apr 26 16:37:52 2020
Date: Sun, 26 Apr 2020 16:37:34 -0400 (EDT)
From: Jack Hill
To: control@debbugs.gnu.org

retitle 40837 core-updates: webkitgtk web process sandbox incomplete

From debbugs-submit-bounces@debbugs.gnu.org Sun Apr 26 16:42:50 2020
Date: Sun, 26 Apr 2020 16:42:44 -0400 (EDT)
From: Jack Hill
To: 40837 <40837@debbugs.gnu.org>
Cc: sirgazil
Subject: Re: bug#40837: core-updates: webkitgtk web process sandbox incomplete

Some additional observations:

With my patched webkitgtk, if I set:

PULSE_CLIENTCONFIG=/gnu/store/zc4dsmvdabi00nvisrjhi9w00ff4igs7-client.conf

it does work, which is an improvement compared to without the patch.
I notice that Nix [0] has a similar patch:

"""
diff -ru old/webkitgtk-2.26.0/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp webkitgtk-2.26.0/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp
--- old/webkitgtk-2.26.0/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp	2019-09-09 04:47:07.000000000 -0400
+++ webkitgtk-2.26.0/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp	2019-09-20 21:14:10.537921173 -0400
@@ -585,7 +585,7 @@
         { SCMP_SYS(keyctl), nullptr },
         { SCMP_SYS(request_key), nullptr },
 
-        // Scary VM/NUMA ops 
+        // Scary VM/NUMA ops
         { SCMP_SYS(move_pages), nullptr },
         { SCMP_SYS(mbind), nullptr },
         { SCMP_SYS(get_mempolicy), nullptr },
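Review bot: the only change in this hunk is the removal of trailing whitespace from the "// Scary VM/NUMA ops" comment in the seccomp list, which is unrelated to the patch's purpose of binding the store into the sandbox; drop the hunk so the patch stays minimal and keeps applying across WebKitGTK releases.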
@@ -724,6 +724,10 @@
         "--ro-bind-try", "/usr/local/lib64", "/usr/local/lib64",
 
         "--ro-bind-try", PKGLIBEXECDIR, PKGLIBEXECDIR,
+
+        // Nix Directories
+        "--ro-bind", "@storeDir@", "@storeDir@",
+        "--ro-bind", "/run/current-system", "/run/current-system",
     };
     // We would have to parse ld config files for more info.
     bindPathVar(sandboxArgs, "LD_LIBRARY_PATH");
"""

[0] https://github.com/NixOS/nixpkgs/blob/465566948393cf533e3617704d1c4ccc34cf3753/pkgs/development/libraries/webkitgtk/fix-bubblewrap-paths.patch

so I wonder if I didn't do the mounts in the right place and/or if it is because I missed /run/current-system.

I'm going to try to adapt the Nix patch to see if that helps.

Best,
Jack

From debbugs-submit-bounces@debbugs.gnu.org Mon Apr 27 18:02:33 2020
Date: Mon, 27 Apr 2020 18:02:25 -0400 (EDT)
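Review bot: the two added entries use "--ro-bind" rather than the "--ro-bind-try" used by every neighbouring line, so the web process fails to launch at all if "@storeDir@" is left unsubstituted at build time or /run/current-system is absent; use "--ro-bind-try" for the optional /run/current-system entry, and note that binding the entire store read-only hands the least-trusted process a view of every installed store item, where binding only the store paths WebKitGTK and its consumers actually need would keep the sandbox tighter.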
From: Jack Hill
To: 40837 <40837@debbugs.gnu.org>
Cc: sirgazil
Subject: Re: bug#40837: core-updates: webkitgtk web process sandbox incomplete

I didn't have any better luck with the Nix patch. I was also unable to any problems with /etc/pulse/client.conf when calling bwrap manually on the command line.

I'm afraid that I'm stuck for now. I have asked the WebKit developers for help: https://lists.webkit.org/pipermail/webkit-dev/2020-April/031184.html

Best,
Jack

From debbugs-submit-bounces@debbugs.gnu.org Mon Apr 27 23:04:01 2020
Date: Mon, 27 Apr 2020 23:03:52 -0400 (EDT)
From: Jack Hill
To: 40837 <40837@debbugs.gnu.org>
Cc: sirgazil
Subject: Re: bug#40837: core-updates: webkitgtk web process sandbox incomplete

I'm a little bit unstuck now. I found a bubblewrap issue [0], which I believe is the one that we're running into.

[0] https://github.com/containers/bubblewrap/issues/195 "Errors when --bind used with a symlinked path"

With insight gained there, I've determined that the following simplified bwrap invocation succeeds:

"""
$ bwrap --ro-bind-try /etc/pulse/client.conf /etc/pulse/client.conf --ro-bind /gnu /gnu --ro-bind /run/current-system /run/current-system -- /run/current-system/profile/bin/bash
"""

while the following invocation fails:

"""
$ bwrap --ro-bind /etc /etc --ro-bind-try /etc/pulse/client.conf /etc/pulse/client.conf --ro-bind /gnu /gnu --ro-bind /run/current-system /run/current-system -- /run/current-system/profile/bin/bash
bwrap: Can't create file at /etc/pulse/client.conf: No such file or directory
"""

The difference between the working and non-working invocations is that in the non-working invocation, /etc is already mounted within the new namespace, which includes symlinks at /etc/pulse and /etc/pulse/client.conf, and the later mount of the /etc/pulse/client.conf symlink causes the problem.

Now to figure out what the solution is, and if it is best fixed in webkitgtk or bubblewrap :)

Ideas welcome!

Best,
Jack

From debbugs-submit-bounces@debbugs.gnu.org Tue Apr 28 12:28:18 2020
Date: Tue, 28 Apr 2020 12:27:57 -0400 (EDT)
From: Jack Hill
To: 40837 <40837@debbugs.gnu.org>
Cc: sirgazil
Subject: Re: bug#40837: core-updates: webkitgtk web process sandbox incomplete

After further discussion on the Bubblewrap issue [0], it was determined that the problem should be fixed by having WebKitGTK canonicalize paths before passing them to bwrap. There is now a WebKit issue for that fix [1].

[0] https://github.com/containers/bubblewrap/issues/195
[1] https://bugs.webkit.org/show_bug.cgi?id=211131

When the WebKit issue is fixed, that should solve the problem with /etc/pulse/client.conf. I believe that we will still have work to do in Guix to make sure the store is available inside the sandbox.

Best,
Jack

From debbugs-submit-bounces@debbugs.gnu.org Tue Apr 28 12:33:26 2020
Date: Tue, 28 Apr 2020 16:33:16 +0000
From: sirgazil
To: "Jack Hill"
Cc: 40837 <40837@debbugs.gnu.org>
Subject: Re: bug#40837: core-updates: webkitgtk web process sandbox incomplete

---- On Tue, 28 Apr 2020 23:27:57 +0000 Jack Hill wrote ----

> After further discussion on the Bubblewrap issue [0], it was determined
> that the problem should be fixed by having WebKitGTK canonicalize paths
> before passing them to bwrap. There is now a WebKit issue for that fix [1].
>
> [0] https://github.com/containers/bubblewrap/issues/195
> [1] https://bugs.webkit.org/show_bug.cgi?id=211131
>
> When the WebKit issue is fixed, that should solve the problem with
> /etc/pulse/client.conf. I believe that we will still have work to do in
> Guix to make sure the store is available inside the sandbox.

Thanks for working on this, Jack.
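The canonicalization fix discussed in the quoted message, as an added Python example that is not WebKit's or Guix's code: it resolves a symlinked host path such as /etc/pulse/client.conf to its store target before building bwrap bind arguments, and shows the symlink path a naive bind would hand to bwrap instead. The Guix-like directory tree is constructed in a temporary directory, and the function names are this example's own.

```python
"""Canonicalize host paths before emitting bwrap bind arguments.

Added example, not WebKit's or Guix's code.  On Guix System
/etc/pulse/client.conf is a symlink into /gnu/store; binding that symlink
path after /etc is already mounted makes bwrap fail with "Can't create
file".  Resolving the path first binds the store file itself, which exists
no matter what /etc looks like inside the sandbox.
"""
import os
import tempfile


def canonicalize(path):
    """Follow every symlink component of PATH and return the real path."""
    return os.path.realpath(path)


def is_under(path, prefix):
    """True when PATH is PREFIX itself or lies inside that directory."""
    return path == prefix or path.startswith(prefix.rstrip("/") + "/")


def build_bind_args(paths, already_bound=()):
    """Return bwrap arguments that bind the canonical form of each path.

    A path whose real location is already covered by a bound prefix (for
    instance the whole store) yields nothing, and duplicates collapse.
    --ro-bind-try keeps a missing optional file from aborting the launch.
    """
    bound = [canonicalize(p) for p in already_bound]
    args = []
    for path in paths:
        real = canonicalize(path)
        if any(is_under(real, b) for b in bound):
            continue
        bound.append(real)
        args += ["--ro-bind-try", real, real]
    return args


def rewrite_env(env, keys):
    """Return a copy of ENV with each path-valued KEY canonicalized.

    This mirrors what the thread did by hand: pointing PULSE_CLIENTCONFIG
    at the store path so the sandboxed process names a file that is bound.
    """
    out = dict(env)
    for key in keys:
        if env.get(key):
            out[key] = canonicalize(env[key])
    return out


def make_guix_like_tree(root):
    """Construct a miniature Guix-style layout under ROOT.

    The store file name is the one quoted in the thread; the /etc entry is
    a symlink to it, as on a real Guix System.
    """
    store_file = os.path.join(
        root, "gnu/store/zc4dsmvdabi00nvisrjhi9w00ff4igs7-client.conf")
    os.makedirs(os.path.dirname(store_file))
    with open(store_file, "w") as f:
        f.write("; constructed client.conf\n")
    os.makedirs(os.path.join(root, "etc/pulse"))
    os.symlink(store_file, os.path.join(root, "etc/pulse/client.conf"))
    return store_file


def demo():
    """Compare naive and canonical binds in a constructed tree."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.realpath(tmp)  # compare on canonical paths only
        store_file = make_guix_like_tree(root)
        link = os.path.join(root, "etc/pulse/client.conf")
        env = {"PULSE_CLIENTCONFIG": link}
        # Naive: bind the symlink path itself.  bwrap would have to create
        # a mount point at /etc/pulse/client.conf, which fails once /etc is
        # already mounted and that name is a symlink.
        naive = ["--ro-bind-try", link, link]
        # Canonical: bind the store file; the /etc symlink then points at
        # a path that exists inside the sandbox.
        canon = build_bind_args([link])
        # With the whole store already bound, nothing extra is needed.
        covered = build_bind_args(
            [link], already_bound=[os.path.join(root, "gnu/store")])
        new_env = rewrite_env(env, ["PULSE_CLIENTCONFIG"])
        return {
            "store_file": store_file,
            "naive_target": naive[1],
            "canonical_target": canon[1],
            "covered_args": covered,
            "env_target": new_env["PULSE_CLIENTCONFIG"],
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```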
From debbugs-submit-bounces@debbugs.gnu.org Mon May 04 15:44:54 2020
Date: Mon, 4 May 2020 21:27:35 +0200
From: sirgazil via web
To: 40837@debbugs.gnu.org

I can reproduce this problem.
From debbugs-submit-bounces@debbugs.gnu.org Wed May 06 12:39:44 2020
Date: Wed, 06 May 2020 18:39:20 +0200
From: Marius Bakke
To: Jack Hill, 40837 <40837@debbugs.gnu.org>
Cc: sirgazil
Subject: Re: bug#40837: core-updates: webkitgtk web process sandbox incomplete

Hello Jack,

Thanks a lot for this work.

Jack Hill writes:

> Some additional observations:
>
> With my patched webkitgtk, if I set:
>
> PULSE_CLIENTCONFIG=/gnu/store/zc4dsmvdabi00nvisrjhi9w00ff4igs7-client.conf
>
> it does work, which is an improvement compared to without the patch.

Great. I have attached a patch for Guix that stops using /etc for these variables.

> I notice that Nix [0] has a similar patch:
>
> """
> diff -ru old/webkitgtk-2.26.0/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp webkitgtk-2.26.0/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp
> --- old/webkitgtk-2.26.0/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp	2019-09-09 04:47:07.000000000 -0400
> +++ webkitgtk-2.26.0/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp	2019-09-20 21:14:10.537921173 -0400
> @@ -585,7 +585,7 @@
> { SCMP_SYS(keyctl), nullptr },
> { SCMP_SYS(request_key), nullptr },
>
> - // Scary VM/NUMA ops 
> + // Scary VM/NUMA ops
> { SCMP_SYS(move_pages), nullptr },
> { SCMP_SYS(mbind), nullptr },
> { SCMP_SYS(get_mempolicy), nullptr },
> @@ -724,6 +724,10 @@
> "--ro-bind-try", "/usr/local/lib64", "/usr/local/lib64",
>
> "--ro-bind-try", PKGLIBEXECDIR, PKGLIBEXECDIR,
> +
> + // Nix Directories
> + "--ro-bind", "@storeDir@", "@storeDir@",
> + "--ro-bind", "/run/current-system", "/run/current-system",
> };
> // We would have to parse ld config files for more info.
> bindPathVar(sandboxArgs, "LD_LIBRARY_PATH");
> """
>
> [0] https://github.com/NixOS/nixpkgs/blob/465566948393cf533e3617704d1c4ccc34cf3753/pkgs/development/libraries/webkitgtk/fix-bubblewrap-paths.patch
>
> so I wonder if I didn't do the mounts in the right place and or if it is
> because I missed /run/current-system.
>
> I'm going to try to adapt the Nix patch to see if that helps.

Were you able to verify whether /run/current-system is required inside
the sandbox?

I cleaned up your patch a bit and rebased it on the latest master
branch, available as patch 2/2 below. Currently building it on
'core-updates' to verify that it works. It takes a while on my dinky
quad-core server though. :-)

It does not bind /run/current-system, and I think we should avoid it if
possible. Ideally we would only mount the store paths required by the
consumers instead of all of /gnu/store, but not sure how to achieve
that.

[Attachment: 0001-services-Do-not-use-symbolic-links-in-PulseAudio-var.patch]

From a2607c8246456460a6bbed62144daf7196a5c9bd Mon Sep 17 00:00:00 2001
From: Marius Bakke
Date: Wed, 6 May 2020 17:48:42 +0200
Subject: [PATCH 1/2] services: Do not use symbolic links in PulseAudio variables.

This addresses by making these configuration files more easily
accessible within the WebKitGTK+ sandbox.

* gnu/services/sound.scm (pulseaudio-environment): Move below
PULSEAUDIO-CONF-ENTRY. Create PULSE_CONFIG and PULSE_CLIENTCONFIG entries
directly instead of referring to /etc/pulse.
(pulseaudio-etc): Do not create /etc/pulse/client.conf and /etc/pulse/daemon.conf.
---
 gnu/services/sound.scm | 27 ++++++++++++---------------
 1 file changed, 12 insertions(+), 15 deletions(-)

diff --git a/gnu/services/sound.scm b/gnu/services/sound.scm
index a1c928222a..bdf819b422 100644
--- a/gnu/services/sound.scm
+++ b/gnu/services/sound.scm
@@ -1,6 +1,7 @@
 ;;; GNU Guix --- Functional package management for GNU
 ;;; Copyright © 2018, 2020 Oleg Pykhalov
 ;;; Copyright © 2020 Leo Prikler
+;;; Copyright © 2020 Marius Bakke
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -127,11 +128,6 @@ ctl.!default {
 (default (file-append pulseaudio "/etc/pulse/system.pa"))))
 
-(define (pulseaudio-environment config)
- `(;; Define these variables, so that pulseaudio honors /etc.
- ("PULSE_CONFIG" . "/etc/pulse/daemon.conf")
- ("PULSE_CLIENTCONFIG" . "/etc/pulse/client.conf")))
-
 (define (pulseaudio-conf-entry arg)
 (match arg
 ((key . value)
@@ -139,21 +135,22 @@ ctl.!default {
 ((? string? _)
 (string-append arg "\n"))))
 
+(define pulseaudio-environment
+ (match-lambda
+ (($ client-conf daemon-conf default-script-file)
+ `(("PULSE_CONFIG" . ,(apply mixed-text-file "daemon.conf"
+ "default-script-file = " default-script-file "\n"
+ (map pulseaudio-conf-entry daemon-conf)))
+ ("PULSE_CLIENTCONFIG" . ,(apply mixed-text-file "client.conf"
+ (map pulseaudio-conf-entry client-conf)))))))
+
 (define pulseaudio-etc
 (match-lambda
- (($ client-conf daemon-conf
- default-script-file system-script-file)
+ (($ _ _ default-script-file system-script-file)
 `(("pulse"
 ,(file-union "pulse"
- `(("client.conf"
- ,(apply mixed-text-file "client.conf"
- (map pulseaudio-conf-entry client-conf)))
- ("daemon.conf"
- ,(apply mixed-text-file "daemon.conf"
- "default-script-file = " default-script-file "\n"
- (map pulseaudio-conf-entry daemon-conf)))
- ("default.pa" ,default-script-file)
+ `(("default.pa" ,default-script-file)
 ("system.pa" ,system-script-file))))))))
 
 (define pulseaudio-service-type
-- 
2.26.2

[Attachment: 0002-gnu-webkitgtk-Patch-to-share-store-via-Bubblewrap.patch]

From 3864b54f4aadefc600433d3654b0a1a73ab6fa98 Mon Sep 17 00:00:00 2001
From: Jack Hill
Date: Sat, 25 Apr 2020 22:03:48 -0400
Subject: [PATCH 2/2] gnu: webkitgtk: Patch to share store via Bubblewrap.

Fixes .

* gnu/packages/patches/webkitgtk-share-store.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/webkit.scm (webkitgtk)[source](patches): Use it.

Co-authored-by: Marius Bakke
---
 gnu/local.mk                                  |  1 +
 .../patches/webkitgtk-share-store.patch       | 20 +++++++++++++++++++
 gnu/packages/webkit.scm                       | 12 ++++++++++-
 3 files changed, 32 insertions(+), 1 deletion(-)
 create mode 100644 gnu/packages/patches/webkitgtk-share-store.patch
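Review bot: In the `+(define pulseaudio-environment` hunk of patch 1/2, PULSE_CONFIG and PULSE_CLIENTCONFIG now point at store items built by mixed-text-file, which only helps the WebKitGTK sandbox once the store itself is visible inside it (that is patch 2/2), and the new definition carries no comment while the preceding hunk deletes `;; Define these variables, so that pulseaudio honors /etc.`; add a comment on the new definition saying that store paths are used deliberately so the files are reachable without going through /etc symlinks that the sandbox does not canonicalize, and mention the dependency on the store bind in the commit message. The commit message should also spell out the user-visible effect of the `(pulseaudio-etc)` change: /etc/pulse/client.conf and /etc/pulse/daemon.conf no longer exist, so anything that reads them by path rather than through the two variables now finds nothing, while /etc/pulse/default.pa and system.pa remain.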
diff --git a/gnu/local.mk b/gnu/local.mk
index 62eeb39ece..5c06415205 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1542,6 +1542,7 @@ dist_patch_DATA = \
 %D%/packages/patches/vte-CVE-2012-2738-pt2.patch \
 %D%/packages/patches/warsow-qfusion-fix-bool-return-type.patch \
 %D%/packages/patches/weasyprint-library-paths.patch \
+ %D%/packages/patches/webkitgtk-share-store.patch \
 %D%/packages/patches/websocketpp-fix-for-boost-1.70.patch \
 %D%/packages/patches/wicd-bitrate-none-fix.patch \
 %D%/packages/patches/wicd-get-selected-profile-fix.patch \
diff --git a/gnu/packages/patches/webkitgtk-share-store.patch b/gnu/packages/patches/webkitgtk-share-store.patch
new file mode 100644
index 0000000000..4174e73b6c
--- /dev/null
+++ b/gnu/packages/patches/webkitgtk-share-store.patch
@@ -0,0 +1,20 @@
+Author: Jack Hill
+Tell bubblewrap to share the store.
+
+See .
+
+---
+diff --git a/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp b/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp
+index ad301ab2..d53b680e 100644
+--- a/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp
++++ b/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp
+@@ -737,6 +737,9 @@ GRefPtr bubblewrapSpawn(GSubprocessLauncher* launcher, const Proces
+ "--ro-bind-try", "/usr/local/share", "/usr/local/share",
+ "--ro-bind-try", DATADIR, DATADIR,
+ 
++ // Bind mount the store inside the WebKitGTK sandbox.
++ "--ro-bind", "@storedir@", "@storedir@",
++
+ // We only grant access to the libdirs webkit is built with and
+ // guess system libdirs. This will always have some edge cases.
+ "--ro-bind-try", "/lib", "/lib",
diff --git a/gnu/packages/webkit.scm b/gnu/packages/webkit.scm
index e52536c279..6035d6c59d 100644
--- a/gnu/packages/webkit.scm
+++ b/gnu/packages/webkit.scm
@@ -128,7 +128,8 @@ engine that uses Wayland for graphics output.")
 "webkitgtk-" version ".tar.xz"))
 (sha256
 (base32
- "1g9hik3bprki5s9d7y5288q5irwckbzajr6rnlvjrlnqrwjkblmr"))))
+ "1g9hik3bprki5s9d7y5288q5irwckbzajr6rnlvjrlnqrwjkblmr"))
+ (patches (search-patches "webkitgtk-share-store.patch"))))
 (build-system cmake-build-system)
 (outputs '("out" "doc"))
 (arguments
@@ -156,6 +157,15 @@ engine that uses Wayland for graphics output.")
 "-DUSE_WOFF2=OFF")
 #:phases
 (modify-phases %standard-phases
+ (add-after 'unpack 'configure-bubblewrap-store-directory
+ (lambda _
+ ;; This phase is a corollary to 'webkitgtk-share-store.patch' to
+ ;; avoid hard coding /gnu/store, for users with other prefixes.
+ (let ((store-directory (%store-directory)))
+ (substitute*
+ "Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp"
+ (("@storedir@") store-directory))
+ #t)))
 (add-after 'unpack 'patch-gtk-doc-scan
 (lambda* (#:key inputs #:allow-other-keys)
 (for-each (lambda (file)
-- 
2.26.2

Date: Wed, 6 May 2020 16:17:58 -0400 (EDT)
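Review bot: In the webkitgtk-share-store.patch hunk of patch 2/2, `"--ro-bind", "@storedir@", "@storedir@"` uses the non-try form, so bwrap aborts if the store directory is missing rather than silently continuing as the surrounding `--ro-bind-try` entries do; that is the right choice (the web process cannot start without its store-resident libraries), but the patch header `Tell bubblewrap to share the store.` should say so and should state what is being exposed: every item in the store on that host, read-only, not only webkitgtk's closure, which the thread judges comparable to the /usr/lib and /usr/share binds on FHS systems. The `See .` line in the header has lost its reference as shown here; make sure the committed file carries the bug URL.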
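Review bot: In the `'configure-bubblewrap-store-directory` phase hunk of patch 2/2, `substitute*` succeeds silently when `@storedir@` does not occur in BubblewrapLauncher.cpp, so if a later refresh of webkitgtk-share-store.patch renames or drops the placeholder, the sandbox loses the store bind again at runtime with no build-time signal; suggest making the phase fail when the placeholder is absent (read the file and raise an error before substituting), or at minimum extending the comment `;; This phase is a corollary to 'webkitgtk-share-store.patch'` to say that the placeholder must stay in sync with that patch.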
From: Jack Hill
To: Marius Bakke
Cc: sirgazil, 40837 <40837@debbugs.gnu.org>
Subject: Re: bug#40837: core-updates: webkitgtk web process sandbox incomplete

On Wed, 6 May 2020, Marius Bakke wrote:

> Hello Jack,
>
> Thanks a lot for this work.

You're welcome. I'm happy that we seem to be making good progress.

> Jack Hill writes:
>
>> Some additional observations:
>>
>> With my patched webkitgtk, if I set:
>>
>> PULSE_CLIENTCONFIG=/gnu/store/zc4dsmvdabi00nvisrjhi9w00ff4igs7-client.conf
>>
>> it does work, which is an improvement compared to without the patch.
>
> Great. I have attached a patch for Guix that stops using /etc for these
> variables.

Good idea! That way we won't have to wait for WebKitGTK to canonicalize
all paths :)

>> [0] https://github.com/NixOS/nixpkgs/blob/465566948393cf533e3617704d1c4ccc34cf3753/pkgs/development/libraries/webkitgtk/fix-bubblewrap-paths.patch
>>
>> so I wonder if I didn't do the mounts in the right place and or if it is
>> because I missed /run/current-system.
>>
>> I'm going to try to adapt the Nix patch to see if that helps.
>
> Were you able to verify whether /run/current-system is required inside
> the sandbox?

I don't think /run/current-system is needed.

> I cleaned up your patch a bit and rebased it on the latest master
> branch, available as patch 2/2 below.
> Currently building it on
> 'core-updates' to verify that it works. It takes a while on my dinky
> quad-core server though. :-)
>
> It does not bind /run/current-system, and I think we should avoid it if
> possible. Ideally we would only mount the store paths required by the
> consumers instead of all of /gnu/store, but not sure how to achieve
> that.

I've tested the updated patch by applying it to master and merging into
core-updates. I'm happy to report that everything seems to be working for
me after doing so!

Sharing less than the whole store sounds like a great aspiration, but I
think we'd have to teach WebKitGTK how to ask Guix for its closure to do
so. On FHS-compliant systems, all of the various /usr/lib and /usr/share
directories are bind-mounted into the new namespace, so I don't think
we're providing too much more. It's nice that our setuid binaries reside
outside of the store :)

Best,
Jack
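The narrower alternative that Marius raises above ("only mount the store paths required by the consumers instead of all of /gnu/store") and that Jack's reply ties to asking Guix for a closure can be sketched in shell. The script below is an added example written for this page; it is not code from the bug thread, from Guix or from WebKitGTK. It takes a closure listing of the kind `guix gc --requisites` prints (one store path per line), keeps only canonical items directly under the store prefix, drops duplicates and emits one read-only bubblewrap bind per item, so the bind list and not the whole store decides what the web process can read. The sample listing is constructed with made-up hashes; `STORE_DIR` (defaulting to /gnu/store) and the function names are this example's own.

```sh
#!/bin/sh
# Added example for this page; not code from the bug thread, Guix or WebKitGTK.
# Turns a closure listing (one store path per line, as `guix gc --requisites`
# prints it) into per-item read-only bubblewrap binds, the narrower alternative
# to binding all of the store as webkitgtk-share-store.patch does.
# Assumptions: STORE_DIR is the store prefix (default /gnu/store); the function
# names below are this example's own.

STORE_DIR="${STORE_DIR:-/gnu/store}"

# Constructed sample closure; the hashes are made up and are not real store
# items. It deliberately contains a duplicate, a path outside the store and a
# parent-directory traversal so the filtering below has something to reject.
sample_closure() {
  cat <<'EOF'
/gnu/store/0000000000000000000000000000000a-webkitgtk-2.28.2
/gnu/store/0000000000000000000000000000000b-pulseaudio-13.0
/gnu/store/0000000000000000000000000000000a-webkitgtk-2.28.2
/etc/passwd
/gnu/store/../../etc/shadow
/gnu/store/0000000000000000000000000000000c-client.conf
EOF
}

# is_store_path PATH: succeed only for a single-component item directly under
# STORE_DIR, so no parent references, no nested paths and no empty names.
is_store_path() {
  case "$1" in
    "$STORE_DIR"/*/*) return 1 ;;   # more than one component below the store
    "$STORE_DIR"/*) ;;              # candidate; check the item name next
    *) return 1 ;;                  # not under the store at all
  esac
  case "${1#"$STORE_DIR"/}" in
    ''|.|..) return 1 ;;
  esac
  return 0
}

# closure_to_bind_args: read paths on stdin, drop duplicates and anything that
# is not a store item, print "--ro-bind PATH PATH" once per item on stdout.
# Rejected entries are reported on stderr so a bad listing is visible.
closure_to_bind_args() {
  seen=" "
  while IFS= read -r p; do
    [ -n "$p" ] || continue
    if ! is_store_path "$p"; then
      printf 'rejected (not a store item): %s\n' "$p" >&2
      continue
    fi
    case "$seen" in *" $p "*) continue ;; esac
    seen="$seen$p "
    printf '%s %s %s\n' --ro-bind "$p" "$p"
  done
}

# count_sample_binds: number of bind lines the sample closure yields.
count_sample_binds() {
  sample_closure | closure_to_bind_args 2>/dev/null | wc -l | tr -d ' \n'
}

# Stand-alone demo: ./script.sh --demo prints the three binds for the sample.
if [ "${1-}" = "--demo" ]; then
  sample_closure | closure_to_bind_args
fi
```

To feed it real data, pipe the output of `guix gc --requisites $(guix build epiphany)` into `closure_to_bind_args` and splice the result into the bwrap argument vector in place of the single store-wide `--ro-bind`. The checks in `is_store_path` are the point of the exercise: once a generated list controls the binds, a stray `..` component or a non-store path in that list would widen the sandbox, so they are rejected rather than passed through. Binding the whole store, as the committed patch does, avoids that machinery at the cost of exposing every store item read-only, which Jack compares to the /usr binds on FHS systems.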
From: Marius Bakke
To: Jack Hill
Cc: sirgazil, 40837 <40837-done@debbugs.gnu.org>
Subject: Re: bug#40837: core-updates: webkitgtk web process sandbox incomplete
Date: Wed, 06 May 2020 22:53:28 +0200

Jack Hill writes:

> On Wed, 6 May 2020, Marius Bakke wrote:
>
>> Hello Jack,
>>
>> Thanks a lot for this work.
>
> You're welcome. I'm happy that we seem to be making good progress.
>
>> Jack Hill writes:
>>
>>> Some additional observations:
>>>
>>> With my patched webkitgtk, if I set:
>>>
>>> PULSE_CLIENTCONFIG=/gnu/store/zc4dsmvdabi00nvisrjhi9w00ff4igs7-client.conf
>>>
>>> it does work, which is an improvement compared to without the patch.
>>
>> Great. I have attached a patch for Guix that stops using /etc for these
>> variables.
>
> Good idea! That way we won't have to wait for WebKitGTK to canonicalize
> all paths :)
>
>>> [0] https://github.com/NixOS/nixpkgs/blob/465566948393cf533e3617704d1c4ccc34cf3753/pkgs/development/libraries/webkitgtk/fix-bubblewrap-paths.patch
>>>
>>> so I wonder if I didn't do the mounts in the right place and or if it is
>>> because I missed /run/current-system.
>>>
>>> I'm going to try to adapt the Nix patch to see if that helps.
>>
>> Were you able to verify whether /run/current-system is required inside
>> the sandbox?
>
> I don't think /run/current-system is needed.

Excellent. I tested Epiphany with these patches on a popular video
streaming site and everything seemed fine.

>> I cleaned up your patch a bit and rebased it on the latest master
>> branch, available as patch 2/2 below. Currently building it on
>> 'core-updates' to verify that it works. It takes a while on my dinky
>> quad-core server though. :-)
>>
>> It does not bind /run/current-system, and I think we should avoid it if
>> possible. Ideally we would only mount the store paths required by the
>> consumers instead of all of /gnu/store, but not sure how to achieve
>> that.
>
> I've tested the updated patch by applying it to master and merging into
> core-updates. I'm happy to report that everything seems to be working for
> me after doing so!
>
> Sharing less than the whole store sounds like a great aspiration, but I
> think we'd have to teach WebKitGTK how to ask Guix for its closure to do
> so. On FHS-compliant systems, all of the various /usr/lib and /usr/share
> directories are bind-mounted into the new namespace, so I don't think
> we're providing too much more. It's nice that our setuid binaries reside
> outside of the store :)

Indeed, thanks for testing and confirming.

I added a little more context in the patch description and finally
pushed it as a6919866b07e9ed3986abde7ae48d0c69ff3deed.

Again, thank you very much for taking care of this.
:-)

[debbugs control message, Thu, 04 Jun 2020 11:24:06 +0000: bug archived.]