GNU bug report logs - #40837
core-updates: webkitgtk web process sandbox incomplete


Package: guix;

Reported by: Jack Hill <jackhill <at> jackhill.us>

Date: Sat, 25 Apr 2020 02:56:02 UTC

Severity: normal

Done: Marius Bakke <mbakke <at> fastmail.com>

Bug is archived. No further changes may be made.



Message #25 received at 40837 <at> debbugs.gnu.org (full text, mbox):

From: Jack Hill <jackhill <at> jackhill.us>
To: 40837 <40837 <at> debbugs.gnu.org>
Cc: sirgazil <sirgazil <at> zoho.com>
Subject: Re: bug#40837: core-updates: webkitgtk web process sandbox incomplete
Date: Sun, 26 Apr 2020 16:42:44 -0400 (EDT)

Some additional observations:

With my patched webkitgtk, if I set:

PULSE_CLIENTCONFIG=/gnu/store/zc4dsmvdabi00nvisrjhi9w00ff4igs7-client.conf

it does work, which is an improvement compared to without the patch.

I notice that Nix [0] has a similar patch:

"""
diff -ru old/webkitgtk-2.26.0/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp webkitgtk-2.26.0/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp
--- old/webkitgtk-2.26.0/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp	2019-09-09 04:47:07.000000000 -0400
+++ webkitgtk-2.26.0/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp	2019-09-20 21:14:10.537921173 -0400
@@ -585,7 +585,7 @@
         { SCMP_SYS(keyctl), nullptr },
         { SCMP_SYS(request_key), nullptr },

-        // Scary VM/NUMA ops 
+        // Scary VM/NUMA ops
         { SCMP_SYS(move_pages), nullptr },
         { SCMP_SYS(mbind), nullptr },
         { SCMP_SYS(get_mempolicy), nullptr },
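Review bot: The only change in this hunk is the removal of the trailing space after `// Scary VM/NUMA ops` in the seccomp list, which has nothing to do with the bind-mount fix. Drop it so the patch touches only the sandbox arguments and is less likely to conflict when the upstream file changes.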
@@ -724,6 +724,10 @@
         "--ro-bind-try", "/usr/local/lib64", "/usr/local/lib64",

         "--ro-bind-try", PKGLIBEXECDIR, PKGLIBEXECDIR,
+
+        // Nix Directories
+        "--ro-bind", "@storeDir@", "@storeDir@",
+        "--ro-bind", "/run/current-system", "/run/current-system",
     };
     // We would have to parse ld config files for more info.
     bindPathVar(sandboxArgs, "LD_LIBRARY_PATH");
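Review bot: The two added entries use `--ro-bind`, while the neighbouring entries such as `"--ro-bind-try", PKGLIBEXECDIR, PKGLIBEXECDIR,` use `--ro-bind-try`. bwrap fails when the source of a plain `--ro-bind` does not exist, so on a host without `/run/current-system` the web process would not start at all; using `--ro-bind-try` for that entry avoids this. Binding all of `@storeDir@` also makes every store item readable from inside the sandbox, and the comment, which currently says only `// Nix Directories`, should state that this is intended.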
"""

[0] https://github.com/NixOS/nixpkgs/blob/465566948393cf533e3617704d1c4ccc34cf3753/pkgs/development/libraries/webkitgtk/fix-bubblewrap-paths.patch

so I wonder if I didn't do the mounts in the right place and/or if it is 
because I missed /run/current-system.

I'm going to try to adapt the Nix patch to see if that helps.

Best,
Jack




This bug report was last modified 5 years and 17 days ago.
