GNU bug report logs - #40837
core-updates: webkitgtk web process sandbox incomplete

Previous Next

Full log

View this message in rfc822 format

From: help-debbugs <at> gnu.org (GNU bug Tracking System)
To: Jack Hill <jackhill <at> jackhill.us>
Subject: bug#40837: closed (Re: bug#40837: core-updates: webkitgtk web
 process sandbox incomplete)
Date: Wed, 06 May 2020 20:54:02 +0000

[Message part 1 (text/plain, inline)]

Your bug report

#40837: core-updates: webkitgtk web process sandbox incomplete

which was filed against the guix package, has been closed.

The explanation is attached below, along with your original report.
If you require more details, please reply to 40837 <at> debbugs.gnu.org.

-- 
40837: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=40837
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems

[Message part 2 (message/rfc822, inline)]

From: Marius Bakke <mbakke <at> fastmail.com>
To: Jack Hill <jackhill <at> jackhill.us>
Cc: sirgazil <sirgazil <at> zoho.com>, 40837 <40837-done <at> debbugs.gnu.org>
Subject: Re: bug#40837: core-updates: webkitgtk web process sandbox incomplete
Date: Wed, 06 May 2020 22:53:28 +0200

[Message part 3 (text/plain, inline)]

Jack Hill <jackhill <at> jackhill.us> writes:

> On Wed, 6 May 2020, Marius Bakke wrote:
>
>> Hello Jack,
>>
>> Thanks a lot for this work.
>
> You're welcome. I'm happy that we seem to be making good progress.
>
>> Jack Hill <jackhill <at> jackhill.us> writes:
>>
>>> Some additional observations:
>>>
>>> With my patched webkitgtk, if I set:
>>>
>>> PULSE_CLIENTCONFIG=/gnu/store/zc4dsmvdabi00nvisrjhi9w00ff4igs7-client.conf
>>>
>>> it does work, which is an improvement compared to without the patch.
>>
>> Great.  I have attached a patch for Guix that stops using /etc for these
>> variables.
>
> Good idea! That way we won't have to wait for WebKitGTK to canonicalize 
> all paths :)
>
>>> [0] https://github.com/NixOS/nixpkgs/blob/465566948393cf533e3617704d1c4ccc34cf3753/pkgs/development/libraries/webkitgtk/fix-bubblewrap-paths.patch
>>>
>>> so I wonder if I didn't do the mounts in the right place and or if it is
>>> becasue I missed /run/current-system.
>>>
>>> I'm going to try to adapt the Nix patch to see if that helps.
>>
>> Were you able to verify whether /run/current-system is required inside
>> the sandbox?
>
> I don't think /run/current-system is needed.

Excellent.  I tested Epiphany with these patches on a popular video
streaming site and everything seemed fine.

>> I cleaned up your patch a bit and rebased it on the latest master
>> branch, available as patch 2/2 below.  Currently building it on
>> 'core-updates' to verify that it works.  It takes a while on my dinky
>> quad-core server though.  :-)
>>
>> It does not bind /run/current-system, and I think we should avoid it if
>> possible.  Ideally we would only mount the store paths required by the
>> consumers instead of all of /gnu/store, but not sure how to achieve
>> that.
>
> I've tested the updated patch by applying it to master and merging into 
> core-updates. I'm happy to report that everything seems to be working for 
> me after doing so!
>
> Sharing less than the whole store sounds like a great aspiration, but I 
> think we'd have to teach WebKitGTK how to ask Guix for its closure to do 
> so. On FHS-compliant systems, all of the various /usr/lib and /usr/share 
> directories are bind-mounted into the new namespace, so I don't think 
> we're providing too much more. It's nice that our setuid binaries reside 
> outside of the store :)

Indeed, thanks for testing and confirming.

I added a little more context in the patch description and finally
pushed it as a6919866b07e9ed3986abde7ae48d0c69ff3deed.

Again, thank you very much for taking care of this.  :-)

[signature.asc (application/pgp-signature, inline)]

[Message part 5 (message/rfc822, inline)]

From: Jack Hill <jackhill <at> jackhill.us>
To: bug-guix <at> gnu.org
Subject: core-updates: epiphany web process crashes
Date: Fri, 24 Apr 2020 22:55:26 -0400 (EDT)

[Message part 6 (text/plain, inline)]

Hi Guix,

On Guix System with the current core-updates branch, epiphany/GNOME-Web 
starts, but doesn't work because the web process crash in a loop.

When I run epiphany from the terminal I see

"""
$ epiphany

** (epiphany:29457): CRITICAL **: 22:37:21.415: void webkit_web_context_register_uri_scheme(WebKitWebContext*, const char*, WebKitURISchemeRequestCallback, gpointer, GDestroyNotify): assertion 'g_ascii_strcasecmp(scheme, "ftp") != 0' failed
bwrap: Can't create file at /etc/pulse/client.conf: No such file or directory
bwrap: Can't create file at /etc/pulse/client.conf: No such file or directory
bwrap: Can't create file at /etc/pulse/client.conf: No such file or directory
bwrap: Can't create file at /etc/pulse/client.conf: No such file or directory
bwrap: Can't create file at /etc/pulse/client.conf: No such file or directory
bwrap: Can't create file at /etc/pulse/client.conf: No such file or directory
bwrap: Can't create file at /etc/pulse/client.conf: No such file or directory

** (epiphany:29457): WARNING **: 22:37:21.866: Web process crashed
"""

The bwrap… and …Web process crashed lines then continue to print 
alternating.

Windows and tabs are created, but no content is ever drawn in them.

/etc/pulse/client.conf exists on the host, but maybe not in the namespaces 
created by bwrap?

Could this be related to WebKitGTK sandboxing: 
https://blogs.gnome.org/mcatanzaro/2020/03/31/sandboxing-webkitgtk-apps/

Best,
Jack

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.