GNU bug report logs - #47628
webkitgtk-2.32.0 fails to launch without /usr/bin

Previous Next

Package: guix;

Reported by: Mark H Weaver <mhw <at> netris.org>

Date: Tue, 6 Apr 2021 22:48:01 UTC

Severity: normal

Done: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>

Bug is archived. No further changes may be made.

Full log

Message #30 received at 47628 <at> debbugs.gnu.org (full text, mbox):

From: Efraim Flashner <efraim <at> flashner.co.il>
To: Mark H Weaver <mhw <at> netris.org>
Cc: Guillaume Le Vaillant <glv <at> posteo.net>, 47628 <at> debbugs.gnu.org
Subject: Re: bug#47628: webkitgtk-2.32.0 fails to launch without /usr/bin
Date: Fri, 9 Apr 2021 13:09:03 +0300

[Message part 1 (text/plain, inline)]
On Thu, Apr 08, 2021 at 11:07:31AM -0400, Mark H Weaver wrote:
> I suspect that the relevant bit that needs to be changed is line 779 of
> the following file in the webkitgtk-2.32.0 source code:
> 
>   Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp
> 
> Most likely, that line can simply be deleted.  Here's the relevant
> excerpt, with line 779 marked by "==>":

Looking at the other lines above it, we could just change it from
ro-bind to ro-bind-try.

> 
> --8<---------------cut here---------------start------------->8---
> GRefPtr<GSubprocess> bubblewrapSpawn(GSubprocessLauncher* launcher, const ProcessLauncher::LaunchOptions& launchOptions, char** argv, GError **error)
> {
>     ASSERT(launcher);
> 
>     // For now we are just considering the network process trusted as it
>     // requires a lot of access but doesn't execute arbitrary code like
>     // the WebProcess where our focus lies.
>     if (launchOptions.processType == ProcessLauncher::ProcessType::Network)
>         return adoptGRef(g_subprocess_launcher_spawnv(launcher, argv, error));
> 
>     const char* runDir = g_get_user_runtime_dir();
>     Vector<CString> sandboxArgs = {
>         "--die-with-parent",
>         "--unshare-pid",
>         "--unshare-uts",
> 
>         // We assume /etc has safe permissions.
>         // At a later point we can start masking privacy-concerning files.
>         "--ro-bind", "/etc", "/etc",
>         "--dev", "/dev",
>         "--proc", "/proc",
>         "--tmpfs", "/tmp",
>         "--unsetenv", "TMPDIR",
>         "--dir", runDir,
>         "--setenv", "XDG_RUNTIME_DIR", runDir,
>         "--symlink", "../run", "/var/run",
>         "--symlink", "../tmp", "/var/tmp",
>         "--ro-bind", "/sys/block", "/sys/block",
>         "--ro-bind", "/sys/bus", "/sys/bus",
>         "--ro-bind", "/sys/class", "/sys/class",
>         "--ro-bind", "/sys/dev", "/sys/dev",
>         "--ro-bind", "/sys/devices", "/sys/devices",
> 
>         "--ro-bind-try", "/usr/share", "/usr/share",
>         "--ro-bind-try", "/usr/local/share", "/usr/local/share",
>         "--ro-bind-try", DATADIR, DATADIR,
> 
>        // Bind mount the store inside the WebKitGTK sandbox.
>        "--ro-bind", "@storedir@", "@storedir@",
> 
>         // We only grant access to the libdirs webkit is built with and
>         // guess system libdirs. This will always have some edge cases.
>         "--ro-bind-try", "/lib", "/lib",
>         "--ro-bind-try", "/usr/lib", "/usr/lib",
>         "--ro-bind-try", "/usr/local/lib", "/usr/local/lib",
>         "--ro-bind-try", LIBDIR, LIBDIR,
>         "--ro-bind-try", "/lib64", "/lib64",
>         "--ro-bind-try", "/usr/lib64", "/usr/lib64",
>         "--ro-bind-try", "/usr/local/lib64", "/usr/local/lib64",
> 
>         "--ro-bind-try", PKGLIBEXECDIR, PKGLIBEXECDIR,
>     };
> 
>     if (launchOptions.processType == ProcessLauncher::ProcessType::DBusProxy) {
>         sandboxArgs.appendVector(Vector<CString>({
> ==>         "--ro-bind", "/usr/bin", "/usr/bin",
>             // This is a lot of access, but xdg-dbus-proxy is trusted so that's OK. It's sandboxed
>             // only because we have to mount .flatpak-info in its mount namespace. The user rundir
>             // is where we mount our proxy socket.
>             "--bind", runDir, runDir,
>         }));
>     } else {
>         // xdg-dbus-proxy needs access to host abstract sockets to connect to the a11y bus. Secure
>         // host services must not use abstract sockets. Otherwise, only the network process should
>         // have network access, and the network process is not sandboxed at all.
>         sandboxArgs.appendVector(Vector<CString>({
>             "--unshare-net"
>         }));
>     }
> --8<---------------cut here---------------end--------------->8---
> 
>        Mark

-- 
Efraim Flashner   <efraim <at> flashner.co.il>   אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D  14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted

[signature.asc (application/pgp-signature, inline)]
This bug report was last modified 3 years and 68 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.