GNU bug report logs - #47628
webkitgtk-2.32.0 fails to launch without /usr/bin


Package: guix;

Reported by: Mark H Weaver <mhw <at> netris.org>

Date: Tue, 6 Apr 2021 22:48:01 UTC

Severity: normal

Done: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>

Bug is archived. No further changes may be made.



Report forwarded to bug-guix <at> gnu.org:
bug#47628; Package guix. (Tue, 06 Apr 2021 22:48:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Mark H Weaver <mhw <at> netris.org>:
New bug report received and forwarded. Copy sent to bug-guix <at> gnu.org. (Tue, 06 Apr 2021 22:48:02 GMT) Full text and rfc822 format available.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Mark H Weaver <mhw <at> netris.org>
To: bug-guix <at> gnu.org
Subject: Epiphany fails to launch after webkitgtk-2.32.0 update
Date: Tue, 06 Apr 2021 18:46:14 -0400
FYI, since updating to webkitgtk-2.32.0 (commit
3c5e1412e3ef769df8e4826d0aedabaa3aa0d631), epiphany fails to launch: no
window appears, although GNOME Shell shows an empty outline in overview
mode, as if there's a window but it has never been painted.

When running 'epiphany' from the command line, I see the following
warning from 'bwrap', which indicates that it's looking in /usr/bin:

--8<---------------cut here---------------start------------->8---
mhw <at> jojen ~$ epiphany

** (epiphany:1016): WARNING **: 18:36:48.495: Registering special URI scheme ftp is no longer allowed
bwrap: Can't find source path /usr/bin: No such file or directory
--8<---------------cut here---------------end--------------->8---

I wonder if this only works when Guix is run on top of a more
traditional OS that has /usr/bin.

Is anyone successfully able to use Epiphany on a pure Guix system
(without /usr/bin) with Webkitgtk-2.32.0?  (The Webkitgtk version is
shown in the "About Web" window, which is accessible from the hamburger
menu.)

      Mark




Information forwarded to bug-guix <at> gnu.org:
bug#47628; Package guix. (Tue, 06 Apr 2021 23:06:02 GMT) Full text and rfc822 format available.

Message #8 received at 47628 <at> debbugs.gnu.org (full text, mbox):

From: Mark H Weaver <mhw <at> netris.org>
To: 47628 <at> debbugs.gnu.org
Subject: webkitgtk-2.32.0 is broken on my system (was Re: bug#47628:
 Epiphany fails to launch after webkitgtk-2.32.0 update)
Date: Tue, 06 Apr 2021 19:04:06 -0400
retitle 47628 webkitgtk-2.32.0 is broken on my system
thanks

Mark H Weaver <mhw <at> netris.org> writes:

> FYI, since updating to webkitgtk-2.32.0 (commit
> 3c5e1412e3ef769df8e4826d0aedabaa3aa0d631), epiphany fails to launch: no
> window appears, although GNOME Shell shows an empty outline in overview
> mode, as if there's a window but it has never been painted.
>
> When running 'epiphany' from the command line, I see the following
> warning from 'bwrap', which indicates that it's looking in /usr/bin:

I see exactly the same behavior with 'eolie': the window never appears
(except for an outline in GNOME Shell's overview mode), and I see the
same warning:

  "bwrap: Can't find source path /usr/bin: No such file or directory"

In both cases, if I try to close the phantom window from overview mode,
it informs me that the application is not responding, and I have to
force quit to make the phantom window go away.

       Mark




Information forwarded to bug-guix <at> gnu.org:
bug#47628; Package guix. (Wed, 07 Apr 2021 07:37:02 GMT) Full text and rfc822 format available.

Message #11 received at 47628 <at> debbugs.gnu.org (full text, mbox):

From: Guillaume Le Vaillant <glv <at> posteo.net>
To: Mark H Weaver <mhw <at> netris.org>
Cc: 47628 <at> debbugs.gnu.org
Subject: Re: bug#47628: webkitgtk-2.32.0 is broken on my system
Date: Wed, 07 Apr 2021 09:35:48 +0200
Mark H Weaver <mhw <at> netris.org> skribis:

> retitle 47628 webkitgtk-2.32.0 is broken on my system
> thanks
>
> Mark H Weaver <mhw <at> netris.org> writes:
>
>> FYI, since updating to webkitgtk-2.32.0 (commit
>> 3c5e1412e3ef769df8e4826d0aedabaa3aa0d631), epiphany fails to launch: no
>> window appears, although GNOME Shell shows an empty outline in overview
>> mode, as if there's a window but it has never been painted.
>>
>> When running 'epiphany' from the command line, I see the following
>> warning from 'bwrap', which indicates that it's looking in /usr/bin:
>
> I see exactly the same behavior with 'eolie': the window never appears
> (except for an outline in GNOME Shell's overview mode), and I see the
> same warning:
>
>   "bwrap: Can't find source path /usr/bin: No such file or directory"
>
> In both cases, if I try to close the phantom window from overview mode,
> it informs me that the application is not responding, and I have to
> force quit to make the phantom window go away.
>
>        Mark

On my Guix system, epiphany with webkitgtk-2.32.0 seems to work fine
(with Guix at commit 14392c77896561c5846c0f3a0588720792d61e95).
The window appears and I can browse websites, and it doesn't print any
error about 'bwrap'.
I'm using StumpWM and not Gnome Shell; I don't know if it has an impact
on epiphany's behavior.

Information forwarded to bug-guix <at> gnu.org:
bug#47628; Package guix. (Thu, 08 Apr 2021 08:24:01 GMT) Full text and rfc822 format available.

Message #14 received at 47628 <at> debbugs.gnu.org (full text, mbox):

From: Efraim Flashner <efraim <at> flashner.co.il>
To: Guillaume Le Vaillant <glv <at> posteo.net>
Cc: Mark H Weaver <mhw <at> netris.org>, 47628 <at> debbugs.gnu.org
Subject: Re: bug#47628: webkitgtk-2.32.0 is broken on my system
Date: Thu, 8 Apr 2021 11:22:49 +0300
On Wed, Apr 07, 2021 at 09:35:48AM +0200, Guillaume Le Vaillant wrote:
> Mark H Weaver <mhw <at> netris.org> skribis:
> 
> > retitle 47628 webkitgtk-2.32.0 is broken on my system
> > thanks
> >
> > Mark H Weaver <mhw <at> netris.org> writes:
> >
> >> FYI, since updating to webkitgtk-2.32.0 (commit
> >> 3c5e1412e3ef769df8e4826d0aedabaa3aa0d631), epiphany fails to launch: no
> >> window appears, although GNOME Shell shows an empty outline in overview
> >> mode, as if there's a window but it has never been painted.
> >>
> >> When running 'epiphany' from the command line, I see the following
> >> warning from 'bwrap', which indicates that it's looking in /usr/bin:
> >
> > I see exactly the same behavior with 'eolie': the window never appears
> > (except for an outline in GNOME Shell's overview mode), and I see the
> > same warning:
> >
> >   "bwrap: Can't find source path /usr/bin: No such file or directory"
> >
> > In both cases, if I try to close the phantom window from overview mode,
> > it informs me that the application is not responding, and I have to
> > force quit to make the phantom window go away.
> >
> >        Mark
> 
> On my Guix system, epiphany with webkitgtk-2.32.0 seems to work fine
> (with Guix at commit 14392c77896561c5846c0f3a0588720792d61e95).
> The window appears and I can browse websites, and it doesn't print any
> error about 'bwrap'.
> I'm using StumpWM and not Gnome Shell; I don't know if it has an impact
> on epiphany's behavior.

It "works" for me on bb4f47a7f614eea78a8c8a0d3e5fc55bf4e52646, using Guix
System with Enlightenment. I get errors about not committing changes to
dconf and I'm unable to change settings in preferences. Does your system
have /bin/sh or /usr/bin/env? That's the only thing I have in /usr/bin.

-- 
Efraim Flashner   <efraim <at> flashner.co.il>   אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D  14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted

Information forwarded to bug-guix <at> gnu.org:
bug#47628; Package guix. (Thu, 08 Apr 2021 14:22:02 GMT) Full text and rfc822 format available.

Message #17 received at 47628 <at> debbugs.gnu.org (full text, mbox):

From: Mark H Weaver <mhw <at> netris.org>
To: Efraim Flashner <efraim <at> flashner.co.il>, Guillaume Le Vaillant
 <glv <at> posteo.net>
Cc: 47628 <at> debbugs.gnu.org
Subject: Re: bug#47628: webkitgtk-2.32.0 fails to launch without /usr/bin/env
Date: Thu, 08 Apr 2021 10:19:37 -0400
retitle 47628 webkitgtk-2.32.0 fails to launch without /usr/bin/env
thanks

Hi Efraim,

Efraim Flashner <efraim <at> flashner.co.il> writes:
> It "works" for me on bb4f47a7f614eea78a8c8a0d3e5fc55bf4e52646, using Guix
> System with Enlightenment. I get errors about not committing changes to
> dconf and I'm unable to change settings in preferences. Does your system
> have /bin/sh or /usr/bin/env? That's the only thing I have in /usr/bin.

That's it!  I have /bin/sh but not /usr/bin/env.  Adding /usr/bin/env
fixes the problem for me.

It would be good to eliminate that dependency.  If webkitgtk is using
/usr/bin/env from within its sandbox, that's worrisome.  I want it using
software components determined at build time.  I do *not* want it
searching in PATH for things.

To be continued...

     Mark




Changed bug title to 'webkitgtk-2.32.0 fails to launch without /usr/bin/env' from 'Epiphany fails to launch after webkitgtk-2.32.0 update' Request was from Mark H Weaver <mhw <at> netris.org> to control <at> debbugs.gnu.org. (Thu, 08 Apr 2021 14:22:02 GMT) Full text and rfc822 format available.

Information forwarded to bug-guix <at> gnu.org:
bug#47628; Package guix. (Thu, 08 Apr 2021 14:35:01 GMT) Full text and rfc822 format available.

Message #22 received at 47628 <at> debbugs.gnu.org (full text, mbox):

From: Mark H Weaver <mhw <at> netris.org>
To: Efraim Flashner <efraim <at> flashner.co.il>, Guillaume Le Vaillant
 <glv <at> posteo.net>
Cc: 47628 <at> debbugs.gnu.org
Subject: Re: bug#47628: webkitgtk-2.32.0 fails to launch without /usr/bin
Date: Thu, 08 Apr 2021 10:32:38 -0400
retitle 47628 webkitgtk-2.32.0 fails to launch without /usr/bin
thanks

Earlier, I wrote:
> That's it!  I have /bin/sh but not /usr/bin/env.  Adding /usr/bin/env
> fixes the problem for me.

Actually, it suffices for /usr/bin to exist as an empty directory.
/usr/bin/env is never actually used.

       Mark




Changed bug title to 'webkitgtk-2.32.0 fails to launch without /usr/bin' from 'webkitgtk-2.32.0 fails to launch without /usr/bin/env' Request was from Mark H Weaver <mhw <at> netris.org> to control <at> debbugs.gnu.org. (Thu, 08 Apr 2021 14:35:01 GMT) Full text and rfc822 format available.

Information forwarded to bug-guix <at> gnu.org:
bug#47628; Package guix. (Thu, 08 Apr 2021 15:10:02 GMT) Full text and rfc822 format available.

Message #27 received at 47628 <at> debbugs.gnu.org (full text, mbox):

From: Mark H Weaver <mhw <at> netris.org>
To: Efraim Flashner <efraim <at> flashner.co.il>, Guillaume Le Vaillant
 <glv <at> posteo.net>
Cc: 47628 <at> debbugs.gnu.org
Subject: Re: bug#47628: webkitgtk-2.32.0 fails to launch without /usr/bin
Date: Thu, 08 Apr 2021 11:07:31 -0400
I suspect that the relevant bit that needs to be changed is line 779 of
the following file in the webkitgtk-2.32.0 source code:

  Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp

Most likely, that line can simply be deleted.  Here's the relevant
excerpt, with line 779 marked by "==>":

--8<---------------cut here---------------start------------->8---
GRefPtr<GSubprocess> bubblewrapSpawn(GSubprocessLauncher* launcher, const ProcessLauncher::LaunchOptions& launchOptions, char** argv, GError **error)
{
    ASSERT(launcher);

    // For now we are just considering the network process trusted as it
    // requires a lot of access but doesn't execute arbitrary code like
    // the WebProcess where our focus lies.
    if (launchOptions.processType == ProcessLauncher::ProcessType::Network)
        return adoptGRef(g_subprocess_launcher_spawnv(launcher, argv, error));

    const char* runDir = g_get_user_runtime_dir();
    Vector<CString> sandboxArgs = {
        "--die-with-parent",
        "--unshare-pid",
        "--unshare-uts",

        // We assume /etc has safe permissions.
        // At a later point we can start masking privacy-concerning files.
        "--ro-bind", "/etc", "/etc",
        "--dev", "/dev",
        "--proc", "/proc",
        "--tmpfs", "/tmp",
        "--unsetenv", "TMPDIR",
        "--dir", runDir,
        "--setenv", "XDG_RUNTIME_DIR", runDir,
        "--symlink", "../run", "/var/run",
        "--symlink", "../tmp", "/var/tmp",
        "--ro-bind", "/sys/block", "/sys/block",
        "--ro-bind", "/sys/bus", "/sys/bus",
        "--ro-bind", "/sys/class", "/sys/class",
        "--ro-bind", "/sys/dev", "/sys/dev",
        "--ro-bind", "/sys/devices", "/sys/devices",

        "--ro-bind-try", "/usr/share", "/usr/share",
        "--ro-bind-try", "/usr/local/share", "/usr/local/share",
        "--ro-bind-try", DATADIR, DATADIR,

       // Bind mount the store inside the WebKitGTK sandbox.
       "--ro-bind", "@storedir@", "@storedir@",

        // We only grant access to the libdirs webkit is built with and
        // guess system libdirs. This will always have some edge cases.
        "--ro-bind-try", "/lib", "/lib",
        "--ro-bind-try", "/usr/lib", "/usr/lib",
        "--ro-bind-try", "/usr/local/lib", "/usr/local/lib",
        "--ro-bind-try", LIBDIR, LIBDIR,
        "--ro-bind-try", "/lib64", "/lib64",
        "--ro-bind-try", "/usr/lib64", "/usr/lib64",
        "--ro-bind-try", "/usr/local/lib64", "/usr/local/lib64",

        "--ro-bind-try", PKGLIBEXECDIR, PKGLIBEXECDIR,
    };

    if (launchOptions.processType == ProcessLauncher::ProcessType::DBusProxy) {
        sandboxArgs.appendVector(Vector<CString>({
==>         "--ro-bind", "/usr/bin", "/usr/bin",
            // This is a lot of access, but xdg-dbus-proxy is trusted so that's OK. It's sandboxed
            // only because we have to mount .flatpak-info in its mount namespace. The user rundir
            // is where we mount our proxy socket.
            "--bind", runDir, runDir,
        }));
    } else {
        // xdg-dbus-proxy needs access to host abstract sockets to connect to the a11y bus. Secure
        // host services must not use abstract sockets. Otherwise, only the network process should
        // have network access, and the network process is not sandboxed at all.
        sandboxArgs.appendVector(Vector<CString>({
            "--unshare-net"
        }));
    }
--8<---------------cut here---------------end--------------->8---

       Mark




Information forwarded to bug-guix <at> gnu.org:
bug#47628; Package guix. (Tue, 13 Apr 2021 11:35:01 GMT) Full text and rfc822 format available.

Message #30 received at 47628 <at> debbugs.gnu.org (full text, mbox):

From: Efraim Flashner <efraim <at> flashner.co.il>
To: Mark H Weaver <mhw <at> netris.org>
Cc: Guillaume Le Vaillant <glv <at> posteo.net>, 47628 <at> debbugs.gnu.org
Subject: Re: bug#47628: webkitgtk-2.32.0 fails to launch without /usr/bin
Date: Fri, 9 Apr 2021 13:09:03 +0300
On Thu, Apr 08, 2021 at 11:07:31AM -0400, Mark H Weaver wrote:
> I suspect that the relevant bit that needs to be changed is line 779 of
> the following file in the webkitgtk-2.32.0 source code:
> 
>   Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp
> 
> Most likely, that line can simply be deleted.  Here's the relevant
> excerpt, with line 779 marked by "==>":

Looking at the other lines above it, we could just change it from
ro-bind to ro-bind-try.

> 
> --8<---------------cut here---------------start------------->8---
> GRefPtr<GSubprocess> bubblewrapSpawn(GSubprocessLauncher* launcher, const ProcessLauncher::LaunchOptions& launchOptions, char** argv, GError **error)
> {
>     ASSERT(launcher);
> 
>     // For now we are just considering the network process trusted as it
>     // requires a lot of access but doesn't execute arbitrary code like
>     // the WebProcess where our focus lies.
>     if (launchOptions.processType == ProcessLauncher::ProcessType::Network)
>         return adoptGRef(g_subprocess_launcher_spawnv(launcher, argv, error));
> 
>     const char* runDir = g_get_user_runtime_dir();
>     Vector<CString> sandboxArgs = {
>         "--die-with-parent",
>         "--unshare-pid",
>         "--unshare-uts",
> 
>         // We assume /etc has safe permissions.
>         // At a later point we can start masking privacy-concerning files.
>         "--ro-bind", "/etc", "/etc",
>         "--dev", "/dev",
>         "--proc", "/proc",
>         "--tmpfs", "/tmp",
>         "--unsetenv", "TMPDIR",
>         "--dir", runDir,
>         "--setenv", "XDG_RUNTIME_DIR", runDir,
>         "--symlink", "../run", "/var/run",
>         "--symlink", "../tmp", "/var/tmp",
>         "--ro-bind", "/sys/block", "/sys/block",
>         "--ro-bind", "/sys/bus", "/sys/bus",
>         "--ro-bind", "/sys/class", "/sys/class",
>         "--ro-bind", "/sys/dev", "/sys/dev",
>         "--ro-bind", "/sys/devices", "/sys/devices",
> 
>         "--ro-bind-try", "/usr/share", "/usr/share",
>         "--ro-bind-try", "/usr/local/share", "/usr/local/share",
>         "--ro-bind-try", DATADIR, DATADIR,
> 
>        // Bind mount the store inside the WebKitGTK sandbox.
>        "--ro-bind", "@storedir@", "@storedir@",
> 
>         // We only grant access to the libdirs webkit is built with and
>         // guess system libdirs. This will always have some edge cases.
>         "--ro-bind-try", "/lib", "/lib",
>         "--ro-bind-try", "/usr/lib", "/usr/lib",
>         "--ro-bind-try", "/usr/local/lib", "/usr/local/lib",
>         "--ro-bind-try", LIBDIR, LIBDIR,
>         "--ro-bind-try", "/lib64", "/lib64",
>         "--ro-bind-try", "/usr/lib64", "/usr/lib64",
>         "--ro-bind-try", "/usr/local/lib64", "/usr/local/lib64",
> 
>         "--ro-bind-try", PKGLIBEXECDIR, PKGLIBEXECDIR,
>     };
> 
>     if (launchOptions.processType == ProcessLauncher::ProcessType::DBusProxy) {
>         sandboxArgs.appendVector(Vector<CString>({
> ==>         "--ro-bind", "/usr/bin", "/usr/bin",
>             // This is a lot of access, but xdg-dbus-proxy is trusted so that's OK. It's sandboxed
>             // only because we have to mount .flatpak-info in its mount namespace. The user rundir
>             // is where we mount our proxy socket.
>             "--bind", runDir, runDir,
>         }));
>     } else {
>         // xdg-dbus-proxy needs access to host abstract sockets to connect to the a11y bus. Secure
>         // host services must not use abstract sockets. Otherwise, only the network process should
>         // have network access, and the network process is not sandboxed at all.
>         sandboxArgs.appendVector(Vector<CString>({
>             "--unshare-net"
>         }));
>     }
> --8<---------------cut here---------------end--------------->8---
> 
>        Mark

-- 
Efraim Flashner   <efraim <at> flashner.co.il>   אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D  14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted

Information forwarded to bug-guix <at> gnu.org:
bug#47628; Package guix. (Tue, 13 Apr 2021 19:25:01 GMT) Full text and rfc822 format available.

Message #33 received at 47628 <at> debbugs.gnu.org (full text, mbox):

From: Mark H Weaver <mhw <at> netris.org>
To: Efraim Flashner <efraim <at> flashner.co.il>
Cc: Guillaume Le Vaillant <glv <at> posteo.net>, 47628 <at> debbugs.gnu.org
Subject: Re: bug#47628: webkitgtk-2.32.0 fails to launch without /usr/bin
Date: Tue, 13 Apr 2021 15:22:47 -0400
Hi Efraim,

Efraim Flashner <efraim <at> flashner.co.il> writes:

> On Thu, Apr 08, 2021 at 11:07:31AM -0400, Mark H Weaver wrote:
>> I suspect that the relevant bit that needs to be changed is line 779 of
>> the following file in the webkitgtk-2.32.0 source code:
>> 
>>   Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp
>> 
>> Most likely, that line can simply be deleted.  Here's the relevant
>> excerpt, with line 779 marked by "==>":
>
> Looking at the other lines above it, we could just change it from
> ro-bind to ro-bind-try.

I expect that would work, but why should we give the sandbox access to
/usr/bin at all?  I took a different approach: I removed access to *all*
of the FHS directories, since they should not be needed for a
Guix-compiled package.

Below, I've attached the patch that I'm currently using successfully on
my private branch of Guix.

What do you think?

     Thanks,
       Mark

[0001-DRAFT-gnu-webkitgtk-Trim-system-dirs-made-available-.patch (text/x-patch, inline)]
From 4a10e1deb63d1b2227a0bcc60a17ddb9af7b8cc3 Mon Sep 17 00:00:00 2001
From: Mark H Weaver <mhw <at> netris.org>
Date: Thu, 8 Apr 2021 11:27:55 -0400
Subject: [PATCH] DRAFT: gnu: webkitgtk: Trim system dirs made available to
 sandbox.

* gnu/packages/patches/webkitgtk-share-store.patch: Adjust patch.
---
 .../patches/webkitgtk-share-store.patch       | 46 ++++++++++++++-----
 1 file changed, 34 insertions(+), 12 deletions(-)

diff --git a/gnu/packages/patches/webkitgtk-share-store.patch b/gnu/packages/patches/webkitgtk-share-store.patch
index 053d86fcf4..c02157076e 100644
--- a/gnu/packages/patches/webkitgtk-share-store.patch
+++ b/gnu/packages/patches/webkitgtk-share-store.patch
@@ -1,19 +1,41 @@
-Tell bubblewrap to share the store.  Required for programs that use the
+Tell bubblewrap to share the store, and _not_ to share traditional FHS
+directories that are not used in Guix.  Required for programs that use the
 sandboxing features such as Epiphany.
 
-See <https://bugs.gnu.org/40837>.
-Author: Jack Hill <jackhill <at> jackhill.us>
----
+See <https://bugs.gnu.org/40837> and <https://bugs.gnu.org/47628>.
+Authors: Jack Hill <jackhill <at> jackhill.us> and Mark H Weaver <mhw <at> netris.org>.
+
 diff --git a/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp b/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp
 --- a/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp
 +++ b/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp
-@@ -737,6 +737,9 @@ GRefPtr<GSubprocess> bubblewrapSpawn(GSubprocessLauncher* launcher, const Proces
-         "--ro-bind-try", "/usr/local/share", "/usr/local/share",
+@@ -749,26 +749,18 @@
+         "--ro-bind", "/sys/dev", "/sys/dev",
+         "--ro-bind", "/sys/devices", "/sys/devices",
+ 
+-        "--ro-bind-try", "/usr/share", "/usr/share",
+-        "--ro-bind-try", "/usr/local/share", "/usr/local/share",
          "--ro-bind-try", DATADIR, DATADIR,
  
-+       // Bind mount the store inside the WebKitGTK sandbox.
-+       "--ro-bind", "@storedir@", "@storedir@",
-+
-         // We only grant access to the libdirs webkit is built with and
-         // guess system libdirs. This will always have some edge cases.
-         "--ro-bind-try", "/lib", "/lib",
+-        // We only grant access to the libdirs webkit is built with and
+-        // guess system libdirs. This will always have some edge cases.
+-        "--ro-bind-try", "/lib", "/lib",
+-        "--ro-bind-try", "/usr/lib", "/usr/lib",
+-        "--ro-bind-try", "/usr/local/lib", "/usr/local/lib",
+-        "--ro-bind-try", LIBDIR, LIBDIR,
+-        "--ro-bind-try", "/lib64", "/lib64",
+-        "--ro-bind-try", "/usr/lib64", "/usr/lib64",
+-        "--ro-bind-try", "/usr/local/lib64", "/usr/local/lib64",
++        // Bind mount the store inside the WebKitGTK sandbox.
++        "--ro-bind", "@storedir@", "@storedir@",
+ 
++        // We only grant access to the libdirs webkit is built with.
++        "--ro-bind-try", LIBDIR, LIBDIR,
+         "--ro-bind-try", PKGLIBEXECDIR, PKGLIBEXECDIR,
+     };
+ 
+     if (launchOptions.processType == ProcessLauncher::ProcessType::DBusProxy) {
+         sandboxArgs.appendVector(Vector<CString>({
+-            "--ro-bind", "/usr/bin", "/usr/bin",
+             // This is a lot of access, but xdg-dbus-proxy is trusted so that's OK. It's sandboxed
+             // only because we have to mount .flatpak-info in its mount namespace. The user rundir
+             // is where we mount our proxy socket.
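Review bot: the ChangeLog entry "Adjust patch." should state why dropping these binds is safe, since the inner hunk removes the `--ro-bind "/usr/bin"` line for the DBusProxy process and every `/lib*`, `/usr/share` and `/usr/local/share` bind-try at once: the justification (xdg-dbus-proxy, the libraries the sandboxed processes load and their dynamic loader are all Guix-built and therefore reachable through the retained `"--ro-bind", "@storedir@", "@storedir@"` line) currently lives only in this thread, and belongs in the commit message and in the header of webkitgtk-share-store.patch so a future rebase does not reintroduce the FHS binds. Two smaller points: the rewritten inner hunk header `@@ -749,26 +749,18 @@` drops the `bubblewrapSpawn(...)` function context that the old `@@ -737,6 +737,9 @@ GRefPtr<GSubprocess> bubblewrapSpawn(...` header carried, which helps when re-applying the patch to later releases; and the header sentence "and _not_ to share traditional FHS directories" overstates the change a little, because the `/etc` and `/sys/*` binds remain, so "the FHS library and binary directories" would be the precise wording. The "DRAFT:" prefix in the subject also needs to go before this is pushed.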
-- 
2.31.1
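To make the difference between the two proposals in this thread concrete (Efraim's `ro-bind-try` for `/usr/bin` versus the draft patch that trims every FHS bind), here is an added example that is not code from the bug thread, from WebKitGTK or from Guix. It is a Python preflight check: it walks a bwrap argument vector built the way `BubblewrapLauncher.cpp` builds it and reports which bind sources would make bwrap abort with "Can't find source path" and which `-try` binds it would silently skip, offline, against a constructed directory tree that has no `/usr/bin`. The store paths under `/gnu/store/EXAMPLE-webkitgtk-2.32.0`, the runtime dir `/run/user/1000`, the option-arity table (only the options used on this page) and the directory tree are all assumptions made for the example.

```python
"""bwrap argv preflight (added example; not code from the bug thread, WebKitGTK or
Guix).  bwrap aborts with "Can't find source path" when the source of
--ro-bind/--bind/--dev-bind is missing but silently skips the *-try variants;
this reports both cases offline, against a constructed tree with no /usr/bin."""
import os
import tempfile

FATAL_BINDS = {"--ro-bind", "--bind", "--dev-bind"}            # missing source: bwrap exits
TRY_BINDS = {"--ro-bind-try", "--bind-try", "--dev-bind-try"}  # missing source: skipped
TWO_ARG = FATAL_BINDS | TRY_BINDS | {"--symlink", "--setenv"}
ONE_ARG = {"--dir", "--dev", "--proc", "--tmpfs", "--unsetenv"}  # others here take none

# Placeholders for @storedir@, DATADIR, LIBDIR, PKGLIBEXECDIR and XDG_RUNTIME_DIR;
# the real values are substituted when Guix builds webkitgtk.
STOREDIR = "/gnu/store"
STORE_ITEM = STOREDIR + "/EXAMPLE-webkitgtk-2.32.0"
DATADIR, LIBDIR, PKGLIBEXECDIR = (STORE_ITEM + s for s in ("/share", "/lib", "/libexec/webkit"))
RUN_DIR = "/run/user/1000"
# Binds the draft patch removes: FHS paths a Guix-built package never needs.
FHS_DROP = {"/usr/share", "/usr/local/share", "/lib", "/usr/lib", "/usr/local/lib",
            "/lib64", "/usr/lib64", "/usr/local/lib64", "/usr/bin"}

def arity(opt):
    """argv slots an option occupies, including the option itself."""
    return 3 if opt in TWO_ARG else 2 if opt in ONE_ARG else 1

def preflight(args, root="/"):
    """Return (fatal, skipped): bind sources that would abort bwrap, and -try sources
    it would ignore.  `root` is prepended so the check can run on a constructed tree."""
    fatal, skipped, i = [], [], 0
    while i < len(args):
        opt = args[i]
        if opt in FATAL_BINDS or opt in TRY_BINDS:
            src = args[i + 1]
            if not os.path.exists(os.path.join(root, src.lstrip("/"))):
                (fatal if opt in FATAL_BINDS else skipped).append(src)
        i += arity(opt)
    return fatal, skipped

def webkit_2_32_args(run_dir, dbus_proxy=True):
    """The argv BubblewrapLauncher.cpp builds in 2.32.0 (with Guix's @storedir@ bind),
    for the DBusProxy process or for a web process."""
    args = ["--die-with-parent", "--unshare-pid", "--unshare-uts",
            "--ro-bind", "/etc", "/etc", "--dev", "/dev", "--proc", "/proc",
            "--tmpfs", "/tmp", "--unsetenv", "TMPDIR", "--dir", run_dir,
            "--setenv", "XDG_RUNTIME_DIR", run_dir,
            "--symlink", "../run", "/var/run", "--symlink", "../tmp", "/var/tmp"]
    for d in ("block", "bus", "class", "dev", "devices"):
        args += ["--ro-bind", "/sys/" + d, "/sys/" + d]
    for d in ("/usr/share", "/usr/local/share", DATADIR):
        args += ["--ro-bind-try", d, d]
    args += ["--ro-bind", STOREDIR, STOREDIR]
    for d in ("/lib", "/usr/lib", "/usr/local/lib", LIBDIR,
              "/lib64", "/usr/lib64", "/usr/local/lib64", PKGLIBEXECDIR):
        args += ["--ro-bind-try", d, d]
    if dbus_proxy:  # the branch holding the fatal /usr/bin bind (line 779)
        args += ["--ro-bind", "/usr/bin", "/usr/bin", "--bind", run_dir, run_dir]
    else:
        args += ["--unshare-net"]
    return args

def trim_fhs(args):
    """Mark's approach: drop every bind whose source is an FHS directory."""
    out, i = [], 0
    while i < len(args):
        n = arity(args[i])
        if n == 3 and args[i + 1] in FHS_DROP:
            i += 3  # skip the whole (option, source, dest) triple
            continue
        out += args[i:i + n]
        i += n
    return out

def bind_to_try(args, src):
    """Efraim's approach: let only the bind of `src` tolerate a missing source."""
    out = list(args)
    for i in range(len(out) - 1):
        if out[i] in FATAL_BINDS and out[i + 1] == src:
            out[i] += "-try"
    return out

def make_constructed_root():
    """Throwaway tree mimicking a Guix System with no /usr/bin (constructed data)."""
    root = tempfile.mkdtemp(prefix="bwrap-preflight-")
    for d in ("etc", "dev", "proc", "sys/block", "sys/bus", "sys/class", "sys/dev",
              "sys/devices", RUN_DIR, DATADIR, LIBDIR, PKGLIBEXECDIR):
        os.makedirs(os.path.join(root, d.lstrip("/")), exist_ok=True)
    return root

if __name__ == "__main__":
    root, stock = make_constructed_root(), webkit_2_32_args(RUN_DIR)
    for name, args in (("2.32.0 as shipped", stock),
                       ("ro-bind-try for /usr/bin", bind_to_try(stock, "/usr/bin")),
                       ("FHS binds trimmed", trim_fhs(stock))):
        fatal, skipped = preflight(args, root)
        print(f"{name}: fatal={fatal} skipped={skipped}")
```

Run as a script, it prints one line per variant: the stock DBusProxy argv reports `/usr/bin` as the only fatal source (the eight `/lib*` and `/usr/*share` misses are merely skipped, which is why they never showed up in Mark's `bwrap` warning), the `ro-bind-try` variant moves `/usr/bin` into the skipped list, and the trimmed argv reports nothing at all. Pointing `preflight()` at `root="/"` runs the same check against the live system before launching a sandboxed process.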


Information forwarded to bug-guix <at> gnu.org:
bug#47628; Package guix. (Wed, 14 Apr 2021 15:24:01 GMT) Full text and rfc822 format available.

Message #36 received at 47628 <at> debbugs.gnu.org (full text, mbox):

From: Efraim Flashner <efraim <at> flashner.co.il>
To: Mark H Weaver <mhw <at> netris.org>
Cc: Guillaume Le Vaillant <glv <at> posteo.net>, 47628 <at> debbugs.gnu.org
Subject: Re: bug#47628: webkitgtk-2.32.0 fails to launch without /usr/bin
Date: Wed, 14 Apr 2021 18:22:29 +0300
On Tue, Apr 13, 2021 at 03:22:47PM -0400, Mark H Weaver wrote:
> Hi Efraim,
> 
> Efraim Flashner <efraim <at> flashner.co.il> writes:
> 
> > On Thu, Apr 08, 2021 at 11:07:31AM -0400, Mark H Weaver wrote:
> >> I suspect that the relevant bit that needs to be changed is line 779 of
> >> the following file in the webkitgtk-2.32.0 source code:
> >> 
> >>   Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp
> >> 
> >> Most likely, that line can simply be deleted.  Here's the relevant
> >> excerpt, with line 779 marked by "==>":
> >
> > Looking at the other lines above it, we could just change it from
> > ro-bind to ro-bind-try.
> 
> I expect that would work, but why should we give the sandbox access to
> /usr/bin at all?  I took a different approach: I removed access to *all*
> of the FHS directories, since they should not be needed for a
> Guix-compiled package.
> 
> Below, I've attached the patch that I'm currently using successfully on
> my private branch of Guix.
> 
> What do you think?
> 

Since we should be linking to any libraries we need anyway and patching
any calls out to other binaries, I suppose this should work. I
suggested ro-bind-try to minimize the patch size.


-- 
Efraim Flashner   <efraim <at> flashner.co.il>   אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D  14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted

Reply sent to Maxim Cournoyer <maxim.cournoyer <at> gmail.com>:
You have taken responsibility. (Fri, 18 Mar 2022 02:48:02 GMT) Full text and rfc822 format available.

Notification sent to Mark H Weaver <mhw <at> netris.org>:
bug acknowledged by developer. (Fri, 18 Mar 2022 02:48:02 GMT) Full text and rfc822 format available.

Message #41 received at 47628-done <at> debbugs.gnu.org (full text, mbox):

From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
To: Mark H Weaver <mhw <at> netris.org>
Cc: Guillaume Le Vaillant <glv <at> posteo.net>, 47628-done <at> debbugs.gnu.org,
 Efraim Flashner <efraim <at> flashner.co.il>
Subject: Re: bug#47628: webkitgtk-2.32.0 fails to launch without /usr/bin
Date: Thu, 17 Mar 2022 22:47:10 -0400
Hi Mark,

Mark H Weaver <mhw <at> netris.org> writes:

> Hi Efraim,
>
> Efraim Flashner <efraim <at> flashner.co.il> writes:
>
>> On Thu, Apr 08, 2021 at 11:07:31AM -0400, Mark H Weaver wrote:
>>> I suspect that the relevant bit that needs to be changed is line 779 of
>>> the following file in the webkitgtk-2.32.0 source code:
>>> 
>>>   Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp
>>> 
>>> Most likely, that line can simply be deleted.  Here's the relevant
>>> excerpt, with line 779 marked by "==>":
>>
>> Looking at the other lines above it, we could just change it from
>> ro-bind to ro-bind-try.
>
> I expect that would work, but why should we give the sandbox access to
> /usr/bin at all?  I took a different approach: I removed access to *all*
> of the FHS directories, since they should not be needed for a
> Guix-compiled package.
>
> Below, I've attached the patch that I'm currently using successfully on
> my private branch of Guix.
>
> What do you think?

Our webkitgtk package is patched in such a way (and more) since commit
b9a4705f80e89fff3b65288cbbe8df73a365aee3.

Thanks, 

Maxim




bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Fri, 15 Apr 2022 11:24:05 GMT) Full text and rfc822 format available.
