From b9a4705f80e89fff3b65288cbbe8df73a365aee3 Mon Sep 17 00:00:00 2001
From: Maxim Cournoyer
Date: Sun, 6 Feb 2022 23:26:24 -0500
Subject: gnu: webkitgtk: Adjust BubbleWrap wrapper.

This revisits with a fix that doesn't require to have PULSE_CLIENTCONFIG point to an absolute store location, which will allow us to revert to have PULSE_CLIENTCONFIG point to a fixed location under /etc. This would alleviate the need to reboot to have changes to the PulseAudio configuration effected.

* gnu/packages/patches/webkitgtk-share-store.patch: Delete file.
* gnu/packages/patches/webkitgtk-bubblewrap-paths.patch: Add file.
* gnu/packages/patches/webkitgtk-canonicalize-paths.patch: Likewise.
* gnu/local.mk (dist_patch_DATA): Update patches list.
* gnu/packages/webkit.scm (webkitgtk)[patches]: Adjust accordingly.
---
 gnu/local.mk | 3 +-
 .../webkitgtk-adjust-bubblewrap-paths.patch | 38 +++++++++++++
 .../patches/webkitgtk-bind-all-fonts.patch | 17 +++--
 .../patches/webkitgtk-canonicalize-paths.patch | 66 ++++++++++++++++++++++
 gnu/packages/patches/webkitgtk-share-store.patch | 19 -------
 gnu/packages/webkit.scm | 5 +-
 6 files changed, 117 insertions(+), 31 deletions(-)
 create mode 100644 gnu/packages/patches/webkitgtk-adjust-bubblewrap-paths.patch
 create mode 100644 gnu/packages/patches/webkitgtk-canonicalize-paths.patch
 delete mode 100644 gnu/packages/patches/webkitgtk-share-store.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index dcee1611b2..c4869f538c 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1925,8 +1925,9 @@ dist_patch_DATA = \
 %D%/packages/patches/vte-CVE-2012-2738-pt2.patch \
 %D%/packages/patches/vtk-fix-freetypetools-build-failure.patch \
 %D%/packages/patches/warsow-qfusion-fix-bool-return-type.patch \
- %D%/packages/patches/webkitgtk-share-store.patch \
 %D%/packages/patches/webkitgtk-bind-all-fonts.patch \
+ %D%/packages/patches/webkitgtk-adjust-bubblewrap-paths.patch \
+ %D%/packages/patches/webkitgtk-canonicalize-paths.patch \
 %D%/packages/patches/webrtc-audio-processing-big-endian.patch \
 %D%/packages/patches/websocketpp-fix-for-cmake-3.15.patch \
 %D%/packages/patches/wicd-bitrate-none-fix.patch \
diff --git a/gnu/packages/patches/webkitgtk-adjust-bubblewrap-paths.patch b/gnu/packages/patches/webkitgtk-adjust-bubblewrap-paths.patch
new file mode 100644
index 0000000000..18ddb645ad
--- /dev/null
+++ b/gnu/packages/patches/webkitgtk-adjust-bubblewrap-paths.patch
@@ -0,0 +1,38 @@
+Share /gnu/store in the BubbleWrap container and remove FHS mounts.
+
+This is a Guix-specific patch not meant to be upstreamed.
+diff --git a/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp b/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp
+index f0a5e4b05dff..88b11f806968 100644
+--- a/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp
++++ b/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp
+@@ -854,27 +854,12 @@ GRefPtr bubblewrapSpawn(GSubprocessLauncher* launcher, const Proces
+ "--ro-bind", "/sys/dev", "/sys/dev",
+ "--ro-bind", "/sys/devices", "/sys/devices",
+ 
+- "--ro-bind-try", "/usr/share", "/usr/share",
+- "--ro-bind-try", "/usr/local/share", "/usr/local/share",
+ "--ro-bind-try", DATADIR, DATADIR,
+-
+- // We only grant access to the libdirs webkit is built with and
+- // guess system libdirs. This will always have some edge cases.
+- "--ro-bind-try", "/lib", "/lib",
+- "--ro-bind-try", "/usr/lib", "/usr/lib",
+- "--ro-bind-try", "/usr/local/lib", "/usr/local/lib",
+ "--ro-bind-try", LIBDIR, LIBDIR,
+-#if CPU(ADDRESS64)
+- "--ro-bind-try", "/lib64", "/lib64",
+- "--ro-bind-try", "/usr/lib64", "/usr/lib64",
+- "--ro-bind-try", "/usr/local/lib64", "/usr/local/lib64",
+-#else
+- "--ro-bind-try", "/lib32", "/lib32",
+- "--ro-bind-try", "/usr/lib32", "/usr/lib32",
+- "--ro-bind-try", "/usr/local/lib32", "/usr/local/lib32",
+-#endif
+-
+ "--ro-bind-try", PKGLIBEXECDIR, PKGLIBEXECDIR,
++
++ // Bind mount the store inside the WebKitGTK sandbox.
++ "--ro-bind", "@storedir@", "@storedir@",
+ };
+ 
+ if (launchOptions.processType == ProcessLauncher::ProcessType::DBusProxy) {
diff --git a/gnu/packages/patches/webkitgtk-bind-all-fonts.patch b/gnu/packages/patches/webkitgtk-bind-all-fonts.patch
index e7b06cc650..27013180c4 100644
--- a/gnu/packages/patches/webkitgtk-bind-all-fonts.patch
+++ b/gnu/packages/patches/webkitgtk-bind-all-fonts.patch
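Review bot: The new `--ro-bind "@storedir@"` entry exposes the whole store to the sandboxed process, whereas the removed `/lib`, `/usr/lib` and `/usr/share` entries only exposed system library and data directories; on Guix the store is presumably world-readable on the host anyway, so this is not a new disclosure, but the sandbox's read view becomes much wider than upstream's and that trade-off should be written down beside the bind, e.g. `// Exposes every store item, not only WebKit's own libdirs; the sandbox no longer narrows what this user can already read on the host.` The `DATADIR`, `LIBDIR` and `PKGLIBEXECDIR` binds kept just above it very likely resolve to store paths on Guix and become redundant once the store is bound, which is worth noting too. Nothing in this diff substitutes the `@storedir@` placeholder; I assume the substitution in webkit.scm that served the deleted share-store patch still applies, but that should be confirmed. The enclosing `bubblewrapSpawn` argument list starts and ends outside the hunk.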
@@ -1,26 +1,25 @@ -Add fonts from all XDG_DATA_DIRS, not just XDG_DATA_HOME. +Upstream commit: https://github.com/WebKit/WebKit/commit/31ac354cbeecf866f9a38f7b2f8f59f7975d3f6a -See . -Author: Liliana Marie Prikler -Index: webkitgtk-2.28.2/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp -=================================================================== +diff --git a/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp b/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp +index ecc804663784..8de174be3c0e 100644 --- a/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp +++ b/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp -@@ -387,6 +387,7 @@ static void bindFonts(Vector& args) +@@ -288,6 +288,7 @@ static void bindFonts(Vector& args) const char* homeDir = g_get_home_dir(); const char* dataDir = g_get_user_data_dir(); const char* cacheDir = g_get_user_cache_dir(); + const char* const * dataDirs = g_get_system_data_dirs(); - + // Configs can include custom dirs but then we have to parse them... GUniquePtr fontConfig(g_build_filename(configDir, "fontconfig", nullptr)); -@@ -403,6 +404,10 @@ static void bindFonts(Vector& args) +@@ -304,6 +305,10 @@ static void bindFonts(Vector& args) bindIfExists(args, fontHomeConfigDir.get()); bindIfExists(args, fontData.get()); bindIfExists(args, fontHomeData.get()); -+ for (auto dataDir = dataDirs; dataDir != nullptr && *dataDir != nullptr; dataDir++) { ++ for (auto* dataDir = dataDirs; dataDir && *dataDir; dataDir++) { + GUniquePtr fontDataDir(g_build_filename(*dataDir, "fonts", nullptr)); + bindIfExists(args, fontDataDir.get()); + } bindIfExists(args, "/var/cache/fontconfig"); // Used by Debian. } + diff --git a/gnu/packages/patches/webkitgtk-canonicalize-paths.patch b/gnu/packages/patches/webkitgtk-canonicalize-paths.patch new file mode 100644 index 0000000000..741d534831 --- /dev/null +++ b/gnu/packages/patches/webkitgtk-canonicalize-paths.patch 
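Review bot: The rewritten header now says only `Upstream commit: <URL>`, dropping the one-line rationale the old text carried (fonts from all XDG_DATA_DIRS, not just XDG_DATA_HOME) and giving no hint of when the patch can go away; keeping a summary line and adding `Remove when updating to the WebKitGTK release that contains this commit.` would keep the patch self-describing for the next upgrade. The inner hunk offsets moving from 387/403 to 288/304 and the new `index ecc804663784..` line show the patch was regenerated against the upstream tree rather than the previously patched one, so it now relies on patch's offset tolerance relative to the other BubblewrapLauncher.cpp patches in this series. The enclosing `bindFonts` body starts and ends outside the inner hunks.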
@@ -0,0 +1,66 @@
+Upstream commit: https://github.com/WebKit/WebKit/commit/6a87eb254ef57a986a1a6ce9a3a4b66928afeb65
+
+diff --git a/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp b/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp
+index ecc804663784..a2a1c9d7a4dd 100644
+--- a/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp
++++ b/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp
+@@ -27,7 +27,6 @@
+ #include
+ #include
+ #include
+-#include
+ #include
+ #include
+ #include
+@@ -165,6 +164,15 @@ enum class BindFlags {
+ Device,
+ };
+ 
++static void bindSymlinksRealPath(Vector& args, const char* path, const char* bindOption = "--ro-bind")
++{
++ WTF::String realPath = FileSystem::realPath(path);
++ if (path != realPath) {
++ CString rpath = realPath.utf8();
++ args.appendVector(Vector({ bindOption, rpath.data(), rpath.data() }));
++ }
++}
++
+ static void bindIfExists(Vector& args, const char* path, BindFlags bindFlags = BindFlags::ReadOnly)
+ {
+ if (!path || path[0] == '\0')
+@@ -177,7 +185,16 @@ static void bindIfExists(Vector& args, const char* path, BindFlags bind
+ bindType = "--ro-bind-try";
+ else
+ bindType = "--bind-try";
+- args.appendVector(Vector({ bindType, path, path }));
++
++ // Canonicalize the source path, otherwise a symbolic link could
++ // point to a location outside of the namespace.
++ bindSymlinksRealPath(args, path, bindType);
++
++ // As /etc is exposed wholesale, do not layer extraneous bind
++ // directives on top, which could fail in the presence of symbolic
++ // links.
++ if (!g_str_has_prefix(path, "/etc/"))
++ args.appendVector(Vector({ bindType, path, path }));
+ }
+ 
+ static void bindDBusSession(Vector& args, bool allowPortals)
+@@ -410,17 +427,6 @@ static void bindV4l(Vector& args)
+ }));
+ }
+ 
+-static void bindSymlinksRealPath(Vector& args, const char* path)
+-{
+- char realPath[PATH_MAX];
+-
+- if (realpath(path, realPath) && strcmp(path, realPath)) {
+- args.appendVector(Vector({
+- "--ro-bind", realPath, realPath,
+- }));
+- }
+-}
+-
+ // Translate a libseccomp error code into an error message. libseccomp
+ // mostly returns negative errno values such as -ENOMEM, but some
+ // standard errno values are used for non-standard purposes where their
diff --git a/gnu/packages/patches/webkitgtk-share-store.patch b/gnu/packages/patches/webkitgtk-share-store.patch
deleted file mode 100644
index 053d86fcf4..0000000000
--- a/gnu/packages/patches/webkitgtk-share-store.patch
+++ /dev/null
@@ -1,19 +0,0 @@
-Tell bubblewrap to share the store. Required for programs that use the
-sandboxing features such as Epiphany.
-
-See .
-Author: Jack Hill
---
-diff --git a/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp b/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp
---- a/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp
-+++ b/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp
-@@ -737,6 +737,9 @@ GRefPtr bubblewrapSpawn(GSubprocessLauncher* launcher, const Proces
- "--ro-bind-try", "/usr/local/share", "/usr/local/share",
- "--ro-bind-try", DATADIR, DATADIR,
- 
-+ // Bind mount the store inside the WebKitGTK sandbox.
-+ "--ro-bind", "@storedir@", "@storedir@",
-+
- // We only grant access to the libdirs webkit is built with and
- // guess system libdirs. This will always have some edge cases.
- "--ro-bind-try", "/lib", "/lib",
diff --git a/gnu/packages/webkit.scm b/gnu/packages/webkit.scm
index 40537f5e0a..f79d6bd4f6 100644
--- a/gnu/packages/webkit.scm
+++ b/gnu/packages/webkit.scm
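Review bot: The new `bindSymlinksRealPath` binds the resolved target with the caller's `bindOption`, so when `bindIfExists` is invoked with a read-write flag the symlink's target is now mounted via `--bind-try`, i.e. writable, whereas the removed helper always used `--ro-bind` for the target; this follows the upstream commit but is a widening that deserves a comment at the call site, e.g. `// The resolved target inherits bindType: a read-write request also exposes the symlink's target read-write.` The `if (path != realPath)` guard only skips a no-op, and what `FileSystem::realPath` returns when the path does not exist is not visible here; for callers that rely on the default `"--ro-bind"` (non-try) option, an empty or otherwise non-existent result would make bwrap fail at launch, so that failure contract should be confirmed. The `/etc/` prefix test assumes `/etc` is bound wholesale elsewhere in this file, which is outside the hunk, as is the start of `bindIfExists`'s body.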
@@ -247,8 +247,9 @@ acceleration in mind, leveraging common 3D graphics APIs for best performance.") (sha256 (base32 "1xn1hhd0qaxmjf6vy6664i4mmmjsw9zgrr4w8ni3415d981zvj3b")) - (patches (search-patches "webkitgtk-share-store.patch" - "webkitgtk-bind-all-fonts.patch")))) + (patches (search-patches "webkitgtk-bind-all-fonts.patch" + "webkitgtk-adjust-bubblewrap-paths.patch" + "webkitgtk-canonicalize-paths.patch")))) (build-system cmake-build-system) (outputs '("out" "doc" "debug")) (arguments -- cgit v1.2.3
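Review bot: All three patches in the new `search-patches` list modify `Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp`, so their order here is load-bearing: bind-all-fonts and canonicalize-paths were both generated against the same upstream blob (`ecc804663784`) while adjust-bubblewrap-paths was generated against `f0a5e4b05dff`, so the later ones apply only thanks to patch's offset tolerance. A comment above the list, e.g. `;; Order matters: all three patch BubblewrapLauncher.cpp.`, would stop a future reorder from silently breaking the build. Both the removed share-store patch and the new adjust-bubblewrap-paths patch use the `@storedir@` placeholder, so whatever substitution served the former presumably still runs for the latter; that code is outside this hunk and should be confirmed.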