[GStreamer] plugin scanner not available in bwrap sandbox #40320
Conversation
|
EWS run on previous version of this PR (hash e1f1ed3) |
There was a problem hiding this comment.
I'm going to click Approve, but I do wonder if this is really significantly easier than just adding some more symlinks to sandboxArgs in bubblewrapSpawn to fix things for more than just GStreamer?
We could test if /lib64 is a symlink on the host, and if so, then do "--symlink", "/lib64", "/usr/lib64", and that should probably fix this? Then we don't need to wonder what else besides GStreamer might be broken.
I checked what flatpak does. flatpak_run_setup_usr_links() creates symlinks for abs_usrmerged_dirs which is defined in flatpak-exports.c to be /bin, /lib, /lib32, /lib64, and /sbin. That's not so many locations; doesn't seem too hard?
|
CC @TingPing |
|
Yeah, I suppose we can use the same approach as flatpak. I can rework this, thanks for the review/feedback. |
|
EWS run on previous version of this PR (hash 25b0e6d) |
|
I tried this, but ... |
| auto symLink = makeString("/usr"_s, directory, '/'); | ||
| args.appendVector(Vector<CString> { "--symlink", directory.utf8(), symLink.utf8() }); |
There was a problem hiding this comment.
I think this is backwards, which would explain why /usr/bin/xdg-dbus-proxy is missing:
| auto symLink = makeString("/usr"_s, directory, '/'); | |
| args.appendVector(Vector<CString> { "--symlink", directory.utf8(), symLink.utf8() }); | |
| auto linkTarget = makeString("/usr"_s, directory, '/'); | |
| args.appendVector(Vector<CString> { "--symlink", linkTarget.utf8(), directory.utf8() }); |
There was a problem hiding this comment.
I tried both ways, didn't notice an improvement either way.
| auto symLink = makeString("/usr"_s, directory); | ||
| args.appendVector(Vector<CString> { "--ro-bind-try", symLink.utf8(), symLink.utf8() }); |
There was a problem hiding this comment.
This fails on non-usrmerged systems, e.g. if /bin is not a symlink then it won't be bound.
What I would do is bind normally here instead:
| auto symLink = makeString("/usr"_s, directory); | |
| args.appendVector(Vector<CString> { "--ro-bind-try", symLink.utf8(), symLink.utf8() }); | |
| args.appendVector(Vector<CString> { "--ro-bind", directory.utf8(), directory.utf8() }); |
That will take care of binding any paths not under /usr, like /bin or /lib. But we also need to bind the paths under /usr, like /usr/bin or /usr/lib. We could do that above, in the if (fileType == FileSystem::FileType::SymbolicLink) condition, but that would fail if the symlinks ever get removed (you never know, it could happen 50 years from now!), so probably best to just restore the use of --ro-bind-try that you removed for the locations under /usr?
There was a problem hiding this comment.
The reason the current wip patch is like this is that --ro-bind* and --symlink don't seem to play well together. If I keep both I get this bwrap: Can't make symlink at /bin: destination exists and is not a symlink.
I think this needs the attention of someone actually familiar with the bwrap options.
There was a problem hiding this comment.
The options do exactly what you tell them to. It's either create a symlink or mount a directory. The error message indicates exactly what is wrong: this is a usrmerged system and /bin is supposed to be a symlink to /usr/bin, so BubblewrapLauncher.cpp shouldn't be trying to --ro-bind the host /bin. But we do need to --ro-bind it on non-usrmerged systems. We need to do one of create symlink or bind host directory -- never both -- for each of these locations. That error message indicates your code is doing both. It's probably a simple mistake?
There was a problem hiding this comment.
Also: I notice the existing sandbox intentionally skips binding /bin except in the enableDebugPermissions case. We should probably maintain that behavior and just altogether remove /bin and /sbin from this function. We could create the symlinks in the enableDebugPermissions codepath if you want, though.
There was a problem hiding this comment.
You realize you contradict yourself then? You said "so probably best to just restore the use of --ro-bind-try that you removed for the locations under /usr?" and now "We need to do one of create symlink or bind host directory -- never both -- for each of these locations".
There was a problem hiding this comment.
Use --ro-bind-try in the non-usrmerge condition, when /bin is not a symlink.
|
EWS run on current version of this PR (hash b6d2cdc) |
|
I'm landing the initial version of this patch, which is simple and less invasive than the broken WIP I couldn't make work :( |
https://bugs.webkit.org/show_bug.cgi?id=287368 Reviewed by Michael Catanzaro. On UsrMerge systems where /lib64 is a symlink to /usr/lib64 and where the GStreamer registry attempts to load the plugin-scanner from /lib64/ the path needs to be allow-listed in the sandbox. * Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp: (WebKit::bindGStreamerData): Canonical link: https://commits.webkit.org/296779@main
b6d2cdc to
526ec66
Compare
|
Committed 296779@main (526ec66): https://commits.webkit.org/296779@main Reviewed commits have been landed. Closing PR #40320 and removing active labels. |
526ec66
b6d2cdc
🧪 gtk-wk2