| Summary: | [GTK] Bubblewrap sandbox should not break X11 forwarding | ||||||
|---|---|---|---|---|---|---|---|
| Product: | WebKit | Reporter: | Michael Catanzaro <mcatanzaro> | ||||
| Component: | WebKitGTK | Assignee: | Michael Catanzaro <mcatanzaro> | ||||
| Status: | RESOLVED FIXED | ||||||
| Severity: | Normal | CC: | ajfclark, bugs-noreply, cgarcia, clopez, mcatanzaro, pgriffis | ||||
| Priority: | P2 | ||||||
| Version: | WebKit Nightly Build | ||||||
| Hardware: | PC | ||||||
| OS: | Linux | ||||||
| See Also: | https://bugzilla.redhat.com/show_bug.cgi?id=1905720 | ||||||
| Bug Depends on: | |||||||
| Bug Blocks: | 206533 | ||||||
| Attachments: |
|
||||||
|
Description
Michael Catanzaro
2021-02-16 13:12:43 PST
Created attachment 420537 [details]
Patch
Understanding the issue correctly now, I've also found a more subtle workaround that doesn't require letting down the sandbox as much. On the machine running evolution, I use socat to redirect a unix socket to the expected X server. For example, if ssh has given me localhost:10.0 as my DISPLAY: socat UNIX-LISTEN:/tmp/.X11-unix/X10,fork TCP:localhost:6010 & And then run evolution on using that display successfully: DISPLAY=:10.0 evolution Slightly messy, but perhaps better than allowing carte blanche network access? (In reply to Michael Catanzaro from comment #1) > Created attachment 420537 [details] > Patch Thanks for being so quick with that. I'll spin up a dev environment and test this. (In reply to Andrew Clark from comment #2) > Slightly messy, but perhaps better than allowing carte blanche network > access? Right that would be best (though we'd want to do that manually without depending on /usr/bin/socat). That's basically option 1 from https://gitlab.gnome.org/GNOME/evolution/-/issues/1369#note_1038267, whereas what I implemented is option 2. Comment on attachment 420537 [details]
Patch
Downstream user reports this patch works....
If anyone wants to try to set up a socket forwarding scheme, that would be the ideal solution. In the meantime, this patch works.
(In reply to Michael Catanzaro from comment #1) > Created attachment 420537 [details] > Patch Confirmed this works in my setup too. Thank you. aclark@pleco 0 ~ $ ldd `which evolution` | grep webkit libwebkit2gtk-4.0.so.37 => /lib/x86_64-linux-gnu/libwebkit2gtk-4.0.so.37 (0x00007f82f992e000) aclark@pleco 0 ~ $ evolution (evolution-alarm-notify:2288541): GLib-GIO-WARNING **: 11:12:51.637: Your application did not unregister from D-Bus before destruction. Consider using g_application_run(). (WebKitWebProcess:2): Gtk-WARNING **: 11:12:52.256: cannot open display: localhost:10.0 (WebKitWebProcess:2): Gtk-WARNING **: 11:12:57.277: cannot open display: localhost:10.0 (evolution:2288506): evolution-WARNING **: 11:12:59.816: Shell not finalized on exit aclark@pleco 0 ~ $ export LD_LIBRARY_PATH=/usr/local/lib/ aclark@pleco 0 ~ $ ldd `which evolution` | grep webkit libwebkit2gtk-4.0.so.37 => /usr/local/lib/libwebkit2gtk-4.0.so.37 (0x00007eff36260000) aclark@pleco 0 ~ $ evolution (evolution-alarm-notify:2288732): GLib-GIO-WARNING **: 11:13:29.087: Your application did not unregister from D-Bus before destruction. Consider using g_application_run(). (evolution:2288697): GLib-GIO-WARNING **: 11:13:35.853: Your application did not unregister from D-Bus before destruction. Consider using g_application_run(). aclark@pleco 0 ~ $ Ping reviewers Committed r273965: <https://commits.webkit.org/r273965> All reviewed patches have been landed. Closing bug and clearing flags on attachment 420537 [details]. |