Currently the bubblewrap sandbox breaks X11 forwarding via SSH, I suspect because the web process is unable to connect to the X server via TCP due to being isolated in a network namespace. We should just disable the network namespace in this case and accept that such configurations are less secure. Untested patch incoming. I will ask a couple users who use X11 forwarding to test the patch and will request review once somebody confirms whether it actually works.
Created attachment 420537 [details] Patch
Understanding the issue correctly now, I've also found a more subtle workaround that doesn't require letting down the sandbox as much. On the machine running evolution, I use socat to redirect a unix socket to the expected X server. For example, if ssh has given me localhost:10.0 as my DISPLAY: socat UNIX-LISTEN:/tmp/.X11-unix/X10,fork TCP:localhost:6010 & And then run evolution on using that display successfully: DISPLAY=:10.0 evolution Slightly messy, but perhaps better than allowing carte blanche network access?
(In reply to Michael Catanzaro from comment #1) > Created attachment 420537 [details] > Patch Thanks for being so quick with that. I'll spin up a dev environment and test this.
(In reply to Andrew Clark from comment #2) > Slightly messy, but perhaps better than allowing carte blanche network > access? Right that would be best (though we'd want to do that manually without depending on /usr/bin/socat). That's basically option 1 from https://gitlab.gnome.org/GNOME/evolution/-/issues/1369#note_1038267, whereas what I implemented is option 2.
Comment on attachment 420537 [details] Patch Downstream user reports this patch works.... If anyone wants to try to set up a socket forwarding scheme, that would be the ideal solution. In the meantime, this patch works.
(In reply to Michael Catanzaro from comment #1) > Created attachment 420537 [details] > Patch Confirmed this works in my setup too. Thank you. aclark@pleco 0 ~ $ ldd `which evolution` | grep webkit libwebkit2gtk-4.0.so.37 => /lib/x86_64-linux-gnu/libwebkit2gtk-4.0.so.37 (0x00007f82f992e000) aclark@pleco 0 ~ $ evolution (evolution-alarm-notify:2288541): GLib-GIO-WARNING **: 11:12:51.637: Your application did not unregister from D-Bus before destruction. Consider using g_application_run(). (WebKitWebProcess:2): Gtk-WARNING **: 11:12:52.256: cannot open display: localhost:10.0 (WebKitWebProcess:2): Gtk-WARNING **: 11:12:57.277: cannot open display: localhost:10.0 (evolution:2288506): evolution-WARNING **: 11:12:59.816: Shell not finalized on exit aclark@pleco 0 ~ $ export LD_LIBRARY_PATH=/usr/local/lib/ aclark@pleco 0 ~ $ ldd `which evolution` | grep webkit libwebkit2gtk-4.0.so.37 => /usr/local/lib/libwebkit2gtk-4.0.so.37 (0x00007eff36260000) aclark@pleco 0 ~ $ evolution (evolution-alarm-notify:2288732): GLib-GIO-WARNING **: 11:13:29.087: Your application did not unregister from D-Bus before destruction. Consider using g_application_run(). (evolution:2288697): GLib-GIO-WARNING **: 11:13:35.853: Your application did not unregister from D-Bus before destruction. Consider using g_application_run(). aclark@pleco 0 ~ $
Ping reviewers
Committed r273965: <https://commits.webkit.org/r273965> All reviewed patches have been landed. Closing bug and clearing flags on attachment 420537 [details].