Bug 221990 - [GTK] Bubblewrap sandbox should not break X11 forwarding
Summary: [GTK] Bubblewrap sandbox should not break X11 forwarding
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebKitGTK (show other bugs)
Version: WebKit Nightly Build
Hardware: PC Linux
: P2 Normal
Assignee: Michael Catanzaro
URL:
Keywords:
Depends on:
Blocks: 206533
  Show dependency treegraph
 
Reported: 2021-02-16 13:12 PST by Michael Catanzaro
Modified: 2021-03-05 07:31 PST (History)
6 users (show)

See Also:


Attachments
Patch (4.94 KB, patch)
2021-02-16 13:46 PST, Michael Catanzaro
no flags Details | Formatted Diff | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Michael Catanzaro 2021-02-16 13:12:43 PST
Currently the bubblewrap sandbox breaks X11 forwarding via SSH, I suspect because the web process is unable to connect to the X server via TCP due to being isolated in a network namespace. We should just disable the network namespace in this case and accept that such configurations are less secure. Untested patch incoming. I will ask a couple users who use X11 forwarding to test the patch and will request review once somebody confirms whether it actually works.
Comment 1 Michael Catanzaro 2021-02-16 13:46:49 PST
Created attachment 420537 [details]
Patch
Comment 2 Andrew Clark 2021-02-16 14:17:00 PST
Understanding the issue correctly now, I've also found a more subtle workaround that doesn't require letting down the sandbox as much.

On the machine running evolution, I use socat to redirect a unix socket to the expected X server. For example, if ssh has given me localhost:10.0 as my DISPLAY:
socat UNIX-LISTEN:/tmp/.X11-unix/X10,fork TCP:localhost:6010 &

And then run evolution on using that display successfully:
DISPLAY=:10.0 evolution

Slightly messy, but perhaps better than allowing carte blanche network access?
Comment 3 Andrew Clark 2021-02-16 14:18:57 PST
(In reply to Michael Catanzaro from comment #1)
> Created attachment 420537 [details]
> Patch

Thanks for being so quick with that. I'll spin up a dev environment and test this.
Comment 4 Michael Catanzaro 2021-02-16 14:48:19 PST
(In reply to Andrew Clark from comment #2)
> Slightly messy, but perhaps better than allowing carte blanche network
> access?

Right that would be best (though we'd want to do that manually without depending on /usr/bin/socat). That's basically option 1 from https://gitlab.gnome.org/GNOME/evolution/-/issues/1369#note_1038267, whereas what I implemented is option 2.
Comment 5 Michael Catanzaro 2021-02-18 16:03:57 PST
Comment on attachment 420537 [details]
Patch

Downstream user reports this patch works....

If anyone wants to try to set up a socket forwarding scheme, that would be the ideal solution. In the meantime, this patch works.
Comment 6 Andrew Clark 2021-02-21 16:15:35 PST
(In reply to Michael Catanzaro from comment #1)
> Created attachment 420537 [details]
> Patch

Confirmed this works in my setup too. Thank you.

aclark@pleco 0 ~ $ ldd `which evolution` | grep webkit
	libwebkit2gtk-4.0.so.37 => /lib/x86_64-linux-gnu/libwebkit2gtk-4.0.so.37 (0x00007f82f992e000)
aclark@pleco 0 ~ $ evolution 

(evolution-alarm-notify:2288541): GLib-GIO-WARNING **: 11:12:51.637: Your application did not unregister from D-Bus before destruction. Consider using g_application_run().

(WebKitWebProcess:2): Gtk-WARNING **: 11:12:52.256: cannot open display: localhost:10.0

(WebKitWebProcess:2): Gtk-WARNING **: 11:12:57.277: cannot open display: localhost:10.0

(evolution:2288506): evolution-WARNING **: 11:12:59.816: Shell not finalized on exit
aclark@pleco 0 ~ $ export LD_LIBRARY_PATH=/usr/local/lib/
aclark@pleco 0 ~ $ ldd `which evolution` | grep webkit
	libwebkit2gtk-4.0.so.37 => /usr/local/lib/libwebkit2gtk-4.0.so.37 (0x00007eff36260000)
aclark@pleco 0 ~ $ evolution 

(evolution-alarm-notify:2288732): GLib-GIO-WARNING **: 11:13:29.087: Your application did not unregister from D-Bus before destruction. Consider using g_application_run().

(evolution:2288697): GLib-GIO-WARNING **: 11:13:35.853: Your application did not unregister from D-Bus before destruction. Consider using g_application_run().
aclark@pleco 0 ~ $
Comment 7 Michael Catanzaro 2021-03-04 13:20:07 PST
Ping reviewers
Comment 8 EWS 2021-03-05 07:31:55 PST
Committed r273965: <https://commits.webkit.org/r273965>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 420537 [details].