Bug 256917 - [GLib] Re-enable bwrap sandbox in containers when supported
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebKitGTK
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Diego Pino
Reported: 2023-05-17 13:53 PDT by Patrick Griffis
Modified: 2023-05-22 20:00 PDT
Description Patrick Griffis 2023-05-17 13:53:55 PDT
This detects if bwrap actually works inside of a container instead of always disabling it.
Comment 1 Patrick Griffis 2023-05-17 13:57:18 PDT
Pull request: https://github.com/WebKit/WebKit/pull/13985
Comment 2 EWS 2023-05-18 03:36:13 PDT
Committed 264196@main (4c39f3875728): <https://commits.webkit.org/264196@main>

Reviewed commits have been landed. Closing PR #13985 and removing active labels.
Comment 3 Diego Pino 2023-05-22 06:42:01 PDT
When building WPE for ARM64 inside a container I got the following error:

```
FAILED: Source/WTF/wtf/CMakeFiles/WTF.dir/glib/Sandbox.cpp.o 
/usr/bin/clang++-14  -DBUILDING_WEBKIT=1 -DBUILDING_WITH_CMAKE=1 -DBUILDING_WPE__=1 -DBUILDING_WTF -DGETTEXT_PACKAGE=\"WPE\" -DHAVE_CONFIG_H=1 -DJSC_GLIB_API_ENABLED -DPAS_BMALLOC=1 -DSTATICALLY_LINKED_WITH_bmalloc -I. -IWTF/DerivedSources -I../../../Source/WTF -I../../../Source/WTF/wtf -I../../../Source/WTF/wtf/dtoa -I../../../Source/WTF/wtf/fast_float -I../../../Source/WTF/wtf/persistence -I../../../Source/WTF/wtf/text -I../../../Source/WTF/wtf/text/icu -I../../../Source/WTF/wtf/threads -I../../../Source/WTF/wtf/unicode -Ibmalloc/Headers -isystem ../DependenciesWPE/Root/include/gio-unix-2.0 -isystem ../DependenciesWPE/Root/include/glib-2.0 -isystem ../DependenciesWPE/Root/lib/glib-2.0/include -fdiagnostics-color=always -fcolor-diagnostics -Wextra -Wall -pipe -Wno-noexcept-type -Wno-psabi -Wno-misleading-indentation -Wno-parentheses-equality -Qunused-arguments -Wundef -Wpointer-arith -Wmissing-format-attribute -Wformat-security -Wcast-align -Wno-tautological-compare  -fno-strict-aliasing -fno-exceptions -fno-rtti -O3 -DNDEBUG -fPIC -fvisibility=hidden -fvisibility-inlines-hidden   -pthread -std=c++2a -MD -MT Source/WTF/wtf/CMakeFiles/WTF.dir/glib/Sandbox.cpp.o -MF Source/WTF/wtf/CMakeFiles/WTF.dir/glib/Sandbox.cpp.o.d -o Source/WTF/wtf/CMakeFiles/WTF.dir/glib/Sandbox.cpp.o -c ../../../Source/WTF/wtf/glib/Sandbox.cpp
../../../Source/WTF/wtf/glib/Sandbox.cpp:49:13: error: use of undeclared identifier 'BWRAP_EXECUTABLE'
			BWRAP_EXECUTABLE,
```

Build flag ENABLE_BUBBLEWRAP_SANDBOX is OFF.

I think access to BWRAP_EXECUTABLE in Sandbox.cpp needs to be guarded by ENABLE(BUBBLEWRAP_SANDBOX).
Comment 4 Diego Pino 2023-05-22 06:44:29 PDT
Re-opening for pull request https://github.com/webkit/webkit/pull/14177
Comment 5 EWS 2023-05-22 20:00:27 PDT
Committed 264395@main (4977290ab4ab): <https://commits.webkit.org/264395@main>

Reviewed commits have been landed. Closing PR #14177 and removing active labels.
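
An added sketch of the two points raised in this bug, not WebKit's Sandbox.cpp and not code from either pull request: decide at runtime whether bwrap works by running it once, and keep every use of the build-time path inside the feature guard. `EXAMPLE_ENABLE_BWRAP`, `EXAMPLE_BWRAP_PATH`, the function names and the probe arguments are assumptions made for illustration.

```cpp
// Added example; not WebKit's Sandbox.cpp. Macro and function names are hypothetical.
#include <cerrno>
#include <fcntl.h>
#include <spawn.h>
#include <string>
#include <sys/wait.h>
#include <vector>
#ifndef EXAMPLE_ENABLE_BWRAP
#define EXAMPLE_ENABLE_BWRAP 0 // stand-in for the build flag; OFF by default
#endif
#if EXAMPLE_ENABLE_BWRAP
#define EXAMPLE_BWRAP_PATH "/usr/bin/bwrap" // placeholder; exists only when enabled
#endif

extern "C" char** environ;
// Runs args[0] with args, output discarded. True only if it exits with status 0.
bool probeSucceeds(const std::vector<std::string>& args)
{
    if (args.empty())
        return false;
    std::vector<char*> argv;
    for (const auto& arg : args)
        argv.push_back(const_cast<char*>(arg.c_str()));
    argv.push_back(nullptr);
    posix_spawn_file_actions_t actions;
    posix_spawn_file_actions_init(&actions);
    posix_spawn_file_actions_addopen(&actions, 1, "/dev/null", O_WRONLY, 0);
    posix_spawn_file_actions_addopen(&actions, 2, "/dev/null", O_WRONLY, 0);
    pid_t pid = -1;
    int rc = posix_spawn(&pid, argv[0], &actions, nullptr, argv.data(), environ);
    posix_spawn_file_actions_destroy(&actions);
    if (rc != 0)
        return false; // could not start: missing binary or no exec permission
    int status = 0;
    while (waitpid(pid, &status, 0) < 0)
        if (errno != EINTR)
            return false;
    return WIFEXITED(status) && WEXITSTATUS(status) == 0;
}

// Runtime check: if bwrap cannot set up even a minimal sandbox, it exits non-zero.
bool bubblewrapWorks()
{
#if EXAMPLE_ENABLE_BWRAP
    return probeSucceeds({ EXAMPLE_BWRAP_PATH, "--ro-bind", "/", "/", "--unshare-all", "true" });
#else
    return false; // the path macro is never named when the feature is compiled out
#endif
}
```

Compiling with `-DEXAMPLE_ENABLE_BWRAP=1` turns the probe on; without it the translation unit still builds because nothing outside the guard refers to the path macro.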