webkitgtk: Bind NixOS directories to sandbox last #201219
Conversation
Since WebKit/WebKit@31ac354, bubblewrap gets called the following way on NixOS systems, when they have `share/fonts` in `environment.pathsToLink`:

```
$ bwrap --ro-bind /nix/store /nix/store --ro-bind /run/current-system /run/current-system --ro-bind-try /run/current-system/sw/share/fonts /run/current-system/sw/share/fonts -- $(realpath $(which true))
bwrap: Can't mkdir parents for /run/current-system/sw/share/fonts: No such file or directory
```

It fails because `/run/current-system/sw` is a symlink, so bubblewrap is not able to add another mountpoint inside.

Ideally, we would remove the `/run/current-system/sw` bind mount and mount only specific subdirectories we need, like the fonts. Unfortunately, it is not clear what else is needed. For example, in the past, Pipewire’s Jack module was loaded from `/run/current-system/sw/lib` (NixOS@756e603).

So, for now, let’s keep that mount and move the binding of NixOS directories to the end. Adding bindings starting at leaves and moving to root should be fine.

While at it, let’s also make the binding of `/run/current-system` conditional, since it will not be available outside of NixOS.

Fixes: NixOS#197085
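The ordering rule the PR relies on (bind leaves before roots, so no mountpoint has to be created through a symlink that an earlier bind brought in) can be checked without running bubblewrap. The following is an added example, not code from WebKit or nixpkgs: a pure-Python model of how bwrap creates mountpoints in order. The host facts it uses (`/run/current-system` and `/run/current-system/sw` being symlinks into `/nix/store`) are constructed, the store paths are placeholders, and the function names (`first_failing_bind`, `reorder_binds`, `nixos_binds`, `to_argv`) are the example's own.

```python
# Added example (not WebKit's or nixpkgs' code): a pure-Python model of how
# bubblewrap creates mountpoints, used to check the bind ordering from the PR.
# Host facts below are constructed; store paths are placeholders.
from pathlib import PurePosixPath

# On NixOS, /run/current-system and /run/current-system/sw are symlinks into
# /nix/store. The store paths here are placeholders, not real ones.
HOST_SYMLINKS = {
    "/run/current-system": "/nix/store/PLACEHOLDER-nixos-system",
    "/run/current-system/sw": "/nix/store/PLACEHOLDER-system-path",
}

# The failing invocation from the PR description, as (option, src, dest).
EXAMPLE_BINDS = [
    ("--ro-bind", "/nix/store", "/nix/store"),
    ("--ro-bind", "/run/current-system", "/run/current-system"),
    ("--ro-bind-try", "/run/current-system/sw/share/fonts",
     "/run/current-system/sw/share/fonts"),
]

NIXOS_ROOTS = ("/nix/store", "/run/current-system")


def _ancestors(path):
    """Proper ancestors of an absolute path, nearest first, excluding '/'."""
    return [str(p) for p in PurePosixPath(path).parents if str(p) != "/"]


def _under(path, tree):
    """True if path equals tree or lies inside it."""
    return path == tree or path.startswith(tree.rstrip("/") + "/")


def first_failing_bind(binds, symlinks=HOST_SYMLINKS):
    """Return the dest of the first bind bwrap could not create a mountpoint for.

    bwrap handles binds in order and runs the equivalent of `mkdir -p dest`
    inside the new root before mounting. Once an earlier bind has populated
    an ancestor of dest from the host, that walk goes through host content;
    if one of those ancestors is a symlink there, mkdir fails, which is the
    "Can't mkdir parents" error quoted in the PR. Returns None if every bind
    is fine in the given order.
    """
    mounted = []
    for _opt, _src, dest in binds:
        for anc in _ancestors(dest):
            if anc in symlinks and any(_under(anc, m) for m in mounted):
                return dest
        mounted.append(dest)
    return None


def reorder_binds(binds, roots=NIXOS_ROOTS):
    """Apply the PR's fix: bind leaves first, NixOS root directories last.

    Relative order is preserved within each group.
    """
    leaves = [b for b in binds if b[2] not in roots]
    root_binds = [b for b in binds if b[2] in roots]
    return leaves + root_binds


def nixos_binds(path_exists):
    """Binds for the NixOS directories, with /run/current-system conditional.

    path_exists is injected so the check runs on any host; the PR makes the
    /run/current-system bind conditional for the same reason.
    """
    binds = [("--ro-bind", "/nix/store", "/nix/store")]
    if path_exists("/run/current-system"):
        binds.append(("--ro-bind", "/run/current-system", "/run/current-system"))
    return binds


def to_argv(binds, command=("true",)):
    """Flatten binds into a bwrap argument vector."""
    argv = ["bwrap"]
    for opt, src, dest in binds:
        argv += [opt, src, dest]
    return argv + ["--", *command]


if __name__ == "__main__":
    print("broken order fails at:", first_failing_bind(EXAMPLE_BINDS))
    fixed = reorder_binds(EXAMPLE_BINDS)
    print("fixed order fails at:", first_failing_bind(fixed))
    print(" ".join(to_argv(fixed)))
```

Run as written, the model reports the fonts bind as the failing one for the order quoted in the PR and no failure once the NixOS root binds are moved to the end; the `--ro-bind-try` on the fonts directory is kept as in the original invocation, since the model only reorders arguments.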
Cherry-picked this commit on my 22.05 installation where GNOME Web would simply not load any pages and now it works perfectly.
Thanks, @jtojnar!
Online Accounts, Epiphany, and Tangram all seem to be fixed for me with this PR.
Result of nixpkgs-review run:

- 18 packages marked as broken and skipped
- 11 packages failed to build
- 210 packages built

Successfully created backport PR #203770.
Things done
Untested.