GNU bug report logs

#47106 Bubblewrap hates Guix containers 😞


Message #29 received at 47106@debbugs.gnu.org:

Received: (at 47106) by debbugs.gnu.org; 14 Mar 2021 18:05:30 +0000
From debbugs-submit-bounces@debbugs.gnu.org Sun Mar 14 14:05:30 2021
Received: from localhost ([127.0.0.1]:34174 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1lLV7K-0005Sc-BQ
	for submit@debbugs.gnu.org; Sun, 14 Mar 2021 14:05:30 -0400
Received: from mailrelay.tugraz.at ([129.27.2.202]:24319)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <leo.prikler@student.tugraz.at>) id 1lLV7I-0005ST-HQ
 for 47106@debbugs.gnu.org; Sun, 14 Mar 2021 14:05:29 -0400
Received: from nijino.local (217-149-164-20.nat.highway.telekom.at
 [217.149.164.20])
 by mailrelay.tugraz.at (Postfix) with ESMTPSA id 4Dz6sc712rz3xmf;
 Sun, 14 Mar 2021 19:05:24 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tugraz.at;
 s=mailrelay; t=1615745125;
 bh=fMQnoVe24+ivB4ucJ8nNvZ/p7vOPPEUXW6rQDjOJ5lo=;
 h=Subject:From:To:Cc:Date:In-Reply-To:References;
 b=rbw8RjU0LJFGlLv3JqFDtyp2IfVl4tiA+VRtG2LhHEgARKsgRG28TEfP6gxCNfhJR
 9N+0kxNoClbEORAHF/EAz/BjZFzms0ZUC5EYTJaj/xW3TM/WM+RJcP0GYHI8yrXlI8
 IYbcVJkbCS5YO0d6EDLpUtjqIbfGOpWHbDXXdK9E=
Message-ID: <d0638eba7e63c71edd4267c1675e0ea7f5b7b4ae.camel@student.tugraz.at>
Subject: Re: bug#47106: Bubblewrap hates Guix containers
 😞
From: Leo Prikler <leo.prikler@student.tugraz.at>
To: Bengt Richter <bokr@bokr.com>
Date: Sun, 14 Mar 2021 19:05:24 +0100
In-Reply-To: <20210314174539.GA10548@LionPure>
References: <fbb3401a61ae78f092b33b7a36428f8520a7a6bd.camel@student.tugraz.at>
 <87r1kjpbvx.fsf@gnu.org>
 <2922127e61435e64f95d3d398ef6932a02336188.camel@student.tugraz.at>
 <20210313122718.GA11708@LionPure>
 <fa11fb1fb6dfb6e2c048d4fe8dec005e3b2b114a.camel@student.tugraz.at>
 <20210313170704.GA3712@LionPure>
 <a4efcc5c7928de5d89596500803dee510d85b7c0.camel@student.tugraz.at>
 <20210314174539.GA10548@LionPure>
Content-Type: text/plain; charset="UTF-8"
User-Agent: Evolution 3.34.2 
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-TUG-Backscatter-control: bt4lQm5Tva3SBgCuw0EnZw
X-Spam-Scanner: SpamAssassin 3.003001 
X-Spam-Score-relay: -1.9
X-Scanned-By: MIMEDefang 2.74 on 129.27.10.116
X-Spam-Score: -2.3 (--)
X-Debbugs-Envelope-To: 47106
Cc: 47106@debbugs.gnu.org, Ludovic Courtès <ludo@gnu.org>
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: -3.3 (---)

Hi again³

Am Sonntag, den 14.03.2021, 18:45 +0100 schrieb Bengt Richter:
> Hi again^2,
> 
> Maybe
>     pstree -at
> would show a little more?
sh
  |-dbus-daemon --syslog-only --fork --print-pid 5 --print-address 7 --sess
  |-dbus-launch --autolaunch=fa7a4d52637958ddd37547bb5d8bd9d2--binary-synt
  `-screen
      `-screen
          |-sh
          |   `-.epiphany-real
          |       |-WebKitNetworkPr 3 21
          |       |   |-{BMScavenger}
          |       |   |-{ReceiveQueue}
          |       |   |-{StorageTask}
          |       |   |-{Storage}
          |       |   |-{WebStorage}
          |       |   |-{background}
          |       |   |-{dconf worker}
          |       |   |-{erialBackground}
          |       |   |-{gdbus}
          |       |   `-{gmain}
          |       |-bwrap --args 37 -- /gnu/store/hqhxgw0i8xh38h6kwmyrkywcd24q5f1z-webk
          |       |   `-bwrap --args 37 -- /gnu/store/hqhxgw0i8xh38h6kwmyrkywcd24q5f1z-webk
          |       |       `-WebKitWebProces 1277 28
          |       |-{.epiphany-real}
          |       |-{BMScavenger}
          |       |-{HashSaltStorage}
          |       |-{IconDatabase}
          |       |-{PressureMonitor}
          |       |-2*[{ReceiveQueue}]
          |       |-{dconf worker}
          |       |-{e Compile Queue}
          |       |-{ebsiteDataStore}
          |       |-{gdbus}
          |       |-{gmain}
          |       |-{re Remove Queue}
          |       `-{tore Read Queue}
          `-sh
              `-pstree -at
> Also,
>     ls -lr /sys/class/drm
total 0
-r--r--r-- 1 65534 overflow 4096 Mar 14 17:59 version
lrwxrwxrwx 1 65534 overflow    0 Mar 14 17:58 ttm -> ../../devices/virtual/drm/ttm
lrwxrwxrwx 1 65534 overflow    0 Mar 14 17:59 renderD128 -> ../../devices/pci0000:00/0000:00:02.0/0000:01:00.0/drm/renderD128
lrwxrwxrwx 1 65534 overflow    0 Mar 14 17:59 card0-VGA-1 -> ../../devices/pci0000:00/0000:00:02.0/0000:01:00.0/drm/card0/card0-VGA-1
lrwxrwxrwx 1 65534 overflow    0 Mar 14 17:59 card0-HDMI-A-1 -> ../../devices/pci0000:00/0000:00:02.0/0000:01:00.0/drm/card0/card0-HDMI-A-1
lrwxrwxrwx 1 65534 overflow    0 Mar 14 17:58 card0-DVI-D-1 -> ../../devices/pci0000:00/0000:00:02.0/0000:01:00.0/drm/card0/card0-DVI-D-1
lrwxrwxrwx 1 65534 overflow    0 Mar 14 17:58 card0 -> ../../devices/pci0000:00/0000:00:02.0/0000:01:00.0/drm/card0
> if that's accessible -- I'm wondering if the version of screen
> in the container is built with libdrm and is bypassing X or ??
I doubt it is being built differently than screen normally is.

> Do you have a makefile or a guix something.scm defining
> what's built/packed into your container? 
Nah, it's a rather ad-hoc definition grown from what should be an Eolie
container from the cookbook (also refer to #47097).

    guix environment --preserve='^DISPLAY$' --preserve=XAUTHORITY \
     --preserve=TERM \
     --expose=$XAUTHORITY \
     --expose=/etc/machine-id \
     --expose=/etc/ssl/certs/ \
     --expose=/sys/block --expose=/sys/class --expose=/sys/bus \
     --expose=/sys/dev --expose=/sys/devices \
     --ad-hoc epiphany nss-certs dbus procps coreutils psmisc screen

Given that I expose most of /sys explicitly, you should take the above
with a grain of salt.

> Sorry if my curiosity is making work for you, but I'd like to
> try containers down the road -- tho right now I'm taking a break
> from events IRL, so I may disappear for a while...
I'm not personally impacted by this bug or anything, it's much rather a
follow-up to my attempted fix of #47097.  I think there might be some
flaw in trying to run a sandbox inside a sandbox (like bubblewrap
inside `guix container`), that doesn't actually improve security in any
meaningful way.

Regards,
Leo
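Added example (not code from the report, from Guix or from bubblewrap). Every entry in the `ls -lr /sys/class/drm` listing above is owned by "65534 overflow". That is the kernel's overflow uid/gid: inside a user-namespaced container, such as the one `guix environment --container --expose=...` creates, any file whose host owner or group is not mapped into the namespace is reported with that id, and `ls` prints whatever name the container's passwd/group files give it ("nobody", "nogroup" or, here, "overflow"). The helper below parses `ls -l` lines to flag such entries and parses a /proc/<pid>/uid_map to say whether a given host id would be mapped. The sample inputs are constructed: the listing lines are taken from the report plus one invented mapped directory, and the uid_map is an assumed single-identity mapping.

```python
"""Tell mapped from unmapped file owners inside a user-namespaced container.

Added example for this bug log; not code from the report or from Guix.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

OVERFLOW_ID = 65534                                   # kernel default /proc/sys/kernel/overflowuid
OVERFLOW_NAMES = {"nobody", "nogroup", "overflow"}    # names ls commonly prints for it

# One `ls -l` line: mode links owner group size month day time name [-> target]
LS_LINE = re.compile(
    r"^(?P<mode>[-dlcbps][rwxsStT-]{9}[.+@]?)\s+\d+\s+"
    r"(?P<owner>\S+)\s+(?P<group>\S+)\s+\d+\s+"
    r"\S+\s+\d+\s+[\d:]+\s+(?P<name>.+?)(?:\s+->\s+(?P<target>.+))?$"
)


@dataclass
class Entry:
    mode: str
    owner: str
    group: str
    name: str
    target: Optional[str]


def parse_ls(text: str) -> List[Entry]:
    """Parse `ls -l` output, skipping blank lines and the leading "total N"."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("total "):
            continue
        m = LS_LINE.match(line)
        if m is None:
            raise ValueError(f"unrecognised ls -l line: {line!r}")
        entries.append(Entry(m["mode"], m["owner"], m["group"], m["name"], m["target"]))
    return entries


def is_overflow(ident: str) -> bool:
    """True if ls printed this owner/group as the overflow id, numeric or named."""
    return ident in OVERFLOW_NAMES or ident == str(OVERFLOW_ID)


def unmapped_owner_entries(ls_text: str) -> List[str]:
    """Names of entries whose owner or group is not mapped into this namespace."""
    return [e.name for e in parse_ls(ls_text)
            if is_overflow(e.owner) or is_overflow(e.group)]


def parse_id_map(text: str) -> List[Tuple[int, int, int]]:
    """Parse /proc/<pid>/uid_map or gid_map: lines of "inside outside count"."""
    ranges = []
    for line in text.splitlines():
        if line.strip():
            inside, outside, count = (int(x) for x in line.split())
            ranges.append((inside, outside, count))
    return ranges


def host_id_is_mapped(id_map_text: str, host_id: int) -> bool:
    """Would a file owned by host uid/gid `host_id` show its real owner in here?"""
    return any(outside <= host_id < outside + count
               for _inside, outside, count in parse_id_map(id_map_text))


# Constructed sample: lines from the report's listing plus one invented mapped entry.
SAMPLE_LS = """\
total 0
-r--r--r-- 1 65534 overflow 4096 Mar 14 17:59 version
lrwxrwxrwx 1 65534 overflow    0 Mar 14 17:58 ttm -> ../../devices/virtual/drm/ttm
lrwxrwxrwx 1 65534 overflow    0 Mar 14 17:59 renderD128 -> ../../devices/pci0000:00/0000:00:02.0/0000:01:00.0/drm/renderD128
lrwxrwxrwx 1 65534 overflow    0 Mar 14 17:58 card0 -> ../../devices/pci0000:00/0000:00:02.0/0000:01:00.0/drm/card0
drwxr-xr-x 2 1000  users    4096 Mar 14 17:59 mapped-dir
"""

# Assumed uid_map of a single-user container: uid 1000 inside is uid 1000 outside.
SAMPLE_UID_MAP = "      1000       1000          1\n"

if __name__ == "__main__":
    for name in unmapped_owner_entries(SAMPLE_LS):
        print(f"{name}: owner or group not mapped into this user namespace")
    for host_uid in (0, 1000):
        print(f"host uid {host_uid} mapped here: {host_id_is_mapped(SAMPLE_UID_MAP, host_uid)}")
```

Run inside the container against `ls -l` of an exposed path and the container's own /proc/self/uid_map, the two checks agree: entries flagged by the first are exactly those whose host owner the second reports as unmapped, which is why the sysfs entries above appear as "overflow" while files owned by the invoking user do not.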

debbugs.gnu.org maintainers <help-debbugs@gnu.org>. Last modified: Sun Dec 22 09:15:43 2024; Machine Name: wallace-server