GNU bug report logs

#47106 Bubblewrap hates Guix containers 😞


Message #47 received at 47106@debbugs.gnu.org:

Date: Tue, 16 Mar 2021 11:54:42 +0100
From: Bengt Richter <bokr@bokr.com>
To: Leo Prikler <leo.prikler@student.tugraz.at>
Subject: Re: bug#47106: Bubblewrap hates Guix containers 😞
Message-ID: <20210316105442.GA3903@LionPure>
References: <fbb3401a61ae78f092b33b7a36428f8520a7a6bd.camel@student.tugraz.at>
 <87r1kjpbvx.fsf@gnu.org>
 <2922127e61435e64f95d3d398ef6932a02336188.camel@student.tugraz.at>
 <20210313122718.GA11708@LionPure>
 <fa11fb1fb6dfb6e2c048d4fe8dec005e3b2b114a.camel@student.tugraz.at>
 <20210313170704.GA3712@LionPure>
 <a4efcc5c7928de5d89596500803dee510d85b7c0.camel@student.tugraz.at>
 <20210314174539.GA10548@LionPure>
 <d0638eba7e63c71edd4267c1675e0ea7f5b7b4ae.camel@student.tugraz.at>
In-Reply-To: <d0638eba7e63c71edd4267c1675e0ea7f5b7b4ae.camel@student.tugraz.at>
Cc: 47106@debbugs.gnu.org, Ludovic Courtès <ludo@gnu.org>

Hi Leo,
One more favor? ;)

On +2021-03-14 19:05:24 +0100, Leo Prikler wrote:
> Hi again³
> 
> Am Sonntag, den 14.03.2021, 18:45 +0100 schrieb Bengt Richter:
> > Hi again^2,
> > 
> > Maybe
> >     pstree -at
> > would show a little more?
> sh
>   |-dbus-daemon --syslog-only --fork --print-pid 5 --print-address 7
> --sess
>   |-dbus-launch --autolaunch=fa7a4d52637958ddd37547bb5d8bd9d2--binary-
> synt
>   `-screen
>       `-screen
>           |-sh
>           |   `-.epiphany-real
>           |       |-WebKitNetworkPr 3 21
>           |       |   |-{BMScavenger}
>           |       |   |-{ReceiveQueue}
>           |       |   |-{StorageTask}
>           |       |   |-{Storage}
>           |       |   |-{WebStorage}
>           |       |   |-{background}
>           |       |   |-{dconf worker}
>           |       |   |-{erialBackground}
>           |       |   |-{gdbus}
>           |       |   `-{gmain}
>           |       |-bwrap --args 37 --
> /gnu/store/hqhxgw0i8xh38h6kwmyrkywcd24q5f1z-webk
>           |       |   `-bwrap --args 37 --
> /gnu/store/hqhxgw0i8xh38h6kwmyrkywcd24q5f1z-webk
>           |       |       `-WebKitWebProces 1277 28
>           |       |-{.epiphany-real}
>           |       |-{BMScavenger}
>           |       |-{HashSaltStorage}
>           |       |-{IconDatabase}
>           |       |-{PressureMonitor}
>           |       |-2*[{ReceiveQueue}]
>           |       |-{dconf worker}
>           |       |-{e Compile Queue}
>           |       |-{ebsiteDataStore}
>           |       |-{gdbus}
>           |       |-{gmain}
>           |       |-{re Remove Queue}
>           |       `-{tore Read Queue}
>           `-sh
>               `-pstree -at
> > Also,
> >     ls -lr /sys/class/drm
> total 0
> -r--r--r-- 1 65534 overflow 4096 Mar 14 17:59 version
> lrwxrwxrwx 1 65534 overflow    0 Mar 14 17:58 ttm ->
> ../../devices/virtual/drm/ttm
> lrwxrwxrwx 1 65534 overflow    0 Mar 14 17:59 renderD128 ->
> ../../devices/pci0000:00/0000:00:02.0/0000:01:00.0/drm/renderD128
> lrwxrwxrwx 1 65534 overflow    0 Mar 14 17:59 card0-VGA-1 ->
> ../../devices/pci0000:00/0000:00:02.0/0000:01:00.0/drm/card0/card0-VGA-
> 1
> lrwxrwxrwx 1 65534 overflow    0 Mar 14 17:59 card0-HDMI-A-1 ->
> ../../devices/pci0000:00/0000:00:02.0/0000:01:00.0/drm/card0/card0-
> HDMI-A-1
> lrwxrwxrwx 1 65534 overflow    0 Mar 14 17:58 card0-DVI-D-1 ->
> ../../devices/pci0000:00/0000:00:02.0/0000:01:00.0/drm/card0/card0-DVI-
> D-1
> lrwxrwxrwx 1 65534 overflow    0 Mar 14 17:58 card0 ->
> ../../devices/pci0000:00/0000:00:02.0/0000:01:00.0/drm/card0
> > if that's accessible -- I'm wondering if the version of screen
> > in the container is built with libdrm and is bypassing X or ??
> I doubt it is being built differently than screen normally is.
> 
> > Do you have a makefile or a guix something.scm defining
> > what's built/packed into your container? 
> Nah, it's a rather ad-hoc definition grown from what should be an Eolie
> container from the cookbook (also refer to #47097).
> 
>     guix environment --preserve='^DISPLAY$' --preserve=XAUTHORITY \
>      --preserve=TERM \
>      --expose=$XAUTHORITY \
>      --expose=/etc/machine-id \
>      --expose=/etc/ssl/certs/ \
>      --expose=/sys/block --expose=/sys/class --expose=/sys/bus \
>      --expose=/sys/dev --expose=/sys/devices \
>      --ad-hoc epiphany nss-certs dbus procps coreutils psmisc screen
> 
> Given that I expose most of /sys explicitly, you should take the above
> with a grain of salt.
> 
> > Sorry if my curiosity is making work for you, but I'd like to
> > try containers down the road -- tho right now I'm taking a break
> > from events IRL, so I may disappear for a while...
> I'm not personally impacted by this bug or anything, it's much rather a
> follow-up to my attempted fix of #47097.  I think there might be some
> flaw in trying to run a sandbox inside a sandbox (like bubblewrap
> inside `guix container`), that doesn't actually improve security in any
> meaningful way.
> 
> Regards,
> Leo
> 

If you can run this inside your container, I think it will be interesting:
    lsof -U|grep -i wayland

The above ought to show quickly if wayland is running.

lsof -U shows the open sockets.

If the above shows nothing, try
    lsof -U|grep -i x11
or
    lsof -U|grep X

Finally, it is interesting to see
    lsof -U|less

but on my laptop I just got
    lsof -U|wc
        403    3760   34643

so it's a lot to look at.
Hopefully less in a container ;)

-- 
Regards,
Bengt Richter
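Added here as an example (not code from the thread or from Guix): a shell check equivalent to the `lsof -U | grep` commands above, reading /proc/net/unix directly (the table lsof consults) so it also works inside a container that has no lsof; the socket table it runs on is constructed. An X11 or session-bus socket that is visible inside the sandbox means that channel is shared with the host, which is worth confirming before relying on a sandbox nested inside `guix environment --container`.

```shell
#!/bin/sh
# Added example, not from the bug thread: report which display-server and
# bus sockets are visible from where it runs, i.e. the check behind
# "lsof -U | grep -i wayland", read from /proc/net/unix (the table lsof
# consults) so it also works in a container that has no lsof installed.
# /proc/net/unix columns: Num RefCount Protocol Flags Type St Inode Path
# Paths beginning with "@" are abstract sockets (no filesystem node).

# Reads a /proc/net/unix-formatted table on stdin, prints one summary line.
classify_unix_sockets() {
    awk '
    NR > 1 && NF >= 8 {
        path = $8
        if (path ~ /\/tmp\/\.X11-unix\/X[0-9]+$/)        kind = "x11"
        else if (path ~ /wayland-[0-9]+$/)               kind = "wayland"
        else if (path ~ /(^|\/)bus$/ || path ~ /dbus/)   kind = "dbus"
        else                                             kind = "other"
        count[kind]++
    }
    END {
        printf "x11=%d wayland=%d dbus=%d other=%d\n",
               count["x11"] + 0, count["wayland"] + 0,
               count["dbus"] + 0, count["other"] + 0
    }'
}

# Constructed sample table (not captured from a real system) in the
# /proc/net/unix layout: an X11 socket plus its abstract twin, a Wayland
# socket, a D-Bus session bus socket, and an unnamed socket with no path.
sample_unix_table() {
    cat <<'EOF'
Num       RefCount Protocol Flags    Type St Inode Path
0000000000000000: 00000002 00000000 00010000 0001 01 31001 /tmp/.X11-unix/X0
0000000000000000: 00000002 00000000 00010000 0001 01 31002 @/tmp/.X11-unix/X0
0000000000000000: 00000002 00000000 00010000 0001 01 31003 /run/user/1000/wayland-0
0000000000000000: 00000002 00000000 00010000 0001 01 31004 /run/user/1000/bus
0000000000000000: 00000003 00000000 00000000 0001 03 31005
EOF
}

# Offline run on the sample; inside the container use:
#   classify_unix_sockets < /proc/net/unix
sample_unix_table | classify_unix_sockets
```

The abstract socket (`@/tmp/.X11-unix/X0`) is counted as X11 too, since a namespace-isolated container can still reach it when the network namespace is shared.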




debbugs.gnu.org maintainers <help-debbugs@gnu.org>. Last modified: Sun Dec 22 08:55:55 2024; Machine Name: wallace-server
