bug#47106: Bubblewrap hates Guix containers π
From: Bengt Richter
Subject: bug#47106: Bubblewrap hates Guix containers π
Date: Tue, 16 Mar 2021 11:54:42 +0100
User-agent: Mutt/1.10.1 (2018-07-13)
Hi Leo,
One more favor? ;)
On +2021-03-14 19:05:24 +0100, Leo Prikler wrote:
> Hi again³
>
> Am Sonntag, den 14.03.2021, 18:45 +0100 schrieb Bengt Richter:
> > Hi again^2,
> >
> > Maybe
> > pstree -at
> > would show a little more?
> sh
> |-dbus-daemon --syslog-only --fork --print-pid 5 --print-address 7 --sess
> |-dbus-launch --autolaunch=fa7a4d52637958ddd37547bb5d8bd9d2--binary-synt
> `-screen
> `-screen
> |-sh
> | `-.epiphany-real
> | |-WebKitNetworkPr 3 21
> | | |-{BMScavenger}
> | | |-{ReceiveQueue}
> | | |-{StorageTask}
> | | |-{Storage}
> | | |-{WebStorage}
> | | |-{background}
> | | |-{dconf worker}
> | | |-{erialBackground}
> | | |-{gdbus}
> | | `-{gmain}
> | |-bwrap --args 37 -- /gnu/store/hqhxgw0i8xh38h6kwmyrkywcd24q5f1z-webk
> | | `-bwrap --args 37 -- /gnu/store/hqhxgw0i8xh38h6kwmyrkywcd24q5f1z-webk
> | | `-WebKitWebProces 1277 28
> | |-{.epiphany-real}
> | |-{BMScavenger}
> | |-{HashSaltStorage}
> | |-{IconDatabase}
> | |-{PressureMonitor}
> | |-2*[{ReceiveQueue}]
> | |-{dconf worker}
> | |-{e Compile Queue}
> | |-{ebsiteDataStore}
> | |-{gdbus}
> | |-{gmain}
> | |-{re Remove Queue}
> | `-{tore Read Queue}
> `-sh
> `-pstree -at
> > Also,
> > ls -lr /sys/class/drm
> total 0
> -r--r--r-- 1 65534 overflow 4096 Mar 14 17:59 version
> lrwxrwxrwx 1 65534 overflow 0 Mar 14 17:58 ttm -> ../../devices/virtual/drm/ttm
> lrwxrwxrwx 1 65534 overflow 0 Mar 14 17:59 renderD128 -> ../../devices/pci0000:00/0000:00:02.0/0000:01:00.0/drm/renderD128
> lrwxrwxrwx 1 65534 overflow 0 Mar 14 17:59 card0-VGA-1 -> ../../devices/pci0000:00/0000:00:02.0/0000:01:00.0/drm/card0/card0-VGA-1
> lrwxrwxrwx 1 65534 overflow 0 Mar 14 17:59 card0-HDMI-A-1 -> ../../devices/pci0000:00/0000:00:02.0/0000:01:00.0/drm/card0/card0-HDMI-A-1
> lrwxrwxrwx 1 65534 overflow 0 Mar 14 17:58 card0-DVI-D-1 -> ../../devices/pci0000:00/0000:00:02.0/0000:01:00.0/drm/card0/card0-DVI-D-1
> lrwxrwxrwx 1 65534 overflow 0 Mar 14 17:58 card0 -> ../../devices/pci0000:00/0000:00:02.0/0000:01:00.0/drm/card0
> > if that's accessible -- I'm wondering if the version of screen
> > in the container is built with libdrm and is bypassing X or ??
> I doubt it is being built differently than screen normally is.
>
> > Do you have a makefile or a guix something.scm defining
> > what's built/packed into your container?
> Nah, it's a rather ad-hoc definition grown from what should be an Eolie
> container from the cookbook (also refer to #47097).
>
> guix environment --preserve='^DISPLAY$' --preserve=XAUTHORITY \
> --preserve=TERM \
> --expose=$XAUTHORITY \
> --expose=/etc/machine-id \
> --expose=/etc/ssl/certs/ \
> --expose=/sys/block --expose=/sys/class --expose=/sys/bus \
> --expose=/sys/dev --expose=/sys/devices \
> --ad-hoc epiphany nss-certs dbus procps coreutils psmisc screen
>
> Given that I expose most of /sys explicitly, you should take the above
> with a grain of salt.
>
> > Sorry if my curiosity is making work for you, but I'd like to
> > try containers down the road -- tho right now I'm taking a break
> > from events IRL, so I may disappear for a while...
> I'm not personally impacted by this bug or anything, it's much rather a
> follow-up to my attempted fix of #47097. I think there might be some
> flaw in trying to run a sandbox inside a sandbox (like bubblewrap
> inside `guix container`), that doesn't actually improve security in any
> meaningful way.
>
> Regards,
> Leo
>
If you can run this inside your container, I think it will be interesting:
lsof -U|grep -i wayland
The above ought to show quickly if wayland is running.
lsof -U shows the open sockets.
If the above shows nothing, try
lsof -U|grep -i x11
or
lsof -U|grep X
finally, it is interesting to see
lsof -U|less
but on my laptop I just got
lsof -U|wc
403 3760 34643
so it's a lot to look at.
Hopefully less in a container ;)
--
Regards,
Bengt Richter
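The socket survey suggested above, packaged as an added example so that the result is a count per protocol (Wayland, X11, D-Bus, other) instead of a page of `lsof -U` lines to read through. This is not code from the bug thread, from Guix or from bubblewrap. The lsof sample below is constructed in the column layout `lsof -U` prints, not captured from the reporter's container; the `in_user_namespace` check is my addition, prompted by the `65534 overflow` owner in the quoted `ls -l /sys/class/drm` output, which is what the kernel shows for uids the current user namespace cannot map. Function names, PIDs and socket paths are assumptions.

```sh
#!/bin/sh
# Added example, not code from the bug report, Guix or bubblewrap.
# Summarises `lsof -U` output by display/IPC protocol and checks whether the
# caller sits inside a user namespace. Names and sample data are made up.

# Constructed sample in the column layout of `lsof -U` (COMMAND PID USER FD
# TYPE DEVICE SIZE/OFF NODE NAME); not captured from any real container.
SAMPLE_LSOF='COMMAND     PID USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
dbus-daem   101 leo     3u  unix 0x0000000000000001      0t0  100 /tmp/dbus-abc123 type=STREAM
.epiphany   202 leo    10u  unix 0x0000000000000002      0t0  200 type=STREAM
.epiphany   202 leo    11u  unix 0x0000000000000003      0t0  201 @/tmp/.X11-unix/X0 type=STREAM
.epiphany   202 leo    12u  unix 0x0000000000000004      0t0  202 /run/user/1000/wayland-0 type=STREAM
WebKitWeb   303 leo     5u  unix 0x0000000000000005      0t0  300 type=SEQPACKET'

# classify_sockets: read `lsof -U` output on stdin, print "kind count" for
# each kind seen: wayland, x11 (filesystem path or abstract @ socket), dbus,
# other. The header line (NR == 1) is skipped; matching is on the socket path
# in the NAME column, so a COMMAND such as "dbus-daem" does not count.
classify_sockets() {
  awk 'NR > 1 {
         kind = "other"
         if ($0 ~ /\/wayland-[0-9]+( |$)/)                                kind = "wayland"
         else if ($0 ~ /\/\.X11-unix\/X[0-9]+( |$)/)                       kind = "x11"
         else if ($0 ~ /\/dbus-[A-Za-z0-9]+( |$)/ || $0 ~ /\/bus( |$)/)    kind = "dbus"
         count[kind]++
       }
       END { for (k in count) print k, count[k] }'
}

# count_sockets KIND: number of sockets of KIND in the lsof output on stdin
# (prints 0 when the kind is absent, so callers can compare numerically).
count_sockets() {
  classify_sockets | awk -v kind="$1" \
    '$1 == kind { print $2; found = 1 } END { if (!found) print 0 }'
}

# in_user_namespace: read a uid_map ("inside outside length" lines) on stdin.
# Returns 0 (true) unless the map is the single identity line of the initial
# namespace, "0 0 4294967295". Inside a user namespace, host uids that are
# not mapped are reported as the overflow uid (65534 by default), which is
# why a container's view of /sys can show files owned by "65534 overflow".
in_user_namespace() {
  awk '$1 == 0 && $2 == 0 && $3 == 4294967295 { ident = 1 }
       END { exit (NR == 1 && ident) ? 1 : 0 }'
}

# Stand-alone demonstration on the constructed sample, then on this process.
printf '%s\n' "$SAMPLE_LSOF" | classify_sockets
if [ -r /proc/self/uid_map ] && in_user_namespace < /proc/self/uid_map; then
  echo "this process is inside a user namespace"
else
  echo "this process is in the initial user namespace (or uid_map unreadable)"
fi
```

Inside the container the live equivalents are `lsof -U 2>/dev/null | classify_sockets` and `in_user_namespace < /proc/self/uid_map`; the latter is worth running before blaming bubblewrap, since a non-identity uid_map is the quickest sign that the process already lives in a user namespace created by `guix environment --container`.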