221990 2021-02-16 13:12:43 -0800 [GTK] Bubblewrap sandbox should not break X11 forwarding 2021-03-05 07:31:58 -0800 1 1 1 Unclassified WebKit WebKitGTK WebKit Nightly Build PC Linux RESOLVED FIXED https://bugzilla.redhat.com/show_bug.cgi?id=1905720 P2 Normal --- 206533 1 mcatanzaro mcatanzaro ajfclark bugs-noreply cgarcia clopez mcatanzaro pgriffis oldest_to_newest 1729888 0 mcatanzaro 2021-02-16 13:12:43 -0800 Currently the bubblewrap sandbox breaks X11 forwarding via SSH, I suspect because the web process is unable to connect to the X server via TCP due to being isolated in a network namespace. We should just disable the network namespace in this case and accept that such configurations are less secure. Untested patch incoming. I will ask a couple users who use X11 forwarding to test the patch and will request review once somebody confirms whether it actually works. 1729919 1 420537 mcatanzaro 2021-02-16 13:46:49 -0800 Created attachment 420537 Patch 1729933 2 ajfclark 2021-02-16 14:17:00 -0800 Understanding the issue correctly now, I've also found a more subtle workaround that doesn't require letting down the sandbox as much. On the machine running evolution, I use socat to redirect a unix socket to the expected X server. For example, if ssh has given me localhost:10.0 as my DISPLAY: socat UNIX-LISTEN:/tmp/.X11-unix/X10,fork TCP:localhost:6010 & And then run evolution on using that display successfully: DISPLAY=:10.0 evolution Slightly messy, but perhaps better than allowing carte blanche network access? 1729935 3 ajfclark 2021-02-16 14:18:57 -0800 (In reply to Michael Catanzaro from comment #1) > Created attachment 420537 [details] > Patch Thanks for being so quick with that. I'll spin up a dev environment and test this. 1729955 4 mcatanzaro 2021-02-16 14:48:19 -0800 (In reply to Andrew Clark from comment #2) > Slightly messy, but perhaps better than allowing carte blanche network > access? Right that would be best (though we'd want to do that manually without depending on /usr/bin/socat). That's basically option 1 from https://gitlab.gnome.org/GNOME/evolution/-/issues/1369#note_1038267, whereas what I implemented is option 2. 1731071 5 420537 mcatanzaro 2021-02-18 16:03:57 -0800 Comment on attachment 420537 Patch Downstream user reports this patch works.... If anyone wants to try to set up a socket forwarding scheme, that would be the ideal solution. In the meantime, this patch works. 1732006 6 ajfclark 2021-02-21 16:15:35 -0800 (In reply to Michael Catanzaro from comment #1) > Created attachment 420537 [details] > Patch Confirmed this works in my setup too. Thank you. aclark@pleco 0 ~ $ ldd `which evolution` | grep webkit libwebkit2gtk-4.0.so.37 => /lib/x86_64-linux-gnu/libwebkit2gtk-4.0.so.37 (0x00007f82f992e000) aclark@pleco 0 ~ $ evolution (evolution-alarm-notify:2288541): GLib-GIO-WARNING **: 11:12:51.637: Your application did not unregister from D-Bus before destruction. Consider using g_application_run(). (WebKitWebProcess:2): Gtk-WARNING **: 11:12:52.256: cannot open display: localhost:10.0 (WebKitWebProcess:2): Gtk-WARNING **: 11:12:57.277: cannot open display: localhost:10.0 (evolution:2288506): evolution-WARNING **: 11:12:59.816: Shell not finalized on exit aclark@pleco 0 ~ $ export LD_LIBRARY_PATH=/usr/local/lib/ aclark@pleco 0 ~ $ ldd `which evolution` | grep webkit libwebkit2gtk-4.0.so.37 => /usr/local/lib/libwebkit2gtk-4.0.so.37 (0x00007eff36260000) aclark@pleco 0 ~ $ evolution (evolution-alarm-notify:2288732): GLib-GIO-WARNING **: 11:13:29.087: Your application did not unregister from D-Bus before destruction. Consider using g_application_run(). (evolution:2288697): GLib-GIO-WARNING **: 11:13:35.853: Your application did not unregister from D-Bus before destruction. Consider using g_application_run(). aclark@pleco 0 ~ $ 1735993 7 mcatanzaro 2021-03-04 13:20:07 -0800 Ping reviewers 1736328 8 ews-feeder 2021-03-05 07:31:55 -0800 Committed r273965: <https://commits.webkit.org/r273965> All reviewed patches have been landed. Closing bug and clearing flags on attachment 420537. 420537 2021-02-16 13:46:49 -0800 2021-03-05 07:31:57 -0800 Patch bug-221990-20210216154648.patch text/plain 5062 mcatanzaro U3VidmVyc2lvbiBSZXZpc2lvbjogMjcyOTIxCmRpZmYgLS1naXQgYS9Tb3VyY2UvV2ViS2l0L0No YW5nZUxvZyBiL1NvdXJjZS9XZWJLaXQvQ2hhbmdlTG9nCmluZGV4IGViYjNkMzE1ODA5OTc2Yzhk Y2JkNDZjYzBhNDAwOTM4M2Q1NjNjM2EuLmNiN2Q2MzBlOTIyOThlYjQ2YjIxYTA2MTI1MTNiMmI4 NGM0NTMzNjMgMTAwNjQ0Ci0tLSBhL1NvdXJjZS9XZWJLaXQvQ2hhbmdlTG9nCisrKyBiL1NvdXJj ZS9XZWJLaXQvQ2hhbmdlTG9nCkBAIC0xLDMgKzEsMjIgQEAKKzIwMjEtMDItMTYgIE1pY2hhZWwg Q2F0YW56YXJvICA8bWNhdGFuemFyb0Bnbm9tZS5vcmc+CisKKyAgICAgICAgW0dUS10gQnViYmxl d3JhcCBzYW5kYm94IHNob3VsZCBub3QgYnJlYWsgWDExIGZvcndhcmRpbmcKKyAgICAgICAgaHR0 cHM6Ly9idWdzLndlYmtpdC5vcmcvc2hvd19idWcuY2dpP2lkPTIyMTk5MAorCisgICAgICAgIFJl dmlld2VkIGJ5IE5PQk9EWSAoT09QUyEpLgorCisgICAgICAgIElmICRESVNQTEFZIHBvaW50cyB0 byBhIFRDUCBzb2NrZXQsIG9yIGEgVW5peCBzb2NrZXQgb24gYSBkaWZmZXJlbnQgaG9zdCwgdGhl biB3ZSBjYW5ub3QKKyAgICAgICAgaXNvbGF0ZSB0aGUgd2ViIHByb2Nlc3MgZnJvbSB0aGUgbmV0 d29yayBhbmQgbXVzdCBncmFudCBhY2Nlc3MgdG8gdGhlIGhvc3QgbmV0d29yaworICAgICAgICBu YW1lc3BhY2UuCisKKyAgICAgICAgQWxzbywgY2xlYW4gdXAgc29tZSByZWxhdGVkIGNvZGUgYnkg YWRkaW5nIFBMQVRGT1JNKFgxMSkgZ3VhcmRzIHdoZXJlIGFwcHJvcHJpYXRlIGFuZAorICAgICAg ICByZW1vdmluZyBhIHJlZHVuZGFudCBkaXNwbGF5IHR5cGUgY2hlY2suCisKKyAgICAgICAgKiBV SVByb2Nlc3MvTGF1bmNoZXIvZ2xpYi9CdWJibGV3cmFwTGF1bmNoZXIuY3BwOgorICAgICAgICAo V2ViS2l0OjpiaW5kV2F5bGFuZCk6CisgICAgICAgIChXZWJLaXQ6OnNob3VsZFVuc2hhcmVOZXR3 b3JrKToKKyAgICAgICAgKFdlYktpdDo6YnViYmxld3JhcFNwYXduKToKKwogMjAyMS0wMi0xNiAg QWxleCBDaHJpc3RlbnNlbiAgPGFjaHJpc3RlbnNlbkB3ZWJraXQub3JnPgogCiAgICAgICAgIEFk ZCBBUEkgdG8gZGlzYWJsZSBIVFRQUyB1cGdyYWRlCmRpZmYgLS1naXQgYS9Tb3VyY2UvV2ViS2l0 L1VJUHJvY2Vzcy9MYXVuY2hlci9nbGliL0J1YmJsZXdyYXBMYXVuY2hlci5jcHAgYi9Tb3VyY2Uv V2ViS2l0L1VJUHJvY2Vzcy9MYXVuY2hlci9nbGliL0J1YmJsZXdyYXBMYXVuY2hlci5jcHAKaW5k ZXggOGVlYzk4ZGRkZGZkYzlkZmI3M2Q4NTBjZWIwOTY2NTBjNzE3MjdmOC4uZmU4NGE3YzczNDIw ZTAzNTUyYzRjYmJhMTYzOTczMTEyZDljMGU4ZiAxMDA2NDQKLS0tIGEvU291cmNlL1dlYktpdC9V SVByb2Nlc3MvTGF1bmNoZXIvZ2xpYi9CdWJibGV3cmFwTGF1bmNoZXIuY3BwCisrKyBiL1NvdXJj ZS9XZWJLaXQvVUlQcm9jZXNzL0xhdW5jaGVyL2dsaWIvQnViYmxld3JhcExhdW5jaGVyLmNwcApA QCAtMzMyLDYgKzMzMiw3IEBAIHN0YXRpYyB2b2lkIGJpbmREQnVzU2Vzc2lvbihWZWN0b3I8Q1N0 cmluZz4mIGFyZ3MsIFhER0RCdXNQcm94eUxhdW5jaGVyJiBwcm94eSkKICAgICB9CiB9CiAKKyNp ZiBQTEFURk9STShYMTEpCiBzdGF0aWMgdm9pZCBiaW5kWDExKFZlY3RvcjxDU3RyaW5nPiYgYXJn cykKIHsKICAgICBjb25zdCBjaGFyKiBkaXNwbGF5ID0gZ19nZXRlbnYoIkRJU1BMQVkiKTsKQEAg LTM1NCwxMyArMzU1LDExIEBAIHN0YXRpYyB2b2lkIGJpbmRYMTEoVmVjdG9yPENTdHJpbmc+JiBh cmdzKQogICAgIH0gZWxzZQogICAgICAgICBiaW5kSWZFeGlzdHMoYXJncywgeGF1dGgpOwogfQor I2VuZGlmCiAKICNpZiBQTEFURk9STShXQVlMQU5EKSAmJiBVU0UoRUdMKQogc3RhdGljIHZvaWQg YmluZFdheWxhbmQoVmVjdG9yPENTdHJpbmc+JiBhcmdzKQogewotICAgIGlmIChQbGF0Zm9ybURp c3BsYXk6OnNoYXJlZERpc3BsYXkoKS50eXBlKCkgIT0gUGxhdGZvcm1EaXNwbGF5OjpUeXBlOjpX YXlsYW5kKQotICAgICAgICByZXR1cm47Ci0KICAgICBjb25zdCBjaGFyKiBkaXNwbGF5ID0gZ19n ZXRlbnYoIldBWUxBTkRfRElTUExBWSIpOwogICAgIGlmICghZGlzcGxheSkKICAgICAgICAgZGlz cGxheSA9ICJ3YXlsYW5kLTAiOwpAQCAtNzIxLDYgKzcyMCwyOSBAQCBzdGF0aWMgaW50IHNldHVw U2VjY29tcCgpCiAgICAgcmV0dXJuIHRtcGZkOwogfQogCitzdGF0aWMgYm9vbCBzaG91bGRVbnNo YXJlTmV0d29yayhQcm9jZXNzTGF1bmNoZXI6OlByb2Nlc3NUeXBlIHByb2Nlc3NUeXBlKQorewor ICAgIC8vIHhkZy1kYnVzLXByb3h5IG5lZWRzIGFjY2VzcyB0byBob3N0IGFic3RyYWN0IHNvY2tl dHMgdG8gY29ubmVjdCB0byB0aGUgYTExeSBidXMuIFNlY3VyZQorICAgIC8vIGhvc3Qgc2Vydmlj ZXMgbXVzdCBub3QgdXNlIGFic3RyYWN0IHNvY2tldHMuCisgICAgaWYgKHByb2Nlc3NUeXBlID09 IFByb2Nlc3NMYXVuY2hlcjo6UHJvY2Vzc1R5cGU6OkRCdXNQcm94eSkKKyAgICAgICAgcmV0dXJu IGZhbHNlOworCisjaWYgUExBVEZPUk0oWDExKQorICAgIC8vIEFsc28sIHRoZSB3ZWIgcHJvY2Vz cyBuZWVkcyBhY2Nlc3MgdG8gaG9zdCBuZXR3b3JraW5nIGlmIHRoZSBYIHNlcnZlciBpcyBydW5u aW5nIG92ZXIgVENQIG9yCisgICAgLy8gb24gYSBkaWZmZXJlbnQgaG9zdCdzIFVuaXggc29ja2V0 OyB0aGlzIGlzIGxpa2VseSB0aGUgY2FzZSBpZiB0aGUgZmlyc3QgY2hhcmFjdGVyIG9mIERJU1BM QVkKKyAgICAvLyBpcyBub3QgYSBjb2xvbi4KKyAgICBpZiAocHJvY2Vzc1R5cGUgPT0gUHJvY2Vz c0xhdW5jaGVyOjpQcm9jZXNzVHlwZTo6V2ViICYmIFBsYXRmb3JtRGlzcGxheTo6c2hhcmVkRGlz cGxheSgpLnR5cGUoKSA9PSBQbGF0Zm9ybURpc3BsYXk6OlR5cGU6OlgxMSkgeworICAgICAgICBj b25zdCBjaGFyKiBkaXNwbGF5ID0gZ19nZXRlbnYoIkRJU1BMQVkiKTsKKyAgICAgICAgaWYgKGRp c3BsYXkgJiYgZGlzcGxheVswXSAhPSAnOicpCisgICAgICAgICAgICByZXR1cm4gZmFsc2U7Cisg ICAgfQorI2VuZGlmCisKKyAgICAvLyBPdGhlcndpc2UsIG9ubHkgdGhlIG5ldHdvcmsgcHJvY2Vz cyBzaG91bGQgaGF2ZSBuZXR3b3JrIGFjY2Vzcy4gSWYgd2UgYXJlIHRoZSBuZXR3b3JrCisgICAg Ly8gcHJvY2VzcywgdGhlbiB3ZSBhcmUgbm90IHNhbmRib3hlZCBhbmQgaGF2ZSBhbHJlYWR5IGJh aWxlZCBvdXQgYmVmb3JlIHRoaXMgcG9pbnQuCisgICAgcmV0dXJuIHRydWU7Cit9CisKIEdSZWZQ dHI8R1N1YnByb2Nlc3M+IGJ1YmJsZXdyYXBTcGF3bihHU3VicHJvY2Vzc0xhdW5jaGVyKiBsYXVu Y2hlciwgY29uc3QgUHJvY2Vzc0xhdW5jaGVyOjpMYXVuY2hPcHRpb25zJiBsYXVuY2hPcHRpb25z LCBjaGFyKiogYXJndiwgR0Vycm9yICoqZXJyb3IpCiB7CiAgICAgQVNTRVJUKGxhdW5jaGVyKTsK QEAgLTc3OSwxNSArODAxLDExIEBAIEdSZWZQdHI8R1N1YnByb2Nlc3M+IGJ1YmJsZXdyYXBTcGF3 bihHU3VicHJvY2Vzc0xhdW5jaGVyKiBsYXVuY2hlciwgY29uc3QgUHJvY2VzCiAgICAgICAgICAg ICAvLyBpcyB3aGVyZSB3ZSBtb3VudCBvdXIgcHJveHkgc29ja2V0LgogICAgICAgICAgICAgIi0t YmluZCIsIHJ1bkRpciwgcnVuRGlyLAogICAgICAgICB9KSk7Ci0gICAgfSBlbHNlIHsKLSAgICAg ICAgLy8geGRnLWRidXMtcHJveHkgbmVlZHMgYWNjZXNzIHRvIGhvc3QgYWJzdHJhY3Qgc29ja2V0 cyB0byBjb25uZWN0IHRvIHRoZSBhMTF5IGJ1cy4gU2VjdXJlCi0gICAgICAgIC8vIGhvc3Qgc2Vy dmljZXMgbXVzdCBub3QgdXNlIGFic3RyYWN0IHNvY2tldHMuIE90aGVyd2lzZSwgb25seSB0aGUg bmV0d29yayBwcm9jZXNzIHNob3VsZAotICAgICAgICAvLyBoYXZlIG5ldHdvcmsgYWNjZXNzLCBh bmQgdGhlIG5ldHdvcmsgcHJvY2VzcyBpcyBub3Qgc2FuZGJveGVkIGF0IGFsbC4KLSAgICAgICAg c2FuZGJveEFyZ3MuYXBwZW5kVmVjdG9yKFZlY3RvcjxDU3RyaW5nPih7Ci0gICAgICAgICAgICAi LS11bnNoYXJlLW5ldCIKLSAgICAgICAgfSkpOwogICAgIH0KIAorICAgIGlmIChzaG91bGRVbnNo YXJlTmV0d29yayhsYXVuY2hPcHRpb25zLnByb2Nlc3NUeXBlKSkKKyAgICAgICAgc2FuZGJveEFy Z3MuYXBwZW5kKCItLXVuc2hhcmUtbmV0Iik7CisKICAgICAvLyBXZSB3b3VsZCBoYXZlIHRvIHBh cnNlIGxkIGNvbmZpZyBmaWxlcyBmb3IgbW9yZSBpbmZvLgogICAgIGJpbmRQYXRoVmFyKHNhbmRi b3hBcmdzLCAiTERfTElCUkFSWV9QQVRIIik7CiAKQEAgLTgyMCwxNCArODM4LDE2IEBAIEdSZWZQ dHI8R1N1YnByb2Nlc3M+IGJ1YmJsZXdyYXBTcGF3bihHU3VicHJvY2Vzc0xhdW5jaGVyKiBsYXVu Y2hlciwgY29uc3QgUHJvY2VzCiAgICAgaWYgKGxhdW5jaE9wdGlvbnMucHJvY2Vzc1R5cGUgPT0g UHJvY2Vzc0xhdW5jaGVyOjpQcm9jZXNzVHlwZTo6V2ViKSB7CiAgICAgICAgIHN0YXRpYyBYREdE QnVzUHJveHlMYXVuY2hlciBwcm94eTsKIAotICAgICAgICAvLyBJZiBXYXlsYW5kIGluIHVzZSBk b24ndCBncmFudCBYMTEKICNpZiBQTEFURk9STShXQVlMQU5EKSAmJiBVU0UoRUdMKQogICAgICAg ICBpZiAoUGxhdGZvcm1EaXNwbGF5OjpzaGFyZWREaXNwbGF5KCkudHlwZSgpID09IFBsYXRmb3Jt RGlzcGxheTo6VHlwZTo6V2F5bGFuZCkgewogICAgICAgICAgICAgYmluZFdheWxhbmQoc2FuZGJv eEFyZ3MpOwogICAgICAgICAgICAgc2FuZGJveEFyZ3MuYXBwZW5kKCItLXVuc2hhcmUtaXBjIik7 Ci0gICAgICAgIH0gZWxzZQorICAgICAgICB9CiAjZW5kaWYKKyNpZiBQTEFURk9STShYMTEpCisg ICAgICAgIGlmIChQbGF0Zm9ybURpc3BsYXk6OnNoYXJlZERpc3BsYXkoKS50eXBlKCkgPT0gUGxh dGZvcm1EaXNwbGF5OjpUeXBlOjpYMTEpCiAgICAgICAgICAgICBiaW5kWDExKHNhbmRib3hBcmdz KTsKKyNlbmRpZgogCiAgICAgICAgIGZvciAoY29uc3QgYXV0byYgcGF0aEFuZFBlcm1pc3Npb24g OiBsYXVuY2hPcHRpb25zLmV4dHJhV2ViUHJvY2Vzc1NhbmRib3hQYXRocykgewogICAgICAgICAg ICAgc2FuZGJveEFyZ3MuYXBwZW5kVmVjdG9yKFZlY3RvcjxDU3RyaW5nPih7Cg==