[Webkit-unassigned] [Bug 258403] [WPE] WebProcess sandbox is too restrictive

Thu Jun 22 10:11:07 PDT 2023

https://bugs.webkit.org/show_bug.cgi?id=258403

Michael Catanzaro <mcatanzaro at redhat.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |mcatanzaro at redhat.com

--- Comment #1 from Michael Catanzaro <mcatanzaro at redhat.com> ---
There's no way BubblewrapLauncher could plausibly be expected to know that you've installed GStreamer inside the WebKit build directory and it needs to mount the build directory in the sandbox. I assume this deps-build was never tested with the sandbox enabled until now?

You can review bindGStreamerData in BubblewrapLauncher.cpp to see how it decides to mount particular locations.

(In reply to Philippe Normand from comment #0)
> And also where can I write files now? home seems readonly :(

It would not be useful for it to be writable, because it's not the same home as on your host system and you'd be writing to the abyss. Many directories *within* home are mounted from the host, though, e.g., ~/.local/share/gstreamer-1.0. So if you're just debugging, you this is one of various places you can write stuff to. (Corollary: the data in these directories is expected to be malicious, because the compromised web process can write to them.)

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20230622/9054b2f3/attachment.htm>