Public bug reported:

[ Impact ]

* GTK in 26.04 has a single image loader: glycin, which sandboxes its loaders using `bwrap`
* This doesn't work in snaps because they're already sandboxed
* The patch adds detection for when glycin runs in a snap environment through apparmor or environment, and disables sandboxing in this case
* There's no change to behaviour outside of snap

[ Test Plan ]

* Build the snap from: https://github.com/canonical/iot-example-graphical-snap/tree/26/GTK3-adventure/
  Notice it crashes on startup with:

```
Bail out! Gtk:ERROR:../../../gtk/gtkiconhelper.c:495:ensure_surface_for_gicon: assertion failed (error == NULL): Failed to load /snap/iot-example-graphical-snap/x2/usr/share/icons/Adwaita/scalable/status/image-missing.svg: Loader process exited early with status '1'
Command: "bwrap" "--unshare-all" "--die-with-parent" "--chdir" "/" "--ro-bind" "/usr" "/usr" "--dev" "/dev" "--ro-bind-try" "/etc/ld.so.cache" "/etc/ld.so.cache" "--ro-bind-try" "/nix/store" "/nix/store" "--tmpfs" "/tmp-home" "--tmpfs" "/tmp-run" "--clearenv" "--setenv" "HOME" "/tmp-home" "--setenv" "XDG_RUNTIME_DIR" "/tmp-run" "--setenv" "XDG_RUNTIME_DIR" "/run/user/1000/snap.iot-example-graphical-snap" "--symlink" "/usr/lib64" "/lib64" "--symlink" "/usr/lib32" "/lib32" "--symlink" "/usr/lib" "/lib" "--ro-bind-try" "/etc/fonts/conf.d" "/etc/fonts/conf.d" "--ro-bind-try" "/etc/fonts/fonts.conf" "/etc/fonts/fonts.conf" "--ro-bind-try" "/home/michal/snap/iot-example-graphical-snap/common/.cache/fontconfig" "/home/michal/snap/iot-example-graphical-snap/common/.cache/fontconfig" "--ro-bind-try" "/snap/iot-example-graphical-snap/x2/usr/share/fonts" "/snap/iot-example-graphical-snap/x2/usr/share/fonts" "--ro-bind-try" "/var/cache/fontconfig" "/var/cache/fontconfig" "--bind-try" "/home/michal/snap/iot-example-graphical-snap/common/.cache/glycin/usr/libexec/glycin-loaders/2+/glycin-svg" "/home/michal/snap/iot-example-graphical-snap/common/.cache/glycin/usr/libexec/glycin-loaders/2+/glycin-svg" "--setenv" "XDG_CACHE_HOME" "/home/michal/snap/iot-example-graphical-snap/common/.cache/glycin/usr/libexec/glycin-loaders/2+/glycin-svg" "--seccomp" "15" "/usr/libexec/glycin-loaders/2+/glycin-svg" "--dbus-fd" "14" (gdk-pixbuf-error-quark, 0)
```

[ Where problems could occur ]

* The patch shouldn't affect non-snap environments, and is a clear improvement for GTK-based snaps, allowing them to work at all :)
* This disables sandboxing _within_ snaps, so whatever data is available to the snap is vulnerable to being exploited - this is the status quo from before glycin, though.

[ Other Info ]

* The patch comes from the GNOME SDK Snap: https://github.com/ubuntu/gnome-sdk/commit/9b048312c0321f7648f85bbd24ab4642ee36a030
* There's a planned effort to enable nested sandboxing via landlock instead, but there's no ETA on this at the moment.

** Affects: glycin (Ubuntu)
   Importance: Undecided
   Status: New

** Patch added: "glycin-snap-no-sandbox.patch"
   https://bugs.launchpad.net/bugs/2158724/+attachment/5979574/+files/glycin-snap-no-sandbox.patch

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2158724

Title:
  [SRU] glycin doesn't work in snaps due to sandboxing

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/glycin/+bug/2158724/+subscriptions

--
ubuntu-bugs mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
