** Description changed:

  [ Impact ]
  
-  * GTK in 26.04 has a single image loader: glycin, which sandboxes its 
loaders using `bwrap`
-  * This doesn't work in snaps because they're already sandboxed
-  * The patch adds detection for when glycin runs in a snap environment 
through apparmor or environment, and disables sandboxing in this case
-  * There's no change to behaviour outside of snap
+  * GTK in 26.04 has a single image loader: glycin, which sandboxes its 
loaders using `bwrap`
+  * This doesn't work in snaps because they're already sandboxed
+  * The patch adds detection for when glycin runs in a snap environment 
through apparmor or environment, and disables sandboxing in this case
+  * There's no change to behaviour outside of snap
  
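Review bot: the criterion that switches sandboxing off needs to be stated precisely here: the bullet says the patch detects a snap "through apparmor or environment" but not which AppArmor label or which environment variable it consults, and because a positive match disables `bwrap` for every loader, a reviewer cannot judge from this text whether anything other than a confined snap could satisfy the check. Suggest naming the concrete signals in the Impact section and stating that the decision is keyed on the snap-specific indicator rather than on a variable any caller could set.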
  [ Test Plan ]
  
-  * Build the snap from: 
https://github.com/canonical/iot-example-graphical-snap/tree/26/GTK3-adventure/
-    Notice it crashes on startup with:
-    ```
-    Bail out! 
Gtk:ERROR:../../../gtk/gtkiconhelper.c:495:ensure_surface_for_gicon: assertion 
failed (error == NULL): Failed to load 
/snap/iot-example-graphical-snap/x2/usr/share/icons/Adwaita/scalable/status/image-missing.svg:
 Loader process exited early with status '1'Command:  "bwrap" "--unshare-all" 
"--die-with-parent" "--chdir" "/" "--ro-bind" "/usr" "/usr" "--dev" "/dev" 
"--ro-bind-try" "/etc/ld.so.cache" "/etc/ld.so.cache" "--ro-bind-try" 
"/nix/store" "/nix/store" "--tmpfs" "/tmp-home" "--tmpfs" "/tmp-run" 
"--clearenv" "--setenv" "HOME" "/tmp-home" "--setenv" "XDG_RUNTIME_DIR" 
"/tmp-run" "--setenv" "XDG_RUNTIME_DIR" 
"/run/user/1000/snap.iot-example-graphical-snap" "--symlink" "/usr/lib64" 
"/lib64" "--symlink" "/usr/lib32" "/lib32" "--symlink" "/usr/lib" "/lib" 
"--ro-bind-try" "/etc/fonts/conf.d" "/etc/fonts/conf.d" "--ro-bind-try" 
"/etc/fonts/fonts.conf" "/etc/fonts/fonts.conf" "--ro-bind-try" 
"/home/michal/snap/iot-example-graphical-snap/common/.cache/fontconfig" 
"/home/michal/snap/iot-example-graphical-snap/common/.cache/fontconfig" 
"--ro-bind-try" "/snap/iot-example-graphical-snap/x2/usr/share/fonts" 
"/snap/iot-example-graphical-snap/x2/usr/share/fonts" "--ro-bind-try" 
"/var/cache/fontconfig" "/var/cache/fontconfig" "--bind-try" 
"/home/michal/snap/iot-example-graphical-snap/common/.cache/glycin/usr/libexec/glycin-loaders/2+/glycin-svg"
 
"/home/michal/snap/iot-example-graphical-snap/common/.cache/glycin/usr/libexec/glycin-loaders/2+/glycin-svg"
 "--setenv" "XDG_CACHE_HOME" 
"/home/michal/snap/iot-example-graphical-snap/common/.cache/glycin/usr/libexec/glycin-loaders/2+/glycin-svg"
 "--seccomp" "15" "/usr/libexec/glycin-loaders/2+/glycin-svg" "--dbus-fd" "14" 
(gdk-pixbuf-error-quark, 0)
-    ```
+  * Build the snap from: 
https://github.com/canonical/iot-example-graphical-snap/tree/26/GTK3-adventure/
+    Notice it crashes on startup with:
+    ```
+    Bail out! 
Gtk:ERROR:../../../gtk/gtkiconhelper.c:495:ensure_surface_for_gicon: assertion 
failed (error == NULL): Failed to load 
/snap/iot-example-graphical-snap/x2/usr/share/icons/Adwaita/scalable/status/image-missing.svg:
 Loader process exited early with status '1'Command:  "bwrap" "--unshare-all" 
"--die-with-parent" "--chdir" "/" "--ro-bind" "/usr" "/usr" "--dev" "/dev" 
"--ro-bind-try" "/etc/ld.so.cache" "/etc/ld.so.cache" "--ro-bind-try" 
"/nix/store" "/nix/store" "--tmpfs" "/tmp-home" "--tmpfs" "/tmp-run" 
"--clearenv" "--setenv" "HOME" "/tmp-home" "--setenv" "XDG_RUNTIME_DIR" 
"/tmp-run" "--setenv" "XDG_RUNTIME_DIR" 
"/run/user/1000/snap.iot-example-graphical-snap" "--symlink" "/usr/lib64" 
"/lib64" "--symlink" "/usr/lib32" "/lib32" "--symlink" "/usr/lib" "/lib" 
"--ro-bind-try" "/etc/fonts/conf.d" "/etc/fonts/conf.d" "--ro-bind-try" 
"/etc/fonts/fonts.conf" "/etc/fonts/fonts.conf" "--ro-bind-try" 
"/home/michal/snap/iot-example-graphical-snap/common/.cache/fontconfig" 
"/home/michal/snap/iot-example-graphical-snap/common/.cache/fontconfig" 
"--ro-bind-try" "/snap/iot-example-graphical-snap/x2/usr/share/fonts" 
"/snap/iot-example-graphical-snap/x2/usr/share/fonts" "--ro-bind-try" 
"/var/cache/fontconfig" "/var/cache/fontconfig" "--bind-try" 
"/home/michal/snap/iot-example-graphical-snap/common/.cache/glycin/usr/libexec/glycin-loaders/2+/glycin-svg"
 
"/home/michal/snap/iot-example-graphical-snap/common/.cache/glycin/usr/libexec/glycin-loaders/2+/glycin-svg"
 "--setenv" "XDG_CACHE_HOME" 
"/home/michal/snap/iot-example-graphical-snap/common/.cache/glycin/usr/libexec/glycin-loaders/2+/glycin-svg"
 "--seccomp" "15" "/usr/libexec/glycin-loaders/2+/glycin-svg" "--dbus-fd" "14" 
(gdk-pixbuf-error-quark, 0)
+    ```
+ 
+  * Verify that building the snap against the updated glycin from -proposed
+    solves the issue. This can be done from launchpad, such as: 
https://launchpad.net/~mir-team/mir/+snap/gtk3-adventure
  
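Review bot: the test plan only exercises the snap path, so the Impact claim "There's no change to behaviour outside of snap" is asserted but never checked. Add a regression step that runs a GTK application from the deb packages against the glycin in -proposed and confirms image loading still goes through a separate `bwrap` loader process (the `"bwrap" "--unshare-all" "--die-with-parent"` command line quoted in the crash trace should still be observable while an SVG is decoded), rather than the loader running in-process. It would also help to state that the crash above is reproduced once with the current glycin and once with the fixed build, so the before/after is explicit.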
  [ Where problems could occur ]
  
-  * The patch shouldn't affect non-snap environments, and is a clear 
improvement for GTK-based snaps, allowing them to work at all :)
-  * This disables sandboxing _within_ snaps, so whatever data is available to 
the snap is vulnerable to be exploited - this is status quo from before glycin, 
though.
- 
+  * The patch shouldn't affect non-snap environments, and is a clear 
improvement for GTK-based snaps, allowing them to work at all :)
+  * This disables sandboxing _within_ snaps, so whatever data is available to 
the snap is vulnerable to be exploited - this is status quo from before glycin, 
though.
  
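Review bot: the risk statement should say what concretely changes rather than "whatever data is available to the snap is vulnerable to be exploited". With sandboxing disabled, loader processes such as the `glycin-svg` shown in the trace run under the snap's own confinement instead of inside the bwrap namespace created with `--unshare-all`, `--clearenv` and the `--seccomp` filter, so a malformed image is parsed with the full access the snap has. The data is not what gets exploited; suggest "is exposed if a loader is compromised". The comparison to the pre-glycin situation is the right justification and is worth keeping.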
  [ Other Info ]
  
-  * The patch comes from the GNOME SDK Snap: 
https://github.com/ubuntu/gnome-sdk/commit/9b048312c0321f7648f85bbd24ab4642ee36a030
-  * There's a planned effort to enable nested sandboxing via landlock instead, 
but there's no ETA on this at the moment.
+  * The patch comes from the GNOME SDK Snap: 
https://github.com/ubuntu/gnome-sdk/commit/9b048312c0321f7648f85bbd24ab4642ee36a030
+  * There's a planned effort to enable nested sandboxing via landlock instead, 
but there's no ETA on this at the moment.

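Review bot: the reference to the GNOME SDK commit should record whether the carried patch matches what upstream glycin ships or is downstream-only, and whether it has been proposed upstream; an SRU that disables a sandbox as a workaround should also link the tracking item for the landlock-based nested sandboxing mentioned in the second bullet, so that the temporary nature of the change stays visible once it lands in the archive.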
-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2158724

Title:
  [SRU] glycin doesn't work in snaps due to sandboxing
