** Description changed: [ Impact ] - * GTK in 26.04 has a single image loader: glycin, which sandboxes its loaders using `bwrap` - * This doesn't work in snaps because they're already sandboxed - * The patch adds detection for when glycin runs in a snap environment through apparmor or environment, and disables sandboxing in this case - * There's no change to behaviour outside of snap + * GTK in 26.04 has a single image loader: glycin, which sandboxes its loaders using `bwrap` + * This doesn't work in snaps because they're already sandboxed + * The patch adds detection for when glycin runs in a snap environment through apparmor or environment, and disables sandboxing in this case + * There's no change to behaviour outside of snap [ Test Plan ] - * Build the snap from: https://github.com/canonical/iot-example-graphical-snap/tree/26/GTK3-adventure/ - Notice it crashes on startup with: - ``` - Bail out! Gtk:ERROR:../../../gtk/gtkiconhelper.c:495:ensure_surface_for_gicon: assertion failed (error == NULL): Failed to load /snap/iot-example-graphical-snap/x2/usr/share/icons/Adwaita/scalable/status/image-missing.svg: Loader process exited early with status '1'Command: "bwrap" "--unshare-all" "--die-with-parent" "--chdir" "/" "--ro-bind" "/usr" "/usr" "--dev" "/dev" "--ro-bind-try" "/etc/ld.so.cache" "/etc/ld.so.cache" "--ro-bind-try" "/nix/store" "/nix/store" "--tmpfs" "/tmp-home" "--tmpfs" "/tmp-run" "--clearenv" "--setenv" "HOME" "/tmp-home" "--setenv" "XDG_RUNTIME_DIR" "/tmp-run" "--setenv" "XDG_RUNTIME_DIR" "/run/user/1000/snap.iot-example-graphical-snap" "--symlink" "/usr/lib64" "/lib64" "--symlink" "/usr/lib32" "/lib32" "--symlink" "/usr/lib" "/lib" "--ro-bind-try" "/etc/fonts/conf.d" "/etc/fonts/conf.d" "--ro-bind-try" "/etc/fonts/fonts.conf" "/etc/fonts/fonts.conf" "--ro-bind-try" "/home/michal/snap/iot-example-graphical-snap/common/.cache/fontconfig" "/home/michal/snap/iot-example-graphical-snap/common/.cache/fontconfig" "--ro-bind-try" 
"/snap/iot-example-graphical-snap/x2/usr/share/fonts" "/snap/iot-example-graphical-snap/x2/usr/share/fonts" "--ro-bind-try" "/var/cache/fontconfig" "/var/cache/fontconfig" "--bind-try" "/home/michal/snap/iot-example-graphical-snap/common/.cache/glycin/usr/libexec/glycin-loaders/2+/glycin-svg" "/home/michal/snap/iot-example-graphical-snap/common/.cache/glycin/usr/libexec/glycin-loaders/2+/glycin-svg" "--setenv" "XDG_CACHE_HOME" "/home/michal/snap/iot-example-graphical-snap/common/.cache/glycin/usr/libexec/glycin-loaders/2+/glycin-svg" "--seccomp" "15" "/usr/libexec/glycin-loaders/2+/glycin-svg" "--dbus-fd" "14" (gdk-pixbuf-error-quark, 0) - ``` + * Build the snap from: https://github.com/canonical/iot-example-graphical-snap/tree/26/GTK3-adventure/ + Notice it crashes on startup with: + ``` + Bail out! Gtk:ERROR:../../../gtk/gtkiconhelper.c:495:ensure_surface_for_gicon: assertion failed (error == NULL): Failed to load /snap/iot-example-graphical-snap/x2/usr/share/icons/Adwaita/scalable/status/image-missing.svg: Loader process exited early with status '1'Command: "bwrap" "--unshare-all" "--die-with-parent" "--chdir" "/" "--ro-bind" "/usr" "/usr" "--dev" "/dev" "--ro-bind-try" "/etc/ld.so.cache" "/etc/ld.so.cache" "--ro-bind-try" "/nix/store" "/nix/store" "--tmpfs" "/tmp-home" "--tmpfs" "/tmp-run" "--clearenv" "--setenv" "HOME" "/tmp-home" "--setenv" "XDG_RUNTIME_DIR" "/tmp-run" "--setenv" "XDG_RUNTIME_DIR" "/run/user/1000/snap.iot-example-graphical-snap" "--symlink" "/usr/lib64" "/lib64" "--symlink" "/usr/lib32" "/lib32" "--symlink" "/usr/lib" "/lib" "--ro-bind-try" "/etc/fonts/conf.d" "/etc/fonts/conf.d" "--ro-bind-try" "/etc/fonts/fonts.conf" "/etc/fonts/fonts.conf" "--ro-bind-try" "/home/michal/snap/iot-example-graphical-snap/common/.cache/fontconfig" "/home/michal/snap/iot-example-graphical-snap/common/.cache/fontconfig" "--ro-bind-try" "/snap/iot-example-graphical-snap/x2/usr/share/fonts" "/snap/iot-example-graphical-snap/x2/usr/share/fonts" "--ro-bind-try" 
"/var/cache/fontconfig" "/var/cache/fontconfig" "--bind-try" "/home/michal/snap/iot-example-graphical-snap/common/.cache/glycin/usr/libexec/glycin-loaders/2+/glycin-svg" "/home/michal/snap/iot-example-graphical-snap/common/.cache/glycin/usr/libexec/glycin-loaders/2+/glycin-svg" "--setenv" "XDG_CACHE_HOME" "/home/michal/snap/iot-example-graphical-snap/common/.cache/glycin/usr/libexec/glycin-loaders/2+/glycin-svg" "--seccomp" "15" "/usr/libexec/glycin-loaders/2+/glycin-svg" "--dbus-fd" "14" (gdk-pixbuf-error-quark, 0) + ``` + + * Verify that building the snap against the updated glycin from -proposed + solves the issue. This can be done from launchpad, such as: https://launchpad.net/~mir-team/mir/+snap/gtk3-adventure [ Where problems could occur ] - * The patch shouldn't affect non-snap environments, and is a clear improvement for GTK-based snaps, allowing them to work at all :) - * This disables sandboxing _within_ snaps, so whatever data is available to the snap is vulnerable to be exploited - this is status quo from before glycin, though. - + * The patch shouldn't affect non-snap environments, and is a clear improvement for GTK-based snaps, allowing them to work at all :) + * This disables sandboxing _within_ snaps, so whatever data is available to the snap is vulnerable to be exploited - this is status quo from before glycin, though. [ Other Info ] - * The patch comes from the GNOME SDK Snap: https://github.com/ubuntu/gnome-sdk/commit/9b048312c0321f7648f85bbd24ab4642ee36a030 - * There's a planned effort to enable nested sandboxing via landlock instead, but there's no ETA on this at the moment. + * The patch comes from the GNOME SDK Snap: https://github.com/ubuntu/gnome-sdk/commit/9b048312c0321f7648f85bbd24ab4642ee36a030 + * There's a planned effort to enable nested sandboxing via landlock instead, but there's no ETA on this at the moment.
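Review bot: the Test Plan only exercises the snap case, but the Impact section asserts "There's no change to behaviour outside of snap", and that claim is never verified. Add a step that runs a GTK application from the deb build outside any snap and confirms the loader is still spawned through `bwrap` with the `--unshare-all` / `--seccomp` arguments visible in the crash output above, so the SRU verification also catches a regression where the apparmor/environment detection misfires and sandboxing is silently disabled for non-snap users.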
https://bugs.launchpad.net/bugs/2158724 Title: [SRU] glycin doesn't work in snaps due to sandboxing
