io12
commented
2 months ago I remember having issues with buildFHSEnvBubblewrap, but I don't remember the details. Maybe that's why the tests are failing?
Open pschmitt opened 2 months ago
io12
commented
2 months ago I remember having issues with buildFHSEnvBubblewrap, but I don't remember the details. Maybe that's why the tests are failing?
pschmitt
commented
2 months ago Yeah, that's probably the reason. Imma try to dig further in the next few days.
io12
commented
2 months ago Setting
extraBwrapArgs = [
"--ro-bind /etc/pam.d /etc/pam.d"
"--ro-bind /etc/pam /etc/pam"
];seems to help, but the test opening gnome-calculator fails with error need to run as root or suid, which I think means that bubblewrap is dropping privileges (snap-confine is supposed to run as root), but I'm not sure.
io12
commented
2 months ago Apparently execve()s automatically drop privileges when run through bubblewrap? I'm really not sure what's going on here.
$ bat *.py
───────┬─────────────────────────────────────────────────────────────────────────
│ File: a.py
───────┼─────────────────────────────────────────────────────────────────────────
1 │ #!/nix/store/glfr70gi7hfaj50mwj2431p8bg60fhqw-python3-3.11.9/bin/python3
2 │
3 │ import os
4 │
5 │ os.setresuid(1000, 0, 0)
6 │ os.execv("./b.py", ["./b.py"])
───────┴─────────────────────────────────────────────────────────────────────────
───────┬─────────────────────────────────────────────────────────────────────────
│ File: b.py
───────┼─────────────────────────────────────────────────────────────────────────
1 │ #!/nix/store/glfr70gi7hfaj50mwj2431p8bg60fhqw-python3-3.11.9/bin/python3
2 │
3 │ import os
4 │
5 │ print(os.getresuid())
───────┴─────────────────────────────────────────────────────────────────────────
$ sudo ./a.py
(1000, 0, 0)
$ sudo bwrap --dev-bind / / ./a.py
(1000, 1000, 1000)
So,
this updates the FHS env from
buildFHSEnvChroot(which is deprecated) tobuildFHSEnvChroot.buildFHSEnvBubblewrapbind-mounts /etc/fonts by default which probably helps with https://github.com/io12/nix-snapd/issues/4There's a few extras:
/var/lib/snapd/nix-systemd-systemare now symlinked to/run/systemd/system. W/o this installing my beloved (/s) oracle-cloud-agent snap would prevent snapd from starting at all./etc/oracle-cloud-agent(again, oca wouldn't start w/o it). I don't quite know how to make these bind mounts less static. Ideally, we'd bind-mount/etcentirely - maybe?