2020-05-04
Alright, this will be the last boring blog post about lariza for a while. It’s about another major change that deserves a little more explanation.
WebKitGTK sandboxing will be enabled in the next release.
Sandboxing will look like this in the process tree:

    lariza(1030)─┬─WebKitNetworkPr(1035)───...
                 ├─bwrap(1050)───bwrap(1051)───WebKitWebProces(1054)─┬─{WebKitWebProces}(1059)
                 │                                                   ├─...
                 │                                                   └─{WebKitWebProces}(4837)
                 ├─bwrap(9975)───bwrap(9977)───WebKitWebProces(9978)─┬─{WebKitWebProces}(9979)
                 │                                                   ├─...
                 │                                                   └─{WebKitWebProces}(9986)
                 └─...
bwrap means that WebKitGTK uses bubblewrap to isolate the components that are most exposed to hostile input: rendering and JavaScript execution happen in the WebKitWebProcess, and so do web extensions. Note that the network process is not sandboxed this way. This kind of isolation is a pretty good idea, if you ask me, and might be long overdue.
bubblewrap should already be a dependency of WebKitGTK, at least it is on Arch Linux. You should not have to do anything for it to work. Well, kind of.
Among other things, it isolates the process's filesystem, similar to a chroot: the sandboxed process starts from a fresh, mostly empty root and only sees what has been explicitly bind-mounted into it. The process still needs access to a couple of things (libraries, time zone data, the X11 socket and the Xauthority file), so there will be a bunch of bind mounts. You can inspect those from the host by looking at the mount table of the sandboxed WebKitWebProcess in /proc:
$ cat /proc/1054/mounts
...
/dev/sdb1 /usr/lib ext4 ro,nosuid,nodev,relatime 0 0
/dev/sdb1 /usr/share/zoneinfo/Europe/Berlin ext4 ro,nosuid,nodev,relatime 0 0
tmpfs /tmp/.X11-unix/X0 tmpfs rw,nosuid,nodev,relatime,size=31457280k 0 0
/dev/sdb1 /home/tux/.Xauthority ext4 ro,nosuid,nodev,relatime 0 0
...
Note that there are mounts like this:
/dev/sdb1 /home/tux/.config/fontconfig ext4 ro,nosuid,nodev,relatime 0 0
/dev/sdb1 /home/tux/.fontconfig ext4 ro,nosuid,nodev,relatime 0 0
/dev/sdb1 /home/tux/.fonts ext4 ro,nosuid,nodev,relatime 0 0
Those are your config files, bind-mounted read-only. Depending on how you set them up, you may need to make changes. For example, my ~/.config/fontconfig/fonts.conf happened to be a symlink to a file in my ~/work/dotfiles-pub repository. This will break, of course, since the latter directory is not available to the isolated process. (The symlink itself is visible, because it lives in a bind-mounted directory, but its target is resolved against the sandbox's root, where ~/work does not exist, so it dangles.) In this particular case, it resulted in horrible font rendering quality. If you do similar things, you need to adapt your setup.
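A small check for exactly this failure mode, added here as an example (it is not part of lariza or WebKitGTK): given a config file on the host and the mount table of a sandboxed WebKitWebProcess (/proc/<pid>/mounts), it follows symlinks and reports whether the final target lies under one of the mount points the sandbox actually sees. The `demo_bwrap` function and its bwrap flags are an assumed, hand-built approximation of the WebKit sandbox for reproducing the situation by hand; it is not what WebKitGTK runs.

```sh
#!/bin/sh
# Added example, not lariza's or WebKitGTK's code.
#
# sandbox_sees_file FILE MOUNTS
#   Exit 0 if FILE, after following all symlinks, lies under a mount point
#   listed in MOUNTS (a copy of /proc/<pid>/mounts), 1 otherwise.
#
# Assumptions: MOUNTS has the usual six-column format
# "source mountpoint fstype options dump pass" (spaces in paths are
# escaped as \040 there, so word splitting on the output is safe), and
# readlink -f is the GNU coreutils one.

# Mount points (second column), one per line. The sandbox root "/" is
# skipped: in bubblewrap it is a private tmpfs, not a view of the host.
mount_points_of() {
    awk '$2 != "/" { print $2 }' "$1"
}

# Is absolute path $1 equal to, or a path component below, mount point $2?
# Uses a case pattern so that /home/tux/.fonts does not match /home/tux/.fontsX.
under_mount_point() {
    case "$1" in
        "$2"|"$2"/*) return 0 ;;
        *)           return 1 ;;
    esac
}

sandbox_sees_file() {
    file=$1
    mounts=$2
    # The sandbox can see the symlink itself (it sits in a bind-mounted
    # directory), but resolves its target against the sandbox root, so the
    # fully resolved host path is what has to be covered by a bind mount.
    resolved=$(readlink -f -- "$file") || return 1
    [ -e "$resolved" ] || return 1
    for mp in $(mount_points_of "$mounts"); do
        if under_mount_point "$resolved" "$mp"; then
            return 0
        fi
    done
    return 1
}

# Optional, for reproducing the effect by hand: print the mount table as
# seen from inside a minimal bubblewrap sandbox that exposes only the
# system libraries, font configuration and ~/.config/fontconfig read-only.
# This is an assumed approximation of WebKit's sandbox (flags as documented
# in bwrap(1); a merged-/usr layout is assumed). Not called by default.
demo_bwrap() {
    bwrap --ro-bind /usr /usr \
          --symlink usr/lib /lib --symlink usr/lib64 /lib64 --symlink usr/bin /bin \
          --ro-bind-try /etc/fonts /etc/fonts \
          --ro-bind-try "$HOME/.config/fontconfig" "$HOME/.config/fontconfig" \
          --proc /proc --dev /dev --tmpfs /tmp \
          --unshare-all --die-with-parent \
          cat /proc/self/mounts
}

# Command-line use: sandbox-check.sh FILE /proc/<pid>/mounts
if [ "$#" -eq 2 ]; then
    if sandbox_sees_file "$1" "$2"; then
        echo "ok: $1 resolves inside the sandbox"
    else
        echo "BROKEN: $1 resolves outside the bind-mounted set" >&2
        exit 1
    fi
fi
```

Run it as `sandbox-check.sh ~/.config/fontconfig/fonts.conf /proc/1054/mounts` against the PID of a WebKitWebProcess from the tree above; a symlink into ~/work/dotfiles-pub is reported as broken, while a regular file (or a symlink whose target is itself under one of the bind-mounted directories) passes. The check only looks at paths, not at whether a given mount point is a bind of host files or something like /proc, which is enough for config files but worth keeping in mind.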
It’s unfortunate that we don’t have pledge(2) and unveil(2) on Linux. I suspect we would see a wider adoption of process isolation, because these two syscalls are much easier to use than anything available on Linux at the moment.