[bug#70446] [PATCH v3] gnu: webkitgtk: Add locale and dri access to gtk sandbox in order to silence gtk locale warnings and enable hardware accelerated video, respectively. Adjust bubblewrap wrapper to add user profile locale and dri directories.

[Liliana Marie Prikler]

Am Freitag, dem 19.04.2024 um 17:55 -0400 schrieb Abhishek Cherath:
> * gnu/packages/patches/webkitgtk-adjust-bubblewrap-paths.patch:
> Add @dridir@ and @localedir@ to bubblewrap gtk sandbox
> Add ~/.guix-profile/lib/dri and ~/.guix-profile/share/locale
> to bubblewrap gtk sandbox.
> 
> * gnu/packages/webkit.scm (webkitgtk)[arguments]: In the
> 'configure-bubblewrap-store-directory' phase, also supply locale
> and dri directory paths to webkitgtk-adjust-bubblewrap-paths.patch
> template.
> 
> Change-Id: I6be0c473ebaa6c04ebb00a2b4afcae2c89396e4f
> ---
> Only shares user profile locale and dri folders.
> 
>  .../webkitgtk-adjust-bubblewrap-paths.patch   | 33
> +++++++++++++++++--
>  gnu/packages/webkit.scm                       | 11 ++++++-
>  2 files changed, 40 insertions(+), 4 deletions(-)
> 
> diff --git a/gnu/packages/patches/webkitgtk-adjust-bubblewrap-
> paths.patch b/gnu/packages/patches/webkitgtk-adjust-bubblewrap-
> paths.patch
> index 18ddb645ad..0cf1498b92 100644
> --- a/gnu/packages/patches/webkitgtk-adjust-bubblewrap-paths.patch
> +++ b/gnu/packages/patches/webkitgtk-adjust-bubblewrap-paths.patch
> @@ -1,11 +1,22 @@
>  Share /gnu/store in the BubbleWrap container and remove FHS mounts.
> +Also share locale and dri directories (user and system.)
>  
>  This is a Guix-specific patch not meant to be upstreamed.
>  diff --git
> a/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp
> b/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp
> -index f0a5e4b05dff..88b11f806968 100644
> +index 99395d6..3604730 100644
>  --- a/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp
>  +++ b/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp
> -@@ -854,27 +854,12 @@ GRefPtr<GSubprocess>
> bubblewrapSpawn(GSubprocessLauncher* launcher, const Proces
> +@@ -765,6 +765,9 @@ GRefPtr<GSubprocess>
> bubblewrapSpawn(GSubprocessLauncher* launcher, const Proces
> +         return adoptGRef(g_subprocess_launcher_spawnv(launcher,
> argv, error));
> + 
> +     const char* runDir = g_get_user_runtime_dir();
> ++    const char* homeDir = g_get_home_dir();
> ++    char* userDriDir = g_strconcat(homeDir, "/.guix-
> profile/lib/dri", NULL);
> ++    char* userLocaleDir = g_strconcat(homeDir, "/.guix-
> profile/share/locale", NULL);
> +     Vector<CString> sandboxArgs = {
> +         "--die-with-parent",
> +         "--unshare-uts",
> +@@ -786,28 +788,28 @@ GRefPtr<GSubprocess>
> bubblewrapSpawn(GSubprocessLauncher* launcher, const Proces
>           "--ro-bind", "/sys/dev", "/sys/dev",
>           "--ro-bind", "/sys/devices", "/sys/devices",
>   
> @@ -33,6 +44,22 @@ index f0a5e4b05dff..88b11f806968 100644
>  +
>  +        // Bind mount the store inside the WebKitGTK sandbox.
>  +        "--ro-bind", "@storedir@", "@storedir@",
> ++
> ++        // Bind mount the locales in profile
> ++        "--ro-bind-try", userLocaleDir, userLocaleDir,
> ++
> ++        // Bind mount the dri dir in profile
> ++        "--ro-bind-try", userDriDir, userDriDir,
For reference, why are these two needed here?  Can't we do this with
the locales and drivers referenced below?  Should we perhaps expand
GUIX_LOCPATH here?
> ++
> ++        // This is needed for locales if not in profile
> ++        "--ro-bind-try", "@localedir@", "@localedir@",
> ++
> ++        // This is needed for video hardware acceleration (va-api)
> ++        // via /lib/dri if not in profile
> ++        "--ro-bind-try", "@dridir@", "@dridir@",
>       };
> ++    free(userLocaleDir);
> ++    free(userDriDir);
>   
> -     if (launchOptions.processType ==
> ProcessLauncher::ProcessType::DBusProxy) {
> +     if (enableDebugPermissions()) {
> +         const char* dataDir = g_get_user_data_dir();
> diff --git a/gnu/packages/webkit.scm b/gnu/packages/webkit.scm
> index bf24a65e83..a0d04f31d3 100644
> --- a/gnu/packages/webkit.scm
> +++ b/gnu/packages/webkit.scm
> @@ -8,6 +8,7 @@
>  ;;; Copyright © 2019 Marius Bakke <mbakke@fastmail.com>
>  ;;; Copyright © 2021, 2022, 2023 Maxim Cournoyer
> <maxim.cournoyer@gmail.com>
>  ;;; Copyright © 2022, 2023 Efraim Flashner <efraim@flashner.co.il>
> +;;; Copyright © 2024 Abhishek Cherath <abhi@quic.us>
>  ;;;
>  ;;; This file is part of GNU Guix.
>  ;;;
> @@ -190,7 +191,15 @@ (define-public webkitgtk
>                (let ((store-directory (%store-directory)))
>                  (substitute*
>                     
> "Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp"
> -                  (("@storedir@") store-directory)))))
> +                  (("@storedir@") store-directory)
> +                  ;; this adds access to drivers for va-api
> +                  ;; for hardware accelerated video
> +                  (("@dridir@") "/run/current-
> system/profile/lib/dri")
> +                  ;; this silences gtk locale errors
> +                  ;; Unfortunately, simply bind mounting
> /run/current-system
> +                  ;; does not work since it leads to weird issues
> +                  ;; with symlinks that confuse bubblewrap.
> +                  (("@localedir@") "/run/current-system/locale")))))
>            (add-after 'unpack 'do-not-disable-new-dtags
>              ;; Ensure the linker uses new dynamic tags as this is
> what Guix
>              ;; uses and validates in the validate-runpath phase.
> 
> base-commit: b05bb6608c7f25ddce6b563194ba5a3007009282
Note that any item you add here which references the user home will
fail to be loaded correctly when using `guix shell' in a way that hides
it; or even just using `guix shell' normally with a user who doesn't
have the hardware-accelerated drivers in their home.  For system paths,
this is somewhat different, since we can more or less expect them to
exist and mirror the layout of other distros to some extent.

Cheers