mirror of
https://github.com/NixOS/nixpkgs.git
synced 2024-12-26 07:34:11 +00:00
f930ba6aba
Since31ac354cbe
, bubblewrap gets called the following way on NixOS system, when it has `share/fonts` in `environment.pathsToLink`: $ bwrap --ro-bind /nix/store /nix/store --ro-bind /run/current-system /run/current-system --ro-bind-try /run/current-system/sw/share/fonts /run/current-system/sw/share/fonts -- $(realpath $(which true)) bwrap: Can't mkdir parents for /run/current-system/sw/share/fonts: No such file or directory It fails because `/run/current-system/sw` is a symlink so bubblewrap is not be able to add another mountpoint inside. Ideally, we would remove the `/run/current-system/sw` bind mount and mount only specific subdirectories we need, like the fonts. Unfortunately, it is not clear what else is needed. For example, in the past, Pipewire’s Jack module was loaded from `/run/current-system/sw/lib`756e60344f
So, for now, let’s keep the and mount and move the binding of NixOS directories to the end. Adding bindings starting at leaves and moving to root should be fine. While at it, let’s also make the binding of `/run/current-system` conditional since it will not be available outside of NixOS. Fixes: https://github.com/NixOS/nixpkgs/issues/197085
18 lines
1.0 KiB
Diff
18 lines
1.0 KiB
Diff
diff --git a/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp b/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp
|
|
index 0a201fe176..fa3690c12a 100644
|
|
--- a/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp
|
|
+++ b/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp
|
|
@@ -819,6 +819,12 @@ GRefPtr<GSubprocess> bubblewrapSpawn(GSubprocessLauncher* launcher, const Proces
|
|
sandboxArgs.append("--unshare-ipc");
|
|
}
|
|
|
|
+ // Nix Directories
|
|
+ sandboxArgs.appendVector(Vector<CString>({ "--ro-bind", "@storeDir@", "@storeDir@" }));
|
|
+ sandboxArgs.appendVector(Vector<CString>({ "--ro-bind-try", "/run/current-system", "/run/current-system" }));
|
|
+ sandboxArgs.appendVector(Vector<CString>({ "--ro-bind-try", "@driverLink@/lib", "@driverLink@/lib" }));
|
|
+ sandboxArgs.appendVector(Vector<CString>({ "--ro-bind-try", "@driverLink@/share", "@driverLink@/share" }));
|
|
+
|
|
#if ENABLE(DEVELOPER_MODE)
|
|
const char* execDirectory = g_getenv("WEBKIT_EXEC_PATH");
|
|
if (execDirectory) {
|