[GTK][WPE] bubblewrap sandbox should be disabled when running inside docker
Author: clopez@igalia.com <clopez@igalia.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 18 Sep 2019 15:53:11 +0000 (15:53 +0000)
Committer: clopez@igalia.com <clopez@igalia.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 18 Sep 2019 15:53:11 +0000 (15:53 +0000)
https://bugs.webkit.org/show_bug.cgi?id=201914

Reviewed by Michael Catanzaro.

Detect if running inside Docker by checking the file /.dockerenv.
In that case, disable the sandbox.

* UIProcess/Launcher/glib/ProcessLauncherGLib.cpp:
(WebKit::isInsideDocker):
(WebKit::ProcessLauncher::launchProcess):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@250036 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Source/WebKit/ChangeLog
Source/WebKit/UIProcess/Launcher/glib/ProcessLauncherGLib.cpp

index 6e2b855..9c6ee7e 100644 (file)
@@ -1,3 +1,17 @@
+2019-09-18  Carlos Alberto Lopez Perez  <clopez@igalia.com>
+
+        [GTK][WPE] bubblewrap sandbox should be disabled when running inside docker
+        https://bugs.webkit.org/show_bug.cgi?id=201914
+
+        Reviewed by Michael Catanzaro.
+
+        Detect if running inside Docker by checking the file /.dockerenv
+        In that case, disable the sandbox.
+
+        * UIProcess/Launcher/glib/ProcessLauncherGLib.cpp:
+        (WebKit::isInsideDocker):
+        (WebKit::ProcessLauncher::launchProcess):
+
 2019-09-17  Ross Kirsling  <ross.kirsling@sony.com>
 
         Unreviewed WinCairo build fix following r249985.
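Review bot: the ChangeLog entry (like the commit message it mirrors) records what is detected but not why the sandbox must be turned off inside Docker; the line "Detect if running inside Docker by checking the file /.dockerenv" also lacks a terminating period. Someone triaging a "sandbox disabled" report later will want the reason stated here rather than only behind the bug link, e.g. "bubblewrap cannot be launched from inside a Docker container, so fall back to spawning the process unsandboxed", which is the rationale the code comment in ProcessLauncher::launchProcess() gives.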
index dcf8c3c..d906d8d 100644 (file)
@@ -50,6 +50,16 @@ static void childSetupFunction(gpointer userData)
 }
 
 #if ENABLE(BUBBLEWRAP_SANDBOX)
+static bool isInsideDocker()
+{
+    static Optional<bool> ret;
+    if (ret)
+        return *ret;
+
+    ret = g_file_test("/.dockerenv", G_FILE_TEST_EXISTS);
+    return *ret;
+}
+
 static bool isInsideFlatpak()
 {
     static Optional<bool> ret;
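Review bot: isInsideDocker() treats the mere existence of /.dockerenv as proof of running in Docker, and a positive result silently drops a security boundary; the function has no diagnostic, so a stray empty /.dockerenv on a host, or a container runtime that does not create the file, flips the sandbox off or on with nothing visible to the user. Consider emitting a g_warning() (once, since the result is cached in the static Optional) when the check returns true, and noting in a comment that this is a heuristic keyed on a conventional marker file rather than a guaranteed signal. The caching pattern itself matches isInsideFlatpak() below, which is fine.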
@@ -159,9 +169,9 @@ void ProcessLauncher::launchProcess()
     if (sandboxEnv)
         sandboxEnabled = !strcmp(sandboxEnv, "1");
 
-    // You cannot use bubblewrap within Flatpak so lets ensure it never happens.
+    // You cannot use bubblewrap within Flatpak or Docker so lets ensure it never happens.
     // Snap can allow it but has its own limitations that require workarounds.
-    if (sandboxEnabled && !isInsideFlatpak() && !isInsideSnap())
+    if (sandboxEnabled && !isInsideFlatpak() && !isInsideSnap() && !isInsideDocker())
         process = bubblewrapSpawn(launcher.get(), m_launchOptions, argv, &error.outPtr());
     else
 #endif
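Review bot: the new condition `if (sandboxEnabled && !isInsideFlatpak() && !isInsideSnap() && !isInsideDocker())` lets the Docker heuristic override an explicit opt-in: when sandboxEnv is "1" the user asked for the sandbox, yet a positive isInsideDocker() still routes to the unsandboxed else branch with no diagnostic. Either let an explicit "1" win over the heuristic, or at least log in the else path so a deployment does not believe it is sandboxed when it is not. Also, the updated comment should read "let's ensure", and with the list of platforms growing it would be clearer to give each platform its own one-line reason rather than the single "You cannot use bubblewrap within Flatpak or Docker".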