ENOENTs when running thumbnail helper under bubblewrap
The current bubblewrapping (bwrap) of thumbnail generation programs one can configure under /usr/share/thumbnailers/ seems to be too restrictive, with pathname look-ups like /bin/bash or /sbin/ldconfig failing with ENOENT. Perhaps paths like /bin and /sbin should be available inside the bubblewrap as well, rather than being mapped over by the symlinking in the argument list below:
"bwrap",
"--ro-bind", "/usr", "/usr",
"--ro-bind", "/lib", "/lib",
"--ro-bind", "/lib64", "/lib64",
"--proc", "/proc",
"--dev", "/dev",
"--symlink", "usr/bin", "/bin",
"--symlink", "usr/sbin", "/sbin",
"--chdir", "/",
"--setenv", "GIO_USE_VFS", "local",
"--unshare-all",
"--die-with-parent",
For example, this Thumbnailer Entry will always fail, whether one uses full paths or not, in the entry and/or in the script's shebang:
[Thumbnailer Entry]
TryExec=calibre-thumbnailer
Exec=calibre-thumbnailer %i %o %s
MimeType=application/epub+zip;application/vnd.ms-htmlhelp;application/x-chm;application/x-mobi8-ebook;application/vnd.amazon.mobi8-ebook;application/x-mobipocket-ebook;
/bin/bash can't be found in the container sandbox, as described here as well: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=902288
This is the script mentioned in the Thumbnailer Entry above:
#! /usr/bin/env bash
EXIT_SUCCESS=0
EXIT_FAILURE=1
ebook_filepath=$1
[[ -r $ebook_filepath && -f $ebook_filepath ]] || exit "$EXIT_FAILURE"
thumbnail_filepath=$2
[[ $thumbnail_filepath ]] || exit "$EXIT_FAILURE"
thumbnail_size=$3
[[ $thumbnail_size ]] || exit "$EXIT_FAILURE"
temporary_directory=$(mktemp --directory) || exit "$EXIT_FAILURE"
# Remove the extracted cover however the script ends
trap 'rm -rf "$temporary_directory"' EXIT
cd "$temporary_directory" || exit "$EXIT_FAILURE"
# Write the cover image to ./cover; give up if calibre cannot extract one
ebook-meta "$ebook_filepath" --get-cover=cover || exit "$EXIT_FAILURE"
[[ -s cover ]] || exit "$EXIT_FAILURE"
# -resize fits the cover inside a square of the requested size while keeping
# its aspect ratio (-size is only a decoding hint and leaves most images unscaled)
if gm convert \
    cover \
    -resize "${thumbnail_size}x${thumbnail_size}" \
    "$thumbnail_filepath"
then
    exit "$EXIT_SUCCESS"
else
    # Coalesce all failed exit codes into the recognised one
    exit "$EXIT_FAILURE"
fi
It would be nice if scripts like these could work without sacrificing security (e.g. by mounting other paths in the bubblewrap, always as read-only binds).
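To see exactly which look-ups fail, the quickest check is to rebuild the sandbox from the argument list quoted above and run a probe inside it. The script below is an added example for this report, not code from the report or from gnome-desktop: it takes the quoted bwrap options verbatim, builds them either with the two --symlink options as quoted ("symlink") or with read-only binds of /bin and /sbin in their place ("bind", the alternative suggested above), and asks /usr/bin/test inside the sandbox whether a path exists. It assumes that bwrap is installed and allowed to create user namespaces on the machine, that the host has /usr/bin/test and every bind source the list names (a host without /lib64 makes bwrap refuse to start), and that bwrap prefixes its own diagnostics with "bwrap:", which is how a sandbox that could not start is told apart from a path that is merely absent.

```bash
#!/usr/bin/env bash
# Added example, not part of the bug report or of gnome-desktop: probe which
# paths are visible inside a sandbox built from the bwrap argument list quoted
# in the report, and compare it with the alternative the report suggests
# (binding /bin and /sbin read-only instead of symlinking them to usr/).
#
# Assumptions: bwrap is installed and may create user namespaces here; the
# host has /usr/bin/test (the probe runs it inside the sandbox); bwrap's own
# diagnostics start with "bwrap:", which is how its start-up failures are told
# apart from a probe that simply found nothing.

# run_in_sandbox LAYOUT CMD...: run CMD inside a sandbox built from the
# report's argument list. LAYOUT "symlink" is what the report quotes; LAYOUT
# "bind" replaces the two --symlink options with read-only binds.
run_in_sandbox() {
  layout=$1; shift
  case $layout in
    symlink) set -- --symlink usr/bin /bin --symlink usr/sbin /sbin -- "$@" ;;
    bind)    set -- --ro-bind /bin /bin --ro-bind /sbin /sbin -- "$@" ;;
    *) echo "unknown layout: $layout" >&2; return 2 ;;
  esac
  bwrap \
    --ro-bind /usr /usr \
    --ro-bind /lib /lib \
    --ro-bind /lib64 /lib64 \
    --proc /proc \
    --dev /dev \
    --chdir / \
    --setenv GIO_USE_VFS local \
    --unshare-all \
    --die-with-parent \
    "$@"
}

# probe_path LAYOUT PATH
# Exit status 0: PATH exists inside the sandbox; 1: it does not; 2: the
# sandbox could not be started (no bwrap, no user namespaces, a bind source
# such as /lib64 missing on the host, or no /usr/bin/test inside), so
# "could not test" is never reported as "absent". Runs in a subshell so
# nothing leaks into the caller.
probe_path() (
  set +e
  layout=$1; path=$2
  command -v bwrap >/dev/null 2>&1 || return 2
  # keep stderr (bwrap's diagnostics), discard stdout
  err=$(run_in_sandbox "$layout" /usr/bin/test -e "$path" 2>&1 >/dev/null)
  rc=$?
  case $err in
    bwrap:*|"unknown layout"*) return 2 ;;
  esac
  [ "$rc" -eq 0 ]
)

# report LAYOUT PATH...: one line per path
report() {
  layout=$1; shift
  for p in "$@"; do
    rc=0; probe_path "$layout" "$p" || rc=$?
    case $rc in
      0) status=present ;;
      1) status=absent ;;
      *) status=untested ;;
    esac
    printf '%-8s %-16s %s\n' "$layout" "$p" "$status"
  done
}

# Paths from the report plus two the script above depends on: /usr/bin/env
# (its shebang) and /tmp (mktemp's default location), which the quoted
# argument list never mounts.
for layout in symlink bind; do
  report "$layout" /bin/bash /sbin/ldconfig /usr/bin/env /tmp /etc/hostname
done
```

Reading the output: under the "symlink" layout, /bin and /sbin inside the sandbox are relative symlinks into the read-only /usr bind, so /bin/bash is present exactly when the host has /usr/bin/bash, i.e. on a merged-usr host, and absent on a host that still keeps bash in a separate /bin. Under the "bind" layout /bin/bash is present whenever the host has it, and the bind is still read-only, so it adds no writable surface; on a merged-usr host it exposes nothing that the /usr bind did not already. Two more things are worth probing: /usr/bin/env, which the script's shebang needs, and /tmp, which mktemp writes to by default and which the quoted list, as far as it is shown here, never creates, so the script would fail at mktemp even once bash is found unless the full invocation adds a --tmpfs or --bind for it.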