mirror of
https://codeberg.org/guix/guix.git
synced 2025-10-02 02:15:12 +00:00
gnu: make-torbrowser: Remove redundant phase.
Follow up to commit 6ee9cd170b which added
torbrowsers-add-store-to-rdd-allowlist.patch and implicitly made
'build-sandbox-whitelist phase unnecessary.
Users are encouraged to use Guix Containers if they want to restrict
browsers' access to their file systems.
* gnu/packages/tor-browsers.scm (make-torbrowser) [arguments] <#:phases>
'build-sandbox-whitelist: Remove it;
'autoconfig: Remove step that adds the forementioned list to browser
default preferences.
* gnu/packages/patches/torbrowsers-add-store-to-rdd-allowlist.patch: Add
explanatory comment and refer to issues this patch addresses.
Change-Id: Icc0ea4c2470e8bc82e3a2bf57966b46fd47a7cf8
Signed-off-by: Hilton Chain <hako@ultrarare.space>
This commit is contained in:
André Batista
Hilton Chain
parent
aad498d927
commit
17cdf44ba1
2 changed files with 17 additions and 28 deletions
|
|
@ -1,3 +1,20 @@
|
|||
By default Firefox sandbox security model allows browser components to
|
||||
access files under '/usr', '/etc' and user home directories. However,
|
||||
similar to Nix, on Guix some of those file hierarchies are actually
|
||||
symlinks to '/gnu/store' paths, which then get denied, breaking some
|
||||
expected functionality on the browser. Moreover, their final store
|
||||
paths are not available on the build environment and also expected to
|
||||
change.
|
||||
|
||||
Guix users that are willing to further restrict browsers' access to their
|
||||
file systems and do not mind losing some funcionality are advised to use
|
||||
Guix Containers.
|
||||
|
||||
See: <https://bugzilla.mozilla.org/show_bug.cgi?id=1848615#c8>,
|
||||
<https://codeberg.org/guix/guix/issues/661>,
|
||||
<https://issues.guix.gnu.org/38045> and
|
||||
<https://issues.guix.gnu.org/77559>
|
||||
|
||||
--- a/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp
|
||||
+++ b/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp
|
||||
@@ -452,6 +452,7 @@
|
||||
|
|
|
|||
|
|
@ -424,30 +424,6 @@ Browser.")
|
|||
(substitute* "dom/media/platforms/ffmpeg/FFmpegRuntimeLinker.cpp"
|
||||
(("libavcodec\\.so")
|
||||
(search-input-file inputs "lib/libavcodec.so")))))
|
||||
(add-after 'fix-ffmpeg-runtime-linker 'build-sandbox-whitelist
|
||||
(lambda* (#:key inputs #:allow-other-keys)
|
||||
(define (runpath-of lib)
|
||||
(call-with-input-file lib
|
||||
(compose elf-dynamic-info-runpath
|
||||
elf-dynamic-info
|
||||
parse-elf
|
||||
get-bytevector-all)))
|
||||
(define (runpaths-of-input label)
|
||||
(let* ((dir (string-append (assoc-ref inputs label) "/lib"))
|
||||
(libs (find-files dir "\\.so$")))
|
||||
(append-map runpath-of libs)))
|
||||
;; Populate the sandbox read-path whitelist as needed by ffmpeg.
|
||||
(let* ((whitelist
|
||||
(map (cut string-append <> "/")
|
||||
(delete-duplicates
|
||||
`(,(string-append (assoc-ref inputs "shared-mime-info")
|
||||
"/share/mime")
|
||||
,@(append-map runpaths-of-input
|
||||
'("mesa" "ffmpeg"))))))
|
||||
(whitelist-string (string-join whitelist ",")))
|
||||
(with-output-to-file "whitelist.txt"
|
||||
(lambda ()
|
||||
(display whitelist-string))))))
|
||||
(add-after 'patch-source-shebangs 'patch-cargo-checksums
|
||||
(lambda _
|
||||
(use-modules (guix build cargo-utils))
|
||||
|
|
@ -754,10 +730,6 @@ Browser.")
|
|||
;; Default is 5.
|
||||
(format #t "pref(~s, ~a);~%"
|
||||
"extensions.enabledScopes" "13")
|
||||
(format #t "pref(~s, ~s);~%"
|
||||
"security.sandbox.content.read_path_whitelist"
|
||||
(call-with-input-file "whitelist.txt"
|
||||
get-string-all))
|
||||
;; Add-ons pannel (see settings.js in Icecat source).
|
||||
(format #t "pref(~s, ~s);~%"
|
||||
"extensions.getAddons.search.browseURL"
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue