By default Firefox sandbox security model allows browser components to access files under '/usr', '/etc' and user home directories. However, similar to Nix, on Guix some of those file hierarchies are actually symlinks to '/gnu/store' paths, which then get denied, breaking some expected functionality on the browser. Moreover, their final store paths are not available on the build environment and also expected to change. Guix users that are willing to further restrict browsers' access to their file systems and do not mind losing some funcionality are advised to use Guix Containers. See: , , and --- a/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp +++ b/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp @@ -452,6 +452,7 @@ // Various places where fonts reside policy->AddDir(rdonly, "/usr/X11R6/lib/X11/fonts"); policy->AddDir(rdonly, "/nix/store"); + policy->AddDir(rdonly, "/gnu/store"); // https://gitlab.com/freedesktop-sdk/freedesktop-sdk/-/blob/e434e680d22260f277f4a30ec4660ed32b591d16/files/fontconfig-flatpak.conf policy->AddDir(rdonly, "/run/host/fonts"); policy->AddDir(rdonly, "/run/host/user-fonts"); @@ -461,6 +462,7 @@ // Bug 1848615 policy->AddPath(rdonly, "/usr"); policy->AddPath(rdonly, "/nix"); + policy->AddPath(rdonly, "/gnu"); AddLdconfigPaths(policy); AddLdLibraryEnvPaths(policy); @@ -920,6 +922,7 @@ policy->AddDir(rdonly, "/usr/lib64"); policy->AddDir(rdonly, "/run/opengl-driver/lib"); policy->AddDir(rdonly, "/nix/store"); + policy->AddDir(rdonly, "/gnu/store"); // Bug 1647957: memory reporting. AddMemoryReporting(policy.get(), aPid); @@ -1043,6 +1046,7 @@ // Required to make sure ffmpeg loads properly, this is already existing on // Content and RDD policy->AddDir(rdonly, "/nix/store"); + policy->AddDir(rdonly, "/gnu/store"); // glibc will try to stat64("/") while populating nsswitch database // https://sourceware.org/git/?p=glibc.git;a=blob;f=nss/nss_database.c;h=cf0306adc47f12d9bc761ab1b013629f4482b7e6;hb=9826b03b747b841f5fc6de2054bf1ef3f5c4bdf3#l396