tribes/guix
1
0
Fork 0
mirror of https://git.savannah.gnu.org/git/guix.git synced 2026-04-06 21:20:33 +02:00
Code Activity

gnu: librewolf: Add the store to the RDD allowlist.

Browse Source 
* gnu/packages/librewolf.scm (librewolf):
[patches]: Add librewolf-add-store-to-rdd-allowlist.patch.
[phase 'wrap-program]: Remove rdd allowlist manipulation.
* gnu/packages/patches/librewolf-add-store-to-rdd-allowlist.patch: Add.
This commit is contained in:
Ian Eure
2025-04-19 17:03:39 -07:00
parent 674880d122
commit ab24e2ebe5
2 changed files with 39 additions and 19 deletions
Download Patch File Download Diff File Expand all files Collapse all files

22
gnu/packages/librewolf.scm
View File

@@ -192,7 +192,8 @@
(patches
(search-patches
"torbrowser-compare-paths.patch"
"librewolf-use-system-wide-dir.patch")))))
"librewolf-use-system-wide-dir.patch"
"librewolf-add-store-to-rdd-allowlist.patch")))))
;;; Define the versions of rust needed to build firefox, trying to match
;;; upstream. See table at [0], `Uses' column for the specific version.
@@ -541,28 +542,11 @@
"pulseaudio"
"libpciaccess")))
;; VA-API is run in the RDD (Remote Data Decoder) sandbox
;; and must be explicitly given access to files it needs.
;; Rather than adding the whole store (as Nix had
;; upstream do, see
;; <https://github.com/NixOS/nixpkgs/pull/165964> and
;; linked upstream patches), we can just follow the
;; runpaths of the needed libraries to add everything to
;; LD_LIBRARY_PATH. These will then be accessible in the
;; RDD sandbox.
(rdd-whitelist
(map (cut string-append <> "/")
(delete-duplicates
(append-map runpaths-of-input
'("mesa"
"ffmpeg"
"libpciaccess")))))
(gtk-share (string-append (assoc-ref inputs
"gtk+")
"/share")))
(wrap-program (car (find-files lib "^librewolf$"))
`("LD_LIBRARY_PATH" prefix
(,@libs ,@rdd-whitelist))
`("LD_LIBRARY_PATH" prefix ,libs)
`("XDG_DATA_DIRS" prefix
(,gtk-share))
`("MOZ_LEGACY_PROFILES" =

36
gnu/packages/patches/librewolf-add-store-to-rdd-allowlist.patch Normal file
View File

@@ -0,0 +1,36 @@
diff --git a/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp b/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp
index 4eff5e6..42171eb 100644
--- a/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp
+++ b/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp
@@ -476,6 +476,7 @@ void SandboxBrokerPolicyFactory::InitContentPolicy() {
// Various places where fonts reside
policy->AddTree(rdonly, "/usr/X11R6/lib/X11/fonts");
policy->AddTree(rdonly, "/nix/store");
+ policy->AddTree(rdonly, "/gnu/store");
// https://gitlab.com/freedesktop-sdk/freedesktop-sdk/-/blob/e434e680d22260f277f4a30ec4660ed32b591d16/files/fontconfig-flatpak.conf
policy->AddTree(rdonly, "/run/host/fonts");
policy->AddTree(rdonly, "/run/host/user-fonts");
@@ -485,6 +486,7 @@ void SandboxBrokerPolicyFactory::InitContentPolicy() {
// Bug 1848615
policy->AddPath(rdonly, "/usr");
policy->AddPath(rdonly, "/nix");
+ policy->AddPath(rdonly, "/gnu");
AddLdconfigPaths(policy);
AddLdLibraryEnvPaths(policy);
@@ -934,6 +936,7 @@ SandboxBrokerPolicyFactory::GetRDDPolicy(int aPid) {
policy->AddTree(rdonly, "/usr/lib64");
policy->AddTree(rdonly, "/run/opengl-driver/lib");
policy->AddTree(rdonly, "/nix/store");
+ policy->AddTree(rdonly, "/gnu/store");
// Bug 1647957: memory reporting.
AddMemoryReporting(policy.get(), aPid);
@@ -1079,6 +1082,7 @@ SandboxBrokerPolicyFactory::GetUtilityProcessPolicy(int aPid) {
// Required to make sure ffmpeg loads properly, this is already existing on
// Content and RDD
policy->AddTree(rdonly, "/nix/store");
+ policy->AddTree(rdonly, "/gnu/store");
// glibc will try to stat64("/") while populating nsswitch database
// https://sourceware.org/git/?p=glibc.git;a=blob;f=nss/nss_database.c;h=cf0306adc47f12d9bc761ab1b013629f4482b7e6;hb=9826b03b747b841f5fc6de2054bf1ef3f5c4bdf3#l396