mirror of
https://git.savannah.gnu.org/git/guix.git
synced 2026-04-06 21:20:33 +02:00
972a8412d5
User profile directory has changed to "~/.tor project" in this version as MOZ_APP_PROFILE flag cannot be set anymore. * gnu/packages/tor-browsers.scm (firefox-locales): Update to 64046fdc97. (%torbrowser-build-date): Update to 20251028094500. (%torbrowser-version): Update to 15.0. (%torbrowser-firefox-version): Update to 140.4.0esr-15.0-1-build4. (torbrowser-translation-base): Update to cdd3da6308. (torbrowser-translation-specific): Update to 3395fe5bdb. (lld-as-ld-wrapper-18): Replace with lld-as-ld-wrapper-19. (make-torbrowser) [inputs]: Use libpng-apng-next, icu4c-76 and nss-rapid, in place of the defaults for those libraries. [native-inputs]: Use rust-cbindgen-0.28, lld-as-ld-wrapper-19, llvm-19 and clang-19. [arguments] <#:configure-flags>: Remove '--enable-official-branding' which breaks browser branding as of this version. <#:phases> 'setenv: Do not set MOZ_APP_PROFILE, which is now implied and breaks configuration phase when set. * gnu/packages/patches/torbrowser-compare-paths.patch: ... * gnu/packages/patches/torbrowser-use-system-wide-dir.patch: ... * gnu/packages/patches/torbrowsers-add-store-to-rdd-allowlist.patch: Refresh patches. Change Id: Id4134edd63328f479589e6ed61f46a869dbbda5d Signed-off-by: Andreas Enge <andreas@enge.fr>
54 lines
2.6 KiB
Diff
54 lines
2.6 KiB
Diff
By default Firefox sandbox security model allows browser components to
|
|
access files under '/usr', '/etc' and user home directories. However,
|
|
similar to Nix, on Guix some of those file hierarchies are actually
|
|
symlinks to '/gnu/store' paths, which then get denied, breaking some
|
|
expected functionality on the browser. Moreover, their final store
|
|
paths are not available on the build environment and also expected to
|
|
change.
|
|
|
|
Guix users that are willing to further restrict browsers' access to their
|
|
file systems and do not mind losing some funcionality are advised to use
|
|
Guix Containers.
|
|
|
|
See: <https://bugzilla.mozilla.org/show_bug.cgi?id=1848615#c8>,
|
|
<https://codeberg.org/guix/guix/issues/661>,
|
|
<https://issues.guix.gnu.org/38045> and
|
|
<https://issues.guix.gnu.org/77559>
|
|
|
|
diff --git a/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp b/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp
|
|
index 4eff5e6..42171eb 100644
|
|
--- a/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp
|
|
+++ b/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp
|
|
@@ -476,6 +476,7 @@ void SandboxBrokerPolicyFactory::InitContentPolicy() {
|
|
// Various places where fonts reside
|
|
policy->AddTree(rdonly, "/usr/X11R6/lib/X11/fonts");
|
|
policy->AddTree(rdonly, "/nix/store");
|
|
+ policy->AddTree(rdonly, "/gnu/store");
|
|
// https://gitlab.com/freedesktop-sdk/freedesktop-sdk/-/blob/e434e680d22260f277f4a30ec4660ed32b591d16/files/fontconfig-flatpak.conf
|
|
policy->AddTree(rdonly, "/run/host/fonts");
|
|
policy->AddTree(rdonly, "/run/host/user-fonts");
|
|
@@ -485,6 +486,7 @@ void SandboxBrokerPolicyFactory::InitContentPolicy() {
|
|
// Bug 1848615
|
|
policy->AddPath(rdonly, "/usr");
|
|
policy->AddPath(rdonly, "/nix");
|
|
+ policy->AddPath(rdonly, "/gnu");
|
|
|
|
AddLdconfigPaths(policy);
|
|
AddLdLibraryEnvPaths(policy);
|
|
@@ -934,6 +936,7 @@ SandboxBrokerPolicyFactory::GetRDDPolicy(int aPid) {
|
|
policy->AddTree(rdonly, "/usr/lib64");
|
|
policy->AddTree(rdonly, "/run/opengl-driver/lib");
|
|
policy->AddTree(rdonly, "/nix/store");
|
|
+ policy->AddTree(rdonly, "/gnu/store");
|
|
|
|
// Bug 1647957: memory reporting.
|
|
AddMemoryReporting(policy.get(), aPid);
|
|
@@ -1079,6 +1082,7 @@ SandboxBrokerPolicyFactory::GetUtilityProcessPolicy(int aPid) {
|
|
// Required to make sure ffmpeg loads properly, this is already existing on
|
|
// Content and RDD
|
|
policy->AddTree(rdonly, "/nix/store");
|
|
+ policy->AddTree(rdonly, "/gnu/store");
|
|
|
|
// glibc will try to stat64("/") while populating nsswitch database
|
|
// https://sourceware.org/git/?p=glibc.git;a=blob;f=nss/nss_database.c;h=cf0306adc47f12d9bc761ab1b013629f4482b7e6;hb=9826b03b747b841f5fc6de2054bf1ef3f5c4bdf3#l396
|