From 48e223d33746516010677197ce12b7bf3bb6637c Mon Sep 17 00:00:00 2001
Message-Id: <48e223d33746516010677197ce12b7bf3bb6637c.1632614888.git.iskarian@mgsn.dev>
From: Sarah Morgensen
Date: Sat, 25 Sep 2021 17:05:24 -0700
Subject: [PATCH] gnu: icecat: Fix sandbox path whitelist.
Fixes .
* gnu/packages/gnuzilla.scm (icecat)[arguments]<#:phases> {fix-ffmpeg-runtime-linker}: Move sandbox whitelist logic to... {set-sandbox-whitelist}: ...here. Set whitelist to "/gnu/store/".
---
 gnu/packages/gnuzilla.scm | 30 ++++++++++--------------------
 1 file changed, 10 insertions(+), 20 deletions(-)
diff --git a/gnu/packages/gnuzilla.scm b/gnu/packages/gnuzilla.scm
index 431b487fd0..e71df45966 100644
--- a/gnu/packages/gnuzilla.scm
+++ b/gnu/packages/gnuzilla.scm
@@ -1124,26 +1124,16 @@ from forcing GEXP-PROMISE."
 ;; Arrange to load libavcodec.so by its absolute file name.
 (substitute* "dom/media/platforms/ffmpeg/FFmpegRuntimeLinker.cpp"
 (("libavcodec\\.so")
- libavcodec))
- ;; Populate the sandbox read-path whitelist as needed by ffmpeg.
- (let* ((mime-info (assoc-ref inputs "shared-mime-info"))
- (libavcodec-runpath (call-with-input-file libavcodec
- (compose elf-dynamic-info-runpath
- elf-dynamic-info
- parse-elf
- get-bytevector-all)))
- (whitelist (cons (string-append mime-info "/share/mime/")
- (map (lambda (dir)
- (string-append dir "/"))
- libavcodec-runpath)))
- (whitelist-string (string-join whitelist ","))
- (port (open-file "browser/app/profile/icecat.js" "a")))
- (format #t "setting 'security.sandbox.content.read_path_whitelist' to '~a'~%"
- whitelist-string)
- (format port "~%pref(\"security.sandbox.content.read_path_whitelist\", ~S);~%"
- whitelist-string)
- (close-output-port port))
- #t)))
+ libavcodec)))))
+ (add-after 'fix-ffmpeg-runtime-linker 'set-sandbox-whitelist
+ (lambda _
+ (let ((port (open-file "browser/app/profile/icecat.js" "a"))
+ (whitelist-string "/gnu/store/"))
+ (format #t "setting 'security.sandbox.content.read_path_whitelist' to '~a'~%"
+ whitelist-string)
+ (format port "~%pref(\"security.sandbox.content.read_path_whitelist\", ~S);~%"
+ whitelist-string)
+ (close-output-port port))))
 (replace 'bootstrap
 (lambda _
 (invoke "sh" "-c" "autoconf old-configure.in > old-configure")
base-commit: 69f37702dfcda776a190d5c40fad8518469ce3c4
--
2.33.0
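Review bot: The new `set-sandbox-whitelist` phase sets `security.sandbox.content.read_path_whitelist` to all of `/gnu/store/` without a comment explaining why, and the removed `;; Populate the sandbox read-path whitelist as needed by ffmpeg.` line was the only explanation the old code had. The old list was limited to the shared-mime-info directory and libavcodec's runpath entries, so this is a real widening of what the content process may read: every store item, including any configuration files a system happens to place there. I would add a comment above the `let`, for example `;; Allow reads from the whole store: the per-library runpath list did not cover every file the content process needs. The store is world-readable, so it must not hold secrets.` The stated reason is inferred from the commit title and should be confirmed by the author. The enclosing phases list starts before this hunk and the `replace 'bootstrap` phase continues past it.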