unofficial mirror of guix-patches@gnu.org 
* [bug#39127] [PATCH] fixing icecat's multimedia
@ 2020-01-14  0:58 Julien Lepiller
  2020-01-14  1:29 ` Tobias Geerinckx-Rice via Guix-patches via
  2020-01-16  9:04 ` bug#39127: " Tobias Geerinckx-Rice via Guix-patches via
  0 siblings, 2 replies; 5+ messages in thread
From: Julien Lepiller @ 2020-01-14  0:58 UTC (permalink / raw)
  To: 39127

From IRC yesterday, I found that icecat was still missing something to
properly read multimedia streams, like mp3/mp4. In the current version,
it now tries to open ffmpeg's library dynamically, by looking in the
store, instead of standard locations (/usr/lib etc). But this is not
enough: even if icecat can properly find the library, it cannot load it
because it uses a sandboxing feature that only allows it to read and
write files from/to specific locations. /gnu/store is not part of them.

Since icecat has access to /lib and /usr/lib, I think we can also give
it read access (not write) to /gnu/store. This patch attempts to do
just that, but I couldn't build icecat because of a lack of space. It
sets the default security.sandbox.content.read_path_whitelist to
/gnu/store/ (the leading / meaning "and everything under it,
recursively").

Wdyt?

[-- Attachment #2: 0001-gnu-icecat-Give-access-to-the-store-to-the-sandbox.patch --]
[-- Type: text/x-patch, Size: 1270 bytes --]

From adf7fdeffaa806edcd8abdac0746c06dad52c495 Mon Sep 17 00:00:00 2001
From: Julien Lepiller <julien@lepiller.eu>
Date: Tue, 14 Jan 2020 01:48:42 +0100
Subject: [PATCH] gnu: icecat: Give access to the store to the sandbox.

* gnu/packages/gnuzilla.scm (icecat): Add punch-hole-in-sandbox phase.
---
 gnu/packages/gnuzilla.scm | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/gnu/packages/gnuzilla.scm b/gnu/packages/gnuzilla.scm
index 62b4390eab..14f446ee0a 100644
--- a/gnu/packages/gnuzilla.scm
+++ b/gnu/packages/gnuzilla.scm
@@ -971,6 +971,14 @@ from forcing GEXP-PROMISE."
                (("libavcodec\\.so")
                 (string-append (assoc-ref inputs "ffmpeg") "/lib/libavcodec.so")))
              #t))
+         (add-after 'fix-ffmpeg-runtime-linker 'punch-hole-in-sandbox
+           (lambda _
+             (substitute* "browser/app/profile/icecat.js"
+               (("\"security.sandbox.content.read_path_whitelist\", \"\"")
+                (string-append
+                  "\"security.sandbox.content.read_path_whitelist\", \""
+                  (%store-directory) "/\"")))
+             #t))
          (replace 'bootstrap
            (lambda _
              (invoke "sh" "-c" "autoconf old-configure.in > old-configure")
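
Review bot: the `substitute*` pattern in the new `punch-hole-in-sandbox` phase only takes effect if `browser/app/profile/icecat.js` contains the exact text `"security.sandbox.content.read_path_whitelist", ""`, and nothing in the phase checks that it matched. The phase returns `#t` either way, so if the pref is spaced differently, already has a non-empty value, or is defined in another file, the sandbox stays unchanged and the build still succeeds. Since the message says the package could not be built, please confirm the match against the unpacked source, and consider making the phase fail when the expected line is absent. The dots in the pattern are also unescaped, unlike `libavcodec\\.so` in the preceding phase; escaping them keeps the match literal. Finally, the replacement opens everything under `(%store-directory)` for reading by content processes, not only what libavcodec needs. A short comment in the phase saying why the whole store is allowed, and that the access is read-only, would let later readers judge this sandbox exception.
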
-- 
2.24.0

