* [bug#39127] [PATCH] fixing icecat's multimedia
@ 2020-01-14 0:58 Julien Lepiller
2020-01-14 1:29 ` Tobias Geerinckx-Rice via Guix-patches via
2020-01-16 9:04 ` bug#39127: " Tobias Geerinckx-Rice via Guix-patches via
0 siblings, 2 replies; 5+ messages in thread
From: Julien Lepiller @ 2020-01-14 0:58 UTC (permalink / raw)
To: 39127
[-- Attachment #1: Type: text/plain, Size: 868 bytes --]
From IRC yesterday, I found that icecat was still missing something to
properly read multimedia streams, like mp3/mp4. In the current version,
it now tries to open ffmpeg's library dynamically, by looking in the
store, instead of standard locations (/usr/lib etc). But this is not
enough: even if icecat can properly find the library, it cannot load it
because it uses a sandboxing feature that only allows it to read and
write files from/to specific locations. /gnu/store is not part of them.
Since icecat has access to /lib and /usr/lib, I think we can also give
it read access (not write) to /gnu/store. This patch attempts to do
just that, but I couldn't build icecat because of a lack of space. It
sets the default security.sandbox.content.read_path_whitelist to
/gnu/store/, the leading / meaning "and everything under it,
recursively").
Wdyt?
[-- Attachment #2: 0001-gnu-icecat-Give-access-to-the-store-to-the-sandbox.patch --]
[-- Type: text/x-patch, Size: 1270 bytes --]
From adf7fdeffaa806edcd8abdac0746c06dad52c495 Mon Sep 17 00:00:00 2001
From: Julien Lepiller <julien@lepiller.eu>
Date: Tue, 14 Jan 2020 01:48:42 +0100
Subject: [PATCH] gnu: icecat: Give access to the store to the sandbox.
* gnu/packages/gnuzilla.scm (icecat): Add punch-hole-in-sandbox phase.
---
gnu/packages/gnuzilla.scm | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/gnu/packages/gnuzilla.scm b/gnu/packages/gnuzilla.scm
index 62b4390eab..14f446ee0a 100644
--- a/gnu/packages/gnuzilla.scm
+++ b/gnu/packages/gnuzilla.scm
@@ -971,6 +971,14 @@ from forcing GEXP-PROMISE."
(("libavcodec\\.so")
(string-append (assoc-ref inputs "ffmpeg") "/lib/libavcodec.so")))
#t))
+ (add-after 'fix-ffmpeg-runtime-linker 'punch-hole-in-sandbox
+ (lambda _
+ (substitute* "browser/app/profile/icecat.js"
+ (("\"security.sandbox.content.read_path_whitelist\", \"\"")
+ (string-append
+ "\"security.sandbox.content.read_path_whitelist\", \""
+ (%store-directory) "/\"")))
+ #t))
(replace 'bootstrap
(lambda _
(invoke "sh" "-c" "autoconf old-configure.in > old-configure")
--
2.24.0
^ permalink raw reply related [flat|nested] 5+ messages in thread
* [bug#39127] [PATCH] fixing icecat's multimedia
2020-01-14 0:58 [bug#39127] [PATCH] fixing icecat's multimedia Julien Lepiller
@ 2020-01-14 1:29 ` Tobias Geerinckx-Rice via Guix-patches via
2020-01-14 1:36 ` Julien Lepiller
2020-01-16 9:04 ` bug#39127: " Tobias Geerinckx-Rice via Guix-patches via
1 sibling, 1 reply; 5+ messages in thread
From: Tobias Geerinckx-Rice via Guix-patches via @ 2020-01-14 1:29 UTC (permalink / raw)
To: 39127, Julien Lepiller
[-- Attachment #1: Type: text/plain, Size: 842 bytes --]
Julien,
Thanks! For anything with ‘security’ *and* ‘sandbox’ in the name
we should definitely involve IceCat upstream.
Julien Lepiller 写道:
> (substitute* "browser/app/profile/icecat.js"
> (("\"security.sandbox.content.read_path_whitelist\", \"\"")
> (string-append
> "\"security.sandbox.content.read_path_whitelist\", \""
> (%store-directory) "/\"")))
When I asked bandali on IRC a few weeks(?) ago about this exact
patch, they didn't sound convinced. But we were both quite unsure
:-) Have things changed? Have you talked to Mark?
> Since icecat has access to /lib and /usr/lib, I think we can
> also give
> it read access (not write) to /gnu/store.
That sounds reasonable, if you're certain that it's read-only.
> Wdyt?
LGTM from the Guix side.
Kind regards,
T G-R
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 832 bytes --]
^ permalink raw reply [flat|nested] 5+ messages in thread
* [bug#39127] [PATCH] fixing icecat's multimedia
2020-01-14 1:29 ` Tobias Geerinckx-Rice via Guix-patches via
@ 2020-01-14 1:36 ` Julien Lepiller
2020-01-14 1:42 ` Tobias Geerinckx-Rice via Guix-patches via
0 siblings, 1 reply; 5+ messages in thread
From: Julien Lepiller @ 2020-01-14 1:36 UTC (permalink / raw)
To: Tobias Geerinckx-Rice; +Cc: 39127
Le Tue, 14 Jan 2020 02:29:20 +0100,
Tobias Geerinckx-Rice <me@tobias.gr> a écrit :
> Julien,
>
> Thanks! For anything with ‘security’ *and* ‘sandbox’ in the name
> we should definitely involve IceCat upstream.
>
> Julien Lepiller 写道:
> > (substitute* "browser/app/profile/icecat.js"
> > (("\"security.sandbox.content.read_path_whitelist\", \"\"")
> > (string-append
> > "\"security.sandbox.content.read_path_whitelist\", \""
> > (%store-directory) "/\"")))
>
> When I asked bandali on IRC a few weeks(?) ago about this exact
> patch, they didn't sound convinced. But we were both quite unsure
> :-) Have things changed? Have you talked to Mark?
I haven't talked to Mark, but here's how you can check:
set security.sandbox.content.read_path_whitelist in about:config to an
empty string (the default) and restart icecat. It cannot play the video
from https://harmonist.tuxfamily.org/. It doesn't work. Set it to
/gnu/store/ (with a trailing /) and restart the browser. Now the video
works. This patch attempts to make the working scenario the default :)
>
> > Since icecat has access to /lib and /usr/lib, I think we can
> > also give
> > it read access (not write) to /gnu/store.
>
> That sounds reasonable, if you're certain that it's read-only.
>
> > Wdyt?
>
> LGTM from the Guix side.
>
> Kind regards,
>
> T G-R
^ permalink raw reply [flat|nested] 5+ messages in thread
* [bug#39127] [PATCH] fixing icecat's multimedia
2020-01-14 1:36 ` Julien Lepiller
@ 2020-01-14 1:42 ` Tobias Geerinckx-Rice via Guix-patches via
0 siblings, 0 replies; 5+ messages in thread
From: Tobias Geerinckx-Rice via Guix-patches via @ 2020-01-14 1:42 UTC (permalink / raw)
To: Julien Lepiller; +Cc: 39127
[-- Attachment #1: Type: text/plain, Size: 356 bytes --]
Julien,
Julien Lepiller 写道:
> I haven't talked to Mark, but here's how you can check:
[…]
I meant about any potential security issues or alternative
solutions (e.g. restricting access to less than the entire store).
I was already aware of the problem and this work-around, and can
confirm that it works.
Kind regards,
T G-R
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 832 bytes --]
^ permalink raw reply [flat|nested] 5+ messages in thread
* bug#39127: [PATCH] fixing icecat's multimedia
2020-01-14 0:58 [bug#39127] [PATCH] fixing icecat's multimedia Julien Lepiller
2020-01-14 1:29 ` Tobias Geerinckx-Rice via Guix-patches via
@ 2020-01-16 9:04 ` Tobias Geerinckx-Rice via Guix-patches via
1 sibling, 0 replies; 5+ messages in thread
From: Tobias Geerinckx-Rice via Guix-patches via @ 2020-01-16 9:04 UTC (permalink / raw)
To: 39127-done
[-- Attachment #1: Type: text/plain, Size: 166 bytes --]
Fixed by mhw[0] in commit
429c8284d232c3f9fbe3dc87a3da323f3a864c03, so closing this one.
Thanks!
T G-R
[0]: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=38831#5
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 832 bytes --]
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2020-01-16 9:05 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2020-01-14 0:58 [bug#39127] [PATCH] fixing icecat's multimedia Julien Lepiller
2020-01-14 1:29 ` Tobias Geerinckx-Rice via Guix-patches via
2020-01-14 1:36 ` Julien Lepiller
2020-01-14 1:42 ` Tobias Geerinckx-Rice via Guix-patches via
2020-01-16 9:04 ` bug#39127: " Tobias Geerinckx-Rice via Guix-patches via
Code repositories for project(s) associated with this external index
https://git.savannah.gnu.org/cgit/guix.git
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.