From: Jelle Licht
To: guix-devel@gnu.org
Subject: Guix driver paths for icecat RDD sandbox
Date: Sun, 15 Jan 2023 16:37:42 +0100
Message-ID: <87o7qzzu49.fsf@fsfe.org>

Hi guix,

I was playing around trying to get hardware enabled video decoding
working in icecat and/or firefox in guix, and found out that the fine
folks working on Nix have already gotten a patch upstreamed that allows
stuff in /nix/store to be loaded[0]. (Grep around for '/nix/store' in
our icecat sources to see what I mean).

From what I can see, the RDD whitelist reads through symlinks, so the
actual target file needs to be whitelisted before the file is loaded in
the sandbox.

Without this (or a similar fix), we'd need a custom package per possible
value of LIBVA_DRIVERS_PATH, as loadable libraries for hardware
acceleration do not seem directly configurable via
'browser/app/profile/icecat.js' at runtime. I may be wrong here, but
this seems to also imply that a recompilation of icecat would be
required as well every time one of these 'inputs' change :/.

OTOH, it would have some drawbacks:
- It hardcodes /gnu/store, instead of $MY_MAGIC_STORE_LOCATION
- It allows loading of pretty much anything in the store by the
  sandboxed process.

The second drawback seems pretty iffy, but the current suggested
workaround is to disable the sandbox entirely.

So that leaves us with 2 questions:
1. Do we want to apply a patch to whitelist '/gnu/store'?
2. If so, would we want to also send this patch upstream firefox? They
   seem open to accepting it.

I've opened an upstream issue for a similar treatment of /gnu/store,
which may also simplify the 'build-sandbox-whitelist' phase of our
icecat package[1] if accepted. I'm not entirely sure if that is
ultimately a good thing yet though.

Happy to hear any thoughts on this subject.

- Jelle

[0]: https://bugzilla.mozilla.org/show_bug.cgi?id=1761692
[1]: https://bugzilla.mozilla.org/show_bug.cgi?id=1808408
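
Added example (not part of the original message, and not Firefox or Guix code): a small Python model of the behaviour the message describes, where a path allow-list is checked against the symlink-resolved target, comparing a profile-only, a per-store-item and a whole-store allow-list. The directory layout, file names and the is_allowed helper are constructed for illustration.

```python
import os
import tempfile

def is_allowed(path, allowed_prefixes):
    """Model of a path allow-list that checks the symlink-resolved target."""
    real = os.path.realpath(path)
    for prefix in allowed_prefixes:
        prefix = os.path.realpath(prefix)
        if real == prefix or real.startswith(prefix + os.sep):
            return True
    return False

def build_demo(root):
    """Constructed layout: a store with two items and a profile symlink."""
    store = os.path.join(root, "gnu", "store")
    driver_dir = os.path.join(store, "aaaa-va-driver-1.0", "lib", "dri")
    other_dir = os.path.join(store, "bbbb-unrelated-2.0", "lib")
    profile_dri = os.path.join(root, "profile", "lib", "dri")
    for d in (driver_dir, other_dir, os.path.dirname(profile_dri)):
        os.makedirs(d)
    driver = os.path.join(driver_dir, "example_drv_video.so")
    other = os.path.join(other_dir, "libother.so")
    for f in (driver, other):
        open(f, "wb").close()
    os.symlink(driver_dir, profile_dri)  # profile entry points into the store
    return {
        "store": store,
        "item": os.path.join(store, "aaaa-va-driver-1.0"),
        "profile": os.path.join(root, "profile"),
        "via_profile": os.path.join(profile_dri, "example_drv_video.so"),
        "other": other,
    }

def evaluate():
    """Check the same driver and an unrelated file under three allow-lists."""
    with tempfile.TemporaryDirectory() as root:
        p = build_demo(root)
        return {
            "profile_only": is_allowed(p["via_profile"], [p["profile"]]),
            "item_listed": is_allowed(p["via_profile"], [p["item"]]),
            "store_listed": is_allowed(p["via_profile"], [p["store"]]),
            "store_exposes_other": is_allowed(p["other"], [p["store"]]),
            "item_exposes_other": is_allowed(p["other"], [p["item"]]),
        }

if __name__ == "__main__":
    for name, result in evaluate().items():
        print(f"{name}: {result}")
```

Listing only the profile directory fails because the resolved path lies in the store; listing the whole store prefix admits the driver but also every unrelated store item, which is the second drawback raised in the message.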