| Message ID | 20200114015819.713f4e4f@tachikoma.lepiller.eu |
|---|---|
| State | Accepted |
| Series | [bug#39127] fixing icecat's multimedia |

| Context | Check | Description |
|---|---|---|
| cbaines/applying patch | fail | Apply failed |
Julien,

Thanks! For anything with ‘security’ *and* ‘sandbox’ in the name we should definitely involve IceCat upstream.

Julien Lepiller wrote:
> (substitute* "browser/app/profile/icecat.js"
>   (("\"security.sandbox.content.read_path_whitelist\", \"\"")
>    (string-append
>     "\"security.sandbox.content.read_path_whitelist\", \""
>     (%store-directory) "/\"")))

When I asked bandali on IRC a few weeks(?) ago about this exact patch, they didn't sound convinced. But we were both quite unsure :-) Have things changed? Have you talked to Mark?

> Since icecat has access to /lib and /usr/lib, I think we can also give
> it read access (not write) to /gnu/store.

That sounds reasonable, if you're certain that it's read-only.

> Wdyt?

LGTM from the Guix side.

Kind regards,

T G-R
On Tue, 14 Jan 2020 02:29:20 +0100, Tobias Geerinckx-Rice <me@tobias.gr> wrote:

> Julien,
>
> Thanks! For anything with ‘security’ *and* ‘sandbox’ in the name
> we should definitely involve IceCat upstream.
>
> Julien Lepiller wrote:
> > (substitute* "browser/app/profile/icecat.js"
> >   (("\"security.sandbox.content.read_path_whitelist\", \"\"")
> >    (string-append
> >     "\"security.sandbox.content.read_path_whitelist\", \""
> >     (%store-directory) "/\"")))
>
> When I asked bandali on IRC a few weeks(?) ago about this exact
> patch, they didn't sound convinced. But we were both quite unsure
> :-) Have things changed? Have you talked to Mark?

I haven't talked to Mark, but here's how you can check: set security.sandbox.content.read_path_whitelist in about:config to an empty string (the default) and restart icecat. It cannot play the video from https://harmonist.tuxfamily.org/. It doesn't work.

Set it to /gnu/store/ (with a trailing /) and restart the browser. Now the video works.

This patch attempts to make the working scenario the default :)

> > Since icecat has access to /lib and /usr/lib, I think we can
> > also give
> > it read access (not write) to /gnu/store.
>
> That sounds reasonable, if you're certain that it's read-only.
>
> > Wdyt?
>
> LGTM from the Guix side.
>
> Kind regards,
>
> T G-R
Julien,
Julien Lepiller wrote:
> I haven't talked to Mark, but here's how you can check:
[…]
I meant about any potential security issues or alternative
solutions (e.g. restricting access to less than the entire store).
I was already aware of the problem and this work-around, and can
confirm that it works.
Kind regards,
T G-R
Fixed by mhw[0] in commit 429c8284d232c3f9fbe3dc87a3da323f3a864c03, so closing this one. Thanks!

T G-R

[0]: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=38831#5
From adf7fdeffaa806edcd8abdac0746c06dad52c495 Mon Sep 17 00:00:00 2001 From: Julien Lepiller <julien@lepiller.eu> Date: Tue, 14 Jan 2020 01:48:42 +0100 Subject: [PATCH] gnu: icecat: Give access to the store to the sandbox. * gnu/packages/gnuzilla.scm (icecat): Add punch-hole-in-sandbox phase. --- gnu/packages/gnuzilla.scm | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/gnu/packages/gnuzilla.scm b/gnu/packages/gnuzilla.scm index 62b4390eab..14f446ee0a 100644 --- a/gnu/packages/gnuzilla.scm +++ b/gnu/packages/gnuzilla.scm @@ -971,6 +971,14 @@ from forcing GEXP-PROMISE." (("libavcodec\\.so") (string-append (assoc-ref inputs "ffmpeg") "/lib/libavcodec.so"))) #t)) + (add-after 'fix-ffmpeg-runtime-linker 'punch-hole-in-sandbox + (lambda _ + (substitute* "browser/app/profile/icecat.js" + (("\"security.sandbox.content.read_path_whitelist\", \"\"") + (string-append + "\"security.sandbox.content.read_path_whitelist\", \"" + (%store-directory) "/\""))) + #t)) (replace 'bootstrap (lambda _ (invoke "sh" "-c" "autoconf old-configure.in > old-configure") -- 2.24.0
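Review bot: The new 'punch-hole-in-sandbox phase whitelists the whole of (%store-directory) for the content sandbox, which is far wider than the single ffmpeg library the preceding context already resolves to a concrete store path via (assoc-ref inputs "ffmpeg") "/lib/libavcodec.so"; consider whitelisting only the store items IceCat actually needs at run time (the ffmpeg output, for instance) rather than every package on the system, and record in the commit message why read access to the store is considered acceptable, since the thread only states it is read-only without showing it. Separately, substitute* does not fail when its pattern matches nothing, so if upstream ever changes the default line "security.sandbox.content.read_path_whitelist", "" the phase would silently succeed while leaving the sandbox unchanged; a comment pointing at the upstream pref, or a check that the file now contains the store path, would make that regression visible at build time.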