From patchwork Tue Jan 14 00:58:19 2020
X-Patchwork-Submitter: Julien Lepiller
X-Patchwork-Id: 19805
Subject: [bug#39127] [PATCH] fixing icecat's multimedia
To: 39127@debbugs.gnu.org
Date: Tue, 14 Jan 2020 01:58:19 +0100
From: Julien Lepiller
Message-ID: <20200114015819.713f4e4f@tachikoma.lepiller.eu>

From IRC yesterday, I found that icecat was still missing something to properly read multimedia streams, like mp3/mp4. In the current version, it now tries to open ffmpeg's library dynamically, by looking in the store, instead of standard locations (/usr/lib etc). But this is not enough: even if icecat can properly find the library, it cannot load it because it uses a sandboxing feature that only allows it to read and write files from/to specific locations. /gnu/store is not part of them.

Since icecat has access to /lib and /usr/lib, I think we can also give it read access (not write) to /gnu/store. This patch attempts to do just that, but I couldn't build icecat because of a lack of space. It sets the default security.sandbox.content.read_path_whitelist to /gnu/store/ (the leading / meaning "and everything under it, recursively").

Wdyt?

From adf7fdeffaa806edcd8abdac0746c06dad52c495 Mon Sep 17 00:00:00 2001
From: Julien Lepiller Date: Tue, 14 Jan 2020 01:48:42 +0100 Subject: [PATCH] gnu: icecat: Give access to the store to the sandbox. * gnu/packages/gnuzilla.scm (icecat): Add punch-hole-in-sandbox phase. --- gnu/packages/gnuzilla.scm | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/gnu/packages/gnuzilla.scm b/gnu/packages/gnuzilla.scm index 62b4390eab..14f446ee0a 100644 --- a/gnu/packages/gnuzilla.scm +++ b/gnu/packages/gnuzilla.scm @@ -971,6 +971,14 @@ from forcing GEXP-PROMISE." (("libavcodec\\.so") (string-append (assoc-ref inputs "ffmpeg") "/lib/libavcodec.so"))) #t)) + (add-after 'fix-ffmpeg-runtime-linker 'punch-hole-in-sandbox + (lambda _ + (substitute* "browser/app/profile/icecat.js" + (("\"security.sandbox.content.read_path_whitelist\", \"\"") + (string-append + "\"security.sandbox.content.read_path_whitelist\", \"" + (%store-directory) "/\""))) + #t)) (replace 'bootstrap (lambda _ (invoke "sh" "-c" "autoconf old-configure.in > old-configure") -- 2.24.0
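Review bot: In the added punch-hole-in-sandbox phase, the substitute* pattern only matches the exact literal `"security.sandbox.content.read_path_whitelist", ""` in browser/app/profile/icecat.js, and substitute* does not signal an error when nothing matches, so if the pref line is spelled differently or lives in another file the phase still returns #t and the build succeeds with the sandbox unchanged. Since the cover message says icecat could not be built with this change, please confirm that the line exists in that form, or have the phase check the file afterwards and fail if the store path is not present. The whitelisted value is the whole of (%store-directory) followed by "/", which is much broader than the single ffmpeg input used by the preceding fix-ffmpeg-runtime-linker phase; a comment in the phase stating why the content sandbox needs read access to the entire store, rather than a narrower set of paths, would help later reviewers. The dots in the pattern are also unescaped, unlike "libavcodec\\.so" just above.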