ref: b57b68aba645181b78bbdbef4ad908d60da03aa7 guix-local/gnu/packages/patches/torbrowsers-add-store-to-rdd-allowlist.patch -rw-r--r-- 2.6 KiB
b57b68ab — Cayetano Santos gnu: open-logic: Move to hdl 30 days ago
By default Firefox sandbox security model allows browser components to
access files under '/usr', '/etc' and user home directories.  However,
similar to Nix, on Guix some of those file hierarchies are actually
symlinks to '/gnu/store' paths, which then get denied, breaking some
expected functionality on the browser.  Moreover, their final store
paths are not available on the build environment and also expected to
change.

Guix users who are willing to further restrict browsers' access to their
file systems and do not mind losing some functionality are advised to use
Guix Containers.

See: <https://bugzilla.mozilla.org/show_bug.cgi?id=1848615#c8>,
<https://codeberg.org/guix/guix/issues/661>,
<https://issues.guix.gnu.org/38045> and
<https://issues.guix.gnu.org/77559>

diff --git a/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp b/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp
index 4eff5e6..42171eb 100644
--- a/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp
+++ b/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp
@@ -476,6 +476,7 @@ void SandboxBrokerPolicyFactory::InitContentPolicy() {
   // Various places where fonts reside
   policy->AddTree(rdonly, "/usr/X11R6/lib/X11/fonts");
   policy->AddTree(rdonly, "/nix/store");
+  policy->AddTree(rdonly, "/gnu/store");
   // https://gitlab.com/freedesktop-sdk/freedesktop-sdk/-/blob/e434e680d22260f277f4a30ec4660ed32b591d16/files/fontconfig-flatpak.conf
   policy->AddTree(rdonly, "/run/host/fonts");
   policy->AddTree(rdonly, "/run/host/user-fonts");
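Review bot: The added `policy->AddTree(rdonly, "/gnu/store")` carries no comment explaining why a whole store tree is opened to the content sandbox; the only nearby comment ("Various places where fonts reside") does not describe this purpose, and the rationale (`/usr`, `/etc` and home paths being symlinks into the store) lives only in the patch header. Suggest `// Guix: /usr, /etc and home paths may resolve to /gnu/store symlinks` above this line, and the same comment on the other three additions (the `AddPath(rdonly, "/gnu")` line under "Bug 1848615", and the `/gnu/store` trees in the RDD and utility-process hunks). The grant is read-only and the store is typically world-readable on Guix, so it likely exposes no more than an unsandboxed process already sees, but it does make the full installed package set readable from every content, RDD and utility process — worth stating in that comment, since the patch file name mentions only RDD. InitContentPolicy continues outside the hunk.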
@@ -485,6 +486,7 @@ void SandboxBrokerPolicyFactory::InitContentPolicy() {
   // Bug 1848615
   policy->AddPath(rdonly, "/usr");
   policy->AddPath(rdonly, "/nix");
+  policy->AddPath(rdonly, "/gnu");
 
   AddLdconfigPaths(policy);
   AddLdLibraryEnvPaths(policy);
@@ -934,6 +936,7 @@ SandboxBrokerPolicyFactory::GetRDDPolicy(int aPid) {
   policy->AddTree(rdonly, "/usr/lib64");
   policy->AddTree(rdonly, "/run/opengl-driver/lib");
   policy->AddTree(rdonly, "/nix/store");
+  policy->AddTree(rdonly, "/gnu/store");
 
   // Bug 1647957: memory reporting.
   AddMemoryReporting(policy.get(), aPid);
@@ -1079,6 +1082,7 @@ SandboxBrokerPolicyFactory::GetUtilityProcessPolicy(int aPid) {
   // Required to make sure ffmpeg loads properly, this is already existing on
   // Content and RDD
   policy->AddTree(rdonly, "/nix/store");
+  policy->AddTree(rdonly, "/gnu/store");
 
   // glibc will try to stat64("/") while populating nsswitch database
   // https://sourceware.org/git/?p=glibc.git;a=blob;f=nss/nss_database.c;h=cf0306adc47f12d9bc761ab1b013629f4482b7e6;hb=9826b03b747b841f5fc6de2054bf1ef3f5c4bdf3#l396