(address . guix-patches@gnu.org)
From IRC yesterday, I found that icecat was still missing something to
properly read multimedia streams, like mp3/mp4. In the current version,
it now tries to open ffmpeg's library dynamically, by looking in the
store, instead of standard locations (/usr/lib etc). But this is not
enough: even if icecat can properly find the library, it cannot load it
because it uses a sandboxing feature that only allows it to read and
write files from/to specific locations. /gnu/store is not part of them.
Since icecat has access to /lib and /usr/lib, I think we can also give
it read access (not write) to /gnu/store. This patch attempts to do
just that, but I couldn't build icecat because of a lack of space. It
sets the default security.sandbox.content.read_path_whitelist to
/gnu/store/, the leading / meaning "and everything under it,
recursively").
Wdyt?
From adf7fdeffaa806edcd8abdac0746c06dad52c495 Mon Sep 17 00:00:00 2001
From: Julien Lepiller <julien@lepiller.eu>
Date: Tue, 14 Jan 2020 01:48:42 +0100
Subject: [PATCH] gnu: icecat: Give access to the store to the sandbox.
* gnu/packages/gnuzilla.scm (icecat): Add punch-hole-in-sandbox phase.
---
gnu/packages/gnuzilla.scm | 8 ++++++++
1 file changed, 8 insertions(+)
Toggle diff (21 lines)
diff --git a/gnu/packages/gnuzilla.scm b/gnu/packages/gnuzilla.scm
index 62b4390eab..14f446ee0a 100644
--- a/gnu/packages/gnuzilla.scm
+++ b/gnu/packages/gnuzilla.scm
@@ -971,6 +971,14 @@ from forcing GEXP-PROMISE."
(("libavcodec\\.so")
(string-append (assoc-ref inputs "ffmpeg") "/lib/libavcodec.so")))
#t))
+ (add-after 'fix-ffmpeg-runtime-linker 'punch-hole-in-sandbox
+ (lambda _
+ (substitute* "browser/app/profile/icecat.js"
+ (("\"security.sandbox.content.read_path_whitelist\", \"\"")
+ (string-append
+ "\"security.sandbox.content.read_path_whitelist\", \""
+ (%store-directory) "/\"")))
+ #t))
(replace 'bootstrap
(lambda _
(invoke "sh" "-c" "autoconf old-configure.in > old-configure")
--
2.24.0