[PATCH] fixing icecat's multimedia

  • Done
Details
2 participants
  • Julien Lepiller
  • Tobias Geerinckx-Rice
Owner
unassigned
Submitted by
Julien Lepiller
Severity
normal
Julien Lepiller wrote on 14 Jan 2020 01:58
(address . guix-patches@gnu.org)
20200114015819.713f4e4f@tachikoma.lepiller.eu
From IRC yesterday, I found that icecat was still missing something to
properly read multimedia streams, like mp3/mp4. In the current version,
it now tries to open ffmpeg's library dynamically, by looking in the
store, instead of standard locations (/usr/lib etc). But this is not
enough: even if icecat can properly find the library, it cannot load it
because it uses a sandboxing feature that only allows it to read and
write files from/to specific locations. /gnu/store is not part of them.

Since icecat has access to /lib and /usr/lib, I think we can also give
it read access (not write) to /gnu/store. This patch attempts to do
just that, but I couldn't build icecat because of a lack of space. It
sets the default security.sandbox.content.read_path_whitelist to
/gnu/store/ (the leading / meaning "and everything under it,
recursively").

Wdyt?
From adf7fdeffaa806edcd8abdac0746c06dad52c495 Mon Sep 17 00:00:00 2001
From: Julien Lepiller <julien@lepiller.eu>
Date: Tue, 14 Jan 2020 01:48:42 +0100
Subject: [PATCH] gnu: icecat: Give access to the store to the sandbox.

* gnu/packages/gnuzilla.scm (icecat): Add punch-hole-in-sandbox phase.
---
gnu/packages/gnuzilla.scm | 8 ++++++++
1 file changed, 8 insertions(+)

diff --git a/gnu/packages/gnuzilla.scm b/gnu/packages/gnuzilla.scm
index 62b4390eab..14f446ee0a 100644
--- a/gnu/packages/gnuzilla.scm
+++ b/gnu/packages/gnuzilla.scm
@@ -971,6 +971,14 @@ from forcing GEXP-PROMISE."
(("libavcodec\\.so")
(string-append (assoc-ref inputs "ffmpeg") "/lib/libavcodec.so")))
#t))
+ (add-after 'fix-ffmpeg-runtime-linker 'punch-hole-in-sandbox
+ (lambda _
+ (substitute* "browser/app/profile/icecat.js"
+ (("\"security.sandbox.content.read_path_whitelist\", \"\"")
+ (string-append
+ "\"security.sandbox.content.read_path_whitelist\", \""
+ (%store-directory) "/\"")))
+ #t))
(replace 'bootstrap
(lambda _
(invoke "sh" "-c" "autoconf old-configure.in > old-configure")
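Review bot: The `substitute*` pattern in the new 'punch-hole-in-sandbox phase only matches if browser/app/profile/icecat.js contains the pref with exactly an empty-string default ("security.sandbox.content.read_path_whitelist", ""). Nothing in the phase verifies that a replacement took place, and it returns #t unconditionally, so if that line is absent or written differently the package builds with the sandbox setting unchanged and no error. Consider failing the phase when the pref string is not found afterwards, or appending the pref line instead of rewriting an existing one. Separately, the value is (%store-directory) plus "/", which opens the whole store to the content process, while the preceding phase already resolves (assoc-ref inputs "ffmpeg"); a comment stating why the full store is needed, and what the trailing "/" means, would make the sandbox change easier to audit.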
--
2.24.0
Tobias Geerinckx-Rice wrote on 14 Jan 2020 02:29
87eew2hllb.fsf@nckx
Julien,

Thanks! For anything with ‘security’ *and* ‘sandbox’ in the name
we should definitely involve IceCat upstream.

Julien Lepiller wrote:
> (substitute* "browser/app/profile/icecat.js"
> (("\"security.sandbox.content.read_path_whitelist\", \"\"")
> (string-append
> "\"security.sandbox.content.read_path_whitelist\", \""
> (%store-directory) "/\"")))

When I asked bandali on IRC a few weeks(?) ago about this exact
patch, they didn't sound convinced. But we were both quite unsure
:-) Have things changed? Have you talked to Mark?

> Since icecat has access to /lib and /usr/lib, I think we can
> also give
> it read access (not write) to /gnu/store.

That sounds reasonable, if you're certain that it's read-only.

> Wdyt?

LGTM from the Guix side.

Kind regards,

T G-R

Julien Lepiller wrote on 14 Jan 2020 02:36
(name . Tobias Geerinckx-Rice)(address . me@tobias.gr)(address . 39127@debbugs.gnu.org)
20200114023605.70d61b0b@tachikoma.lepiller.eu
On Tue, 14 Jan 2020 02:29:20 +0100,
Tobias Geerinckx-Rice <me@tobias.gr> wrote:

> Julien,
>
> Thanks! For anything with ‘security’ *and* ‘sandbox’ in the name
> we should definitely involve IceCat upstream.
>
> Julien Lepiller wrote:
> > (substitute* "browser/app/profile/icecat.js"
> > (("\"security.sandbox.content.read_path_whitelist\", \"\"")
> > (string-append
> > "\"security.sandbox.content.read_path_whitelist\", \""
> > (%store-directory) "/\"")))
>
> When I asked bandali on IRC a few weeks(?) ago about this exact
> patch, they didn't sound convinced. But we were both quite unsure
> :-) Have things changed? Have you talked to Mark?

I haven't talked to Mark, but here's how you can check:

set security.sandbox.content.read_path_whitelist in about:config to an
empty string (the default) and restart icecat. It cannot play the video
from https://harmonist.tuxfamily.org/. It doesn't work. Set it to
/gnu/store/ (with a trailing /) and restart the browser. Now the video
works. This patch attempts to make the working scenario the default :)

>
> > Since icecat has access to /lib and /usr/lib, I think we can
> > also give
> > it read access (not write) to /gnu/store.
>
> That sounds reasonable, if you're certain that it's read-only.
>
> > Wdyt?
>
> LGTM from the Guix side.
>
> Kind regards,
>
> T G-R
Tobias Geerinckx-Rice wrote on 14 Jan 2020 02:42
(name . Julien Lepiller)(address . julien@lepiller.eu)(address . 39127@debbugs.gnu.org)
87d0bmhkyt.fsf@nckx
Julien,

Julien Lepiller wrote:
> I haven't talked to Mark, but here's how you can check:

[…]

I meant about any potential security issues or alternative
solutions (e.g. restricting access to less than the entire store).

I was already aware of the problem and this work-around, and can
confirm that it works.

Kind regards,

T G-R

Tobias Geerinckx-Rice wrote on 16 Jan 2020 10:04
(address . 39127-done@debbugs.gnu.org)
878sm7ai2a.fsf@nckx
Fixed by mhw[0] in commit
429c8284d232c3f9fbe3dc87a3da323f3a864c03, so closing this one.

Thanks!

T G-R


Closed