guix_mirror_bot pushed a commit to branch master
in repository guix.
commit 17cdf44ba16ae75c5428091b204b08bfa57ccab5
Author: André Batista <[email protected]>
AuthorDate: Fri Aug 1 14:22:37 2025 -0300
gnu: make-torbrowser: Remove redundant phase.
Follow up to commit 6ee9cd170b10a52162e43abcdb1f7148da5d7f45 which added
torbrowsers-add-store-to-rdd-allowlist.patch and implicitly made
'build-sandbox-whitelist phase unnecessary.
Users are encouraged to use Guix Containers if they want to restrict
browsers' access to their file systems.
* gnu/packages/tor-browsers.scm (make-torbrowser) [arguments] <#:phases>
'build-sandbox-whitelist: Remove it;
'autoconfig: Remove step that adds the forementioned list to browser
default preferences.
* gnu/packages/patches/torbrowsers-add-store-to-rdd-allowlist.patch: Add
explanatory comment and refer to issues this patch addresses.
Change-Id: Icc0ea4c2470e8bc82e3a2bf57966b46fd47a7cf8
Signed-off-by: Hilton Chain <[email protected]>
---
.../torbrowsers-add-store-to-rdd-allowlist.patch | 17 +++++++++++++
gnu/packages/tor-browsers.scm | 28 ----------------------
2 files changed, 17 insertions(+), 28 deletions(-)
diff --git a/gnu/packages/patches/torbrowsers-add-store-to-rdd-allowlist.patch
b/gnu/packages/patches/torbrowsers-add-store-to-rdd-allowlist.patch
index 2e0e5009f4..ad648cbac4 100644
--- a/gnu/packages/patches/torbrowsers-add-store-to-rdd-allowlist.patch
+++ b/gnu/packages/patches/torbrowsers-add-store-to-rdd-allowlist.patch
@@ -1,3 +1,20 @@
+By default Firefox sandbox security model allows browser components to
+access files under '/usr', '/etc' and user home directories. However,
+similar to Nix, on Guix some of those file hierarchies are actually
+symlinks to '/gnu/store' paths, which then get denied, breaking some
+expected functionality on the browser. Moreover, their final store
+paths are not available on the build environment and also expected to
+change.
+
+Guix users that are willing to further restrict browsers' access to their
+file systems and do not mind losing some funcionality are advised to use
+Guix Containers.
+
+See: <https://bugzilla.mozilla.org/show_bug.cgi?id=1848615#c8>,
+<https://codeberg.org/guix/guix/issues/661>,
+<https://issues.guix.gnu.org/38045> and
+<https://issues.guix.gnu.org/77559>
+
--- a/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp
+++ b/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp
@@ -452,6 +452,7 @@
diff --git a/gnu/packages/tor-browsers.scm b/gnu/packages/tor-browsers.scm
index fbcd9f933a..116d25875a 100644
--- a/gnu/packages/tor-browsers.scm
+++ b/gnu/packages/tor-browsers.scm
@@ -424,30 +424,6 @@ Browser.")
(substitute* "dom/media/platforms/ffmpeg/FFmpegRuntimeLinker.cpp"
(("libavcodec\\.so")
(search-input-file inputs "lib/libavcodec.so")))))
- (add-after 'fix-ffmpeg-runtime-linker 'build-sandbox-whitelist
- (lambda* (#:key inputs #:allow-other-keys)
- (define (runpath-of lib)
- (call-with-input-file lib
- (compose elf-dynamic-info-runpath
- elf-dynamic-info
- parse-elf
- get-bytevector-all)))
- (define (runpaths-of-input label)
- (let* ((dir (string-append (assoc-ref inputs label) "/lib"))
- (libs (find-files dir "\\.so$")))
- (append-map runpath-of libs)))
- ;; Populate the sandbox read-path whitelist as needed by ffmpeg.
- (let* ((whitelist
- (map (cut string-append <> "/")
- (delete-duplicates
- `(,(string-append (assoc-ref inputs
"shared-mime-info")
- "/share/mime")
- ,@(append-map runpaths-of-input
- '("mesa" "ffmpeg"))))))
- (whitelist-string (string-join whitelist ",")))
- (with-output-to-file "whitelist.txt"
- (lambda ()
- (display whitelist-string))))))
(add-after 'patch-source-shebangs 'patch-cargo-checksums
(lambda _
(use-modules (guix build cargo-utils))
@@ -754,10 +730,6 @@ Browser.")
;; Default is 5.
(format #t "pref(~s, ~a);~%"
"extensions.enabledScopes" "13")
- (format #t "pref(~s, ~s);~%"
- "security.sandbox.content.read_path_whitelist"
- (call-with-input-file "whitelist.txt"
- get-string-all))
;; Add-ons pannel (see settings.js in Icecat source).
(format #t "pref(~s, ~s);~%"
"extensions.getAddons.search.browseURL"
