GNU bug report logs - #39127
[PATCH] fixing icecat's multimedia

Package: guix-patches;

Reported by: Julien Lepiller <julien <at> lepiller.eu>

Date: Tue, 14 Jan 2020 00:59:01 UTC

Severity: normal

Tags: patch

Done: Tobias Geerinckx-Rice <me <at> tobias.gr>

Bug is archived. No further changes may be made.


Report forwarded to guix-patches <at> gnu.org:
bug#39127; Package guix-patches. (Tue, 14 Jan 2020 00:59:01 GMT)

Acknowledgement sent to Julien Lepiller <julien <at> lepiller.eu>:
New bug report received and forwarded. Copy sent to guix-patches <at> gnu.org. (Tue, 14 Jan 2020 00:59:01 GMT)

Message #5 received at submit <at> debbugs.gnu.org:

From: Julien Lepiller <julien <at> lepiller.eu>
To: guix-patches <at> gnu.org
Subject: [PATCH] fixing icecat's multimedia
Date: Tue, 14 Jan 2020 01:58:19 +0100
From IRC yesterday, I found that icecat was still missing something to
properly read multimedia streams, like mp3/mp4. In the current version,
it now tries to open ffmpeg's library dynamically, by looking in the
store, instead of standard locations (/usr/lib etc). But this is not
enough: even if icecat can properly find the library, it cannot load it
because it uses a sandboxing feature that only allows it to read and
write files from/to specific locations. /gnu/store is not part of them.

Since icecat has access to /lib and /usr/lib, I think we can also give
it read access (not write) to /gnu/store. This patch attempts to do
just that, but I couldn't build icecat because of a lack of space. It
sets the default security.sandbox.content.read_path_whitelist to
/gnu/store/, the leading / meaning "and everything under it,
recursively".

Wdyt?
[0001-gnu-icecat-Give-access-to-the-store-to-the-sandbox.patch (text/x-patch, attachment)]

Information forwarded to guix-patches <at> gnu.org:
bug#39127; Package guix-patches. (Tue, 14 Jan 2020 01:30:02 GMT)

Message #8 received at 39127 <at> debbugs.gnu.org:

From: Tobias Geerinckx-Rice <me <at> tobias.gr>
To: 39127 <at> debbugs.gnu.org, Julien Lepiller <julien <at> lepiller.eu>
Subject: Re: [bug#39127] [PATCH] fixing icecat's multimedia
Date: Tue, 14 Jan 2020 02:29:20 +0100
Julien,

Thanks!  For anything with ‘security’ *and* ‘sandbox’ in the name 
we should definitely involve IceCat upstream.

Julien Lepiller wrote:
> (substitute* "browser/app/profile/icecat.js"
>   (("\"security.sandbox.content.read_path_whitelist\", \"\"")
>    (string-append
>      "\"security.sandbox.content.read_path_whitelist\", \""
>      (%store-directory) "/\"")))

When I asked bandali on IRC a few weeks(?) ago about this exact 
patch, they didn't sound convinced.  But we were both quite unsure 
:-)  Have things changed?  Have you talked to Mark?

> Since icecat has access to /lib and /usr/lib, I think we can 
> also give
> it read access (not write) to /gnu/store.

That sounds reasonable, if you're certain that it's read-only.

> Wdyt?

LGTM from the Guix side.

Kind regards,

T G-R
[signature.asc (application/pgp-signature, inline)]

Information forwarded to guix-patches <at> gnu.org:
bug#39127; Package guix-patches. (Tue, 14 Jan 2020 01:37:02 GMT)

Message #11 received at 39127 <at> debbugs.gnu.org:

From: Julien Lepiller <julien <at> lepiller.eu>
To: Tobias Geerinckx-Rice <me <at> tobias.gr>
Cc: 39127 <at> debbugs.gnu.org
Subject: Re: [bug#39127] [PATCH] fixing icecat's multimedia
Date: Tue, 14 Jan 2020 02:36:05 +0100
On Tue, 14 Jan 2020 02:29:20 +0100,
Tobias Geerinckx-Rice <me <at> tobias.gr> wrote:

> Julien,
> 
> Thanks!  For anything with ‘security’ *and* ‘sandbox’ in the name 
> we should definitely involve IceCat upstream.
> 
> Julien Lepiller wrote:
> > (substitute* "browser/app/profile/icecat.js"
> >   (("\"security.sandbox.content.read_path_whitelist\", \"\"")
> >    (string-append
> >      "\"security.sandbox.content.read_path_whitelist\", \""
> >      (%store-directory) "/\"")))  
> 
> When I asked bandali on IRC a few weeks(?) ago about this exact 
> patch, they didn't sound convinced.  But we were both quite unsure 
> :-)  Have things changed?  Have you talked to Mark?

I haven't talked to Mark, but here's how you can check:

set security.sandbox.content.read_path_whitelist in about:config to an
empty string (the default) and restart icecat. It cannot play the video
from https://harmonist.tuxfamily.org/. It doesn't work. Set it to
/gnu/store/ (with a trailing /) and restart the browser. Now the video
works. This patch attempts to make the working scenario the default :)

> 
> > Since icecat has access to /lib and /usr/lib, I think we can 
> > also give
> > it read access (not write) to /gnu/store.  
> 
> That sounds reasonable, if you're certain that it's read-only.
> 
> > Wdyt?  
> 
> LGTM from the Guix side.
> 
> Kind regards,
> 
> T G-R
Information forwarded to guix-patches <at> gnu.org:
bug#39127; Package guix-patches. (Tue, 14 Jan 2020 01:43:01 GMT)

Message #14 received at 39127 <at> debbugs.gnu.org:

From: Tobias Geerinckx-Rice <me <at> tobias.gr>
To: Julien Lepiller <julien <at> lepiller.eu>
Cc: 39127 <at> debbugs.gnu.org
Subject: Re: [bug#39127] [PATCH] fixing icecat's multimedia
Date: Tue, 14 Jan 2020 02:42:50 +0100
Julien,

Julien Lepiller wrote:
> I haven't talked to Mark, but here's how you can check:

[…]

I meant about any potential security issues or alternative 
solutions (e.g. restricting access to less than the entire store).

I was already aware of the problem and this work-around, and can 
confirm that it works.

Kind regards,

T G-R
[signature.asc (application/pgp-signature, inline)]
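To make the two policies discussed in this thread concrete (Julien's patch, which whitelists the whole store with a trailing slash, and Tobias's suggestion of restricting access to less than the entire store), here is an added Python example that is not part of the thread, of Guix or of IceCat. It mirrors what the patch's `substitute*` does on a constructed stand-in for the `icecat.js` pref line and models the whitelist check; the recursive trailing-slash rule is the one stated in the thread, while treating a slash-less entry as an exact-file match, the comma separator and the store hash names are assumptions.

```python
import os
import re

WHITELIST_PREF = "security.sandbox.content.read_path_whitelist"
PREF_RE = re.compile(r'^pref\("([^"]+)",\s*"([^"]*)"\);$')

# Constructed stand-in for the relevant line of browser/app/profile/icecat.js
ICECAT_JS = 'pref("security.sandbox.content.read_path_whitelist", "");\n'

# Constructed store paths; the hash prefixes are placeholders, not real store items.
FFMPEG_LIB_DIR = "/gnu/store/0000000000000000000000000000000-ffmpeg-4.2/lib/"
LIBAVCODEC = FFMPEG_LIB_DIR + "libavcodec.so.58"
OTHER_ITEM = "/gnu/store/1111111111111111111111111111111-some-package/share/data"


def parse_prefs(text):
    """Collect string-valued pref() lines into a dict (minimal parser, assumed syntax)."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line.strip())
        if m:
            prefs[m.group(1)] = m.group(2)
    return prefs


def set_whitelist(text, entries):
    """Do what the patch's substitute* does: replace the empty default value
    with the given entries (comma separation is an assumption)."""
    value = ",".join(entries)
    old = f'"{WHITELIST_PREF}", ""'
    new = f'"{WHITELIST_PREF}", "{value}"'
    return text.replace(old, new)


def path_allowed(whitelist, path):
    """Model the read-whitelist check. As stated in the thread, an entry with a
    trailing '/' covers everything under it recursively; an entry without one is
    treated here as an exact-file match (assumption)."""
    path = os.path.normpath(path)  # collapse '..' before comparing prefixes
    for entry in filter(None, whitelist.split(",")):
        if entry.endswith("/"):
            if path.startswith(entry):
                return True
        elif path == entry:
            return True
    return False


if __name__ == "__main__":
    store_wide = parse_prefs(set_whitelist(ICECAT_JS, ["/gnu/store/"]))[WHITELIST_PREF]
    for policy in (store_wide, FFMPEG_LIB_DIR):  # whole store vs. one store item
        print(policy, path_allowed(policy, LIBAVCODEC), path_allowed(policy, OTHER_ITEM))
```

Run as a script it prints that the store-wide policy admits both constructed paths, while the narrower ffmpeg-only policy admits only the codec library.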

Reply sent to Tobias Geerinckx-Rice <me <at> tobias.gr>:
You have taken responsibility. (Thu, 16 Jan 2020 09:05:01 GMT)

Notification sent to Julien Lepiller <julien <at> lepiller.eu>:
bug acknowledged by developer. (Thu, 16 Jan 2020 09:05:02 GMT)

Message #19 received at 39127-done <at> debbugs.gnu.org:

From: Tobias Geerinckx-Rice <me <at> tobias.gr>
To: 39127-done <at> debbugs.gnu.org
Subject: Re: [bug#39127] [PATCH] fixing icecat's multimedia
Date: Thu, 16 Jan 2020 10:04:13 +0100
Fixed by mhw[0] in commit 
429c8284d232c3f9fbe3dc87a3da323f3a864c03, so closing this one.

Thanks!

T G-R

[0]: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=38831#5
[signature.asc (application/pgp-signature, inline)]

bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Thu, 13 Feb 2020 12:24:06 GMT)
