diff --git a/gnu/local.mk b/gnu/local.mk index 9502f24621..05a8716063 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1691,7 +1691,6 @@ dist_patch_DATA = \ %D%/packages/patches/libphonenumber-reproducible-build.patch \ %D%/packages/patches/libqalculate-3.8.0-libcurl-ssl-fix.patch \ %D%/packages/patches/libquicktime-ffmpeg.patch \ - %D%/packages/patches/librewolf-add-paths-to-rdd-allowlist.patch \ %D%/packages/patches/libsepol-versioned-docbook.patch \ %D%/packages/patches/libtar-CVE-2013-4420.patch \ %D%/packages/patches/libtgvoip-disable-sse2.patch \ diff --git a/gnu/packages/librewolf.scm b/gnu/packages/librewolf.scm index 32b6d13d54..31de7a7171 100644 --- a/gnu/packages/librewolf.scm +++ b/gnu/packages/librewolf.scm @@ -212,7 +212,7 @@ (define rust-librewolf rust) ; 1.75 is the default in Guix, 1.65 is the minimum. ;; Update this id with every update to its release date. ;; It's used for cache validation and therefore can lead to strange bugs. ;; ex: date '+%Y%m%d%H%M%S' -(define %librewolf-build-id "20241003201141") +(define %librewolf-build-id "20241005085731") (define-public librewolf (package @@ -223,9 +223,7 @@ (define-public librewolf (inherit (make-librewolf-source #:version version #:firefox-hash "0w4z3fq5zhm63a0wmhvmqrj263bvy962dir25q3z0x5hx6hjawh2" - #:librewolf-hash "0f80pihn375bdjhjmmg2v1w96wpn76zb60ycy39wafwh1dnzybrd")) - (patches - (search-patches "librewolf-add-paths-to-rdd-allowlist.patch")))) + #:librewolf-hash "0f80pihn375bdjhjmmg2v1w96wpn76zb60ycy39wafwh1dnzybrd")))) (build-system gnu-build-system) (arguments (list 
@@ -592,12 +590,26 @@ (define (runpaths-of-input label) ;; For U2F and WebAuthn "eudev"))) + ;; VA-API is run in the RDD (Remote Data Decoder) sandbox + ;; and must be explicitly given access to files it needs. + ;; Rather than adding the whole store (as Nix had + ;; upstream do, see + ;; and + ;; linked upstream patches), we can just follow the + ;; runpaths of the needed libraries to add everything to + ;; LD_LIBRARY_PATH. These will then be accessible in the + ;; RDD sandbox. + (rdd-whitelist (map (cut string-append <> "/") + (delete-duplicates (append-map + runpaths-of-input + '("mesa" + "ffmpeg"))))) (gtk-share (string-append (assoc-ref inputs "gtk+") "/share"))) (wrap-program (car (find-files lib "^librewolf$")) `("LD_LIBRARY_PATH" prefix - ,libs) + (,@libs ,@rdd-whitelist)) `("XDG_DATA_DIRS" prefix (,gtk-share)) `("MOZ_LEGACY_PROFILES" = diff --git a/gnu/packages/patches/librewolf-add-paths-to-rdd-allowlist.patch b/gnu/packages/patches/librewolf-add-paths-to-rdd-allowlist.patch deleted file mode 100644 index 1bee0bddf5..0000000000 --- a/gnu/packages/patches/librewolf-add-paths-to-rdd-allowlist.patch +++ /dev/null @@ -1,11 +0,0 @@ ---- a/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp -+++ b/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp -@@ -920,6 +920,8 @@ - policy->AddDir(rdonly, "/usr/lib64"); - policy->AddDir(rdonly, "/run/opengl-driver/lib"); - policy->AddDir(rdonly, "/nix/store"); -+ policy->AddDir(rdonly, "/gnu/store"); -+ policy->AddDir(rdonly, "/run/current-system/profile/lib"); - - // Bug 1647957: memory reporting. - AddMemoryReporting(policy.get(), aPid);
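Review bot: The new rdd-whitelist binding only exposes the RUNPATH directories of "mesa" and "ffmpeg", so any library the decoder loads by dlopen rather than through a RUNPATH entry (driver plugins are the usual case) would not be on LD_LIBRARY_PATH and would not be reachable inside the RDD sandbox; worth confirming with a hardware-decode run, because the dropped broker patch granted all of /gnu/store read-only and would have masked such a gap. The narrower list is a least-privilege improvement over the deleted patch, but the comment block should name the mechanism the binding depends on, e.g. `;; This relies on Firefox's sandbox broker granting read-only access to every LD_LIBRARY_PATH entry; re-check this assumption on each Firefox update.`, hedged until verified against the packaged version. The comment's "see" / "and linked upstream patches" reads as though the referenced links were lost, so restoring them would help the next maintainer. The enclosing let* and wrap-program phase start before and continue after the hunk.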