Le 21 janvier 2019 09:24:53 GMT+01:00, Ricardo Wurmus <rek...@elephly.net> a écrit : > >Ludovic Courtès <l...@gnu.org> writes: > >> Hi Julien, >> >> Julien Lepiller <jul...@lepiller.eu> skribis: >> >>> Try setting security.sandbox.content.read_path_whitelist to >/gnu/store/ >>> (with a leading /) in about:config. >> >> Setting it to “/gnu/store/” (with a trailing slash) works, thank you! >> >> It turns out that setting LIBGL_DRIVERS_PATH is even unnecessary. >> >> I suppose we should patch the default value of >> ‘security.sandbox.content.read_path_whitelist’ in our package. What >do >> people think? > >It isn’t much of a sandbox if all of /gnu/store would be permitted. >Can >this be reduced to the paths of store items that are known at build >time?
You'll have to list every library and there dependencies. Is that possible? Also I think icecat has read permission to /usr by default, so setting permission to the store is similar.
