Julien Lepiller <jul...@lepiller.eu> writes:

> On 21 January 2019 09:24:53 GMT+01:00, Ricardo Wurmus <rek...@elephly.net>
> wrote:
>>
>>Ludovic Courtès <l...@gnu.org> writes:
>>
>>> Hi Julien,
>>>
>>> Julien Lepiller <jul...@lepiller.eu> writes:
>>>
>>>> Try setting security.sandbox.content.read_path_whitelist to /gnu/store/
>>>> (with a leading /) in about:config.
>>>
>>> Setting it to “/gnu/store/” (with a trailing slash) works, thank you!
>>>
>>> It turns out that setting LIBGL_DRIVERS_PATH is even unnecessary.
>>>
>>> I suppose we should patch the default value of
>>> ‘security.sandbox.content.read_path_whitelist’ in our package. What do
>>> people think?
>>
>>It isn’t much of a sandbox if all of /gnu/store would be permitted. Can
>>this be reduced to the paths of store items that are known at build
>>time?
>
> You'll have to list every library and their dependencies. Is that
> possible?

That would be possible, yes, though we’d have the build-time dependencies
rather than the run-time dependencies (since we cannot know the run-time
dependencies until IceCat is built.)

That said, putting all of /gnu/store wouldn’t be that bad I think—at least
user data remains inaccessible, which is much better than exposing /usr on
FHS distros.

Thoughts?

Ludo’.