Hello ports@
After upgrading to Firefox 71, I was no longer able to input
Japanese due to the newly-added unveil and pledge support. After
some debugging, I found that adding the following lines to
/etc/firefox/unveil.main allowed me to input Japanese as usual.
---------8<----------
--- /usr/local/lib/firefox/browser/defaults/preferences/unveil.main Sat Dec
21 15:08:23 2019
+++ /etc/firefox/unveil.main Fri Jan 3 12:25:53 2020
@@ -3,6 +3,12 @@
/dev/video rw
/dev/video0 rw
+# for launching the anthy input method from uim
+/etc/anthy-conf r
+~/.anthy r
+~/.tomoe r
+~/.uim.d r
+
/etc/fonts r
/etc/machine-id r
---------8<----------
However, this raises some interesting questions. How far down
this path do we want to go? The above patch enables the UIM+Anthy
combination to work again, but what about SCIM+Anthy? Ibus+Anthy?
SCIM+Pinyin? There are 26 ports in ports/inputmethods; do all of
them get added to unveil.main?
While I'm aware that adding every possible contingency to unveil
largely defeats its purpose, I'm also concerned that the
alternative would be users simply disabling pledge+unveil
entirely if they find that they can no longer input CJK text.
Which then brings us full circle to the security model of unveil
being defeated...
That being the case, perhaps adding a short blurb like the
following to Firefox's pkg-readme would be a better way to go.
---------8<----------
--- README Sat Jan 4 11:22:21 2020
+++ README.new Sat Jan 4 11:25:11 2020
@@ -28,6 +28,23 @@
Each file can be overridden by copying it to ${SYSCONFDIR}/firefox/
and modifying it.
+CJK IMEs
+========
+Due to unveil(2) limiting filesystem access, CJK IMEs will not
+work with the default unveil permissions. To enable the use of
+CJK IMEs, one must first identify which files in /etc and /home
+that the IME uses, and then add them to unveil.main by following
+the instructions in the above section.
+
+For example, the UIM+Anthy combination needs the following lines
+added to unveil.main:
+
+ # for launching the anthy input method from uim
+ /etc/anthy-conf r
+ ~/.anthy r
+ ~/.tomoe r
+ ~/.uim.d r
+
3rd-Party MIME Handlers
=======================
Due to unveil(2) limiting filesystem access, only the default MIME
---------8<----------
This would give users a hint of where and what to look for if they
find their IME no longer working, but would avoid going down the
rabbit hole of adding dozens upon dozens of exceptions to unveil.
Either way, I'm definitely grateful for all the work the
developers have put in to get pledge+unveil support added to
mainline Firefox.
Thank you for all the hard work!
--
Bryan
