-rw-r--r--gnu/packages/gnuzilla.scm37
1 files changed, 31 insertions, 6 deletions
diff --git a/gnu/packages/gnuzilla.scm b/gnu/packages/gnuzilla.scm
index 62b4390eab..0797cb06b8 100644
--- a/gnu/packages/gnuzilla.scm
+++ b/gnu/packages/gnuzilla.scm
@@ -1,7 +1,7 @@
 ;;; GNU Guix --- Functional package management for GNU
 ;;; Copyright © 2013, 2015 Andreas Enge <andreas@enge.fr>
 ;;; Copyright © 2013, 2014, 2015, 2016, 2017, 2018, 2019 Ludovic Courtès <ludo@gnu.org>
-;;; Copyright © 2014, 2015, 2016, 2017, 2018, 2019 Mark H Weaver <mhw@netris.org>
+;;; Copyright © 2014, 2015, 2016, 2017, 2018, 2019, 2020 Mark H Weaver <mhw@netris.org>
 ;;; Copyright © 2015 Sou Bunnbu <iyzsong@gmail.com>
 ;;; Copyright © 2016, 2017, 2018, 2019 Efraim Flashner <efraim@flashner.co.il>
 ;;; Copyright © 2016 Alex Griffin <a@ajgrf.com>
@@ -756,6 +756,7 @@ from forcing GEXP-PROMISE."
        ;;   and related comments in the 'remove-bundled-libraries' phase.
        ;; UNBUNDLE-ME! ("nspr" ,nspr)
        ;; UNBUNDLE-ME! ("nss" ,nss)
+       ("shared-mime-info" ,shared-mime-info)
        ("sqlite" ,sqlite)
        ("startup-notification" ,startup-notification)
        ("unzip" ,unzip)
@@ -882,6 +883,10 @@ from forcing GEXP-PROMISE."
                   (ice-9 match)
                   (srfi srfi-34)
                   (srfi srfi-35)
+                  (rnrs bytevectors)
+                  (rnrs io ports)
+                  (guix elf)
+                  (guix build gremlin)
                   ,@%gnu-build-system-modules)
        #:phases
        (modify-phases %standard-phases
@@ -966,11 +971,31 @@ from forcing GEXP-PROMISE."
              #t))
          (add-after 'link-libxul-with-libraries 'fix-ffmpeg-runtime-linker
            (lambda* (#:key inputs #:allow-other-keys)
-             ;; Arrange to load libavcodec.so by its absolute file name.
-             (substitute* "dom/media/platforms/ffmpeg/FFmpegRuntimeLinker.cpp"
-               (("libavcodec\\.so")
-                (string-append (assoc-ref inputs "ffmpeg") "/lib/libavcodec.so")))
-             #t))
+             (let* ((ffmpeg (assoc-ref inputs "ffmpeg"))
+                    (libavcodec (string-append ffmpeg "/lib/libavcodec.so")))
+               ;; Arrange to load libavcodec.so by its absolute file name.
+               (substitute* "dom/media/platforms/ffmpeg/FFmpegRuntimeLinker.cpp"
+                 (("libavcodec\\.so")
+                  libavcodec))
+               ;; Populate the sandbox read-path whitelist as needed by ffmpeg.
+               (let* ((mime-info (assoc-ref inputs "shared-mime-info"))
+                      (libavcodec-runpath (call-with-input-file libavcodec
+                                            (compose elf-dynamic-info-runpath
+                                                     elf-dynamic-info
+                                                     parse-elf
+                                                     get-bytevector-all)))
+                      (whitelist (cons (string-append mime-info "/share/mime/")
+                                       (map (lambda (dir)
+                                              (string-append dir "/"))
+                                            libavcodec-runpath)))
+                      (whitelist-string (string-join whitelist ","))
+                      (port (open-file "browser/app/profile/icecat.js" "a")))
+                 (format #t "setting 'security.sandbox.content.read_path_whitelist' to '~a'~%"
+                         whitelist-string)
+                 (format port "~%pref(\"security.sandbox.content.read_path_whitelist\", ~S);~%"
+                         whitelist-string)
+                 (close-output-port port))
+               #t)))
          (replace 'bootstrap
            (lambda _
              (invoke "sh" "-c" "autoconf old-configure.in > old-configure")
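Review bot: The whitelist built in `fix-ffmpeg-runtime-linker` covers only the directories in libavcodec.so's own RUNPATH plus shared-mime-info, so the directory holding libavcodec.so is readable by the content process only if ffmpeg lists its own lib directory there, and anything loaded through a dependency's RUNPATH is not covered (inferred; the ffmpeg link layout is not visible here). Consider adding `(string-append ffmpeg "/lib/")` to the list explicitly so the absolute path substituted into FFmpegRuntimeLinker.cpp is always reachable inside the sandbox. Because every entry ends in "/", the sandbox treats it as a whole directory, so a comment such as `;; Entries ending in "/" grant the content process read access to the entire directory; keep this list as small as the RUNPATH allows.` above the `whitelist` binding would help later reviewers judge how far the sandbox is widened.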