author | Brice Waegeneire <brice@waegenei.re> | 2025-06-22 15:18:13 +0200 |
---|---|---|
committer | Hilton Chain <hako@ultrarare.space> | 2025-06-25 03:04:28 +0800 |
commit | 4d6bc7d0dce675f55de7cebf0c918428f88e5755 (patch) | |
tree | 2bdf5c119575efbca6fadb8faac72adb5aedb18e | |
parent | 554e6e6b43a597bf96cc04b948546abdd8d069e3 (diff) |
nongnu: firefox: Fix GPU decoding.
* nongnu/packages/patches/firefox-esr-add-store-to-rdd-allowlist.patch: New
file.
* nongnu/packages/mozilla.scm (firefox-esr)[source]<patches>: Add it.
[#:phases]<wrap-glxtest>: New phase ported from Guix's librewolf package.
<wrap-program>: Remove whitelist manipulation.
[inputs]: Add pciutils.
* nongnu/packages/patches/firefox-add-store-to-rdd-allowlist.patch: New file.
* nongnu/packages/mozilla.scm (firefox)[source]<patches>: Add it.
Fixes: https://gitlab.com/nonguix/nonguix/-/issues/389
Signed-off-by: Hilton Chain <hako@ultrarare.space>
Modified-by: Hilton Chain <hako@ultrarare.space>
-rw-r--r-- | nongnu/packages/mozilla.scm | 45 | ||||
-rw-r--r-- | nongnu/packages/patches/firefox-add-store-to-rdd-allowlist.patch | 36 | ||||
-rw-r--r-- | nongnu/packages/patches/firefox-esr-add-store-to-rdd-allowlist.patch | 36 |
3 files changed, 95 insertions, 22 deletions
diff --git a/nongnu/packages/mozilla.scm b/nongnu/packages/mozilla.scm index c15d4ddd..35cf6e10 100644 --- a/nongnu/packages/mozilla.scm +++ b/nongnu/packages/mozilla.scm @@ -17,7 +17,7 @@ ;;; Copyright © 2020-2025 Jonathan Brielmaier <jonathan.brielmaier@web.de> ;;; Copyright © 2020 Zhu Zihao <all_but_last@163.com> ;;; Copyright © 2021 pineapples <guixuser6392@protonmail.com> -;;; Copyright © 2021, 2024 Brice Waegeneire <brice@waegenei.re> +;;; Copyright © 2021, 2024, 2025 Brice Waegeneire <brice@waegenei.re> ;;; Copyright © 2021, 2022, 2023 John Kehayias <john.kehayias@protonmail.com> ;;; Copyright © 2022 Pierre Langlois <pierre.langlois@gmx.com> ;;; Copyright © 2023-2025 Tomas Volf <wolf@wolfsden.cz> @@ -63,6 +63,7 @@ #:use-module (gnu packages node) #:use-module (gnu packages nss) #:use-module (gnu packages perl) + #:use-module (gnu packages pciutils) #:use-module (gnu packages pkg-config) #:use-module (gnu packages pulseaudio) #:use-module (gnu packages python) @@ -106,7 +107,8 @@ %load-path) patch)) '("firefox-esr-compare-paths.patch" - "firefox-esr-use-system-wide-dir.patch"))) + "firefox-esr-use-system-wide-dir.patch" + "firefox-esr-add-store-to-rdd-allowlist.patch"))) ;; XXX: 75 Mo (800+ Mo uncompressed) of unused tests. ;; Removing it makes it possible to compile on some systems. (modules '((guix build utils))) 
@@ -351,6 +353,20 @@ (string-drop hash 8))))))) (replace 'install (lambda _ (invoke "./mach" "install"))) + (add-after 'install 'wrap-glxtest + ;; glxtest uses dlopen() to load mesa and pci + ;; libs, wrap it to set LD_LIBRARY_PATH. + (lambda* (#:key inputs outputs #:allow-other-keys) + (let* ((out (assoc-ref outputs "out")) + (lib (string-append out "/lib")) + (libs (map + (lambda (lib-name) + (string-append (assoc-ref inputs + lib-name) + "/lib")) + '("mesa" "pciutils")))) + (wrap-program (car (find-files lib "^glxtest$")) + `("LD_LIBRARY_PATH" prefix ,libs))))) (add-after 'install 'wrap-program (lambda* (#:key inputs outputs #:allow-other-keys) ;; The following two functions are from Guix's icecat package in @@ -380,28 +396,11 @@ ;; and libva depend on). (pciaccess-lib (string-append (assoc-ref inputs "libpciaccess") "/lib")) - ;; VA-API is run in the RDD (Remote Data Decoder) sandbox - ;; and must be explicitly given access to files it needs. - ;; Rather than adding the whole store (as Nix had - ;; upstream do, see - ;; <https://github.com/NixOS/nixpkgs/pull/165964> and - ;; linked upstream patches), we can just follow the - ;; runpaths of the needed libraries to add everything to - ;; LD_LIBRARY_PATH. These will then be accessible in the - ;; RDD sandbox. - ;; TODO: Properly handle the runpath of libraries needed - ;; (for RDD) recursively, so the explicit libpciaccess - ;; can be removed. - (rdd-whitelist - (map (cut string-append <> "/") - (delete-duplicates - (append-map runpaths-of-input - '("mesa" "ffmpeg"))))) (pulseaudio-lib (string-append (assoc-ref inputs "pulseaudio") "/lib")) ;; For sharing on Wayland (pipewire-lib (string-append (assoc-ref inputs "pipewire") - "/lib")) + "/lib")) ;; For U2F and WebAuthn (eudev-lib (string-append (assoc-ref inputs "eudev") "/lib")) (gtk-share (string-append (assoc-ref inputs "gtk+") 
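Review bot: In the new `wrap-glxtest` phase, `(car (find-files lib "^glxtest$"))` fails with an opaque wrong-type error when no file matches, for example if a later Firefox release renames or relocates the helper. Since this wrapper is what lets the GPU probe find its mesa and pciutils libraries, a missing glxtest should stop the build with a message that names it. I would bind the result first and guard it, e.g. `(when (null? glxtest) (error "glxtest not found under" lib))`, before calling `wrap-program` on `(car glxtest)`. The `add-after` form is complete within the hunk; the enclosing phases list starts and ends outside it.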
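Review bot: With the `rdd-whitelist` binding removed in the `@@ -380,28 +396,11 @@` hunk, `runpaths-of-input` has no caller left in the lines visible here. The context comment "The following two functions are from Guix's icecat package" suggests both helpers are still defined at the top of the `wrap-program` phase. Their definitions lie outside the hunk, so this needs checking against the full file; if nothing else uses them, they and that comment should be removed in the same commit rather than left as dead code.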
@@ -409,7 +408,7 @@ (wrap-program (car (find-files lib "^firefox$")) `("LD_LIBRARY_PATH" prefix (,mesa-lib ,libnotify-lib ,libva-lib ,pciaccess-lib ,pulseaudio-lib ,eudev-lib - ,@rdd-whitelist ,pipewire-lib)) + ,pipewire-lib)) `("XDG_DATA_DIRS" prefix (,gtk-share)) `("MOZ_LEGACY_PROFILES" = ("1")) `("MOZ_ALLOW_DOWNGRADE" = ("1")))))) @@ -485,6 +484,7 @@ nspr-4.32 ;; nss pango + pciutils pipewire pixman pulseaudio @@ -550,7 +550,8 @@ Release (ESR) version.") patch)) '("firefox-restore-desktop-files.patch" "firefox-ge-138-compare-paths.patch" - "firefox-use-system-wide-dir.patch"))) + "firefox-use-system-wide-dir.patch" + "firefox-add-store-to-rdd-allowlist.patch"))) ;; XXX: 75 Mo (800+ Mo uncompressed) of unused tests. ;; Removing it makes it possible to compile on some systems. (modules '((guix build utils))) diff --git a/nongnu/packages/patches/firefox-add-store-to-rdd-allowlist.patch b/nongnu/packages/patches/firefox-add-store-to-rdd-allowlist.patch new file mode 100644 index 00000000..4bdaa7dd --- /dev/null +++ b/nongnu/packages/patches/firefox-add-store-to-rdd-allowlist.patch 
@@ -0,0 +1,36 @@
+diff --git a/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp b/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp
+index 4eff5e6..42171eb 100644
+--- a/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp
++++ b/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp
+@@ -476,6 +476,7 @@ void SandboxBrokerPolicyFactory::InitContentPolicy() {
+ // Various places where fonts reside
+ policy->AddTree(rdonly, "/usr/X11R6/lib/X11/fonts");
+ policy->AddTree(rdonly, "/nix/store");
++ policy->AddTree(rdonly, "/gnu/store");
+ // https://gitlab.com/freedesktop-sdk/freedesktop-sdk/-/blob/e434e680d22260f277f4a30ec4660ed32b591d16/files/fontconfig-flatpak.conf
+ policy->AddTree(rdonly, "/run/host/fonts");
+ policy->AddTree(rdonly, "/run/host/user-fonts");
+@@ -485,6 +486,7 @@ void SandboxBrokerPolicyFactory::InitContentPolicy() {
+ // Bug 1848615
+ policy->AddPath(rdonly, "/usr");
+ policy->AddPath(rdonly, "/nix");
++ policy->AddPath(rdonly, "/gnu");
+
+ AddLdconfigPaths(policy);
+ AddLdLibraryEnvPaths(policy);
+@@ -934,6 +936,7 @@ SandboxBrokerPolicyFactory::GetRDDPolicy(int aPid) {
+ policy->AddTree(rdonly, "/usr/lib64");
+ policy->AddTree(rdonly, "/run/opengl-driver/lib");
+ policy->AddTree(rdonly, "/nix/store");
++ policy->AddTree(rdonly, "/gnu/store");
+
+ // Bug 1647957: memory reporting.
+ AddMemoryReporting(policy.get(), aPid);
+@@ -1079,6 +1082,7 @@ SandboxBrokerPolicyFactory::GetUtilityProcessPolicy(int aPid) {
+ // Required to make sure ffmpeg loads properly, this is already existing on
+ // Content and RDD
+ policy->AddTree(rdonly, "/nix/store");
++ policy->AddTree(rdonly, "/gnu/store");
+
+ // glibc will try to stat64("/") while populating nsswitch database
+ // https://sourceware.org/git/?p=glibc.git;a=blob;f=nss/nss_database.c;h=cf0306adc47f12d9bc761ab1b013629f4482b7e6;hb=9826b03b747b841f5fc6de2054bf1ef3f5c4bdf3#l396
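Review bot: The new patch file opens directly at `diff --git` with no header comment, and its name says RDD although the hunks also widen `InitContentPolicy` (`AddTree(rdonly, "/gnu/store")` and `AddPath(rdonly, "/gnu")`) and `GetUtilityProcessPolicy`. The content, RDD and utility sandboxes thereby get read access to every store item, where the package previously exposed only the runpath-derived directories through LD_LIBRARY_PATH, and the comment explaining that narrower choice is deleted from mozilla.scm in this commit. I would add a few leading lines to the patch recording that it mirrors the existing `/nix/store` entries, that the trade-off is accepted because the store is world-readable and expected to hold no secrets, and whether it is meant to be submitted upstream. The same applies to firefox-esr-add-store-to-rdd-allowlist.patch, which differs only in calling `AddDir` instead of `AddTree`.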
diff --git a/nongnu/packages/patches/firefox-esr-add-store-to-rdd-allowlist.patch b/nongnu/packages/patches/firefox-esr-add-store-to-rdd-allowlist.patch
new file mode 100644
index 00000000..6ae18c37
--- /dev/null
+++ b/nongnu/packages/patches/firefox-esr-add-store-to-rdd-allowlist.patch
@@ -0,0 +1,36 @@
+diff --git a/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp b/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp
+index 0e5358e68e..efbde9616e 100644
+--- a/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp
++++ b/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp
+@@ -452,6 +452,7 @@ void SandboxBrokerPolicyFactory::InitContentPolicy() {
+ // Various places where fonts reside
+ policy->AddDir(rdonly, "/usr/X11R6/lib/X11/fonts");
+ policy->AddDir(rdonly, "/nix/store");
++ policy->AddDir(rdonly, "/gnu/store");
+ // https://gitlab.com/freedesktop-sdk/freedesktop-sdk/-/blob/e434e680d22260f277f4a30ec4660ed32b591d16/files/fontconfig-flatpak.conf
+ policy->AddDir(rdonly, "/run/host/fonts");
+ policy->AddDir(rdonly, "/run/host/user-fonts");
+@@ -461,6 +462,7 @@ void SandboxBrokerPolicyFactory::InitContentPolicy() {
+ // Bug 1848615
+ policy->AddPath(rdonly, "/usr");
+ policy->AddPath(rdonly, "/nix");
++ policy->AddPath(rdonly, "/gnu");
+
+ AddLdconfigPaths(policy);
+ AddLdLibraryEnvPaths(policy);
+@@ -920,6 +922,7 @@ SandboxBrokerPolicyFactory::GetRDDPolicy(int aPid) {
+ policy->AddDir(rdonly, "/usr/lib64");
+ policy->AddDir(rdonly, "/run/opengl-driver/lib");
+ policy->AddDir(rdonly, "/nix/store");
++ policy->AddDir(rdonly, "/gnu/store");
+
+ // Bug 1647957: memory reporting.
+ AddMemoryReporting(policy.get(), aPid);
+@@ -1043,6 +1046,7 @@ SandboxBrokerPolicyFactory::GetUtilityProcessPolicy(int aPid) {
+ // Required to make sure ffmpeg loads properly, this is already existing on
+ // Content and RDD
+ policy->AddDir(rdonly, "/nix/store");
++ policy->AddDir(rdonly, "/gnu/store");
+
+ // glibc will try to stat64("/") while populating nsswitch database
+ // https://sourceware.org/git/?p=glibc.git;a=blob;f=nss/nss_database.c;h=cf0306adc47f12d9bc761ab1b013629f4482b7e6;hb=9826b03b747b841f5fc6de2054bf1ef3f5c4bdf3#l396 |