GNU bug report logs - #34135
IceCat lacks WebGL support

Previous Next

Full log

View this message in rfc822 format

From: Ludovic Courtès <ludo <at> gnu.org>
To: Julien Lepiller <julien <at> lepiller.eu>
Cc: Ricardo Wurmus <rekado <at> elephly.net>, 34135 <at> debbugs.gnu.org
Subject: bug#34135: IceCat lacks WebGL support
Date: Mon, 21 Jan 2019 10:54:24 +0100

Julien Lepiller <julien <at> lepiller.eu> skribis:

> Le 21 janvier 2019 09:24:53 GMT+01:00, Ricardo Wurmus <rekado <at> elephly.net> a écrit :
>>
>>Ludovic Courtès <ludo <at> gnu.org> writes:
>>
>>> Hi Julien,
>>>
>>> Julien Lepiller <julien <at> lepiller.eu> skribis:
>>>
>>>> Try setting security.sandbox.content.read_path_whitelist to
>>/gnu/store/
>>>> (with a leading /) in about:config.
>>>
>>> Setting it to “/gnu/store/” (with a trailing slash) works, thank you!
>>>
>>> It turns out that setting LIBGL_DRIVERS_PATH is even unnecessary.
>>>
>>> I suppose we should patch the default value of
>>> ‘security.sandbox.content.read_path_whitelist’ in our package.  What
>>do
>>> people think?
>>
>>It isn’t much of a sandbox if all of /gnu/store would be permitted. 
>>Can
>>this be reduced to the paths of store items that are known at build
>>time?
>
> You'll have to list every library and there dependencies. Is that
> possible?

That would be possible, yes, though we’d have the build-time
dependencies rather than the run-time dependencies (since we cannot know
the run-time dependencies until IceCat is built.)

That said putting all of /gnu/store wouldn’t be that bad I think—at
least user data remains inaccessible, which is much better than exposing
/usr on FHS distros.

Thoughts?

Ludo’.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.