https://bugzilla.redhat.com/show_bug.cgi?id=2304189

Hector Martin <marcan@xxxxxxxxx> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
              Flags|needinfo?(marcan@xxxxxxxxx) |

--- Comment #30 from Hector Martin <marcan@xxxxxxxxx> ---
Why can't we just patch firefox to add the openh264 lib to the sandbox?

https://searchfox.org/mozilla-central/source/security/sandbox/linux/Sandbox.cpp#730

The file list is right there. This seems like a reasonable use case. This isn't
the first time we had to get browser sandboxes modified to fix stuff (e.g. we
had it with Mesa driver stuff in Chrome IIRC).

More generally: This is arguably a bug in Firefox. The plugin .so links to
libopenh264 using standard dynamic linking (it doesn't try to dlopen() it at
runtime or anything). That means Firefox has the capacity to inspect the plugin
file before loading it and add its required libraries to the allowed files
list. In fact it requires other libs:

# ldd module/libgmp-openh264.so
        linux-vdso.so.1 (0x0000ffffbb150000)
        libopenh264.so.7 => /lib64/libopenh264.so.7 (0x0000ffffbb070000)
        libstdc++.so.6 => /lib64/libstdc++.so.6 (0x0000ffffbae00000)
        libm.so.6 => /lib64/libm.so.6 (0x0000ffffbad50000)
        libgcc_s.so.1 => /lib64/libgcc_s.so.1 (0x0000ffffbacf0000)
        libc.so.6 => /lib64/libc.so.6 (0x0000ffffbab10000)
        /lib/ld-linux-aarch64.so.1 (0x0000ffffbb108000)

I suspect the only reason this worked at all until now is because Firefox
already loads all of those other libraries (libstdc++.so.6, libm, etc.) so the
dynamic linker doesn't have to open the files again when loading the plugin.

Re FAR, I think we just need to make sure all of our extrafiles are installed
in one dnf invocation. As long as openh264 and mozilla-openh264 are both
extrafiles and installed together, I don't think dnf will complain.
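The comment's point that a plugin's required libraries can be read from the file before it is loaded, sketched as an added example (not Firefox's code and not part of the original comment). It reads the DT_NEEDED entries of a little-endian ELF64 image; `needed_libs` and `sample_plugin` are hypothetical names, the sample image is constructed, and resolving sonames to paths or following transitive dependencies is left out.

```python
import struct

PT_LOAD, PT_DYNAMIC = 1, 2
DT_NULL, DT_NEEDED, DT_STRTAB = 0, 1, 5

def needed_libs(elf: bytes) -> list:
    """Return the DT_NEEDED sonames of a little-endian ELF64 image."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    (e_phoff,) = struct.unpack_from("<Q", elf, 0x20)
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 0x36)
    loads, dyn = [], None
    for i in range(e_phnum):
        p_type, _, p_offset, p_vaddr, _, p_filesz = struct.unpack_from(
            "<IIQQQQ", elf, e_phoff + i * e_phentsize)
        if p_type == PT_LOAD:
            loads.append((p_vaddr, p_offset, p_filesz))
        elif p_type == PT_DYNAMIC:
            dyn = (p_offset, p_filesz)
    if dyn is None:
        return []  # no dynamic segment: the loader opens nothing extra
    name_offs, strtab = [], None
    for off in range(dyn[0], dyn[0] + dyn[1], 16):
        tag, val = struct.unpack_from("<qQ", elf, off)
        if tag == DT_NULL:
            break
        if tag == DT_NEEDED:
            name_offs.append(val)
        elif tag == DT_STRTAB:
            strtab = val
    if not name_offs:
        return []
    # DT_STRTAB holds a virtual address; map it to a file offset via PT_LOAD.
    base = next((o + strtab - v for v, o, sz in loads
                 if strtab is not None and v <= strtab < v + sz), None)
    if base is None:
        raise ValueError("DT_STRTAB not inside any PT_LOAD segment")
    return [elf[base + n:elf.index(b"\0", base + n)].decode() for n in name_offs]

def sample_plugin() -> bytes:
    """Constructed ELF64 image (not a real plugin): ehdr, 2 phdrs, dynamic, strtab."""
    strtab = b"\0libopenh264.so.7\0libstdc++.so.6\0"
    dyn = b"".join(struct.pack("<qQ", t, v) for t, v in [
        (DT_NEEDED, 1), (DT_NEEDED, 18), (DT_STRTAB, 0x1000 + 240), (DT_NULL, 0)])
    size = 240 + len(strtab)
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", b"\x7fELF\x02\x01\x01",
                       3, 183, 1, 0, 64, 0, 0, 64, 56, 2, 0, 0, 0)
    phdrs = struct.pack("<IIQQQQQQ", PT_LOAD, 5, 0, 0x1000, 0x1000, size, size, 0x1000)
    phdrs += struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, 176, 0x10B0, 0x10B0, 64, 64, 8)
    return ehdr + phdrs + dyn + strtab
```
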