[flatpak] add /run/host/fonts to the sandbox whitelist

RESOLVED FIXED in Firefox 57

Status

()

enhancement
P1
minor
RESOLVED FIXED
2 years ago
2 years ago

People

(Reporter: jhorak, Assigned: gcp)

Tracking

(Blocks 1 bug)

Trunk
mozilla57
All
Linux
Points:
---
Dependency tree / graph

Firefox Tracking Flags

(firefox57 fixed)

Details

Attachments

(1 attachment)

Reporter

Description

2 years ago
Currently there is allowed access to the [1]:
/usr/X11R6/lib/X11/fonts
/usr/share
which covers loading system installed fonts.
The flatpak puts fonts installed on host to the /run/host/fonts. Currently the Firefox sandbox deny the access to this location which leads to the missing letters when specific font is used on page. See report [2].

[1] https://dxr.mozilla.org/mozilla-central/rev/632e42dca494ec3d90b70325d9c359f80cb3f38a/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp#98
[2] https://github.com/xhorak/firefox-devedition-flatpak/issues/36
Reporter

Updated

2 years ago
Blocks: flatpak

Comment 1

2 years ago
You need /run/host/fonts/user-fonts too. That is where the $HOME/.fonts (or equivalent) fonts show up (as your app might not have generic homedir access)
Assignee

Updated

2 years ago
Assignee: nobody → gpascutto

Updated

2 years ago
Priority: -- → P1
Assignee

Comment 2

2 years ago
(In reply to Alexander Larsson from comment #1)
> You need /run/host/fonts/user-fonts too. That is where the $HOME/.fonts (or
> equivalent) fonts show up (as your app might not have generic homedir access)

We allow $HOME/.fonts specifically so that one should be fine.

Comment 3

2 years ago
What I mean is that a flatpak sandboxed app (say firefox) typically does not have full access to the normal filesystem. So, the files in /home/user/.fonts will not be there in the sandbox. To make per-user installed fonts work in such applications, flatpak exposes a read-only version of /home/user/.fonts as /run/host/user-fonts in the sandbox (and configures fontconfig to look there).

So, direct access to ~/.fonts will only work if the firefox app has full homedir access.
Assignee

Updated

2 years ago
Duplicate of this bug: 1390392
Comment hidden (mozreview-request)
Comment hidden (obsolete)
Assignee

Comment 7

2 years ago
(In reply to Jan Horak from comment #6)
> The attached patch does not fix the issue, we must miss something there.
> I'll look into in further.

Huh, that's really surprising given https://bugzilla.mozilla.org/show_bug.cgi?id=1390392#c15
Reporter

Comment 8

2 years ago
Sorry for the confusion, I was wrong about it. It works fine with patch applied. Thanks.
Comment on attachment 8907535 [details]
Bug 1396733 - Add flatpak font dirs to the sandbox whitelist.

https://reviewboard.mozilla.org/r/179244/#review184662
Attachment #8907535 - Flags: review?(jld) → review+

Comment 10

2 years ago
Pushed by gpascutto@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/ec5526fce679
Add flatpak font dirs to the sandbox whitelist. r=jld

Comment 11

2 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/ec5526fce679
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla57
You need to log in before you can comment on or make changes to this bug.