Closed Bug 1396733 Opened 4 years ago Closed 4 years ago
[flatpak] add /run/host/fonts to the sandbox whitelist
59 bytes, text/x-review-board-request
Currently there is allowed access to the : /usr/X11R6/lib/X11/fonts /usr/share which covers loading system installed fonts. The flatpak puts fonts installed on host to the /run/host/fonts. Currently the Firefox sandbox deny the access to this location which leads to the missing letters when specific font is used on page. See report .  https://dxr.mozilla.org/mozilla-central/rev/632e42dca494ec3d90b70325d9c359f80cb3f38a/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp#98  https://github.com/xhorak/firefox-devedition-flatpak/issues/36
You need /run/host/fonts/user-fonts too. That is where the $HOME/.fonts (or equivalent) fonts show up (as your app might not have generic homedir access)
(In reply to Alexander Larsson from comment #1) > You need /run/host/fonts/user-fonts too. That is where the $HOME/.fonts (or > equivalent) fonts show up (as your app might not have generic homedir access) We allow $HOME/.fonts specifically so that one should be fine.
What I mean is that a flatpak sandboxed app (say firefox) typically does not have full access to the normal filesystem. So, the files in /home/user/.fonts will not be there in the sandbox. To make per-user installed fonts work in such applications, flatpak exposes a read-only version of /home/user/.fonts as /run/host/user-fonts in the sandbox (and configures fontconfig to look there). So, direct access to ~/.fonts will only work if the firefox app has full homedir access.
(In reply to Jan Horak from comment #6) > The attached patch does not fix the issue, we must miss something there. > I'll look into in further. Huh, that's really surprising given https://bugzilla.mozilla.org/show_bug.cgi?id=1390392#c15
Sorry for the confusion, I was wrong about it. It works fine with patch applied. Thanks.
Comment on attachment 8907535 [details] Bug 1396733 - Add flatpak font dirs to the sandbox whitelist. https://reviewboard.mozilla.org/r/179244/#review184662
Attachment #8907535 - Flags: review?(jld) → review+
Pushed by firstname.lastname@example.org: https://hg.mozilla.org/integration/autoland/rev/ec5526fce679 Add flatpak font dirs to the sandbox whitelist. r=jld
You need to log in before you can comment on or make changes to this bug.