Closed Bug 1733814 Opened 4 months ago Closed 4 months ago

[flatpak] Add /run/host/local-fonts/ to the sandbox whitelist

Categories

(Core :: Security: Process Sandboxing, enhancement, P1)

All
Linux
enhancement

Tracking

()

RESOLVED FIXED
95 Branch
Tracking Status
firefox94 --- fixed
firefox95 --- fixed

People

(Reporter: zwjmazza, Assigned: gerard-majax)

Details

Attachments

(1 file)

This is similar to Bug #1396733

/run/host/local-fonts/ exposes manually installed system-wide fonts from /usr/local/share/fonts/ to flatpak applications.

Currently /run/host/fonts/ and /run/host/user-fonts/ are both whitelisted, but /run/host/local-fonts/ is not. This renders any fonts exposed in this location unusable by Firefox, despite being recognized by the container's fontconfig.

Assignee: nobody → lissyx+mozillians
Pushed by alissy@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/aa135a33a544
Add /run/host/local-fonts to sandbox r=gcp
Status: UNCONFIRMED → RESOLVED
Closed: 4 months ago
Resolution: --- → FIXED
Target Milestone: --- → 95 Branch

Is this something we should consider uplifting to Beta or can this ride 95 to release?

Flags: needinfo?(lissyx+mozillians)

I'd suspect we want, but maybe Olivier might know better?

Flags: needinfo?(lissyx+mozillians) → needinfo?(olivier)

I'm not familiar with flatpak packaging matters, I'm involved with the snap packaging only.

The change looks trivial enough and makes sense, so I suppose it wouldn't hurt to uplift it to beta at this stage, but I don't think that's for me to decide.

Flags: needinfo?(olivier)

Oh my bad, I misread and confused flatpak with Snap :/

Comment on attachment 9244305 [details]
Bug 1733814 - Add /run/host/local-fonts to sandbox r?gcp!

Beta/Release Uplift Approval Request

  • User impact if declined: Missing fonts
  • Is this code covered by automated tests?: No
  • Has the fix been verified in Nightly?: Yes
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Only adding a new authorized path to the list of paths, similar to existing.
  • String changes made/needed:
Attachment #9244305 - Flags: approval-mozilla-beta?
Attachment #9244305 - Flags: approval-mozilla-beta? → approval-mozilla-beta+

Approved for uplift 94.0b6

You need to log in before you can comment on or make changes to this bug.