commit a0f6de2e117780da4c7e355a13b825819c31c3c2 Author: Yawning Angel yawning@schwanenlied.me Date: Sat Dec 10 18:38:09 2016 +0000
Bug #20806: Make "libavcodec.so" in the sandbox configurable.
Add `--allow-gstreamer` that disables the hard prohibition on gstreamer libraries, as long as libavcodec is also allowed and present to handle weird systems that link firefox dependencies against gstreamer. --- .../internal/sandbox/application.go | 21 +++++++++++++++------ 1 file changed, 15 insertions(+), 6 deletions(-)
diff --git a/src/cmd/sandboxed-tor-browser/internal/sandbox/application.go b/src/cmd/sandboxed-tor-browser/internal/sandbox/application.go index 64492a9..8895a36 100644 --- a/src/cmd/sandboxed-tor-browser/internal/sandbox/application.go +++ b/src/cmd/sandboxed-tor-browser/internal/sandbox/application.go @@ -20,6 +20,7 @@ package sandbox
import ( "bytes" + "flag" "fmt" "io/ioutil" "log" @@ -39,7 +40,10 @@ import (
const restrictedLibDir = "/usr/lib"
-var distributionDependentLibSearchPath []string +var ( + distributionDependentLibSearchPath []string + allowGstreamer bool +)
// RunTorBrowser launches sandboxed Tor Browser. func RunTorBrowser(cfg *config.Config, manif *config.Manifest, tor *tor.Tor) (cmd *exec.Cmd, err error) { @@ -281,11 +285,14 @@ func filterCodecs(fn string, allowFfmpeg bool) error { _, fn = filepath.Split(fn) lfn := strings.ToLower(fn)
- codecPrefixes := []string{ - // gstreamer is always disallowed, see `findBestCodec()`. - "libstreamer", - "libgstapp", - "libgstvideo", + codecPrefixes := []string{} + if !allowGstreamer && !allowFfmpeg { + // Unless overridden, gstreamer is explicitly prohibited. + codecPrefixes = append(codecPrefixes, []string{ + "libstreamer", + "libgstapp", + "libgstvideo", + }...) } if !allowFfmpeg { codecPrefixes = append(codecPrefixes, "libavcodec") @@ -810,4 +817,6 @@ func init() { }
distributionDependentLibSearchPath = searchPaths + + flag.BoolVar(&allowGstreamer, "allow-gstreamer", false, "Don't blacklist gstreamer libraries.") }