diff options
| author | Joachim Fasting <joachifm@fastmail.fm> | 2017-08-20 02:13:22 +0200 |
|---|---|---|
| committer | Joachim Fasting <joachifm@fastmail.fm> | 2017-09-09 17:37:14 +0200 |
| commit | f84125c3b11246ba0b9b2dec8bc916c8caac0f86 (patch) | |
| tree | 884d0b00a73dde065c6b76a7c088dbee54097500 /pkgs/applications/networking | |
| parent | c8f2dbae9f65eb5635052cb9808288ce8d9a4760 (diff) | |
| download | nixlib-f84125c3b11246ba0b9b2dec8bc916c8caac0f86.tar nixlib-f84125c3b11246ba0b9b2dec8bc916c8caac0f86.tar.gz nixlib-f84125c3b11246ba0b9b2dec8bc916c8caac0f86.tar.bz2 nixlib-f84125c3b11246ba0b9b2dec8bc916c8caac0f86.tar.lz nixlib-f84125c3b11246ba0b9b2dec8bc916c8caac0f86.tar.xz nixlib-f84125c3b11246ba0b9b2dec8bc916c8caac0f86.tar.zst nixlib-f84125c3b11246ba0b9b2dec8bc916c8caac0f86.zip | |
tor-browser-bundle-bin: runtime purity improvements
These changes reduce file accesses outside TBB_HOME or the Nix store, as determined by running under strace -e access,open,stat.
Diffstat (limited to 'pkgs/applications/networking')
| -rw-r--r-- | pkgs/applications/networking/browsers/tor-browser-bundle-bin/default.nix | 32 |
1 files changed, 30 insertions, 2 deletions
diff --git a/pkgs/applications/networking/browsers/tor-browser-bundle-bin/default.nix b/pkgs/applications/networking/browsers/tor-browser-bundle-bin/default.nix index be92791b3ebc..b91b789a22b9 100644 --- a/pkgs/applications/networking/browsers/tor-browser-bundle-bin/default.nix +++ b/pkgs/applications/networking/browsers/tor-browser-bundle-bin/default.nix @@ -38,6 +38,12 @@ # Pluggable transport dependencies , python27 +# Wrapper runtime +, coreutils +, glibcLocales +, hicolor_icon_theme +, shared_mime_info + # Extra preferences , extraPrefs ? "" }: @@ -45,7 +51,9 @@ with stdenv.lib; let - libPath = makeLibraryPath ([ + libPath = makeLibraryPath libPkgs; + + libPkgs = [ atk cairo dbus @@ -62,6 +70,7 @@ let libXt pango stdenv.cc.cc + stdenv.cc.libc zlib ] ++ optionals pulseaudioSupport [ libpulseaudio ] @@ -70,7 +79,7 @@ let gst-plugins-base gmp ffmpeg - ]); + ]; gstPluginsPath = concatMapStringsSep ":" (x: "${x}/lib/gstreamer-0.10") [ @@ -225,12 +234,21 @@ stdenv.mkDerivation rec { GeoIPv6File $TBB_IN_STORE/TorBrowser/Data/Tor/geoip6 EOF + WRAPPER_XDG_DATA_DIRS=${concatMapStringsSep ":" (x: "${x}/share") [ + hicolor_icon_theme + shared_mime_info + ]} + # Generate wrapper mkdir -p $out/bin cat > "$out/bin/tor-browser" << EOF #! ${stdenv.shell} set -o errexit -o nounset + PATH=${makeBinPath [ coreutils ]} + export LC_ALL=C + export LOCALE_ARCHIVE=${glibcLocales}/lib/locale/locale-archive + # Enter local state directory. REAL_HOME=\$HOME TBB_HOME=\''${TBB_HOME:-''${XDG_DATA_HOME:-\$REAL_HOME/.local/share}/tor-browser} @@ -291,12 +309,22 @@ stdenv.mkDerivation rec { # Setting FONTCONFIG_FILE is required to make fontconfig read the TBB # fonts.conf; upstream uses FONTCONFIG_PATH, but FC_DEBUG=1024 # indicates the system fonts.conf being used instead. + # + # XDG_DATA_DIRS is set to prevent searching system dirs (looking for .desktop & icons) exec env -i \ + TZ=":" \ + TZDIR="\''${TZDIR:-}" \ + LOCALE_ARCHIVE="\$LOCALE_ARCHIVE" \ + \ + TMPDIR="\''${TMPDIR:-/tmp}" \ HOME="\$HOME" \ XAUTHORITY="\$XAUTHORITY" \ DISPLAY="\$DISPLAY" \ DBUS_SESSION_BUS_ADDRESS="\$DBUS_SESSION_BUS_ADDRESS" \ \ + XDG_DATA_HOME="\$HOME/.local/share" \ + XDG_DATA_DIRS="$WRAPPER_XDG_DATA_DIRS" \ + \ PULSE_SERVER="\''${PULSE_SERVER:-}" \ PULSE_COOKIE="\''${PULSE_COOKIE:-}" \ \ |