tor-browser-bundle-bin: runtime purity improvements

These changes reduce file accesses outside TBB_HOME or the Nix store, as determined by running under strace -e access,open,stat.
2017-08-20 02:13:22 +02:00 · 2017-08-20 02:13:22 +02:00 · f84125c3b1
parent c8f2dbae9f
commit f84125c3b1
1 changed files with 30 additions and 2 deletions
--- a/pkgs/applications/networking/browsers/tor-browser-bundle-bin/default.nix
+++ b/pkgs/applications/networking/browsers/tor-browser-bundle-bin/default.nix
@ -38,6 +38,12 @@
 # Pluggable transport dependencies
 , python27

+# Wrapper runtime
+, coreutils
+, glibcLocales
+, hicolor_icon_theme
+, shared_mime_info
+
 # Extra preferences
 , extraPrefs ? ""
 }:
@ -45,7 +51,9 @@
 with stdenv.lib;

 let
-  libPath = makeLibraryPath ([
+  libPath = makeLibraryPath libPkgs;
+
+  libPkgs = [
    atk
    cairo
    dbus
@ -62,6 +70,7 @@ let
    libXt
    pango
    stdenv.cc.cc
+    stdenv.cc.libc
    zlib
  ]
  ++ optionals pulseaudioSupport [ libpulseaudio ]
@ -70,7 +79,7 @@ let
    gst-plugins-base
    gmp
    ffmpeg
-  ]);
+  ];

  gstPluginsPath = concatMapStringsSep ":" (x:
    "${x}/lib/gstreamer-0.10") [
@ -225,12 +234,21 @@ stdenv.mkDerivation rec {
    GeoIPv6File $TBB_IN_STORE/TorBrowser/Data/Tor/geoip6
    EOF

+    WRAPPER_XDG_DATA_DIRS=${concatMapStringsSep ":" (x: "${x}/share") [
+      hicolor_icon_theme
+      shared_mime_info
+    ]}
+
    # Generate wrapper
    mkdir -p $out/bin
    cat > "$out/bin/tor-browser" << EOF
    #! ${stdenv.shell}
    set -o errexit -o nounset

+    PATH=${makeBinPath [ coreutils ]}
+    export LC_ALL=C
+    export LOCALE_ARCHIVE=${glibcLocales}/lib/locale/locale-archive
+
    # Enter local state directory.
    REAL_HOME=\$HOME
    TBB_HOME=\''${TBB_HOME:-''${XDG_DATA_HOME:-\$REAL_HOME/.local/share}/tor-browser}
@ -291,12 +309,22 @@ stdenv.mkDerivation rec {
    # Setting FONTCONFIG_FILE is required to make fontconfig read the TBB
    # fonts.conf; upstream uses FONTCONFIG_PATH, but FC_DEBUG=1024
    # indicates the system fonts.conf being used instead.
+    #
+    # XDG_DATA_DIRS is set to prevent searching system dirs (looking for .desktop & icons)
    exec env -i \
+      TZ=":" \
+      TZDIR="\''${TZDIR:-}" \
+      LOCALE_ARCHIVE="\$LOCALE_ARCHIVE" \
+      \
+      TMPDIR="\''${TMPDIR:-/tmp}" \
      HOME="\$HOME" \
      XAUTHORITY="\$XAUTHORITY" \
      DISPLAY="\$DISPLAY" \
      DBUS_SESSION_BUS_ADDRESS="\$DBUS_SESSION_BUS_ADDRESS" \
      \
+      XDG_DATA_HOME="\$HOME/.local/share" \
+      XDG_DATA_DIRS="$WRAPPER_XDG_DATA_DIRS" \
+      \
      PULSE_SERVER="\''${PULSE_SERVER:-}" \
      PULSE_COOKIE="\''${PULSE_COOKIE:-}" \
      \