torbrowser: reduce risk of stale Nix store references

This patch restructures the expression and wrapper to minimize Nix store references captured by the user's state directory. The previous version would write lots of references to the Nix store into the user's state directory, resulting in synchronization issues between the Store and the local state directory. At best, this would cause TBB to stop working when the version used to instantiate the local state was garbage collected; at worst, a user would continue to use the old version even after an upgrade. To solve the issue, hard-code as much as possible at the Store side and minimize the amount of stuff being copied into the local state dir. Currently, only a few files generated at firefox startup and fontconfig cache files end up capturing store paths; these files are simply removed upon every startup. Otherwise, no capture should occur and the user should always be using the TBB associated with the tor-browser wrapper script. To check for stale Store paths, do `grep -Ero '/nix/store/[^/]+' ~/.local/share/tor-browser` This command should *never* return any other store path than the one associated with the current tor-browser wrapper script, even after an update (assuming you've run tor-browser at least once after updating). Deviations from this general rule are considered bugs from now on. Note that no attempt has been made to support pluggable transports; they are still broken with this patch (to be fixed in a follow-up patch). User visible changes: - Wrapper retains only environment variables required for TBB to work - pulseaudioSupport can be toggled independently of mediaSupport (the latter weakly implies the former). - Store local state under $TBB_HOME. Defaults to $XDG_DATA_HOME/tor-browser - Stop obnoxious first-run stuff (NoScript redirect, in particular) - Set desktop item GenericName to Web Browser Some minor enhancements: - Disable Hydra builds - Specify system -> source mapping to make it easier to extend supported platforms.
2017-03-25 15:59:13 +01:00 · 2017-03-25 15:59:13 +01:00 · ecd0e1a2c7
parent 417844b596
commit ecd0e1a2c7
3 changed files with 302 additions and 104 deletions
--- a/pkgs/applications/networking/browsers/torbrowser/default.nix
+++ b/pkgs/applications/networking/browsers/torbrowser/default.nix
@ -0,0 +1,301 @@
+{ stdenv
+, fetchurl
+, makeDesktopItem
+
+# Common run-time dependencies
+, zlib
+
+# libxul run-time dependencies
+, alsaLib
+, atk
+, cairo
+, dbus
+, dbus_glib
+, fontconfig
+, freetype
+, gdk_pixbuf
+, glib
+, gtk2
+, libX11
+, libXext
+, libXrender
+, libXt
+, pango
+
+# Pulseaudio support
+, pulseaudioSupport ? mediaSupport
+, libpulseaudio
+
+# Media support (implies pulseaudio support)
+, mediaSupport ? false
+, gstreamer
+, gst-plugins-base
+, gst-plugins-good
+, gst-ffmpeg
+, gmp
+, ffmpeg
+}:
+
+with stdenv.lib;
+
+let
+  libPath = makeLibraryPath ([
+    alsaLib
+    atk
+    cairo
+    dbus
+    dbus_glib
+    fontconfig
+    freetype
+    gdk_pixbuf
+    glib
+    gtk2
+    libX11
+    libXext
+    libXrender
+    libXt
+    pango
+    stdenv.cc.cc
+    zlib
+  ]
+  ++ optionals pulseaudioSupport [ libpulseaudio ]
+  ++ optionals mediaSupport [
+    gstreamer
+    gst-plugins-base
+    gmp
+    ffmpeg
+  ]);
+
+  gstPluginsPath = concatMapStringsSep ":" (x:
+    "${x}/lib/gstreamer-0.10") [
+      gstreamer
+      gst-plugins-base
+      gst-plugins-good
+      gst-ffmpeg
+    ];
+
+  # Upstream source
+  version = "6.5.1";
+
+  lang = "en-US";
+
+  srcs = {
+    "x86_64-linux" = fetchurl {
+      url = "https://dist.torproject.org/torbrowser/${version}/tor-browser-linux64-${version}_${lang}.tar.xz";
+      sha256 = "1p2bgavvyzahqpjg9vp14c0s50rmha3v1hs1c8zvz6fj8fgrhn0i";
+    };
+
+    "i686-linux" = fetchurl {
+      url = "https://dist.torproject.org/torbrowser/${version}/tor-browser-linux32-${version}_${lang}.tar.xz";
+      sha256 = "1zfghr01bhpn39wqaw7hyx7yap7xyla4m3mrgz2vi9a5qsyxmbcr";
+    };
+  };
+in
+
+stdenv.mkDerivation rec {
+  name = "tor-browser-${version}";
+  inherit version;
+
+  src = srcs."${stdenv.system}" or (throw "unsupported system: ${stdenv.system}");
+
+  preferLocalBuild = true;
+
+  desktopItem = makeDesktopItem {
+    name = "torbrowser";
+    exec = "tor-browser";
+    icon = "torbrowser";
+    desktopName = "Tor Browser";
+    genericName = "Web Browser";
+    comment = meta.description;
+    categories = "Network;WebBrowser;Security;";
+  };
+
+  buildCommand = ''
+    # For convenience ...
+    TBB_IN_STORE=$out/share/tor-browser
+    interp=$(< $NIX_CC/nix-support/dynamic-linker)
+
+    # Unpack & enter
+    mkdir -p "$TBB_IN_STORE"
+    tar xf "${src}" -C "$TBB_IN_STORE" --strip-components=2
+    pushd "$TBB_IN_STORE"
+
+    # Set ELF interpreter
+    for exe in firefox TorBrowser/Tor/tor ; do
+      patchelf --set-interpreter "$interp" "$exe"
+    done
+
+    # The final libPath.  Note, we could split this into firefoxLibPath
+    # and torLibPath for accuracy, but this is more convenient ...
+    libPath=${libPath}:$TBB_IN_STORE:$TBB_IN_STORE/TorBrowser/Tor
+
+    # Prepare for autoconfig.
+    #
+    # See https://developer.mozilla.org/en-US/Firefox/Enterprise_deployment
+    cat >defaults/pref/autoconfig.js <<EOF
+    //
+    pref("general.config.filename", "mozilla.cfg");
+    pref("general.config.obscure_value", 0);
+    EOF
+
+    # Hard-coded Firefox preferences.
+    cat >mozilla.cfg <<EOF
+    // First line must be a comment
+
+    // Always update via Nix
+    lockPref("app.update.auto", false);
+    lockPref("app.update.enabled", false);
+    lockPref("extensions.update.autoUpdateDefault", false);
+    lockPref("extensions.update.enabled", false);
+
+    // User should never change these.  Locking prevents these
+    // values from being written to prefs.js, avoiding Store
+    // path capture.
+    lockPref("extensions.torlauncher.torrc-defaults_path", "$TBB_IN_STORE/TorBrowser/Data/Tor/torrc-defaults");
+    lockPref("extensions.torlauncher.tor_path", "$TBB_IN_STORE/TorBrowser/Tor/tor");
+
+    // Reset pref that captures store paths.
+    clearPref("extensions.xpiState");
+
+    // Stop obnoxious first-run redirection.
+    lockPref("noscript.firstRunRedirection", false);
+    EOF
+
+    # Hard-code path to TBB fonts; see also FONTCONFIG_FILE in
+    # the wrapper below.
+    FONTCONFIG_FILE=$TBB_IN_STORE/TorBrowser/Data/fontconfig/fonts.conf
+    sed -i "$FONTCONFIG_FILE" \
+        -e "s,<dir>fonts</dir>,<dir>$TBB_IN_STORE/fonts</dir>,"
+
+    # Move default extension overrides into distribution dir, to avoid
+    # having to synchronize between local state and store.
+    mv TorBrowser/Data/Browser/profile.default/preferences/extension-overrides.js defaults/pref/torbrowser.js
+
+    # Hard-code paths to geoip data files, to prevent them from being
+    # copied into the local state directory.
+    cat >>TorBrowser/Data/Tor/torrc-defaults <<EOF
+    GeoIPFile $TBB_IN_STORE/TorBrowser/Data/Tor/geoip
+    GeoIPv6File $TBB_IN_STORE/TorBrowser/Data/Tor/geoip6
+    EOF
+
+    # Generate wrapper
+    mkdir -p $out/bin
+    cat > "$out/bin/tor-browser" << EOF
+    #! ${stdenv.shell}
+    set -o errexit -o nounset
+
+    # Enter local state directory.
+    REAL_HOME=\$HOME
+    TBB_HOME=\''${TBB_HOME:-''${XDG_DATA_HOME:-\$REAL_HOME/.local/share}/tor-browser}
+    HOME=\$TBB_HOME
+
+    mkdir -p "\$HOME"
+    cd "\$HOME"
+
+    # Initialize empty TBB local state directory hierarchy.  We
+    # intentionally mirror the layout that TBB would see if executed from
+    # the unpacked bundle dir.
+    mkdir -p "\$HOME/TorBrowser" "\$HOME/TorBrowser/Data"
+
+    # Initialize the Tor data directory.
+    mkdir -p "\$HOME/TorBrowser/Data/Tor"
+
+    # Initialize the browser profile state.  Note that the only data
+    # copied from the Store payload is the initial bookmark file, which is
+    # never updated once created.  All other files under user's profile
+    # dir are generated by TBB.
+    mkdir -p "\$HOME/TorBrowser/Data/Browser/profile.default"
+    cp -u --no-preserve=mode,owner "$TBB_IN_STORE/TorBrowser/Data/Browser/profile.default/bookmarks.html" \
+      "\$HOME/TorBrowser/Data/Browser/profile.default/bookmarks.html"
+
+    # Clear out some files that tend to capture store references but are
+    # easily generated by firefox at startup.
+    rm -f "\$HOME/TorBrowser/Data/Browser/profile.default"/{compatibility.ini,extensions.ini,extensions.json}
+
+    # Ensure that we're always using the up-to-date extensions.
+    ln -snf "$TBB_IN_STORE/TorBrowser/Data/Browser/profile.default/extensions" \
+      "\$HOME/TorBrowser/Data/Browser/profile.default/extensions"
+
+    ${optionalString pulseaudioSupport ''
+      # Figure out some envvars for pulseaudio
+      : "\''${XDG_RUNTIME_DIR:=/run/user/\$(id -u)}"
+      : "\''${XDG_CONFIG_HOME:=\$REAL_HOME/.config}"
+      : "\''${PULSE_SERVER:=\$XDG_RUNTIME_DIR/pulse/native}"
+      : "\''${PULSE_COOKIE:=\$XDG_CONFIG_HOME/pulse/cookie}"
+    ''}
+
+    # Font cache files capture store paths; clear them out on the off
+    # chance that TBB would continue using old font files.
+    rm -rf "\$HOME/.cache/fontconfig"
+
+    # Lift-off
+    #
+    # XAUTHORITY and DISPLAY are required for TBB to work at all.
+    #
+    # DBUS_SESSION_BUS_ADDRESS is inherited to avoid auto-launch; to
+    # prevent that, set it to an empty/invalid value prior to running
+    # tor-browser.
+    #
+    # PULSE_SERVER is necessary for audio playback.
+    #
+    # Setting FONTCONFIG_FILE is required to make fontconfig read the TBB
+    # fonts.conf; upstream uses FONTCONFIG_PATH, but FC_DEBUG=1024
+    # indicates the system fonts.conf being used instead.
+    exec env -i \
+      HOME="\$HOME" \
+      XAUTHORITY="\$XAUTHORITY" \
+      DISPLAY="\$DISPLAY" \
+      DBUS_SESSION_BUS_ADDRESS="\$DBUS_SESSION_BUS_ADDRESS" \
+      \
+      PULSE_SERVER="\''${PULSE_SERVER:-}" \
+      PULSE_COOKIE="\''${PULSE_COOKIE:-}" \
+      \
+      GST_PLUGIN_SYSTEM_PATH="${optionalString mediaSupport gstPluginsPath}" \
+      GST_REGISTRY="/dev/null" \
+      GST_REGISTRY_UPDATE="no" \
+      \
+      FONTCONFIG_FILE="$FONTCONFIG_FILE" \
+      \
+      LD_LIBRARY_PATH="$libPath" \
+      \
+      "$TBB_IN_STORE/firefox" \
+        --class "Tor Browser" \
+        -no-remote \
+        -profile "\$HOME/TorBrowser/Data/Browser/profile.default" \
+        "\''${@}"
+    EOF
+    chmod +x $out/bin/tor-browser
+
+    # Easier access to docs
+    mkdir -p $out/share/doc
+    ln -s $TBB_IN_STORE/TorBrowser/Docs $out/share/doc/tor-browser
+
+    # Install .desktop item
+    mkdir -p $out/share/applications
+    cp $desktopItem/share/applications"/"* $out/share/applications
+
+    # Install icons
+    mkdir -p $out/share/pixmaps
+    cp browser/icons/mozicon128.png $out/share/pixmaps/torbrowser.png
+
+    # Check installed apps
+    echo "Checking bundled Tor ..."
+    LD_LIBRARY_PATH=$libPath $TBB_IN_STORE/TorBrowser/Tor/tor --version >/dev/null
+
+    echo "Checking tor-browser wrapper ..."
+    DISPLAY="" XAUTHORITY="" DBUS_SESSION_BUS_ADDRESS="" TBB_HOME=$(mktemp -d) \
+      $out/bin/tor-browser --version >/dev/null
+  '';
+
+  meta = with stdenv.lib; {
+    description = "Tor Browser Bundle";
+    homepage = https://www.torproject.org/;
+    platforms = attrNames srcs;
+    maintainers = with maintainers; [ offline matejc doublec thoughtpolice joachifm ];
+    hydraPlatforms = [];
+    # MPL2.0+, GPL+, &c.  While it's not entirely clear whether
+    # the compound is "libre" in a strict sense (some components place certain
+    # restrictions on redistribution), it's free enough for our purposes.
+    license = licenses.free;
+  };
+}
--- a/pkgs/tools/security/tor/torbrowser.nix
+++ b/pkgs/tools/security/tor/torbrowser.nix
@ -1,103 +0,0 @@
-{ stdenv, fetchurl, makeDesktopItem
-, libXrender, libX11, libXext, libXt, alsaLib, dbus, dbus_glib, glib, gtk2
-, atk, pango, freetype, fontconfig, gdk_pixbuf, cairo, zlib
-, gstreamer, gst-plugins-base, gst-plugins-good, gst-ffmpeg, gmp, ffmpeg
-, libpulseaudio
-, mediaSupport ? false
-}:
-
-let
-  libPath = stdenv.lib.makeLibraryPath ([
-    stdenv.cc.cc zlib glib alsaLib dbus dbus_glib gtk2 atk pango freetype
-    fontconfig gdk_pixbuf cairo libXrender libX11 libXext libXt
-  ] ++ stdenv.lib.optionals mediaSupport [
-    gstreamer gst-plugins-base gmp ffmpeg
-    libpulseaudio
-  ]);
-
-  # Ignored if !mediaSupport
-  gstPlugins = [ gstreamer gst-plugins-base gst-plugins-good gst-ffmpeg ];
-
-  gstPluginsPath = stdenv.lib.concatMapStringsSep ":" (x:
-    "${x}/lib/gstreamer-0.10") gstPlugins;
-in
-
-stdenv.mkDerivation rec {
-  name = "tor-browser-${version}";
-  version = "6.5.1";
-
-  src = fetchurl {
-    url = "https://dist.torproject.org/torbrowser/${version}/tor-browser-linux${if stdenv.is64bit then "64" else "32"}-${version}_en-US.tar.xz";
-    sha256 = if stdenv.is64bit then
-      "1p2bgavvyzahqpjg9vp14c0s50rmha3v1hs1c8zvz6fj8fgrhn0i" else
-      "1zfghr01bhpn39wqaw7hyx7yap7xyla4m3mrgz2vi9a5qsyxmbcr";
-  };
-
-  preferLocalBuild = true;
-
-  desktopItem = makeDesktopItem {
-    name = "torbrowser";
-    exec = "tor-browser";
-    icon = "torbrowser";
-    desktopName = "Tor Browser";
-    genericName = "Tor Browser";
-    comment = meta.description;
-    categories = "Network;WebBrowser;Security;";
-  };
-
-  patchPhase = ''
-    patchelf --set-interpreter "$(cat $NIX_CC/nix-support/dynamic-linker)" Browser/firefox
-    patchelf --set-interpreter "$(cat $NIX_CC/nix-support/dynamic-linker)" Browser/TorBrowser/Tor/tor
-
-    sed -e "s,./TorBrowser,$out/share/tor-browser/Browser/TorBrowser,g" -i Browser/TorBrowser/Data/Tor/torrc-defaults
-  '';
-
-  doCheck = true;
-  checkPhase = ''
-    echo "Checking firefox..."
-    LD_LIBRARY_PATH=${libPath} Browser/firefox --help 1> /dev/null
-    echo "Checking tor..."
-    LD_LIBRARY_PATH=${libPath}:Browser/TorBrowser/Tor Browser/TorBrowser/Tor/tor --help 1> /dev/null
-  '';
-
-  installPhase = ''
-    mkdir -p $out/share/tor-browser
-    mkdir -p $out/bin
-    cp -R * $out/share/tor-browser
-
-    cat > "$out/bin/tor-browser" << EOF
-    #! ${stdenv.shell}
-    unset SESSION_MANAGER
-    export HOME="\$HOME/.torbrowser4"
-    if [ ! -d \$HOME ]; then
-      mkdir -p \$HOME && cp -R $out/share/tor-browser/Browser/TorBrowser/Data \$HOME/ && chmod -R +w \$HOME
-      echo "pref(\"extensions.torlauncher.tordatadir_path\", \"\$HOME/Data/Tor/\");" >> \
-        ~/Data/Browser/profile.default/preferences/extension-overrides.js
-      echo "pref(\"extensions.torlauncher.torrc-defaults_path\", \"\$HOME/Data/Tor/torrc-defaults\");" >> \
-        ~/Data/Browser/profile.default/preferences/extension-overrides.js
-      echo "pref(\"extensions.torlauncher.tor_path\", \"$out/share/tor-browser/Browser/TorBrowser/Tor/tor\");" >> \
-        ~/Data/Browser/profile.default/preferences/extension-overrides.js
-    fi
-    export FONTCONFIG_PATH=\$HOME/Data/fontconfig
-    export LD_LIBRARY_PATH=${libPath}:$out/share/tor-browser/Browser/TorBrowser/Tor
-    ${stdenv.lib.optionalString mediaSupport ''
-      export GST_PLUGIN_SYSTEM_PATH=${gstPluginsPath}
-    ''}
-    exec $out/share/tor-browser/Browser/firefox --class "Tor Browser" -no-remote -profile ~/Data/Browser/profile.default "\$@"
-    EOF
-    chmod +x $out/bin/tor-browser
-
-    mkdir -p $out/share/applications
-    cp $desktopItem/share/applications"/"* $out/share/applications
-
-    mkdir -p $out/share/pixmaps
-    cp Browser/browser/icons/mozicon128.png $out/share/pixmaps/torbrowser.png
-  '';
-
-  meta = with stdenv.lib; {
-    description = "Tor Browser Bundle";
-    homepage    = https://www.torproject.org/;
-    platforms   = platforms.linux;
-    maintainers = with maintainers; [ offline matejc doublec thoughtpolice joachifm ];
-  };
-}
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@ -4189,7 +4189,7 @@ with pkgs;

  tor-arm = callPackage ../tools/security/tor/tor-arm.nix { };

-  torbrowser = callPackage ../tools/security/tor/torbrowser.nix { };
+  torbrowser = callPackage ../applications/networking/browsers/torbrowser { };

  touchegg = callPackage ../tools/inputmethods/touchegg { };