torbrowser: reduce risk of stale Nix store references

This patch restructures the expression and wrapper to minimize Nix store
references captured by the user's state directory.

The previous version would write lots of references to the Nix store into
the user's state directory, resulting in synchronization issues between
the Store and the local state directory.  At best, this would cause TBB to
stop working when the version used to instantiate the local state was
garbage collected; at worst, a user would continue to use the old version
even after an upgrade.

To solve the issue, hard-code as much as possible on the Store side and
minimize the amount of data being copied into the local state dir.
Currently, only a few files generated at firefox startup and fontconfig
cache files end up capturing store paths; these files are simply removed
upon every startup.  Otherwise, no capture should occur and the user
should always be using the TBB associated with the tor-browser wrapper
script.

To check for stale Store paths, do
   `grep -Ero '/nix/store/[^/]+' ~/.local/share/tor-browser`
This command should *never* return any other store path than the one
associated with the current tor-browser wrapper script, even after an
update (assuming you've run tor-browser at least once after updating).
Deviations from this general rule are considered bugs from now on.

Note that no attempt has been made to support pluggable transports; they
are still broken with this patch (to be fixed in a follow-up patch).

User visible changes:
- Wrapper retains only environment variables required for TBB to work
- pulseaudioSupport can be toggled independently of mediaSupport (the
  latter weakly implies the former).
- Store local state under $TBB_HOME.  Defaults to $XDG_DATA_HOME/tor-browser
- Stop obnoxious first-run stuff (NoScript redirect, in particular)
- Set desktop item GenericName to Web Browser

Some minor enhancements:
- Disable Hydra builds
- Specify system -> source mapping to make it easier to
  extend supported platforms.
Joachim Fasting
2017-03-25 15:59:13 +01:00
parent 417844b596
commit ecd0e1a2c7
3 changed files with 302 additions and 104 deletions


@@ -1,103 +0,0 @@
{ stdenv, fetchurl, makeDesktopItem
, libXrender, libX11, libXext, libXt, alsaLib, dbus, dbus_glib, glib, gtk2
, atk, pango, freetype, fontconfig, gdk_pixbuf, cairo, zlib
, gstreamer, gst-plugins-base, gst-plugins-good, gst-ffmpeg, gmp, ffmpeg
, libpulseaudio
, mediaSupport ? false
}:
let
libPath = stdenv.lib.makeLibraryPath ([
stdenv.cc.cc zlib glib alsaLib dbus dbus_glib gtk2 atk pango freetype
fontconfig gdk_pixbuf cairo libXrender libX11 libXext libXt
] ++ stdenv.lib.optionals mediaSupport [
gstreamer gst-plugins-base gmp ffmpeg
libpulseaudio
]);
# Ignored if !mediaSupport
gstPlugins = [ gstreamer gst-plugins-base gst-plugins-good gst-ffmpeg ];
gstPluginsPath = stdenv.lib.concatMapStringsSep ":" (x:
"${x}/lib/gstreamer-0.10") gstPlugins;
in
stdenv.mkDerivation rec {
name = "tor-browser-${version}";
version = "6.5.1";
src = fetchurl {
url = "https://dist.torproject.org/torbrowser/${version}/tor-browser-linux${if stdenv.is64bit then "64" else "32"}-${version}_en-US.tar.xz";
sha256 = if stdenv.is64bit then
"1p2bgavvyzahqpjg9vp14c0s50rmha3v1hs1c8zvz6fj8fgrhn0i" else
"1zfghr01bhpn39wqaw7hyx7yap7xyla4m3mrgz2vi9a5qsyxmbcr";
};
preferLocalBuild = true;
desktopItem = makeDesktopItem {
name = "torbrowser";
exec = "tor-browser";
icon = "torbrowser";
desktopName = "Tor Browser";
genericName = "Tor Browser";
comment = meta.description;
categories = "Network;WebBrowser;Security;";
};
patchPhase = ''
patchelf --set-interpreter "$(cat $NIX_CC/nix-support/dynamic-linker)" Browser/firefox
patchelf --set-interpreter "$(cat $NIX_CC/nix-support/dynamic-linker)" Browser/TorBrowser/Tor/tor
sed -e "s,./TorBrowser,$out/share/tor-browser/Browser/TorBrowser,g" -i Browser/TorBrowser/Data/Tor/torrc-defaults
'';
doCheck = true;
checkPhase = ''
echo "Checking firefox..."
LD_LIBRARY_PATH=${libPath} Browser/firefox --help 1> /dev/null
echo "Checking tor..."
LD_LIBRARY_PATH=${libPath}:Browser/TorBrowser/Tor Browser/TorBrowser/Tor/tor --help 1> /dev/null
'';
installPhase = ''
mkdir -p $out/share/tor-browser
mkdir -p $out/bin
cp -R * $out/share/tor-browser
cat > "$out/bin/tor-browser" << EOF
#! ${stdenv.shell}
unset SESSION_MANAGER
export HOME="\$HOME/.torbrowser4"
if [ ! -d \$HOME ]; then
mkdir -p \$HOME && cp -R $out/share/tor-browser/Browser/TorBrowser/Data \$HOME/ && chmod -R +w \$HOME
echo "pref(\"extensions.torlauncher.tordatadir_path\", \"\$HOME/Data/Tor/\");" >> \
~/Data/Browser/profile.default/preferences/extension-overrides.js
echo "pref(\"extensions.torlauncher.torrc-defaults_path\", \"\$HOME/Data/Tor/torrc-defaults\");" >> \
~/Data/Browser/profile.default/preferences/extension-overrides.js
echo "pref(\"extensions.torlauncher.tor_path\", \"$out/share/tor-browser/Browser/TorBrowser/Tor/tor\");" >> \
~/Data/Browser/profile.default/preferences/extension-overrides.js
fi
export FONTCONFIG_PATH=\$HOME/Data/fontconfig
export LD_LIBRARY_PATH=${libPath}:$out/share/tor-browser/Browser/TorBrowser/Tor
${stdenv.lib.optionalString mediaSupport ''
export GST_PLUGIN_SYSTEM_PATH=${gstPluginsPath}
''}
exec $out/share/tor-browser/Browser/firefox --class "Tor Browser" -no-remote -profile ~/Data/Browser/profile.default "\$@"
EOF
chmod +x $out/bin/tor-browser
mkdir -p $out/share/applications
cp $desktopItem/share/applications"/"* $out/share/applications
mkdir -p $out/share/pixmaps
cp Browser/browser/icons/mozicon128.png $out/share/pixmaps/torbrowser.png
'';
meta = with stdenv.lib; {
description = "Tor Browser Bundle";
homepage = https://www.torproject.org/;
platforms = platforms.linux;
maintainers = with maintainers; [ offline matejc doublec thoughtpolice joachifm ];
};
}