From ad836af7f9d1a4200407dca16d6dfc802f4a19f8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Felix=20Schr=C3=B6ter?= Date: Sun, 15 Oct 2023 18:23:41 +0200 Subject: tor-browser: use system install & simplify wrapper Enables official system install which stores state in `~/.tor project` instead of `~/.local/share/tor-browser`. The custom wrapper, which added some isolation, is replaced with a simpler makeWrapper-based solution. These changes bring the `tor-browser` package much closer to the `mullvad-browser` package. --- .../networking/browsers/tor-browser/default.nix | 203 +++------------------ 1 file changed, 27 insertions(+), 176 deletions(-) (limited to 'pkgs') diff --git a/pkgs/applications/networking/browsers/tor-browser/default.nix b/pkgs/applications/networking/browsers/tor-browser/default.nix index bb2c82145e0d..cd3711c5e967 100644 --- a/pkgs/applications/networking/browsers/tor-browser/default.nix +++ b/pkgs/applications/networking/browsers/tor-browser/default.nix @@ -1,9 +1,12 @@ -{ lib, stdenv +{ lib +, stdenv , fetchurl , makeDesktopItem , copyDesktopItems +, makeWrapper , writeText , autoPatchelfHook +, wrapGAppsHook , callPackage , atk @@ -34,6 +37,9 @@ , libdrm , libGL +, mediaSupport ? true +, ffmpeg + , audioSupport ? mediaSupport , pipewireSupport ? audioSupport @@ -47,18 +53,6 @@ , libvaSupport ? mediaSupport , libva -# Media support (implies audio support) -, mediaSupport ? true -, ffmpeg - -# Wrapper runtime -, coreutils -, glibcLocales -, gnome -, runtimeShell -, shared-mime-info -, gsettings-desktop-schemas - # Hardening , graphene-hardened-malloc # Whether to use graphene-hardened-malloc @@ -150,7 +144,7 @@ stdenv.mkDerivation rec { src = sources.${stdenv.hostPlatform.system} or (throw "unsupported system: ${stdenv.hostPlatform.system}"); - nativeBuildInputs = [ autoPatchelfHook copyDesktopItems ]; + nativeBuildInputs = [ autoPatchelfHook copyDesktopItems makeWrapper wrapGAppsHook ]; buildInputs = [ gtk3 alsa-lib 
@@ -192,6 +186,9 @@ stdenv.mkDerivation rec { # firefox is a wrapper that checks for a more recent libstdc++ & appends it to the ld path mv firefox.real firefox + # store state at `~/.tor browser` instead of relative to executable + touch "$TBB_IN_STORE/system-install" + # The final libPath. Note, we could split this into firefoxLibPath # and torLibPath for accuracy, but this is more convenient ... libPath=${libPath}:$TBB_IN_STORE:$TBB_IN_STORE/TorBrowser/Tor @@ -215,7 +212,6 @@ stdenv.mkDerivation rec { sed -i TorBrowser/Data/Tor/torrc-defaults \ -e "s|\(ClientTransportPlugin snowflake\) exec|\1 exec $interp|" - # Prepare for autoconfig. # # See https://developer.mozilla.org/en-US/Firefox/Enterprise_deployment @@ -229,12 +225,11 @@ stdenv.mkDerivation rec { cat >mozilla.cfg <fonts,$TBB_IN_STORE/fonts," - - # Preload extensions by moving into the runtime instead of storing under the - # user's profile directory. - # See https://support.mozilla.org/en-US/kb/deploying-firefox-with-extensions - mkdir -p "$TBB_IN_STORE/distribution/extensions" - mv "$TBB_IN_STORE/TorBrowser/Data/Browser/profile.default/extensions/"* \ - "$TBB_IN_STORE/distribution/extensions" + -e "s,fonts,$TBB_IN_STORE/fonts," # Hard-code paths to geoip data files. TBB resolves the geoip files # relative to torrc-defaults_path but if we do not hard-code them 
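Review bot: The comment added above `touch "$TBB_IN_STORE/system-install"` gives the new state directory as `~/.tor browser`, while the commit message says state moves to `~/.tor project`; one of the two is wrong, and the in-tree comment is what the next maintainer will trust. Whichever path a system-install run actually creates should be used in both places; if the commit message is right, change the comment to read `.tor project` instead of `.tor browser`. It would also help to say in the same comment that the marker file is what switches upstream's launcher into system-install mode, since nothing else in the hunk explains why an empty file is created in the store. The install script this hunk patches starts and ends outside the hunk.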
@@ -292,145 +275,14 @@ stdenv.mkDerivation rec { GeoIPv6File $TBB_IN_STORE/TorBrowser/Data/Tor/geoip6 EOF - WRAPPER_LD_PRELOAD=${lib.optionalString (useHardenedMalloc == true) - "${graphene-hardened-malloc}/lib/libhardened_malloc.so"} - - WRAPPER_XDG_DATA_DIRS=${lib.concatMapStringsSep ":" (x: "${x}/share") [ - gnome.adwaita-icon-theme - shared-mime-info - ]} - WRAPPER_XDG_DATA_DIRS+=":"${lib.concatMapStringsSep ":" (x: "${x}/share/gsettings-schemas/${x.name}") [ - glib - gsettings-desktop-schemas - gtk3 - ]}; - - # Generate wrapper mkdir -p $out/bin - cat > "$out/bin/tor-browser" << EOF - #! ${runtimeShell} - set -o errexit -o nounset - - PATH=${lib.makeBinPath [ coreutils ]} - export LC_ALL=C - export LOCALE_ARCHIVE=${glibcLocales}/lib/locale/locale-archive - - # Enter local state directory. - REAL_HOME=\''${HOME%/} - TBB_HOME=\''${TBB_HOME:-''${XDG_DATA_HOME:-\$REAL_HOME/.local/share}/tor-browser} - HOME=\$TBB_HOME - - mkdir -p "\$HOME" - cd "\$HOME" - - # Initialize empty TBB local state directory hierarchy. We - # intentionally mirror the layout that TBB would see if executed from - # the unpacked bundle dir. - mkdir -p "\$HOME/TorBrowser" "\$HOME/TorBrowser/Data" - - # Initialize the Tor data directory. - mkdir -p "\$HOME/TorBrowser/Data/Tor" - - # TBB will fail if ownership is too permissive - chmod 0700 "\$HOME/TorBrowser/Data/Tor" - - # Initialize the browser profile state. - # All files under user's profile dir are generated by TBB. - mkdir -p "\$HOME/TorBrowser/Data/Browser/profile.default" - - # Clear some files if the last known store path is different from the new one - : "\''${KNOWN_STORE_PATH:=\$HOME/known-store-path}" - if ! [ "\$KNOWN_STORE_PATH" -ef $out ]; then - echo "Cleanup files with outdated store references" - ln -Tsf $out "\$KNOWN_STORE_PATH" - - # Clear out some files that tend to capture store references but are - # easily generated by firefox at startup. 
- rm -f "\$HOME/TorBrowser/Data/Browser/profile.default"/{addonStartup.json.lz4,compatibility.ini,extensions.ini,extensions.json} - rm -f "\$HOME/TorBrowser/Data/Browser/profile.default"/startupCache/* - fi - - # XDG - : "\''${XDG_RUNTIME_DIR:=/run/user/\$(id -u)}" - : "\''${XDG_CONFIG_HOME:=\$REAL_HOME/.config}" - - ${lib.optionalString pulseaudioSupport '' - # Figure out some envvars for pulseaudio - : "\''${PULSE_SERVER:=\$XDG_RUNTIME_DIR/pulse/native}" - : "\''${PULSE_COOKIE:=\$XDG_CONFIG_HOME/pulse/cookie}" - ''} - - # Font cache files capture store paths; clear them out on the off - # chance that TBB would continue using old font files. - rm -rf "\$HOME/.cache/fontconfig" - # Manually specify data paths (by default TB attempts to create these in the store) - { - echo "user_pref(\"extensions.torlauncher.toronionauthdir_path\", \"\$HOME/TorBrowser/Data/Tor/onion-auth\");" - echo "user_pref(\"extensions.torlauncher.torrc_path\", \"\$HOME/TorBrowser/Data/Tor/torrc\");" - echo "user_pref(\"extensions.torlauncher.tordatadir_path\", \"\$HOME/TorBrowser/Data/Tor\");" - } >> "\$HOME/TorBrowser/Data/Browser/profile.default/prefs.js" - - # Lift-off - # - # XAUTHORITY and DISPLAY are required for TBB to work at all. - # - # DBUS_SESSION_BUS_ADDRESS is inherited to avoid auto-launch; to - # prevent that, set it to an empty/invalid value prior to running - # tor-browser. - # - # PULSE_SERVER is necessary for audio playback. - # - # Setting FONTCONFIG_FILE is required to make fontconfig read the TBB - # fonts.conf; upstream uses FONTCONFIG_PATH, but FC_DEBUG=1024 - # indicates the system fonts.conf being used instead. 
- # - # XDG_DATA_DIRS is set to prevent searching system dirs (looking for .desktop & icons) - exec env -i \ - LD_PRELOAD=$WRAPPER_LD_PRELOAD \ - \ - TZ=":" \ - TZDIR="\''${TZDIR:-}" \ - LOCALE_ARCHIVE="\$LOCALE_ARCHIVE" \ - \ - TMPDIR="\''${TMPDIR:-/tmp}" \ - HOME="\$HOME" \ - XAUTHORITY="\''${XAUTHORITY:-\$HOME/.Xauthority}" \ - DISPLAY="\''${DISPLAY:-}" \ - DBUS_SESSION_BUS_ADDRESS="\''${DBUS_SESSION_BUS_ADDRESS:-unix:path=\$XDG_RUNTIME_DIR/bus}" \\ - \ - XDG_DATA_HOME="\$HOME/.local/share" \ - XDG_DATA_DIRS="$WRAPPER_XDG_DATA_DIRS" \ - \ - PULSE_SERVER="\''${PULSE_SERVER:-}" \ - PULSE_COOKIE="\''${PULSE_COOKIE:-}" \ - \ - MOZ_ENABLE_WAYLAND="\''${MOZ_ENABLE_WAYLAND:-}" \ - WAYLAND_DISPLAY="\''${WAYLAND_DISPLAY:-}" \ - XDG_RUNTIME_DIR="\''${XDG_RUNTIME_DIR:-}" \ - XCURSOR_PATH="\''${XCURSOR_PATH:-}" \ - \ - APULSE_PLAYBACK_DEVICE="\''${APULSE_PLAYBACK_DEVICE:-plug:dmix}" \ - \ - TOR_SKIP_LAUNCH="\''${TOR_SKIP_LAUNCH:-}" \ - TOR_CONTROL_HOST="\''${TOR_CONTROL_HOST:-}" \ - TOR_CONTROL_PORT="\''${TOR_CONTROL_PORT:-}" \ - TOR_CONTROL_COOKIE_AUTH_FILE="\''${TOR_CONTROL_COOKIE_AUTH_FILE:-}" \ - TOR_CONTROL_PASSWD="\''${TOR_CONTROL_PASSWD:-}" \ - TOR_SOCKS_HOST="\''${TOR_SOCKS_HOST:-}" \ - TOR_SOCKS_PORT="\''${TOR_SOCKS_PORT:-}" \ - \ - FONTCONFIG_FILE="$FONTCONFIG_FILE" \ - \ - LD_LIBRARY_PATH="$libPath" \ - \ - "$TBB_IN_STORE/firefox" \ - --class "Tor Browser" \ - -no-remote \ - -profile "\$HOME/TorBrowser/Data/Browser/profile.default" \ - "\''${@}" - EOF - chmod +x $out/bin/tor-browser + makeWrapper "$TBB_IN_STORE/firefox" "$out/bin/tor-browser" \ + --prefix LD_PRELOAD : "${lib.optionalString (useHardenedMalloc == true) + "${graphene-hardened-malloc}/lib/libhardened_malloc.so"}" \ + --prefix LD_LIBRARY_PATH : "$libPath" \ + --set FONTCONFIG_FILE "$FONTCONFIG_FILE" \ + --set-default MOZ_ENABLE_WAYLAND 1 # Easier access to docs mkdir -p $out/share/doc 
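Review bot: The new `makeWrapper` call inherits the caller's environment wholesale, whereas the wrapper it replaces ran `env -i` with an explicit allowlist, pinned `TZ=":"` and `LC_ALL=C`, and confined state to a dedicated `HOME`; `--prefix LD_PRELOAD` and `--prefix LD_LIBRARY_PATH` also keep any user-supplied values after the package's own. The commit message only says "some isolation" is dropped, so a comment above the `makeWrapper` line should record that the wrapper intentionally no longer scrubs the environment and that state/profile placement is now left to upstream's system-install mode, so the regression is visible to anyone reading the derivation. `--set-default MOZ_ENABLE_WAYLAND 1` is a new default the old wrapper did not set (it passed the variable through unchanged) and is not mentioned in the commit message; it deserves a comment or a line in the description. When `useHardenedMalloc` is false the call passes `--prefix LD_PRELOAD : ""`; `makeWrapper` appears to skip empty `--prefix` values, but wrapping the whole flag in `lib.optionalString (useHardenedMalloc == true)` would make that independent of makeWrapper internals. The build script enclosing this hunk starts and ends outside it.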
@@ -447,8 +299,7 @@ stdenv.mkDerivation rec { LD_LIBRARY_PATH=$libPath $TBB_IN_STORE/TorBrowser/Tor/tor --version >/dev/null echo "Checking tor-browser wrapper ..." - TBB_HOME=$(mktemp -d) \ - $out/bin/tor-browser --version >/dev/null + $out/bin/tor-browser --version >/dev/null runHook postBuild ''; -- cgit v1.2.3
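Review bot: The wrapper check now runs `$out/bin/tor-browser --version` without the `TBB_HOME` override, so with the `system-install` marker the browser would locate its state under the build sandbox's `$HOME` if it tried to create any. This presumably works because `--version` exits before any profile or data directory is touched, but that assumption is not written down anywhere; a one-line comment such as `# --version exits before any state dir is created, so no writable HOME is needed here` would keep the next person from re-adding a temp HOME or misreading a future sandbox failure. The `postBuild`/check script around this hunk starts outside it.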