From e4a12e3825990a9428f23b0344b6caad2526317e Mon Sep 17 00:00:00 2001 From: Daiki Ueno Date: Wed, 23 Jun 2021 10:47:12 +0200 Subject: flatpak: Enable loading system trust store on the host This directs the libnssckbi.so symlink to p11-kit-client.so, instead of p11-kit-trust.so, so Firefox flatpak can access the system trust store on the host. Since the /usr filesystem is read-only, this creates the link in /app/lib64, which is added to LD_LIBRARY_PATH inside flatpak. A symlink to libnss3.so also needs to be created in the same directory, to trick the directory search order in ListPossibleLoadableRootsLocations: https://hg.mozilla.org/mozilla-central/file/8e850fd29a957f505e0355c1326279e06e9040bb/security/manager/ssl/nsNSSComponent.cpp#l970 Signed-off-by: Daiki Ueno
---
 firefox.spec | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-)
diff --git a/firefox.spec b/firefox.spec
index fd950ef..b0cd7e8 100644
--- a/firefox.spec
+++ b/firefox.spec
@@ -152,7 +152,7 @@ ExcludeArch: armv7hl
 Summary: Mozilla Firefox Web browser
 Name: firefox
 Version: 89.0.2
-Release: 2%{?pre_tag}%{?dist}
+Release: 3%{?pre_tag}%{?dist}
 URL: https://www.mozilla.org/firefox/
 License: MPLv1.1 or GPLv2+ or LGPLv2+
 Source0: https://archive.mozilla.org/pub/firefox/releases/%{version}%{?pre_version}/source/firefox-%{version}%{?pre_version}.source.tar.xz
@@ -921,6 +921,17 @@ rm -rf %{buildroot}%{mozappdir}/gtk2/
 rm -f %{buildroot}%{mozappdirdev}/sdk/lib/libmozjs.so
 rm -f %{buildroot}%{mozappdirdev}/sdk/lib/libmozalloc.so
 rm -f %{buildroot}%{mozappdirdev}/sdk/lib/libxul.so
+
+# Create a symlink to replace libnssckbi.so with p11-kit-client.so
+# instead of p11-kit-trust.so, so that Firefox can see the system
+# trust store on the host through the p11-kit RPC protocol. A symlink
+# to libnss3.so is also needed, because Firefox tries to load
+# libnssckbi.so from the same directory where libnss3.so is loaded (as
+# of Firefox 89).
+%if 0%{?flatpak}
+ln -sf /usr/lib64/libnss3.so %{buildroot}%{_libdir}/libnss3.so
+ln -sf /usr/lib64/pkcs11/p11-kit-client.so %{buildroot}%{_libdir}/libnssckbi.so
+%endif
 #---------------------------------------------------------------------
 # Moves defaults/preferences to browser/defaults/preferences
@@ -1029,6 +1040,9 @@ gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || :
 #---------------------------------------------------------------------
 %changelog
+* Mon Jul 12 2021 Daiki Ueno - 89.0.2-3
+- flatpak: Enable loading system trust store on the host (rhbz#1766340)
+
 * Wed Jun 30 2021 Martin Stransky - 89.0.2-2
 - Added fix for mozbz#1715254 (rhbz#1976892).
-- cgit
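Review bot: Both `ln -sf` lines in the `%if 0%{?flatpak}` block point at hard-coded `/usr/lib64` targets that nothing in the hunk checks, and `ln -sf` succeeds on a missing target, so a runtime without `p11-kit-client.so` would ship a dangling `libnssckbi.so` without any build error. Because this link decides where Firefox gets its root CAs (the host trust store over p11-kit RPC rather than the module it would otherwise load), the comment should state the failure mode when the target or the host's p11-kit server is unavailable; presumably Firefox ends up with a different or empty root set, which should be confirmed. I would extend the comment with something like `# Requires p11-kit-client.so in the runtime and a p11-kit server reachable from the sandbox; re-verify root loading on every Firefox rebase`, since the libnss3.so link depends on a directory search order the comment itself ties to Firefox 89. The diffstat's 15 insertions are fully accounted for by the visible hunks, so no `%files` line was added; check that the existing `%files` list (outside this hunk) covers `%{_libdir}/libnss3.so` and `%{_libdir}/libnssckbi.so` in the flatpak build.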