From 07e2068a94e5c065693fa9c9ae7d669bb190b8677d7417c5d2a4c124de43cc77 Mon Sep 17 00:00:00 2001 From: Wolfgang Rosenauer Date: Thu, 21 Oct 2021 06:51:24 +0000 Subject: [PATCH 1/4] Accepting request 926488 from home:MSirringhaus:branches:mozilla:Factory - Rebase mozilla-sandbox-fips.patch to punch another hole in the sandbox containment, to be able to open /proc/sys/crypto/fips_enabled from within the newly introduced socket process sandbox. This fixes bsc#1191815 and bsc#1190141 OBS-URL: https://build.opensuse.org/request/show/926488 OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=938 --- MozillaFirefox.changes | 8 +++++++ mozilla-sandbox-fips.patch | 47 +++++++++++++++----------------------- 2 files changed, 27 insertions(+), 28 deletions(-) diff --git a/MozillaFirefox.changes b/MozillaFirefox.changes index d75b3c0c..6c2fe80a 100644 --- a/MozillaFirefox.changes +++ b/MozillaFirefox.changes @@ -1,3 +1,11 @@ +------------------------------------------------------------------- +Wed Oct 20 06:49:52 UTC 2021 - Martin Sirringhaus + +- Rebase mozilla-sandbox-fips.patch to punch another hole in the + sandbox containment, to be able to open /proc/sys/crypto/fips_enabled + from within the newly introduced socket process sandbox. + This fixes bsc#1191815 and bsc#1190141 + ------------------------------------------------------------------- Mon Oct 18 12:44:44 UTC 2021 - Guillaume GARDET diff --git a/mozilla-sandbox-fips.patch b/mozilla-sandbox-fips.patch index 8381299f..fda8b550 100644 --- a/mozilla-sandbox-fips.patch +++ b/mozilla-sandbox-fips.patch 
@@ -4,15 +4,11 @@ References: http://bugzilla.suse.com/show_bug.cgi?id=1167132 bsc#1174284 - Firefox tab just crashed in FIPS mode -diff --git a/security/sandbox/linux/Sandbox.cpp b/security/sandbox/linux/Sandbox.cpp ---- a/security/sandbox/linux/Sandbox.cpp -+++ b/security/sandbox/linux/Sandbox.cpp -@@ -650,16 +650,17 @@ void SetMediaPluginSandbox(const char* a - SANDBOX_LOG_ERROR("failed to open plugin file %s: %s", aFilePath, - strerror(errno)); - MOZ_CRASH("failed while trying to open the plugin file "); - } - +Index: firefox-93.0/security/sandbox/linux/Sandbox.cpp +=================================================================== +--- firefox-93.0.orig/security/sandbox/linux/Sandbox.cpp ++++ firefox-93.0/security/sandbox/linux/Sandbox.cpp +@@ -655,6 +655,7 @@ void SetMediaPluginSandbox(const char* a auto files = new SandboxOpenedFiles(); files->Add(std::move(plugin)); files->Add("/dev/urandom", SandboxOpenedFile::Dup::YES); @@ -20,20 +16,11 @@ 
diff --git a/security/sandbox/linux/Sandbox.cpp b/security/sandbox/linux/Sandbox files->Add("/etc/ld.so.cache"); // Needed for NSS in clearkey. files->Add("/sys/devices/system/cpu/cpu0/tsc_freq_khz"); files->Add("/sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq"); - files->Add("/proc/cpuinfo"); // Info also available via CPUID instruction. - files->Add("/proc/sys/crypto/fips_enabled"); // Needed for NSS in clearkey. - #ifdef __i386__ - files->Add("/proc/self/auxv"); // Info also in process's address space. - #endif -diff --git a/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp b/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp ---- a/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp -+++ b/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp -@@ -315,16 +315,18 @@ void SandboxBrokerPolicyFactory::InitCon - policy->AddDir(rdwr, "/dev/dri"); - } - - // Bug 1575985: WASM library sandbox needs RW access to /dev/null - policy->AddPath(rdwr, "/dev/null"); +Index: firefox-93.0/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp +=================================================================== +--- firefox-93.0.orig/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp ++++ firefox-93.0/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp +@@ -320,6 +320,8 @@ void SandboxBrokerPolicyFactory::InitCon // Read permissions policy->AddPath(rdonly, "/dev/urandom"); @@ -42,8 +29,12 @@ 
diff --git a/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp b/secu policy->AddPath(rdonly, "/proc/cpuinfo"); policy->AddPath(rdonly, "/proc/meminfo"); policy->AddDir(rdonly, "/sys/devices/cpu"); - policy->AddDir(rdonly, "/sys/devices/system/cpu"); - policy->AddDir(rdonly, "/lib"); - policy->AddDir(rdonly, "/lib64"); - policy->AddDir(rdonly, "/usr/lib"); - policy->AddDir(rdonly, "/usr/lib32"); +@@ -792,6 +794,8 @@ SandboxBrokerPolicyFactory::GetSocketPro + auto policy = MakeUnique(); + + policy->AddPath(rdonly, "/dev/urandom"); ++ policy->AddPath(rdonly, "/dev/random"); ++ policy->AddPath(rdonly, "/proc/sys/crypto/fips_enabled"); + policy->AddPath(rdonly, "/proc/cpuinfo"); + policy->AddPath(rdonly, "/proc/meminfo"); + policy->AddDir(rdonly, "/sys/devices/cpu"); From 7f5ab49250d92e7de6ae0de5e7d6d8bb5af82efa01f9fe982fd55018d4715564 Mon Sep 17 00:00:00 2001 From: Wolfgang Rosenauer Date: Wed, 27 Oct 2021 15:31:17 +0000 Subject: [PATCH 2/4] Accepting request 927257 from home:marxin:branches:mozilla:Factory - Enable LTO for openSUSE Tumbleweed. OBS-URL: https://build.opensuse.org/request/show/927257 OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=939 --- MozillaFirefox.changes | 5 +++++ MozillaFirefox.spec | 2 +- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/MozillaFirefox.changes b/MozillaFirefox.changes index 6c2fe80a..eb6a86d9 100644 --- a/MozillaFirefox.changes +++ b/MozillaFirefox.changes @@ -1,3 +1,8 @@ +------------------------------------------------------------------- +Mon Oct 25 08:13:55 UTC 2021 - Martin Liška + +- Enable LTO for openSUSE Tumbleweed. + ------------------------------------------------------------------- Wed Oct 20 06:49:52 UTC 2021 - Martin Sirringhaus diff --git a/MozillaFirefox.spec b/MozillaFirefox.spec index 4a4e09d1..f9e7c83a 100644 --- a/MozillaFirefox.spec +++ b/MozillaFirefox.spec 
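Review bot: The two entries added to the socket process policy in the new `GetSocketProcessPolicy` hunk have no comment saying why they are allowed, unlike the `// Needed for NSS in clearkey.` annotations on the media-plugin file list in the Sandbox.cpp part of this patch. Each entry widens what the sandboxed socket process can ask the broker to open, so I would annotate the `fips_enabled` line with something like `// Presumably read by NSS to detect FIPS mode (bsc#1191815, bsc#1190141)`. The `/dev/random` line should say why `/dev/urandom` alone is not sufficient. Both paths are added `rdonly` and unconditionally, so they also apply on systems that are not in FIPS mode; if that is intended, the comment should say so. The function body continues outside the hunk.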
@@ -522,7 +522,7 @@ ac_add_options --enable-optimize="-O1" %endif %ifarch x86_64 # LTO needs newer toolchain stack only (at least GCC 8.2.1 (r268506) -%if 0%{?suse_version} > 1500 && 0%{?suse_version} < 1550 +%if 0%{?suse_version} > 1500 ac_add_options --enable-lto %if 0%{?do_profiling} ac_add_options MOZ_PGO=1 From ae15405da484573c88b2fbd0945592994adf900ea16406deddc207310679167e Mon Sep 17 00:00:00 2001 From: Wolfgang Rosenauer Date: Wed, 27 Oct 2021 15:31:55 +0000 Subject: [PATCH 3/4] Accepting request 927437 from home:iznogood:branches:mozilla:Factory - Drop unused pkgconfig(gdk-x11-2.0) BuildRequires. OBS-URL: https://build.opensuse.org/request/show/927437 OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=940 --- MozillaFirefox.changes | 5 +++++ MozillaFirefox.spec | 1 - 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/MozillaFirefox.changes b/MozillaFirefox.changes index eb6a86d9..47a63aba 100644 --- a/MozillaFirefox.changes +++ b/MozillaFirefox.changes @@ -1,3 +1,8 @@ +------------------------------------------------------------------- +Mon Oct 25 15:31:31 UTC 2021 - Bjørn Lie + +- Drop unused pkgconfig(gdk-x11-2.0) BuildRequires. + ------------------------------------------------------------------- Mon Oct 25 08:13:55 UTC 2021 - Martin Liška diff --git a/MozillaFirefox.spec b/MozillaFirefox.spec index f9e7c83a..449d38a3 100644 --- a/MozillaFirefox.spec +++ b/MozillaFirefox.spec @@ -145,7 +145,6 @@ BuildRequires: clang6-devel %else BuildRequires: clang-devel >= 5 %endif -BuildRequires: pkgconfig(gdk-x11-2.0) BuildRequires: pkgconfig(glib-2.0) >= 2.22 BuildRequires: pkgconfig(gobject-2.0) BuildRequires: pkgconfig(gtk+-3.0) >= 3.14.0 From 151a4b1f054dc86a462902ef5e918dd019649b343d06ff7a35b54b9ce8f4d143 Mon Sep 17 00:00:00 2001 
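Review bot: The comment above the changed `%if` still only names the minimum toolchain and does not record why the `< 1550` upper bound existed or what made it safe to drop. With the bound removed, `ac_add_options --enable-lto` (and `MOZ_PGO=1` when `do_profiling` is set) applies to every `suse_version` above 1500 on x86_64, including future ones. I would add a line such as `# upper bound (< 1550) dropped to enable LTO on Tumbleweed, see request 927257`, and close the unbalanced parenthesis in the existing comment. The `%if` block continues outside the hunk.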
From: Wolfgang Rosenauer Date: Wed, 27 Oct 2021 15:33:17 +0000 Subject: [PATCH 4/4] - Drop unused pkgconfig(gdk-x11-2.0) BuildRequires - (re-)enable LTO on Tumbleweed sandbox containment, to be able to open /proc/sys/crypto/fips_enabled - Add patch to fix build on aarch64 (bmo#1729124) OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=941 --- MozillaFirefox.changes | 14 +++++--------- 1 file changed, 5 insertions(+), 9 deletions(-) diff --git a/MozillaFirefox.changes b/MozillaFirefox.changes index 47a63aba..33022c39 100644 --- a/MozillaFirefox.changes +++ b/MozillaFirefox.changes @@ -1,25 +1,21 @@ ------------------------------------------------------------------- -Mon Oct 25 15:31:31 UTC 2021 - Bjørn Lie +Tue Oct 26 19:48:24 UTC 2021 - Wolfgang Rosenauer -- Drop unused pkgconfig(gdk-x11-2.0) BuildRequires. - -------------------------------------------------------------------- -Mon Oct 25 08:13:55 UTC 2021 - Martin Liška - -- Enable LTO for openSUSE Tumbleweed. +- Drop unused pkgconfig(gdk-x11-2.0) BuildRequires +- (re-)enable LTO on Tumbleweed ------------------------------------------------------------------- Wed Oct 20 06:49:52 UTC 2021 - Martin Sirringhaus - Rebase mozilla-sandbox-fips.patch to punch another hole in the - sandbox containment, to be able to open /proc/sys/crypto/fips_enabled + sandbox containment, to be able to open /proc/sys/crypto/fips_enabled from within the newly introduced socket process sandbox. This fixes bsc#1191815 and bsc#1190141 ------------------------------------------------------------------- Mon Oct 18 12:44:44 UTC 2021 - Guillaume GARDET -- Add patch to fix build on aarch64 - bmo#1729124 +- Add patch to fix build on aarch64 (bmo#1729124) * mozilla-bmo1729124.patch -------------------------------------------------------------------