Accepting request 927811 from mozilla:Factory

- Drop unused pkgconfig(gdk-x11-2.0) BuildRequires - (re-)enable LTO on Tumbleweed - Rebase mozilla-sandbox-fips.patch to punch another hole in the sandbox containment, to be able to open /proc/sys/crypto/fips_enabled from within the newly introduced socket process sandbox. This fixes bsc#1191815 and bsc#1190141 - Add patch to fix build on aarch64 (bmo#1729124) OBS-URL: https://build.opensuse.org/request/show/927811 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/MozillaFirefox?expand=0&rev=348
2021-10-29 20:33:08 +00:00 · 2021-10-29 20:33:08 +00:00 · 1221141379
commit 1221141379
parent 53dc001d8c 151a4b1f05
3 changed files with 35 additions and 31 deletions
--- a/MozillaFirefox.changes
+++ b/MozillaFirefox.changes
@ -1,7 +1,21 @@
+-------------------------------------------------------------------
+Tue Oct 26 19:48:24 UTC 2021 - Wolfgang Rosenauer <wr@rosenauer.org>
+
+- Drop unused pkgconfig(gdk-x11-2.0) BuildRequires
+- (re-)enable LTO on Tumbleweed
+
+-------------------------------------------------------------------
+Wed Oct 20 06:49:52 UTC 2021 - Martin Sirringhaus <martin.sirringhaus@suse.com>
+
+- Rebase mozilla-sandbox-fips.patch to punch another hole in the
+  sandbox containment, to be able to open /proc/sys/crypto/fips_enabled
+  from within the newly introduced socket process sandbox.
+  This fixes bsc#1191815 and bsc#1190141
+
 -------------------------------------------------------------------
 Mon Oct 18 12:44:44 UTC 2021 - Guillaume GARDET <guillaume.gardet@opensuse.org>

- Add patch to fix build on aarch64 - bmo#1729124 
+- Add patch to fix build on aarch64 (bmo#1729124)
  * mozilla-bmo1729124.patch

 -------------------------------------------------------------------
--- a/MozillaFirefox.spec
+++ b/MozillaFirefox.spec
@ -145,7 +145,6 @@ BuildRequires:  clang6-devel
 %else
 BuildRequires:  clang-devel >= 5
 %endif
-BuildRequires:  pkgconfig(gdk-x11-2.0)
 BuildRequires:  pkgconfig(glib-2.0) >= 2.22
 BuildRequires:  pkgconfig(gobject-2.0)
 BuildRequires:  pkgconfig(gtk+-3.0) >= 3.14.0
@ -522,7 +521,7 @@ ac_add_options --enable-optimize="-O1"
 %endif
 %ifarch x86_64
 # LTO needs newer toolchain stack only (at least GCC 8.2.1 (r268506)
-%if 0%{?suse_version} > 1500 && 0%{?suse_version} < 1550
+%if 0%{?suse_version} > 1500
 ac_add_options --enable-lto
 %if 0%{?do_profiling}
 ac_add_options MOZ_PGO=1
--- a/mozilla-sandbox-fips.patch
+++ b/mozilla-sandbox-fips.patch
@ -4,15 +4,11 @@ References:
 http://bugzilla.suse.com/show_bug.cgi?id=1167132
 bsc#1174284 - Firefox tab just crashed in FIPS mode

-diff --git a/security/sandbox/linux/Sandbox.cpp b/security/sandbox/linux/Sandbox.cpp
--- a/security/sandbox/linux/Sandbox.cpp
-+++ b/security/sandbox/linux/Sandbox.cpp
-@@ -650,16 +650,17 @@ void SetMediaPluginSandbox(const char* a
-     SANDBOX_LOG_ERROR("failed to open plugin file %s: %s", aFilePath,
-                       strerror(errno));
-     MOZ_CRASH("failed while trying to open the plugin file ");
-   }
- 
+Index: firefox-93.0/security/sandbox/linux/Sandbox.cpp
+===================================================================
+--- firefox-93.0.orig/security/sandbox/linux/Sandbox.cpp
+++ firefox-93.0/security/sandbox/linux/Sandbox.cpp
+@@ -655,6 +655,7 @@ void SetMediaPluginSandbox(const char* a
   auto files = new SandboxOpenedFiles();
   files->Add(std::move(plugin));
   files->Add("/dev/urandom", SandboxOpenedFile::Dup::YES);
@ -20,20 +16,11 @@ diff --git a/security/sandbox/linux/Sandbox.cpp b/security/sandbox/linux/Sandbox
   files->Add("/etc/ld.so.cache");  // Needed for NSS in clearkey.
   files->Add("/sys/devices/system/cpu/cpu0/tsc_freq_khz");
   files->Add("/sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq");
-   files->Add("/proc/cpuinfo");  // Info also available via CPUID instruction.
-   files->Add("/proc/sys/crypto/fips_enabled");  // Needed for NSS in clearkey.
- #ifdef __i386__
-   files->Add("/proc/self/auxv");  // Info also in process's address space.
- #endif
-diff --git a/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp b/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp
--- a/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp
-+++ b/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp
-@@ -315,16 +315,18 @@ void SandboxBrokerPolicyFactory::InitCon
-     policy->AddDir(rdwr, "/dev/dri");
-   }
- 
-   // Bug 1575985: WASM library sandbox needs RW access to /dev/null
-   policy->AddPath(rdwr, "/dev/null");
+Index: firefox-93.0/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp
+===================================================================
+--- firefox-93.0.orig/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp
+++ firefox-93.0/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp
+@@ -320,6 +320,8 @@ void SandboxBrokerPolicyFactory::InitCon
 
   // Read permissions
   policy->AddPath(rdonly, "/dev/urandom");
@ -42,8 +29,12 @@ diff --git a/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp b/secu
   policy->AddPath(rdonly, "/proc/cpuinfo");
   policy->AddPath(rdonly, "/proc/meminfo");
   policy->AddDir(rdonly, "/sys/devices/cpu");
-   policy->AddDir(rdonly, "/sys/devices/system/cpu");
-   policy->AddDir(rdonly, "/lib");
-   policy->AddDir(rdonly, "/lib64");
-   policy->AddDir(rdonly, "/usr/lib");
-   policy->AddDir(rdonly, "/usr/lib32");
+@@ -792,6 +794,8 @@ SandboxBrokerPolicyFactory::GetSocketPro
+   auto policy = MakeUnique<SandboxBroker::Policy>();
+ 
+   policy->AddPath(rdonly, "/dev/urandom");
+  policy->AddPath(rdonly, "/dev/random");
+  policy->AddPath(rdonly, "/proc/sys/crypto/fips_enabled");
+   policy->AddPath(rdonly, "/proc/cpuinfo");
+   policy->AddPath(rdonly, "/proc/meminfo");
+   policy->AddDir(rdonly, "/sys/devices/cpu");