mozilla: mozilla-sandbox-fips.patch@bb219fd0d646 (annotated)

1142 c5e32127317c further FIPS patch Wolfgang Rosenauer <wr@rosenauer.org> parents: 1123 diff changeset	1	From: meissner@suse.com, cgrobertson@suse.com
1123 7fa561e5d7c7 Firefox 74.0 Wolfgang Rosenauer <wr@rosenauer.org> parents: diff changeset	2	Subject: allow Firefox to access addtional process information
1142 c5e32127317c further FIPS patch Wolfgang Rosenauer <wr@rosenauer.org> parents: 1123 diff changeset	3	References:
c5e32127317c further FIPS patch Wolfgang Rosenauer <wr@rosenauer.org> parents: 1123 diff changeset	4	http://bugzilla.suse.com/show_bug.cgi?id=1167132
c5e32127317c further FIPS patch Wolfgang Rosenauer <wr@rosenauer.org> parents: 1123 diff changeset	5	bsc#1174284 - Firefox tab just crashed in FIPS mode
1123 7fa561e5d7c7 Firefox 74.0 Wolfgang Rosenauer <wr@rosenauer.org> parents: diff changeset	6
1142 c5e32127317c further FIPS patch Wolfgang Rosenauer <wr@rosenauer.org> parents: 1123 diff changeset	7	diff --git a/security/sandbox/linux/Sandbox.cpp b/security/sandbox/linux/Sandbox.cpp
c5e32127317c further FIPS patch Wolfgang Rosenauer <wr@rosenauer.org> parents: 1123 diff changeset	8	--- a/security/sandbox/linux/Sandbox.cpp
c5e32127317c further FIPS patch Wolfgang Rosenauer <wr@rosenauer.org> parents: 1123 diff changeset	9	+++ b/security/sandbox/linux/Sandbox.cpp
1164 bb219fd0d646 Firefox 93.0 Wolfgang Rosenauer <wr@rosenauer.org> parents: 1142 diff changeset	10	@@ -650,16 +650,17 @@ void SetMediaPluginSandbox(const char* a
1142 c5e32127317c further FIPS patch Wolfgang Rosenauer <wr@rosenauer.org> parents: 1123 diff changeset	11	SANDBOX_LOG_ERROR("failed to open plugin file %s: %s", aFilePath,
c5e32127317c further FIPS patch Wolfgang Rosenauer <wr@rosenauer.org> parents: 1123 diff changeset	12	strerror(errno));
c5e32127317c further FIPS patch Wolfgang Rosenauer <wr@rosenauer.org> parents: 1123 diff changeset	13	MOZ_CRASH("failed while trying to open the plugin file ");
c5e32127317c further FIPS patch Wolfgang Rosenauer <wr@rosenauer.org> parents: 1123 diff changeset	14	}
c5e32127317c further FIPS patch Wolfgang Rosenauer <wr@rosenauer.org> parents: 1123 diff changeset	15
c5e32127317c further FIPS patch Wolfgang Rosenauer <wr@rosenauer.org> parents: 1123 diff changeset	16	auto files = new SandboxOpenedFiles();
c5e32127317c further FIPS patch Wolfgang Rosenauer <wr@rosenauer.org> parents: 1123 diff changeset	17	files->Add(std::move(plugin));
1164 bb219fd0d646 Firefox 93.0 Wolfgang Rosenauer <wr@rosenauer.org> parents: 1142 diff changeset	18	files->Add("/dev/urandom", SandboxOpenedFile::Dup::YES);
bb219fd0d646 Firefox 93.0 Wolfgang Rosenauer <wr@rosenauer.org> parents: 1142 diff changeset	19	+ files->Add("/dev/random", SandboxOpenedFile::Dup::YES);
1142 c5e32127317c further FIPS patch Wolfgang Rosenauer <wr@rosenauer.org> parents: 1123 diff changeset	20	files->Add("/etc/ld.so.cache"); // Needed for NSS in clearkey.
c5e32127317c further FIPS patch Wolfgang Rosenauer <wr@rosenauer.org> parents: 1123 diff changeset	21	files->Add("/sys/devices/system/cpu/cpu0/tsc_freq_khz");
c5e32127317c further FIPS patch Wolfgang Rosenauer <wr@rosenauer.org> parents: 1123 diff changeset	22	files->Add("/sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq");
c5e32127317c further FIPS patch Wolfgang Rosenauer <wr@rosenauer.org> parents: 1123 diff changeset	23	files->Add("/proc/cpuinfo"); // Info also available via CPUID instruction.
c5e32127317c further FIPS patch Wolfgang Rosenauer <wr@rosenauer.org> parents: 1123 diff changeset	24	files->Add("/proc/sys/crypto/fips_enabled"); // Needed for NSS in clearkey.
c5e32127317c further FIPS patch Wolfgang Rosenauer <wr@rosenauer.org> parents: 1123 diff changeset	25	#ifdef __i386__
c5e32127317c further FIPS patch Wolfgang Rosenauer <wr@rosenauer.org> parents: 1123 diff changeset	26	files->Add("/proc/self/auxv"); // Info also in process's address space.
c5e32127317c further FIPS patch Wolfgang Rosenauer <wr@rosenauer.org> parents: 1123 diff changeset	27	#endif
c5e32127317c further FIPS patch Wolfgang Rosenauer <wr@rosenauer.org> parents: 1123 diff changeset	28	diff --git a/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp b/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp
c5e32127317c further FIPS patch Wolfgang Rosenauer <wr@rosenauer.org> parents: 1123 diff changeset	29	--- a/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp
c5e32127317c further FIPS patch Wolfgang Rosenauer <wr@rosenauer.org> parents: 1123 diff changeset	30	+++ b/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp
1164 bb219fd0d646 Firefox 93.0 Wolfgang Rosenauer <wr@rosenauer.org> parents: 1142 diff changeset	31	@@ -315,16 +315,18 @@ void SandboxBrokerPolicyFactory::InitCon
1142 c5e32127317c further FIPS patch Wolfgang Rosenauer <wr@rosenauer.org> parents: 1123 diff changeset	32	policy->AddDir(rdwr, "/dev/dri");
c5e32127317c further FIPS patch Wolfgang Rosenauer <wr@rosenauer.org> parents: 1123 diff changeset	33	}
c5e32127317c further FIPS patch Wolfgang Rosenauer <wr@rosenauer.org> parents: 1123 diff changeset	34
c5e32127317c further FIPS patch Wolfgang Rosenauer <wr@rosenauer.org> parents: 1123 diff changeset	35	// Bug 1575985: WASM library sandbox needs RW access to /dev/null
c5e32127317c further FIPS patch Wolfgang Rosenauer <wr@rosenauer.org> parents: 1123 diff changeset	36	policy->AddPath(rdwr, "/dev/null");
1123 7fa561e5d7c7 Firefox 74.0 Wolfgang Rosenauer <wr@rosenauer.org> parents: diff changeset	37
7fa561e5d7c7 Firefox 74.0 Wolfgang Rosenauer <wr@rosenauer.org> parents: diff changeset	38	// Read permissions
7fa561e5d7c7 Firefox 74.0 Wolfgang Rosenauer <wr@rosenauer.org> parents: diff changeset	39	policy->AddPath(rdonly, "/dev/urandom");
1142 c5e32127317c further FIPS patch Wolfgang Rosenauer <wr@rosenauer.org> parents: 1123 diff changeset	40	+ policy->AddPath(rdonly, "/dev/random");
1123 7fa561e5d7c7 Firefox 74.0 Wolfgang Rosenauer <wr@rosenauer.org> parents: diff changeset	41	+ policy->AddPath(rdonly, "/proc/sys/crypto/fips_enabled");
7fa561e5d7c7 Firefox 74.0 Wolfgang Rosenauer <wr@rosenauer.org> parents: diff changeset	42	policy->AddPath(rdonly, "/proc/cpuinfo");
7fa561e5d7c7 Firefox 74.0 Wolfgang Rosenauer <wr@rosenauer.org> parents: diff changeset	43	policy->AddPath(rdonly, "/proc/meminfo");
7fa561e5d7c7 Firefox 74.0 Wolfgang Rosenauer <wr@rosenauer.org> parents: diff changeset	44	policy->AddDir(rdonly, "/sys/devices/cpu");
1142 c5e32127317c further FIPS patch Wolfgang Rosenauer <wr@rosenauer.org> parents: 1123 diff changeset	45	policy->AddDir(rdonly, "/sys/devices/system/cpu");
c5e32127317c further FIPS patch Wolfgang Rosenauer <wr@rosenauer.org> parents: 1123 diff changeset	46	policy->AddDir(rdonly, "/lib");
c5e32127317c further FIPS patch Wolfgang Rosenauer <wr@rosenauer.org> parents: 1123 diff changeset	47	policy->AddDir(rdonly, "/lib64");
c5e32127317c further FIPS patch Wolfgang Rosenauer <wr@rosenauer.org> parents: 1123 diff changeset	48	policy->AddDir(rdonly, "/usr/lib");
c5e32127317c further FIPS patch Wolfgang Rosenauer <wr@rosenauer.org> parents: 1123 diff changeset	49	policy->AddDir(rdonly, "/usr/lib32");

author	Wolfgang Rosenauer <wr@rosenauer.org>
	Sun, 17 Oct 2021 20:19:48 +0200
branch	firefox93
changeset 1164	bb219fd0d646
parent 1142	c5e32127317c
child 1165	e009fde1282b
permissions	-rw-r--r--