1 From: meissner@suse.com |
1 From: meissner@suse.com, cgrobertson@suse.com |
2 Subject: allow Firefox to access addtional process information |
2 Subject: allow Firefox to access addtional process information |
3 Reference: http://bugzilla.suse.com/show_bug.cgi?id=1167132 |
3 References: |
|
4 http://bugzilla.suse.com/show_bug.cgi?id=1167132 |
|
5 bsc#1174284 - Firefox tab just crashed in FIPS mode |
4 |
6 |
5 Index: firefox-74.0/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp |
7 diff --git a/security/sandbox/linux/Sandbox.cpp b/security/sandbox/linux/Sandbox.cpp |
6 =================================================================== |
8 --- a/security/sandbox/linux/Sandbox.cpp |
7 --- firefox-74.0.orig/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp |
9 +++ b/security/sandbox/linux/Sandbox.cpp |
8 +++ firefox-74.0/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp |
10 @@ -647,16 +647,17 @@ void SetMediaPluginSandbox(const char* a |
9 @@ -276,6 +276,7 @@ SandboxBrokerPolicyFactory::SandboxBroke |
11 SANDBOX_LOG_ERROR("failed to open plugin file %s: %s", aFilePath, |
|
12 strerror(errno)); |
|
13 MOZ_CRASH("failed while trying to open the plugin file "); |
|
14 } |
|
15 |
|
16 auto files = new SandboxOpenedFiles(); |
|
17 files->Add(std::move(plugin)); |
|
18 files->Add("/dev/urandom", true); |
|
19 + files->Add("/dev/random", true); |
|
20 files->Add("/etc/ld.so.cache"); // Needed for NSS in clearkey. |
|
21 files->Add("/sys/devices/system/cpu/cpu0/tsc_freq_khz"); |
|
22 files->Add("/sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq"); |
|
23 files->Add("/proc/cpuinfo"); // Info also available via CPUID instruction. |
|
24 files->Add("/proc/sys/crypto/fips_enabled"); // Needed for NSS in clearkey. |
|
25 #ifdef __i386__ |
|
26 files->Add("/proc/self/auxv"); // Info also in process's address space. |
|
27 #endif |
|
28 diff --git a/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp b/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp |
|
29 --- a/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp |
|
30 +++ b/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp |
|
31 @@ -308,16 +308,18 @@ void SandboxBrokerPolicyFactory::InitCon |
|
32 policy->AddDir(rdwr, "/dev/dri"); |
|
33 } |
|
34 |
|
35 // Bug 1575985: WASM library sandbox needs RW access to /dev/null |
|
36 policy->AddPath(rdwr, "/dev/null"); |
10 |
37 |
11 // Read permissions |
38 // Read permissions |
12 policy->AddPath(rdonly, "/dev/urandom"); |
39 policy->AddPath(rdonly, "/dev/urandom"); |
|
40 + policy->AddPath(rdonly, "/dev/random"); |
13 + policy->AddPath(rdonly, "/proc/sys/crypto/fips_enabled"); |
41 + policy->AddPath(rdonly, "/proc/sys/crypto/fips_enabled"); |
14 policy->AddPath(rdonly, "/proc/cpuinfo"); |
42 policy->AddPath(rdonly, "/proc/cpuinfo"); |
15 policy->AddPath(rdonly, "/proc/meminfo"); |
43 policy->AddPath(rdonly, "/proc/meminfo"); |
16 policy->AddDir(rdonly, "/sys/devices/cpu"); |
44 policy->AddDir(rdonly, "/sys/devices/cpu"); |
|
45 policy->AddDir(rdonly, "/sys/devices/system/cpu"); |
|
46 policy->AddDir(rdonly, "/lib"); |
|
47 policy->AddDir(rdonly, "/lib64"); |
|
48 policy->AddDir(rdonly, "/usr/lib"); |
|
49 policy->AddDir(rdonly, "/usr/lib32"); |