2 Subject: allow Firefox to access addtional process information |
2 Subject: allow Firefox to access addtional process information |
3 References: |
3 References: |
4 http://bugzilla.suse.com/show_bug.cgi?id=1167132 |
4 http://bugzilla.suse.com/show_bug.cgi?id=1167132 |
5 bsc#1174284 - Firefox tab just crashed in FIPS mode |
5 bsc#1174284 - Firefox tab just crashed in FIPS mode |
6 |
6 |
7 diff --git a/security/sandbox/linux/Sandbox.cpp b/security/sandbox/linux/Sandbox.cpp |
7 Index: firefox-93.0/security/sandbox/linux/Sandbox.cpp |
8 --- a/security/sandbox/linux/Sandbox.cpp |
8 =================================================================== |
9 +++ b/security/sandbox/linux/Sandbox.cpp |
9 --- firefox-93.0.orig/security/sandbox/linux/Sandbox.cpp |
10 @@ -650,16 +650,17 @@ void SetMediaPluginSandbox(const char* a |
10 +++ firefox-93.0/security/sandbox/linux/Sandbox.cpp |
11 SANDBOX_LOG_ERROR("failed to open plugin file %s: %s", aFilePath, |
11 @@ -655,6 +655,7 @@ void SetMediaPluginSandbox(const char* a |
12 strerror(errno)); |
|
13 MOZ_CRASH("failed while trying to open the plugin file "); |
|
14 } |
|
15 |
|
16 auto files = new SandboxOpenedFiles(); |
12 auto files = new SandboxOpenedFiles(); |
17 files->Add(std::move(plugin)); |
13 files->Add(std::move(plugin)); |
18 files->Add("/dev/urandom", SandboxOpenedFile::Dup::YES); |
14 files->Add("/dev/urandom", SandboxOpenedFile::Dup::YES); |
19 + files->Add("/dev/random", SandboxOpenedFile::Dup::YES); |
15 + files->Add("/dev/random", SandboxOpenedFile::Dup::YES); |
20 files->Add("/etc/ld.so.cache"); // Needed for NSS in clearkey. |
16 files->Add("/etc/ld.so.cache"); // Needed for NSS in clearkey. |
21 files->Add("/sys/devices/system/cpu/cpu0/tsc_freq_khz"); |
17 files->Add("/sys/devices/system/cpu/cpu0/tsc_freq_khz"); |
22 files->Add("/sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq"); |
18 files->Add("/sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq"); |
23 files->Add("/proc/cpuinfo"); // Info also available via CPUID instruction. |
19 Index: firefox-93.0/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp |
24 files->Add("/proc/sys/crypto/fips_enabled"); // Needed for NSS in clearkey. |
20 =================================================================== |
25 #ifdef __i386__ |
21 --- firefox-93.0.orig/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp |
26 files->Add("/proc/self/auxv"); // Info also in process's address space. |
22 +++ firefox-93.0/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp |
27 #endif |
23 @@ -320,6 +320,8 @@ void SandboxBrokerPolicyFactory::InitCon |
28 diff --git a/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp b/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp |
|
29 --- a/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp |
|
30 +++ b/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp |
|
31 @@ -315,16 +315,18 @@ void SandboxBrokerPolicyFactory::InitCon |
|
32 policy->AddDir(rdwr, "/dev/dri"); |
|
33 } |
|
34 |
|
35 // Bug 1575985: WASM library sandbox needs RW access to /dev/null |
|
36 policy->AddPath(rdwr, "/dev/null"); |
|
37 |
24 |
38 // Read permissions |
25 // Read permissions |
39 policy->AddPath(rdonly, "/dev/urandom"); |
26 policy->AddPath(rdonly, "/dev/urandom"); |
40 + policy->AddPath(rdonly, "/dev/random"); |
27 + policy->AddPath(rdonly, "/dev/random"); |
41 + policy->AddPath(rdonly, "/proc/sys/crypto/fips_enabled"); |
28 + policy->AddPath(rdonly, "/proc/sys/crypto/fips_enabled"); |
42 policy->AddPath(rdonly, "/proc/cpuinfo"); |
29 policy->AddPath(rdonly, "/proc/cpuinfo"); |
43 policy->AddPath(rdonly, "/proc/meminfo"); |
30 policy->AddPath(rdonly, "/proc/meminfo"); |
44 policy->AddDir(rdonly, "/sys/devices/cpu"); |
31 policy->AddDir(rdonly, "/sys/devices/cpu"); |
45 policy->AddDir(rdonly, "/sys/devices/system/cpu"); |
32 @@ -792,6 +794,8 @@ SandboxBrokerPolicyFactory::GetSocketPro |
46 policy->AddDir(rdonly, "/lib"); |
33 auto policy = MakeUnique<SandboxBroker::Policy>(); |
47 policy->AddDir(rdonly, "/lib64"); |
34 |
48 policy->AddDir(rdonly, "/usr/lib"); |
35 policy->AddPath(rdonly, "/dev/urandom"); |
49 policy->AddDir(rdonly, "/usr/lib32"); |
36 + policy->AddPath(rdonly, "/dev/random"); |
|
37 + policy->AddPath(rdonly, "/proc/sys/crypto/fips_enabled"); |
|
38 policy->AddPath(rdonly, "/proc/cpuinfo"); |
|
39 policy->AddPath(rdonly, "/proc/meminfo"); |
|
40 policy->AddDir(rdonly, "/sys/devices/cpu"); |