# HG changeset patch # User Wolfgang Rosenauer # Date 1634971612 -7200 # Node ID e009fde1282b959bc5bb447e9251fad8ef5dea46 # Parent bb219fd0d64637105926fd90f1e7eaf75971ef7f enable LTO fix aarch64 build fix sandbox patch to detect FIPS mode in socket sandbox diff -r bb219fd0d646 -r e009fde1282b MozillaFirefox/MozillaFirefox.changes --- a/MozillaFirefox/MozillaFirefox.changes Sun Oct 17 20:19:48 2021 +0200 +++ b/MozillaFirefox/MozillaFirefox.changes Sat Oct 23 08:46:52 2021 +0200 @@ -1,4 +1,18 @@ ------------------------------------------------------------------- +Wed Oct 20 06:49:52 UTC 2021 - Martin Sirringhaus + +- Rebase mozilla-sandbox-fips.patch to punch another hole in the + sandbox containment, to be able to open /proc/sys/crypto/fips_enabled + from within the newly introduced socket process sandbox. + This fixes bsc#1191815 and bsc#1190141 + +------------------------------------------------------------------- +Mon Oct 18 12:44:44 UTC 2021 - Guillaume GARDET + +- Add patch to fix build on aarch64 (bmo#1729124) + * mozilla-bmo1729124.patch + +------------------------------------------------------------------- Fri Oct 1 18:33:33 UTC 2021 - Wolfgang Rosenauer - Mozilla Firefox 93.0 diff -r bb219fd0d646 -r e009fde1282b MozillaFirefox/MozillaFirefox.spec --- a/MozillaFirefox/MozillaFirefox.spec Sun Oct 17 20:19:48 2021 +0200 +++ b/MozillaFirefox/MozillaFirefox.spec Sat Oct 23 08:46:52 2021 +0200 @@ -227,6 +227,7 @@ Patch29: mozilla-silence-no-return-type.patch Patch30: mozilla-bmo1725828.patch Patch31: mozilla-bmo531915.patch +Patch32: mozilla-bmo1729124.patch # Firefox/browser Patch101: firefox-kde.patch Patch102: firefox-branded-icons.patch @@ -357,6 +358,7 @@ %patch29 -p1 %patch30 -p1 %patch31 -p1 +%patch32 -p1 # Firefox %patch101 -p1 %patch102 -p1 
@@ -520,7 +522,7 @@
 %endif
 %ifarch x86_64
 # LTO needs newer toolchain stack only (at least GCC 8.2.1 (r268506)
-%if 0%{?suse_version} > 1500 && 0%{?suse_version} < 1550
+%if 0%{?suse_version} > 1500
 ac_add_options --enable-lto
 %if 0%{?do_profiling}
 ac_add_options MOZ_PGO=1
diff -r bb219fd0d646 -r e009fde1282b MozillaFirefox/mozilla-bmo1729124.patch
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/MozillaFirefox/mozilla-bmo1729124.patch Sat Oct 23 08:46:52 2021 +0200
@@ -0,0 +1,1 @@
+../mozilla-bmo1729124.patch
\ No newline at end of file
diff -r bb219fd0d646 -r e009fde1282b mozilla-bmo1729124.patch
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/mozilla-bmo1729124.patch Sat Oct 23 08:46:52 2021 +0200
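Review bot: The comment above the changed `%if` in the `@@ -520,7 +522,7 @@` hunk still documents only the lower toolchain bound, while the new condition drops `0%{?suse_version} < 1550`, so `ac_add_options --enable-lto` now applies to every x86_64 target newer than 1500. Nothing visible here records why the cap existed or why it can go; if the reason is that the newer toolchain now builds with LTO, a line such as `# no upper bound on suse_version: LTO also builds with the newer toolchain` would say so. The existing comment also has an unbalanced parenthesis after `(r268506)`. The `%if` block is closed outside the hunk.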
@@ -0,0 +1,50 @@
+
+# HG changeset patch
+# User Zhao Jiazhong
+# Date 1631000649 0
+# Node ID eac40293649628d32911c909219d514bebb8ce63
+# Parent 6582d77235867224aaf8621bad8ee167dfb31460
+Bug 1729124 - [MIPS64][ARM64] Fix gcc build issue. r=lth
+
+The SpecificRegs struct needs a constructor.
+
+Differential Revision: https://phabricator.services.mozilla.com/D124535
+
+diff --git a/js/src/wasm/WasmBCRegDefs.h b/js/src/wasm/WasmBCRegDefs.h
+--- a/js/src/wasm/WasmBCRegDefs.h
++++ b/js/src/wasm/WasmBCRegDefs.h
+@@ -374,25 +374,31 @@ struct SpecificRegs {
+ };
+ #elif defined(JS_CODEGEN_ARM)
+ struct SpecificRegs {
+ RegI64 abiReturnRegI64;
+
+ SpecificRegs() : abiReturnRegI64(ReturnReg64) {}
+ };
+ #elif defined(JS_CODEGEN_ARM64)
+-struct SpecificRegs {};
++struct SpecificRegs {
++ // Required by gcc.
++ SpecificRegs() {}
++};
+ #elif defined(JS_CODEGEN_MIPS32)
+ struct SpecificRegs {
+ RegI64 abiReturnRegI64;
+
+ SpecificRegs() : abiReturnRegI64(ReturnReg64) {}
+ };
+ #elif defined(JS_CODEGEN_MIPS64)
+-struct SpecificRegs {};
++struct SpecificRegs {
++ // Required by gcc.
++ SpecificRegs() {}
++};
+ #else
+ struct SpecificRegs {
+ # ifndef JS_64BIT
+ RegI64 abiReturnRegI64;
+ # endif
+
+ SpecificRegs() { MOZ_CRASH("BaseCompiler porting interface: SpecificRegs"); }
+ };
+
diff -r bb219fd0d646 -r e009fde1282b mozilla-sandbox-fips.patch
--- a/mozilla-sandbox-fips.patch Sun Oct 17 20:19:48 2021 +0200
+++ b/mozilla-sandbox-fips.patch Sat Oct 23 08:46:52 2021 +0200
@@ -4,15 +4,11 @@ http://bugzilla.suse.com/show_bug.cgi?id=1167132 bsc#1174284 - Firefox tab just crashed in FIPS mode -diff --git a/security/sandbox/linux/Sandbox.cpp b/security/sandbox/linux/Sandbox.cpp ---- a/security/sandbox/linux/Sandbox.cpp -+++ b/security/sandbox/linux/Sandbox.cpp -@@ -650,16 +650,17 @@ void SetMediaPluginSandbox(const char* a - SANDBOX_LOG_ERROR("failed to open plugin file %s: %s", aFilePath, - strerror(errno)); - MOZ_CRASH("failed while trying to open the plugin file "); - } - +Index: firefox-93.0/security/sandbox/linux/Sandbox.cpp +=================================================================== +--- firefox-93.0.orig/security/sandbox/linux/Sandbox.cpp ++++ firefox-93.0/security/sandbox/linux/Sandbox.cpp +@@ -655,6 +655,7 @@ void SetMediaPluginSandbox(const char* a auto files = new SandboxOpenedFiles(); files->Add(std::move(plugin)); files->Add("/dev/urandom", SandboxOpenedFile::Dup::YES); 
@@ -20,20 +16,11 @@ files->Add("/etc/ld.so.cache"); // Needed for NSS in clearkey. files->Add("/sys/devices/system/cpu/cpu0/tsc_freq_khz"); files->Add("/sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq"); - files->Add("/proc/cpuinfo"); // Info also available via CPUID instruction. - files->Add("/proc/sys/crypto/fips_enabled"); // Needed for NSS in clearkey. - #ifdef __i386__ - files->Add("/proc/self/auxv"); // Info also in process's address space. - #endif -diff --git a/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp b/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp ---- a/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp -+++ b/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp -@@ -315,16 +315,18 @@ void SandboxBrokerPolicyFactory::InitCon - policy->AddDir(rdwr, "/dev/dri"); - } - - // Bug 1575985: WASM library sandbox needs RW access to /dev/null - policy->AddPath(rdwr, "/dev/null"); +Index: firefox-93.0/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp +=================================================================== +--- firefox-93.0.orig/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp ++++ firefox-93.0/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp +@@ -320,6 +320,8 @@ void SandboxBrokerPolicyFactory::InitCon // Read permissions policy->AddPath(rdonly, "/dev/urandom"); 
@@ -42,8 +29,12 @@ policy->AddPath(rdonly, "/proc/cpuinfo"); policy->AddPath(rdonly, "/proc/meminfo"); policy->AddDir(rdonly, "/sys/devices/cpu"); - policy->AddDir(rdonly, "/sys/devices/system/cpu"); - policy->AddDir(rdonly, "/lib"); - policy->AddDir(rdonly, "/lib64"); - policy->AddDir(rdonly, "/usr/lib"); - policy->AddDir(rdonly, "/usr/lib32"); +@@ -792,6 +794,8 @@ SandboxBrokerPolicyFactory::GetSocketPro + auto policy = MakeUnique(); + + policy->AddPath(rdonly, "/dev/urandom"); ++ policy->AddPath(rdonly, "/dev/random"); ++ policy->AddPath(rdonly, "/proc/sys/crypto/fips_enabled"); + policy->AddPath(rdonly, "/proc/cpuinfo"); + policy->AddPath(rdonly, "/proc/meminfo"); + policy->AddDir(rdonly, "/sys/devices/cpu"); diff -r bb219fd0d646 -r e009fde1282b series --- a/series Sun Oct 17 20:19:48 2021 +0200 +++ b/series Sat Oct 23 08:46:52 2021 +0200 @@ -25,6 +25,7 @@ mozilla-silence-no-return-type.patch mozilla-bmo1725828.patch mozilla-bmo531915.patch +mozilla-bmo1729124.patch # Firefox patches firefox-kde.patch
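Review bot: The two read allowances added to the socket process policy in the new `GetSocketProcessPolicy` hunk of mozilla-sandbox-fips.patch carry no comment, and `/dev/random` is not mentioned in the changelog entry, which justifies only `/proc/sys/crypto/fips_enabled`. Each broker-policy exception widens what a compromised socket process can read, so the reason should sit next to the line, for example `// bsc#1191815, bsc#1190141: needed to detect FIPS mode in the socket process` above the `fips_enabled` entry and a matching reason for `/dev/random`. The patch header shown in the first hunk still lists only bsc#1167132 and bsc#1174284; adding the two new bug numbers there would keep the justification with the patch. The inner hunks now carry three lines of context, and the trailing context (`/proc/cpuinfo`, `/proc/meminfo`, `/sys/devices/cpu`) is identical in the content and socket policy hunks, so it is worth confirming on each rebase that both apply without offset or fuzz.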