further FIPS patch
(from https://github.com/openSUSE/firefox-maintenance/commit/23d322af9566055af016e6e409dcc3c9856c3666)
--- a/MozillaFirefox/MozillaFirefox.changes Tue Aug 25 21:27:22 2020 +0200
+++ b/MozillaFirefox/MozillaFirefox.changes Tue Aug 25 21:31:17 2020 +0200
@@ -1,4 +1,9 @@
-------------------------------------------------------------------
+Tue Aug 25 19:30:15 UTC 2020 - Wolfgang Rosenauer <wr@rosenauer.org>
+
+- more whitelisting for sandbox in relation to FIPS (bsc#1174284)
+
+-------------------------------------------------------------------
Sat Aug 22 06:52:01 UTC 2020 - Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Firefox 80.0
--- a/mozilla-sandbox-fips.patch Tue Aug 25 21:27:22 2020 +0200
+++ b/mozilla-sandbox-fips.patch Tue Aug 25 21:31:17 2020 +0200
@@ -1,16 +1,49 @@
-From: meissner@suse.com
+From: meissner@suse.com, cgrobertson@suse.com
Subject: allow Firefox to access addtional process information
-Reference: http://bugzilla.suse.com/show_bug.cgi?id=1167132
+References:
+http://bugzilla.suse.com/show_bug.cgi?id=1167132
+bsc#1174284 - Firefox tab just crashed in FIPS mode
-Index: firefox-74.0/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp
-===================================================================
---- firefox-74.0.orig/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp
-+++ firefox-74.0/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp
-@@ -276,6 +276,7 @@ SandboxBrokerPolicyFactory::SandboxBroke
+diff --git a/security/sandbox/linux/Sandbox.cpp b/security/sandbox/linux/Sandbox.cpp
+--- a/security/sandbox/linux/Sandbox.cpp
++++ b/security/sandbox/linux/Sandbox.cpp
+@@ -647,16 +647,17 @@ void SetMediaPluginSandbox(const char* a
+ SANDBOX_LOG_ERROR("failed to open plugin file %s: %s", aFilePath,
+ strerror(errno));
+ MOZ_CRASH("failed while trying to open the plugin file ");
+ }
+
+ auto files = new SandboxOpenedFiles();
+ files->Add(std::move(plugin));
+ files->Add("/dev/urandom", true);
++ files->Add("/dev/random", true);
+ files->Add("/etc/ld.so.cache"); // Needed for NSS in clearkey.
+ files->Add("/sys/devices/system/cpu/cpu0/tsc_freq_khz");
+ files->Add("/sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq");
+ files->Add("/proc/cpuinfo"); // Info also available via CPUID instruction.
+ files->Add("/proc/sys/crypto/fips_enabled"); // Needed for NSS in clearkey.
+ #ifdef __i386__
+ files->Add("/proc/self/auxv"); // Info also in process's address space.
+ #endif
+diff --git a/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp b/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp
+--- a/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp
++++ b/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp
+@@ -308,16 +308,18 @@ void SandboxBrokerPolicyFactory::InitCon
+ policy->AddDir(rdwr, "/dev/dri");
+ }
+
+ // Bug 1575985: WASM library sandbox needs RW access to /dev/null
+ policy->AddPath(rdwr, "/dev/null");
// Read permissions
policy->AddPath(rdonly, "/dev/urandom");
++ policy->AddPath(rdonly, "/dev/random");
+ policy->AddPath(rdonly, "/proc/sys/crypto/fips_enabled");
policy->AddPath(rdonly, "/proc/cpuinfo");
policy->AddPath(rdonly, "/proc/meminfo");
policy->AddDir(rdonly, "/sys/devices/cpu");
+ policy->AddDir(rdonly, "/sys/devices/system/cpu");
+ policy->AddDir(rdonly, "/lib");
+ policy->AddDir(rdonly, "/lib64");
+ policy->AddDir(rdonly, "/usr/lib");
+ policy->AddDir(rdonly, "/usr/lib32");