enable LTO
fix aarch64 build
fix sandbox patch to detect FIPS mode in socket sandbox
--- a/MozillaFirefox/MozillaFirefox.changes Sun Oct 17 20:19:48 2021 +0200
+++ b/MozillaFirefox/MozillaFirefox.changes Sat Oct 23 08:46:52 2021 +0200
@@ -1,4 +1,18 @@
-------------------------------------------------------------------
+Wed Oct 20 06:49:52 UTC 2021 - Martin Sirringhaus <martin.sirringhaus@suse.com>
+
+- Rebase mozilla-sandbox-fips.patch to punch another hole in the
+ sandbox containment, to be able to open /proc/sys/crypto/fips_enabled
+ from within the newly introduced socket process sandbox.
+ This fixes bsc#1191815 and bsc#1190141
+
+-------------------------------------------------------------------
+Mon Oct 18 12:44:44 UTC 2021 - Guillaume GARDET <guillaume.gardet@opensuse.org>
+
+- Add patch to fix build on aarch64 (bmo#1729124)
+ * mozilla-bmo1729124.patch
+
+-------------------------------------------------------------------
Fri Oct 1 18:33:33 UTC 2021 - Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Firefox 93.0
--- a/MozillaFirefox/MozillaFirefox.spec Sun Oct 17 20:19:48 2021 +0200
+++ b/MozillaFirefox/MozillaFirefox.spec Sat Oct 23 08:46:52 2021 +0200
@@ -227,6 +227,7 @@
Patch29: mozilla-silence-no-return-type.patch
Patch30: mozilla-bmo1725828.patch
Patch31: mozilla-bmo531915.patch
+Patch32: mozilla-bmo1729124.patch
# Firefox/browser
Patch101: firefox-kde.patch
Patch102: firefox-branded-icons.patch
@@ -357,6 +358,7 @@
%patch29 -p1
%patch30 -p1
%patch31 -p1
+%patch32 -p1
# Firefox
%patch101 -p1
%patch102 -p1
@@ -520,7 +522,7 @@
%endif
%ifarch x86_64
# LTO needs newer toolchain stack only (at least GCC 8.2.1 (r268506)
-%if 0%{?suse_version} > 1500 && 0%{?suse_version} < 1550
+%if 0%{?suse_version} > 1500
ac_add_options --enable-lto
%if 0%{?do_profiling}
ac_add_options MOZ_PGO=1
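Review bot: The new condition `%if 0%{?suse_version} > 1500` enables LTO on every release above 1500, but nothing in the commit records why the earlier `< 1550` exclusion existed or why it can now be dropped. The comment above it still mentions only the minimum GCC version, and the .changes entries added in this commit cover the aarch64 patch and the sandbox rebase but not the LTO change. I would add a .changes entry for it and a line above the condition such as `# upper bound (< 1550) removed: <reason, e.g. bug reference>`, with the placeholder filled in by the author. The `%if` block continues outside this hunk, so the matching `%endif` lines are not visible here.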
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/MozillaFirefox/mozilla-bmo1729124.patch Sat Oct 23 08:46:52 2021 +0200
@@ -0,0 +1,1 @@
+../mozilla-bmo1729124.patch
\ No newline at end of file
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/mozilla-bmo1729124.patch Sat Oct 23 08:46:52 2021 +0200
@@ -0,0 +1,50 @@
+
+# HG changeset patch
+# User Zhao Jiazhong <zhaojiazhong-hf@loongson.cn>
+# Date 1631000649 0
+# Node ID eac40293649628d32911c909219d514bebb8ce63
+# Parent 6582d77235867224aaf8621bad8ee167dfb31460
+Bug 1729124 - [MIPS64][ARM64] Fix gcc build issue. r=lth
+
+The SpecificRegs struct needs a constructor.
+
+Differential Revision: https://phabricator.services.mozilla.com/D124535
+
+diff --git a/js/src/wasm/WasmBCRegDefs.h b/js/src/wasm/WasmBCRegDefs.h
+--- a/js/src/wasm/WasmBCRegDefs.h
++++ b/js/src/wasm/WasmBCRegDefs.h
+@@ -374,25 +374,31 @@ struct SpecificRegs {
+ };
+ #elif defined(JS_CODEGEN_ARM)
+ struct SpecificRegs {
+ RegI64 abiReturnRegI64;
+
+ SpecificRegs() : abiReturnRegI64(ReturnReg64) {}
+ };
+ #elif defined(JS_CODEGEN_ARM64)
+-struct SpecificRegs {};
++struct SpecificRegs {
++ // Required by gcc.
++ SpecificRegs() {}
++};
+ #elif defined(JS_CODEGEN_MIPS32)
+ struct SpecificRegs {
+ RegI64 abiReturnRegI64;
+
+ SpecificRegs() : abiReturnRegI64(ReturnReg64) {}
+ };
+ #elif defined(JS_CODEGEN_MIPS64)
+-struct SpecificRegs {};
++struct SpecificRegs {
++ // Required by gcc.
++ SpecificRegs() {}
++};
+ #else
+ struct SpecificRegs {
+ # ifndef JS_64BIT
+ RegI64 abiReturnRegI64;
+ # endif
+
+ SpecificRegs() { MOZ_CRASH("BaseCompiler porting interface: SpecificRegs"); }
+ };
+
--- a/mozilla-sandbox-fips.patch Sun Oct 17 20:19:48 2021 +0200
+++ b/mozilla-sandbox-fips.patch Sat Oct 23 08:46:52 2021 +0200
@@ -4,15 +4,11 @@
http://bugzilla.suse.com/show_bug.cgi?id=1167132
bsc#1174284 - Firefox tab just crashed in FIPS mode
-diff --git a/security/sandbox/linux/Sandbox.cpp b/security/sandbox/linux/Sandbox.cpp
---- a/security/sandbox/linux/Sandbox.cpp
-+++ b/security/sandbox/linux/Sandbox.cpp
-@@ -650,16 +650,17 @@ void SetMediaPluginSandbox(const char* a
- SANDBOX_LOG_ERROR("failed to open plugin file %s: %s", aFilePath,
- strerror(errno));
- MOZ_CRASH("failed while trying to open the plugin file ");
- }
-
+Index: firefox-93.0/security/sandbox/linux/Sandbox.cpp
+===================================================================
+--- firefox-93.0.orig/security/sandbox/linux/Sandbox.cpp
++++ firefox-93.0/security/sandbox/linux/Sandbox.cpp
+@@ -655,6 +655,7 @@ void SetMediaPluginSandbox(const char* a
auto files = new SandboxOpenedFiles();
files->Add(std::move(plugin));
files->Add("/dev/urandom", SandboxOpenedFile::Dup::YES);
@@ -20,20 +16,11 @@
files->Add("/etc/ld.so.cache"); // Needed for NSS in clearkey.
files->Add("/sys/devices/system/cpu/cpu0/tsc_freq_khz");
files->Add("/sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq");
- files->Add("/proc/cpuinfo"); // Info also available via CPUID instruction.
- files->Add("/proc/sys/crypto/fips_enabled"); // Needed for NSS in clearkey.
- #ifdef __i386__
- files->Add("/proc/self/auxv"); // Info also in process's address space.
- #endif
-diff --git a/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp b/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp
---- a/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp
-+++ b/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp
-@@ -315,16 +315,18 @@ void SandboxBrokerPolicyFactory::InitCon
- policy->AddDir(rdwr, "/dev/dri");
- }
-
- // Bug 1575985: WASM library sandbox needs RW access to /dev/null
- policy->AddPath(rdwr, "/dev/null");
+Index: firefox-93.0/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp
+===================================================================
+--- firefox-93.0.orig/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp
++++ firefox-93.0/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp
+@@ -320,6 +320,8 @@ void SandboxBrokerPolicyFactory::InitCon
// Read permissions
policy->AddPath(rdonly, "/dev/urandom");
@@ -42,8 +29,12 @@
policy->AddPath(rdonly, "/proc/cpuinfo");
policy->AddPath(rdonly, "/proc/meminfo");
policy->AddDir(rdonly, "/sys/devices/cpu");
- policy->AddDir(rdonly, "/sys/devices/system/cpu");
- policy->AddDir(rdonly, "/lib");
- policy->AddDir(rdonly, "/lib64");
- policy->AddDir(rdonly, "/usr/lib");
- policy->AddDir(rdonly, "/usr/lib32");
+@@ -792,6 +794,8 @@ SandboxBrokerPolicyFactory::GetSocketPro
+ auto policy = MakeUnique<SandboxBroker::Policy>();
+
+ policy->AddPath(rdonly, "/dev/urandom");
++ policy->AddPath(rdonly, "/dev/random");
++ policy->AddPath(rdonly, "/proc/sys/crypto/fips_enabled");
+ policy->AddPath(rdonly, "/proc/cpuinfo");
+ policy->AddPath(rdonly, "/proc/meminfo");
+ policy->AddDir(rdonly, "/sys/devices/cpu");
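Review bot: In the new `GetSocketProcessPolicy` hunk, `/dev/random` is added to the socket process allow-list alongside `/proc/sys/crypto/fips_enabled`, but the .changes entry and the commit message justify only the FIPS flag. Every entry in a sandbox broker policy widens what a compromised socket process can read, so each one should carry its reason next to it, or be dropped if nothing needs it. I would annotate the patched line, e.g. `policy->AddPath(rdonly, "/proc/sys/crypto/fips_enabled");  // FIPS mode detection in the socket process (bsc#1191815, bsc#1190141)`, and either add a matching comment for `/dev/random` or remove that line. Both additions are single read-only files rather than directories, which keeps the exception narrow. The function body continues outside the hunk, so the rest of the policy cannot be checked from here.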
--- a/series Sun Oct 17 20:19:48 2021 +0200
+++ b/series Sat Oct 23 08:46:52 2021 +0200
@@ -25,6 +25,7 @@
mozilla-silence-no-return-type.patch
mozilla-bmo1725828.patch
mozilla-bmo531915.patch
+mozilla-bmo1729124.patch
# Firefox patches
firefox-kde.patch