mozilla-sandbox-fips.patch
author Wolfgang Rosenauer <wr@rosenauer.org>
Sat, 04 Dec 2021 11:19:16 +0100
branchfirefox94
changeset 1168 c384af864671
parent 1165 e009fde1282b
permissions -rw-r--r--
Firefox 94.0.2
From: meissner@suse.com, cgrobertson@suse.com
Subject: allow Firefox to access additional process information
References:
http://bugzilla.suse.com/show_bug.cgi?id=1167132
bsc#1174284 - Firefox tab just crashed in FIPS mode
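Index: firefox-93.0/security/sandbox/linux/Sandbox.cpp
===================================================================
--- firefox-93.0.orig/security/sandbox/linux/Sandbox.cpp
+++ firefox-93.0/security/sandbox/linux/Sandbox.cpp
@@ -655,6 +655,7 @@ void SetMediaPluginSandbox(const char* a
   auto files = new SandboxOpenedFiles();
   files->Add(std::move(plugin));
   files->Add("/dev/urandom", SandboxOpenedFile::Dup::YES);
+  files->Add("/dev/random", SandboxOpenedFile::Dup::YES);
   files->Add("/etc/ld.so.cache");  // Needed for NSS in clearkey.
   files->Add("/sys/devices/system/cpu/cpu0/tsc_freq_khz");
   files->Add("/sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq");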
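Index: firefox-93.0/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp
===================================================================
--- firefox-93.0.orig/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp
+++ firefox-93.0/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp
@@ -320,6 +320,8 @@ void SandboxBrokerPolicyFactory::InitCon
 
   // Read permissions
   policy->AddPath(rdonly, "/dev/urandom");
+  policy->AddPath(rdonly, "/dev/random");
+  policy->AddPath(rdonly, "/proc/sys/crypto/fips_enabled");
   policy->AddPath(rdonly, "/proc/cpuinfo");
   policy->AddPath(rdonly, "/proc/meminfo");
   policy->AddDir(rdonly, "/sys/devices/cpu");
@@ -792,6 +794,8 @@ SandboxBrokerPolicyFactory::GetSocketPro
   auto policy = MakeUnique<SandboxBroker::Policy>();
 
   policy->AddPath(rdonly, "/dev/urandom");
+  policy->AddPath(rdonly, "/dev/random");
+  policy->AddPath(rdonly, "/proc/sys/crypto/fips_enabled");
   policy->AddPath(rdonly, "/proc/cpuinfo");
   policy->AddPath(rdonly, "/proc/meminfo");
   policy->AddDir(rdonly, "/sys/devices/cpu");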
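Review bot: Both hunks widen the content and socket-process broker policies with `/dev/random` unconditionally, including on hosts that are not running in FIPS mode, where nothing in this patch indicates the extra path is needed; since the policy factory builds these policies before the child is sandboxed (in the parent, if I read this right), it could read `/proc/sys/crypto/fips_enabled` once and only add `/dev/random` when that reports `1`, leaving the non-FIPS policy as tight as before. The `/proc/sys/crypto/fips_enabled` entries themselves are a read-only, single-value sysctl and are harmless. The same two lines are now repeated in two policies with no marker linking them to the bug; a comment such as `// FIPS mode: NSS needs these (bsc#1174284).` on each would keep a later cleanup from dropping one copy. As with urandom, the read happens in the sandboxed process on the descriptor the broker opens, so on pre-5.6 kernels a `/dev/random` read can block until the pool is seeded. Both enclosing functions (InitContentPolicy and the one whose name is truncated to `GetSocketPro` in the hunk header) start and end outside their hunks.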