mozilla-sandbox-fips.patch
branchfirefox80
changeset 1142 c5e32127317c
parent 1123 7fa561e5d7c7
1141:edb0ebe8cccc 1142:c5e32127317c
     1 From: meissner@suse.com
     1 From: meissner@suse.com, cgrobertson@suse.com
     2 Subject: allow Firefox to access addtional process information
     2 Subject: allow Firefox to access addtional process information
     3 Reference: http://bugzilla.suse.com/show_bug.cgi?id=1167132
     3 References:
       
     4 http://bugzilla.suse.com/show_bug.cgi?id=1167132
       
     5 bsc#1174284 - Firefox tab just crashed in FIPS mode
     4 
     6 
     5 Index: firefox-74.0/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp
     7 diff --git a/security/sandbox/linux/Sandbox.cpp b/security/sandbox/linux/Sandbox.cpp
     6 ===================================================================
     8 --- a/security/sandbox/linux/Sandbox.cpp
     7 --- firefox-74.0.orig/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp
     9 +++ b/security/sandbox/linux/Sandbox.cpp
     8 +++ firefox-74.0/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp
    10 @@ -647,16 +647,17 @@ void SetMediaPluginSandbox(const char* a
     9 @@ -276,6 +276,7 @@ SandboxBrokerPolicyFactory::SandboxBroke
    11      SANDBOX_LOG_ERROR("failed to open plugin file %s: %s", aFilePath,
       
    12                        strerror(errno));
       
    13      MOZ_CRASH("failed while trying to open the plugin file ");
       
    14    }
       
    15  
       
    16    auto files = new SandboxOpenedFiles();
       
    17    files->Add(std::move(plugin));
       
    18    files->Add("/dev/urandom", true);
       
    19 +  files->Add("/dev/random", true);
       
    20    files->Add("/etc/ld.so.cache");  // Needed for NSS in clearkey.
       
    21    files->Add("/sys/devices/system/cpu/cpu0/tsc_freq_khz");
       
    22    files->Add("/sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq");
       
    23    files->Add("/proc/cpuinfo");  // Info also available via CPUID instruction.
       
    24    files->Add("/proc/sys/crypto/fips_enabled");  // Needed for NSS in clearkey.
       
    25  #ifdef __i386__
       
    26    files->Add("/proc/self/auxv");  // Info also in process's address space.
       
    27  #endif
       
    28 diff --git a/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp b/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp
       
    29 --- a/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp
       
    30 +++ b/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp
       
    31 @@ -308,16 +308,18 @@ void SandboxBrokerPolicyFactory::InitCon
       
    32      policy->AddDir(rdwr, "/dev/dri");
       
    33    }
       
    34  
       
    35    // Bug 1575985: WASM library sandbox needs RW access to /dev/null
       
    36    policy->AddPath(rdwr, "/dev/null");
    10  
    37  
    11    // Read permissions
    38    // Read permissions
    12    policy->AddPath(rdonly, "/dev/urandom");
    39    policy->AddPath(rdonly, "/dev/urandom");
       
    40 +  policy->AddPath(rdonly, "/dev/random");
    13 +  policy->AddPath(rdonly, "/proc/sys/crypto/fips_enabled");
    41 +  policy->AddPath(rdonly, "/proc/sys/crypto/fips_enabled");
    14    policy->AddPath(rdonly, "/proc/cpuinfo");
    42    policy->AddPath(rdonly, "/proc/cpuinfo");
    15    policy->AddPath(rdonly, "/proc/meminfo");
    43    policy->AddPath(rdonly, "/proc/meminfo");
    16    policy->AddDir(rdonly, "/sys/devices/cpu");
    44    policy->AddDir(rdonly, "/sys/devices/cpu");
       
    45    policy->AddDir(rdonly, "/sys/devices/system/cpu");
       
    46    policy->AddDir(rdonly, "/lib");
       
    47    policy->AddDir(rdonly, "/lib64");
       
    48    policy->AddDir(rdonly, "/usr/lib");
       
    49    policy->AddDir(rdonly, "/usr/lib32");
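Review bot: The two new `/dev/random` grants, `files->Add("/dev/random", true);` in SetMediaPluginSandbox and `policy->AddPath(rdonly, "/dev/random");` in the content-process read list, have no comment recording why the sandbox is widened, while neighbouring entries do (`// Needed for NSS in clearkey.`). I would add `// bsc#1174284: NSS in FIPS mode reads /dev/random` on both lines, and a similar note on the content-policy `fips_enabled` line, so a later sandbox audit can tell the entries are deliberate and tied to FIPS. Both grants are unconditional as written, so non-FIPS systems get the wider policy too. On kernels where `/dev/random` can still block (to my knowledge those before 5.6), every sandboxed content and media-plugin process gains read access to a shared blocking source, so it is worth checking whether the entries can be limited to systems where `fips_enabled` reads 1. Both functions continue outside the hunks shown, so any existing conditional around these lists is not visible here.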