--- a/mozilla-sandbox-fips.patch Sun Oct 17 20:19:48 2021 +0200
+++ b/mozilla-sandbox-fips.patch Sat Oct 23 08:46:52 2021 +0200
@@ -4,15 +4,11 @@
http://bugzilla.suse.com/show_bug.cgi?id=1167132
bsc#1174284 - Firefox tab just crashed in FIPS mode
-diff --git a/security/sandbox/linux/Sandbox.cpp b/security/sandbox/linux/Sandbox.cpp
---- a/security/sandbox/linux/Sandbox.cpp
-+++ b/security/sandbox/linux/Sandbox.cpp
-@@ -650,16 +650,17 @@ void SetMediaPluginSandbox(const char* a
- SANDBOX_LOG_ERROR("failed to open plugin file %s: %s", aFilePath,
- strerror(errno));
- MOZ_CRASH("failed while trying to open the plugin file ");
- }
-
+Index: firefox-93.0/security/sandbox/linux/Sandbox.cpp
+===================================================================
+--- firefox-93.0.orig/security/sandbox/linux/Sandbox.cpp
++++ firefox-93.0/security/sandbox/linux/Sandbox.cpp
+@@ -655,6 +655,7 @@ void SetMediaPluginSandbox(const char* a
auto files = new SandboxOpenedFiles();
files->Add(std::move(plugin));
files->Add("/dev/urandom", SandboxOpenedFile::Dup::YES);
@@ -20,20 +16,11 @@
files->Add("/etc/ld.so.cache"); // Needed for NSS in clearkey.
files->Add("/sys/devices/system/cpu/cpu0/tsc_freq_khz");
files->Add("/sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq");
- files->Add("/proc/cpuinfo"); // Info also available via CPUID instruction.
- files->Add("/proc/sys/crypto/fips_enabled"); // Needed for NSS in clearkey.
- #ifdef __i386__
- files->Add("/proc/self/auxv"); // Info also in process's address space.
- #endif
-diff --git a/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp b/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp
---- a/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp
-+++ b/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp
-@@ -315,16 +315,18 @@ void SandboxBrokerPolicyFactory::InitCon
- policy->AddDir(rdwr, "/dev/dri");
- }
-
- // Bug 1575985: WASM library sandbox needs RW access to /dev/null
- policy->AddPath(rdwr, "/dev/null");
+Index: firefox-93.0/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp
+===================================================================
+--- firefox-93.0.orig/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp
++++ firefox-93.0/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp
+@@ -320,6 +320,8 @@ void SandboxBrokerPolicyFactory::InitCon
// Read permissions
policy->AddPath(rdonly, "/dev/urandom");
@@ -42,8 +29,12 @@
policy->AddPath(rdonly, "/proc/cpuinfo");
policy->AddPath(rdonly, "/proc/meminfo");
policy->AddDir(rdonly, "/sys/devices/cpu");
- policy->AddDir(rdonly, "/sys/devices/system/cpu");
- policy->AddDir(rdonly, "/lib");
- policy->AddDir(rdonly, "/lib64");
- policy->AddDir(rdonly, "/usr/lib");
- policy->AddDir(rdonly, "/usr/lib32");
+@@ -792,6 +794,8 @@ SandboxBrokerPolicyFactory::GetSocketPro
+ auto policy = MakeUnique<SandboxBroker::Policy>();
+
+ policy->AddPath(rdonly, "/dev/urandom");
++ policy->AddPath(rdonly, "/dev/random");
++ policy->AddPath(rdonly, "/proc/sys/crypto/fips_enabled");
+ policy->AddPath(rdonly, "/proc/cpuinfo");
+ policy->AddPath(rdonly, "/proc/meminfo");
+ policy->AddDir(rdonly, "/sys/devices/cpu");