mozilla-sandbox-fips.patch
branchfirefox93
changeset 1165 e009fde1282b
parent 1164 bb219fd0d646
--- a/mozilla-sandbox-fips.patch	Sun Oct 17 20:19:48 2021 +0200
+++ b/mozilla-sandbox-fips.patch	Sat Oct 23 08:46:52 2021 +0200
@@ -4,15 +4,11 @@
 http://bugzilla.suse.com/show_bug.cgi?id=1167132
 bsc#1174284 - Firefox tab just crashed in FIPS mode
 
-diff --git a/security/sandbox/linux/Sandbox.cpp b/security/sandbox/linux/Sandbox.cpp
---- a/security/sandbox/linux/Sandbox.cpp
-+++ b/security/sandbox/linux/Sandbox.cpp
-@@ -650,16 +650,17 @@ void SetMediaPluginSandbox(const char* a
-     SANDBOX_LOG_ERROR("failed to open plugin file %s: %s", aFilePath,
-                       strerror(errno));
-     MOZ_CRASH("failed while trying to open the plugin file ");
-   }
- 
+Index: firefox-93.0/security/sandbox/linux/Sandbox.cpp
+===================================================================
+--- firefox-93.0.orig/security/sandbox/linux/Sandbox.cpp
++++ firefox-93.0/security/sandbox/linux/Sandbox.cpp
+@@ -655,6 +655,7 @@ void SetMediaPluginSandbox(const char* a
    auto files = new SandboxOpenedFiles();
    files->Add(std::move(plugin));
    files->Add("/dev/urandom", SandboxOpenedFile::Dup::YES);
@@ -20,20 +16,11 @@
    files->Add("/etc/ld.so.cache");  // Needed for NSS in clearkey.
    files->Add("/sys/devices/system/cpu/cpu0/tsc_freq_khz");
    files->Add("/sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq");
-   files->Add("/proc/cpuinfo");  // Info also available via CPUID instruction.
-   files->Add("/proc/sys/crypto/fips_enabled");  // Needed for NSS in clearkey.
- #ifdef __i386__
-   files->Add("/proc/self/auxv");  // Info also in process's address space.
- #endif
-diff --git a/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp b/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp
---- a/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp
-+++ b/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp
-@@ -315,16 +315,18 @@ void SandboxBrokerPolicyFactory::InitCon
-     policy->AddDir(rdwr, "/dev/dri");
-   }
- 
-   // Bug 1575985: WASM library sandbox needs RW access to /dev/null
-   policy->AddPath(rdwr, "/dev/null");
+Index: firefox-93.0/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp
+===================================================================
+--- firefox-93.0.orig/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp
++++ firefox-93.0/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp
+@@ -320,6 +320,8 @@ void SandboxBrokerPolicyFactory::InitCon
  
    // Read permissions
    policy->AddPath(rdonly, "/dev/urandom");
@@ -42,8 +29,12 @@
    policy->AddPath(rdonly, "/proc/cpuinfo");
    policy->AddPath(rdonly, "/proc/meminfo");
    policy->AddDir(rdonly, "/sys/devices/cpu");
-   policy->AddDir(rdonly, "/sys/devices/system/cpu");
-   policy->AddDir(rdonly, "/lib");
-   policy->AddDir(rdonly, "/lib64");
-   policy->AddDir(rdonly, "/usr/lib");
-   policy->AddDir(rdonly, "/usr/lib32");
+@@ -792,6 +794,8 @@ SandboxBrokerPolicyFactory::GetSocketPro
+   auto policy = MakeUnique<SandboxBroker::Policy>();
+ 
+   policy->AddPath(rdonly, "/dev/urandom");
++  policy->AddPath(rdonly, "/dev/random");
++  policy->AddPath(rdonly, "/proc/sys/crypto/fips_enabled");
+   policy->AddPath(rdonly, "/proc/cpuinfo");
+   policy->AddPath(rdonly, "/proc/meminfo");
+   policy->AddDir(rdonly, "/sys/devices/cpu");
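Review bot: The two `AddPath` lines added in the new `GetSocketProcessPolicy` hunk widen the socket process's read policy without saying why, whereas the Sandbox.cpp entries in this same patch carry `// Needed for NSS in clearkey.`. I would annotate them the same way, e.g. `policy->AddPath(rdonly, "/proc/sys/crypto/fips_enabled");  // Needed for NSS in FIPS mode.`, and likewise for `/dev/random`. Both grants are read-only and single-path, which keeps them narrow, but they apply whether or not FIPS is enabled. It is therefore worth confirming that NSS in the socket process really opens `/dev/random` rather than only the `/dev/urandom` already allowed. The patch header still mentions only the tab crash, so a line recording that the socket process is now covered would help the next refresh; the function body continues outside the hunk.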