# HG changeset patch # User Wolfgang Rosenauer # Date 1598383877 -7200 # Node ID c5e32127317c5e9020f637dba8d81ae22b776fc0 # Parent edb0ebe8cccce3ddba58bf87ae5e0e688a50608f further FIPS patch (from https://github.com/openSUSE/firefox-maintenance/commit/23d322af9566055af016e6e409dcc3c9856c3666) diff -r edb0ebe8cccc -r c5e32127317c MozillaFirefox/MozillaFirefox.changes --- a/MozillaFirefox/MozillaFirefox.changes Tue Aug 25 21:27:22 2020 +0200 +++ b/MozillaFirefox/MozillaFirefox.changes Tue Aug 25 21:31:17 2020 +0200 @@ -1,4 +1,9 @@ ------------------------------------------------------------------- +Tue Aug 25 19:30:15 UTC 2020 - Wolfgang Rosenauer + +- more whitelisting for sandbox in relation to FIPS (bsc#1174284) + +------------------------------------------------------------------- Sat Aug 22 06:52:01 UTC 2020 - Wolfgang Rosenauer - Mozilla Firefox 80.0 diff -r edb0ebe8cccc -r c5e32127317c mozilla-sandbox-fips.patch --- a/mozilla-sandbox-fips.patch Tue Aug 25 21:27:22 2020 +0200 +++ b/mozilla-sandbox-fips.patch Tue Aug 25 21:31:17 2020 +0200 @@ -1,16 +1,49 @@ -From: meissner@suse.com +From: meissner@suse.com, cgrobertson@suse.com Subject: allow Firefox to access addtional process information -Reference: http://bugzilla.suse.com/show_bug.cgi?id=1167132 +References: +http://bugzilla.suse.com/show_bug.cgi?id=1167132 +bsc#1174284 - Firefox tab just crashed in FIPS mode -Index: firefox-74.0/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp -=================================================================== ---- firefox-74.0.orig/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp -+++ firefox-74.0/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp -@@ -276,6 +276,7 @@ SandboxBrokerPolicyFactory::SandboxBroke +diff --git a/security/sandbox/linux/Sandbox.cpp b/security/sandbox/linux/Sandbox.cpp +--- a/security/sandbox/linux/Sandbox.cpp ++++ b/security/sandbox/linux/Sandbox.cpp +@@ -647,16 +647,17 @@ void SetMediaPluginSandbox(const char* a + SANDBOX_LOG_ERROR("failed to open plugin file %s: %s", aFilePath, + strerror(errno)); + MOZ_CRASH("failed while trying to open the plugin file "); + } + + auto files = new SandboxOpenedFiles(); + files->Add(std::move(plugin)); + files->Add("/dev/urandom", true); ++ files->Add("/dev/random", true); + files->Add("/etc/ld.so.cache"); // Needed for NSS in clearkey. + files->Add("/sys/devices/system/cpu/cpu0/tsc_freq_khz"); + files->Add("/sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq"); + files->Add("/proc/cpuinfo"); // Info also available via CPUID instruction. + files->Add("/proc/sys/crypto/fips_enabled"); // Needed for NSS in clearkey. + #ifdef __i386__ + files->Add("/proc/self/auxv"); // Info also in process's address space. + #endif +diff --git a/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp b/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp +--- a/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp ++++ b/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp +@@ -308,16 +308,18 @@ void SandboxBrokerPolicyFactory::InitCon + policy->AddDir(rdwr, "/dev/dri"); + } + + // Bug 1575985: WASM library sandbox needs RW access to /dev/null + policy->AddPath(rdwr, "/dev/null"); // Read permissions policy->AddPath(rdonly, "/dev/urandom"); ++ policy->AddPath(rdonly, "/dev/random"); + policy->AddPath(rdonly, "/proc/sys/crypto/fips_enabled"); policy->AddPath(rdonly, "/proc/cpuinfo"); policy->AddPath(rdonly, "/proc/meminfo"); policy->AddDir(rdonly, "/sys/devices/cpu"); + policy->AddDir(rdonly, "/sys/devices/system/cpu"); + policy->AddDir(rdonly, "/lib"); + policy->AddDir(rdonly, "/lib64"); + policy->AddDir(rdonly, "/usr/lib"); + policy->AddDir(rdonly, "/usr/lib32");