A ninth iteration, ignoring unveil() generating ENOENT rather than
dying.
Although ~/.cache/dconf shouldn't prevent startup, Firefox spams the
console frequently if it doesn't exist first (because its unveil
doesn't allow creating it). So this version does essentially a
"mkdir -p" of it from the main process before doing the initial
filesystem veiling.
Also at https://jcs.org/patches/firefox-port-unveil9.diff
Index: Makefile
===================================================================
RCS file: /cvs/ports/www/mozilla-firefox/Makefile,v
retrieving revision 1.395
diff -u -p -u -p -r1.395 Makefile
--- Makefile 22 Sep 2019 17:19:06 -0000 1.395
+++ Makefile 27 Sep 2019 20:11:40 -0000
@@ -10,6 +10,8 @@ MOZILLA_BRANCH = release
MOZILLA_PROJECT = firefox
MOZILLA_CODENAME = browser
+REVISION= 0
+
WRKDIST = ${WRKDIR}/${MOZILLA_DIST}-${MOZILLA_DIST_VERSION:C/b[0-9]*//}
HOMEPAGE = https://www.mozilla.org/firefox/
SO_VERSION = 84.0
@@ -93,5 +95,10 @@ post-install:
# link default48.png to default.png to be used by default by non-icccm compliant wm
ln ${PREFIX}/lib/${MOZILLA_PROJECT}/browser/chrome/icons/default/default{48,}.png
+
+ ${INSTALL_DATA_DIR} ${PREFIX}/share/examples/${MOZILLA_PROJECT}
+.for f in unveil.content unveil.gpu unveil.main pledge.content pledge.gpu pledge.main
+ ${INSTALL_DATA} ${FILESDIR}/${f} ${PREFIX}/share/examples/${MOZILLA_PROJECT}/
+.endfor
.include <bsd.port.mk>
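Review bot: The six policy files are installed only under `${PREFIX}/share/examples/${MOZILLA_PROJECT}` (lines 28-31), and nothing in the visible diff installs or samples them into the location the browser reads at runtime. If Firefox is meant to load them from an `/etc`-style directory, the PLIST needs matching `@sample` entries so the policy is actually enforced on a fresh install; the PLIST is not in view, so this may be handled in a part of the change I cannot see. A one-line comment above the loop naming the consumer, e.g. `# pledge/unveil policy files read by the sandbox patches`, would make the intent clear to the next porter.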
Index: files/all-openbsd.js
===================================================================
RCS file: /cvs/ports/www/mozilla-firefox/files/all-openbsd.js,v
retrieving revision 1.10
diff -u -p -u -p -r1.10 all-openbsd.js
--- files/all-openbsd.js 9 Sep 2019 18:50:35 -0000 1.10
+++ files/all-openbsd.js 27 Sep 2019 20:11:40 -0000
@@ -5,10 +5,6 @@ pref("app.normandy.enabled",false);
pref("browser.safebrowsing.enabled", false);
pref("browser.safebrowsing.malware.enabled", false);
pref("spellchecker.dictionary_path", "${LOCALBASE}/share/mozilla-dicts/");
-// enable pledging the content process
-pref("security.sandbox.content.level", 1);
-pref("security.sandbox.pledge.main","stdio rpath wpath cpath inet proc exec prot_exec flock ps sendfd recvfd dns vminfo tty drm unix fattr getpw mcast video");
-pref("security.sandbox.pledge.content","stdio rpath wpath cpath inet recvfd sendfd prot_exec unix drm ps");
pref("extensions.pocket.enabled", false);
pref("browser.newtabpage.enabled", false);
pref("browser.startup.homepage", "about:blank");
Index: files/pledge.content
===================================================================
RCS file: files/pledge.content
diff -N files/pledge.content
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ files/pledge.content 27 Sep 2019 20:11:40 -0000
@@ -0,0 +1,10 @@
+stdio
+rpath
+wpath
+cpath
+recvfd
+sendfd
+prot_exec
+unix
+drm
+ps
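Review bot: `inet`, which the removed `security.sandbox.pledge.content` pref in all-openbsd.js (old line 47) granted to the content process, is absent from this list, and the change is silent. Dropping it is a real hardening if all network I/O already goes through the parent, so it deserves a record; if the loader accepts `#` lines as unveil.main does, a leading `# no inet: sockets are brokered by the main process` would do. Note that `cpath` and `wpath` remain, so a compromised content process can still create and write files anywhere unveil.content exposes with `c`.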
Index: files/pledge.gpu
===================================================================
RCS file: files/pledge.gpu
diff -N files/pledge.gpu
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ files/pledge.gpu 27 Sep 2019 20:11:40 -0000
@@ -0,0 +1,11 @@
+stdio
+rpath
+wpath
+cpath
+ps
+sendfd
+recvfd
+drm
+dns
+unix
+prot_exec
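Review bot: `dns` (line 83) is the only network-related promise granted here, with no `inet`, which is unusual for a GPU process. If the GPU process never resolves names this can be dropped; if it does, a comment such as `# dns: needed for <reason>` should say why. It is worth confirming against what the GPU process actually does at startup, since an unneeded promise widens the attack surface of a process that handles untrusted graphics data.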
Index: files/pledge.main
===================================================================
RCS file: files/pledge.main
diff -N files/pledge.main
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ files/pledge.main 27 Sep 2019 20:11:40 -0000
@@ -0,0 +1,20 @@
+stdio
+rpath
+wpath
+cpath
+inet
+proc
+exec
+prot_exec
+flock
+ps
+sendfd
+recvfd
+dns
+vminfo
+tty
+drm
+unix
+fattr
+getpw
+mcast
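Review bot: `video`, which the removed pref at old line 46 of all-openbsd.js granted to the main process, is missing from this list, while unveil.main still exposes `/dev/video rw`. As far as I recall, the `video` promise is what lets pledge(2) accept the video(4) ioctls, so either the promise was dropped by mistake or the `/dev/video` unveil entry is now dead. If the drop is intentional, a comment such as `# video dropped: webcam ioctls disabled` would make that explicit; I cannot tell from the diff which was meant.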
Index: files/unveil.content
===================================================================
RCS file: files/unveil.content
diff -N files/unveil.content
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ files/unveil.content 27 Sep 2019 20:11:40 -0000
@@ -0,0 +1,43 @@
+/dev/drm0 rw
+
+/etc/fonts r
+/etc/machine-id r
+/usr/local/lib r
+/usr/local/firefox r
+/usr/local/share r
+/usr/share/locale r
+/var/cache/fontconfig r
+/usr/X11R6/lib r
+/usr/X11R6/share r
+/var/run r
+
+~/.XCompose r
+~/.Xauthority r
+~/.Xdefaults r
+~/.fontconfig r
+~/.fonts r
+~/.fonts.conf r
+~/.fonts.conf.d r
+~/.icons r
+~/.pki rwc
+~/.sndio rwc
+~/.terminfo r
+
+~/.mozilla r
+~/Downloads r
+
+/tmp rwc
+
+$XDG_CONFIG_HOME/dconf rwc
+$XDG_CONFIG_HOME/fontconfig r
+$XDG_CONFIG_HOME/gtk-3.0 r
+$XDG_CONFIG_HOME/mimeapps.list r
+$XDG_CONFIG_HOME/mozilla rwc
+$XDG_CONFIG_HOME/user-dirs.dirs r
+$XDG_DATA_HOME/applications r
+$XDG_DATA_HOME/applnk r
+$XDG_DATA_HOME/fonts r
+$XDG_DATA_HOME/glib-2.0 r
+$XDG_DATA_HOME/icons r
+$XDG_DATA_HOME/mime r
+$XDG_DATA_HOME/themes r
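Review bot: `~/.mozilla r` (line 145) and `$XDG_CONFIG_HOME/mozilla rwc` (line 154) give the content process different rights to what appears to be the same profile location, and neither is explained. If the profile can live under `$XDG_CONFIG_HOME/mozilla`, a compromised content process gets write/create access to it there but only read under `~/.mozilla`; if the XDG entry only serves configuration reads, `r` would match the other line. Read access to the profile directory from the content process is itself worth a comment, since that directory typically holds cookies, session data and the credential store; `# ~/.mozilla: read-only for profile assets — TODO confirm the content process really needs this` would flag it for the next reader.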
Index: files/unveil.gpu
===================================================================
RCS file: files/unveil.gpu
diff -N files/unveil.gpu
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ files/unveil.gpu 27 Sep 2019 20:11:40 -0000
@@ -0,0 +1,11 @@
+/dev/drm0 rw
+
+/usr/local/lib/firefox r
+/usr/local/lib/gdk-pixbuf-2.0 r
+/usr/X11R6/lib r
+/usr/share/locale r
+/usr/local/share r
+
+/tmp rw
+
+~/.Xauthority r
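Review bot: `/tmp rw` (line 178) lacks the `c` flag that the content policy (unveil.content line 148) and main policy (unveil.main line 230) grant, and unveil.main's comment ties `/tmp` to `shm_open`. If the GPU process ever calls shm_open with O_CREAT, creation would be refused here; if it only opens segments the parent created, `rw` is the tighter choice and a comment such as `# /tmp rw: only opens shm segments created by the parent` would document the asymmetry. Also, `/usr/local/lib/firefox r` carries no `x`, which is fine for a process that never execs but differs from unveil.main's `rx` on the same path and may be worth a word.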
Index: files/unveil.main
===================================================================
RCS file: files/unveil.main
diff -N files/unveil.main
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ files/unveil.main 27 Sep 2019 20:11:40 -0000
@@ -0,0 +1,63 @@
+# for uuid generation?
+/dev/urandom r
+/dev/video rw
+
+/etc/fonts r
+/etc/machine-id r
+
+/usr/local/lib r
+/usr/local/firefox r
+/usr/local/lib/firefox rx
+/usr/local/share r
+/usr/share/locale r
+/var/cache/fontconfig r
+/usr/X11R6/lib r
+/usr/X11R6/share r
+/var/run r
+
+# printing
+/usr/bin/lpr rx
+
+# for launching registered 3rd party applications like pdf readers
+/usr/local/bin/gio-launch-desktop rx
+/etc/mailcap r
+~/.mailcap r
+~/.mime.types r
+
+~/.XCompose r
+~/.Xauthority r
+~/.Xdefaults r
+~/.fontconfig r
+~/.fonts r
+~/.fonts.conf r
+~/.fonts.conf.d r
+~/.icons r
+~/.pki rwc
+~/.sndio rwc
+~/.terminfo r
+
+~/.mozilla rwc
+~/Downloads rwc
+
+# for at least shm_open (for now)
+/tmp rwc
+
+# $XDG_CACHE_HOME, $XDG_CONFIG_HOME, and $XDG_DATA_HOME will expand to the
+# given variable if it exists in the environment, otherwise defaulting to
+# ~/.cache, ~/.config, and ~/.local/share
+$XDG_CACHE_HOME/dconf rwc
+$XDG_CACHE_HOME/thumbnails rwc
+$XDG_CONFIG_HOME/dconf rw
+$XDG_CONFIG_HOME/fontconfig r
+$XDG_CONFIG_HOME/gtk-3.0 r
+$XDG_CONFIG_HOME/mimeapps.list r
+$XDG_CONFIG_HOME/mozilla rwc
+$XDG_CONFIG_HOME/user-dirs.dirs r
+$XDG_DATA_HOME/applications rwc
+$XDG_DATA_HOME/applnk r
+$XDG_DATA_HOME/fonts r
+$XDG_DATA_HOME/glib-2.0 r
+$XDG_DATA_HOME/icons r
+$XDG_DATA_HOME/mime r
+$XDG_DATA_HOME/recently-used.xbel rwc
+$XDG_DATA_HOME/themes r
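Review bot: `/usr/local/firefox r` (line 196) does not match where the Makefile installs the browser, `${PREFIX}/lib/${MOZILLA_PROJECT}` (line 26), i.e. `/usr/local/lib/firefox`, which is already listed on the next line with `rx`. Because this iteration ignores ENOENT from unveil(), a stale path is silently tolerated, so this looks like a leftover from an earlier iteration or a typo; the same entry appears in unveil.content (line 125). If it is intentional, a comment naming what lives there would help; otherwise drop it. Separately, the `# for uuid generation?` question on line 188 should be resolved into a statement once the reason for `/dev/urandom r` is confirmed.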
Index: patches/patch-browser_app_profile_firefox_js
===================================================================
RCS file: patches/patch-browser_app_profile_firefox_js
diff -N patches/patch-browser_app_profile_firefox_js
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-browser_app_profile_firefox_js 27 Sep 2019 20:11:40 -0000
@@ -0,0 +1,18 @@
+$OpenBSD$
+
+Index: browser/app/profile/firefox.js
+--- browser/app/profile/firefox.js.orig
++++ browser/app/profile/firefox.js
+@@ -1130,11 +1130,8 @@ pref("security.sandbox.content.syscall_whitelist", "")
+