Are you tired of compiling Firefox yet?
The preference keys for pledge and unveil settings were concerning
from a security standpoint, so I've taken a new direction and moved
them both to root-owned files. Landry and I are discussing this
with upstream:
https://bugzilla.mozilla.org/show_bug.cgi?id=1584839
These files are now installed to
/usr/local/lib/firefox/browser/defaults/preferences/ and you can put
your own versions in /etc/firefox if you need to override them (but
you shouldn't).
This also changes the way unveil or pledge are disabled for testing,
because the environment variable mechanism was scaring me by
allowing a potentially compromised main process to influence a new
content process. Now the only way to disable it is by modifying
those root-owned files to just contain "disable".
This also does essentially a 'mkdir -p $XDG_CACHE_HOME/dconf' on
startup from the main process if needed (like on a fresh login
account) because otherwise lots of things complain.
This also adds back the video pledge to the main process which got
lost along the way.
I would really like to commit this version to ports so we can at
least get snapshot packages out with this for testing before 6.6.
Index: Makefile
===================================================================
RCS file: /cvs/ports/www/mozilla-firefox/Makefile,v
retrieving revision 1.396
diff -u -p -u -p -r1.396 Makefile
--- Makefile 3 Oct 2019 17:57:49 -0000 1.396
+++ Makefile 4 Oct 2019 01:49:27 -0000
@@ -10,6 +10,8 @@ MOZILLA_BRANCH = release
MOZILLA_PROJECT = firefox
MOZILLA_CODENAME = browser
+REVISION= 0
+
WRKDIST = ${WRKDIR}/${MOZILLA_DIST}-${MOZILLA_DIST_VERSION:C/b[0-9]*//}
HOMEPAGE = https://www.mozilla.org/firefox/
SO_VERSION = 84.0
@@ -51,6 +53,8 @@ BUILD_DEPENDS += lang/node
BUILD_DEPENDS += devel/cbindgen>=0.9.0
# 67 requires nasm for bundled libav1d
BUILD_DEPENDS += devel/nasm
+# unveil support relies on xdg-open
+RUN_DEPENDS += devel/xdg-utils
WANTLIB += X11-xcb Xcursor Xi intl xcb xcb-shm ${COMPILER_LIBCXX}
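Review bot: The comment added on L42 says unveil support relies on xdg-open, but the unveil.main policy in this same diff only grants `/usr/local/bin/gio-launch-desktop rx` and has no entry for `${LOCALBASE}/bin/xdg-open`; under unveil an un-listed path is invisible, so if the main process really execs xdg-open the launch will fail, and if it does not, the RUN_DEPENDS comment points maintainers at the wrong helper. I cannot tell from this diff which binary the code execs. Either add the matching `rx` line to files/unveil.main or reword the comment here to name gio-launch-desktop, so the dependency and the policy agree.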
@@ -64,7 +68,7 @@ MAKE_ENV += BUILD_VERBOSE_LOG="1"
CONFIGURE_ARGS += --enable-release #1386371
CONFIGURE_ARGS += --enable-sandbox
CONFIGURE_ARGS += --with-libclang-path=${LOCALBASE}/lib
-SUBST_VARS += LOCALBASE X11BASE
+SUBST_VARS += LOCALBASE X11BASE MOZILLA_PROJECT
show-commit:
@curl -s https://releases.mozilla.org/pub/mozilla.org/firefox/releases/${MOZILLA_VERSION}/SOURCE| awk -F / '/^https:\/\/hg/ {print $$7 }'
@@ -92,6 +96,10 @@ post-install:
${PREFIX}/share/pixmaps/firefox.png
# link default48.png to default.png to be used by default by non-icccm compliant wm
- ln ${PREFIX}/lib/${MOZILLA_PROJECT}/browser/chrome/icons/default/default{48,}.png
+ ln -f ${PREFIX}/lib/${MOZILLA_PROJECT}/browser/chrome/icons/default/default{48,}.png
+
+.for f in unveil.content unveil.gpu unveil.main pledge.content pledge.gpu pledge.main
+ ${INSTALL_DATA} ${FILESDIR}/${f} ${PREFIX}/lib/${MOZILLA_PROJECT}/browser/defaults/preferences/
+.endfor
.include <bsd.port.mk>
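Review bot: The `.for` loop installs six new files under `${PREFIX}/lib/${MOZILLA_PROJECT}/browser/defaults/preferences/`, but no pkg/PLIST change appears anywhere in this diff, so unless PLIST is updated separately the package will either trip the plist check or ship without the policies that the whole change depends on. A one-line comment above the loop would also record why they live here rather than in a pref file, e.g. `# pledge/unveil policies: must stay root-owned and not user-writable, the sandbox setup trusts their contents`, since the commit message makes that the point of the redesign. Consider hoisting the six names into a variable so this loop and PLIST share one list. The post-install target begins before this hunk.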
Index: files/all-openbsd.js
===================================================================
RCS file: /cvs/ports/www/mozilla-firefox/files/all-openbsd.js,v
retrieving revision 1.10
diff -u -p -u -p -r1.10 all-openbsd.js
--- files/all-openbsd.js 9 Sep 2019 18:50:35 -0000 1.10
+++ files/all-openbsd.js 4 Oct 2019 01:49:27 -0000
@@ -5,10 +5,6 @@ pref("app.normandy.enabled",false);
pref("browser.safebrowsing.enabled", false);
pref("browser.safebrowsing.malware.enabled", false);
pref("spellchecker.dictionary_path", "${LOCALBASE}/share/mozilla-dicts/");
-// enable pledging the content process
-pref("security.sandbox.content.level", 1);
-pref("security.sandbox.pledge.main","stdio rpath wpath cpath inet proc exec prot_exec flock ps sendfd recvfd dns vminfo tty drm unix fattr getpw mcast video");
-pref("security.sandbox.pledge.content","stdio rpath wpath cpath inet recvfd sendfd prot_exec unix drm ps");
pref("extensions.pocket.enabled", false);
pref("browser.newtabpage.enabled", false);
pref("browser.startup.homepage", "about:blank");
Index: files/pledge.content
===================================================================
RCS file: files/pledge.content
diff -N files/pledge.content
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ files/pledge.content 4 Oct 2019 01:49:27 -0000
@@ -0,0 +1,10 @@
+stdio
+rpath
+wpath
+cpath
+recvfd
+sendfd
+prot_exec
+unix
+drm
+ps
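Review bot: pledge.content drops `inet`, which the replaced `security.sandbox.pledge.content` string on L77 granted; every other promise from that string is carried over one per line. If content processes now do all networking through the parent, this is a real tightening and deserves a sentence in the commit message; if they still open sockets, pledge will kill them at the first call. Please confirm it is intentional rather than a transcription slip.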
Index: files/pledge.gpu
===================================================================
RCS file: files/pledge.gpu
diff -N files/pledge.gpu
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ files/pledge.gpu 4 Oct 2019 01:49:27 -0000
@@ -0,0 +1,11 @@
+stdio
+rpath
+wpath
+cpath
+ps
+sendfd
+recvfd
+drm
+dns
+unix
+prot_exec
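Review bot: pledge.gpu grants `dns` (L113), which neither the old content pref nor the new pledge.content grants, and a GPU process that only talks to the parent over IPC has no obvious reason to resolve names. If it was added because something failed in testing, a note naming the consumer would stop it being carried forward blindly; otherwise dropping it narrows the promise set for a process that handles untrusted GPU work. The pledge file format shows no comment syntax here, so if the reader does not accept `#` lines the way unveil.main shows the unveil reader does, the note belongs in the Makefile or commit message instead.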
Index: files/pledge.main
===================================================================
RCS file: files/pledge.main
diff -N files/pledge.main
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ files/pledge.main 4 Oct 2019 01:49:27 -0000
@@ -0,0 +1,21 @@
+stdio
+rpath
+wpath
+cpath
+inet
+proc
+exec
+prot_exec
+flock
+ps
+sendfd
+recvfd
+dns
+vminfo
+tty
+drm
+unix
+fattr
+getpw
+mcast
+video
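Review bot: None of the six policy files documents its own format or the `disable` sentinel that the commit message describes as the only supported way to turn the sandbox off, so a maintainer editing pledge.main later will not find that in the file. If the pledge reader tolerates `#` comments as the unveil reader evidently does (unveil.main uses them), add a short header such as `# one pledge(2) promise per line; a file containing only "disable" turns pledge off for this process`, and the same in pledge.content and pledge.gpu. The promise list itself matches the removed `security.sandbox.pledge.main` string on L76 exactly, including `video`.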
Index: files/unveil.content
===================================================================
RCS file: files/unveil.content
diff -N files/unveil.content
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ files/unveil.content 4 Oct 2019 01:49:27 -0000
@@ -0,0 +1,43 @@
+/dev/drm0 rw
+
+/etc/fonts r
+/etc/machine-id r
+/usr/local/lib r
+/usr/local/firefox r
+/usr/local/share r
+/usr/share/locale r
+/var/cache/fontconfig r
+/usr/X11R6/lib r
+/usr/X11R6/share r
+/var/run r
+
+~/.XCompose r
+~/.Xauthority r
+~/.Xdefaults r
+~/.fontconfig r
+~/.fonts r
+~/.fonts.conf r
+~/.fonts.conf.d r
+~/.icons r
+~/.pki rwc
+~/.sndio rwc
+~/.terminfo r
+
+~/.mozilla r
+~/Downloads r
+
+/tmp rwc
+
+$XDG_CONFIG_HOME/dconf rwc
+$XDG_CONFIG_HOME/fontconfig r
+$XDG_CONFIG_HOME/gtk-3.0 r
+$XDG_CONFIG_HOME/mimeapps.list r
+$XDG_CONFIG_HOME/mozilla rwc
+$XDG_CONFIG_HOME/user-dirs.dirs r
+$XDG_DATA_HOME/applications r
+$XDG_DATA_HOME/applnk r
+$XDG_DATA_HOME/fonts r
+$XDG_DATA_HOME/glib-2.0 r
+$XDG_DATA_HOME/icons r
+$XDG_DATA_HOME/mime r
+$XDG_DATA_HOME/themes r
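Review bot: `/usr/local/firefox r` (L156) does not match where the port installs Firefox (`${PREFIX}/lib/${MOZILLA_PROJECT}`; unveil.gpu L203 uses `/usr/local/lib/firefox`), and `/usr/local/lib r` on the line above already covers the real location, so this looks like a stale path; unveil.main L227 has the same line. The content process also gets `$XDG_CONFIG_HOME/mozilla rwc` but only `~/.mozilla r`, so if the profile lives under ~/.mozilla that asymmetry is either a mistake or a deliberate read-only policy that deserves a `#` comment. Write/create access to `~/.pki` and `~/.sndio` from the process that runs web content is likewise worth one line explaining which component needs it, as unveil.main already does for /tmp and lpr.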
Index: files/unveil.gpu
===================================================================
RCS file: files/unveil.gpu
diff -N files/unveil.gpu
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ files/unveil.gpu 4 Oct 2019 01:49:27 -0000
@@ -0,0 +1,11 @@
+/dev/drm0 rw
+
+/usr/local/lib/firefox r
+/usr/local/lib/gdk-pixbuf-2.0 r
+/usr/X11R6/lib r
+/usr/share/locale r
+/usr/local/share r
+
+/tmp rwc
+
+~/.Xauthority r
Index: files/unveil.main
===================================================================
RCS file: files/unveil.main
diff -N files/unveil.main
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ files/unveil.main 4 Oct 2019 01:49:27 -0000
@@ -0,0 +1,63 @@
+# for uuid generation?
+/dev/urandom r
+/dev/video rw
+
+/etc/fonts r
+/etc/machine-id r
+
+/usr/local/lib r
+/usr/local/firefox r
+/usr/local/lib/firefox rx
+/usr/local/share r
+/usr/share/locale r
+/var/cache/fontconfig r
+/usr/X11R6/lib r
+/usr/X11R6/share r
+/var/run r
+
+# printing
+/usr/bin/lpr rx
+
+# for launching registered 3rd party applications like pdf readers
+/usr/local/bin/gio-launch-desktop rx
+/etc/mailcap r
+~/.mailcap r
+~/.mime.types r
+
+~/.XCompose r
+~/.Xauthority r
+~/.Xdefaults r
+~/.fontconfig r
+~/.fonts r
+~/.fonts.conf r
+~/.fonts.conf.d r
+~/.icons r
+~/.pki rwc
+~/.sndio rwc
+~/.terminfo r
+
+~/.mozilla rwc
+~/Downloads rwc
+
+# for at least shm_open (for now)
+/tmp rwc
+
+# $XDG_CACHE_HOME, $XDG_CONFIG_HOME, and $XDG_DATA_HOME will expand to the
+# given variable if it exists in the environment, otherwise defaulting to
+# ~/.cache, ~/.config, and ~/.local/share
+$XDG_CACHE_HOME/dconf rwc
+$XDG_CACHE_HOME/thumbnails rwc
+$XDG_CONFIG_HOME/dconf rw
+$XDG_CONFIG_HOME/fontconfig r
+$XDG_CONFIG_HOME/gtk-3.0 r
+$XDG_CONFIG_HOME/mimeapps.list r
+$XDG_CONFIG_HOME/mozilla rwc
+$XDG_CONFIG_HOME/user-dirs.dirs r
+$XDG_DATA_HOME/applications rwc
+$XDG_DATA_HOME/applnk r
+$XDG_DATA_HOME/fonts r
+$XDG_DATA_HOME/glib-2.0 r
+$XDG_DATA_HOME/icons r
+$XDG_DATA_HOME/mime r
+$XDG_DATA_HOME/recently-used.xbel rwc
+$XDG_DATA_HOME/themes r
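Review bot: The comment on L263-265 states that `$XDG_*` expand from the environment, yet the commit message's reason for removing the environment-variable kill switch (a compromised main process influencing a new content process) applies to these expansions too, and presumably to `~`: the parent sets the child's environment, so they are parent-controlled inputs to unveil.content's policy. If the reader cannot anchor them (for instance by requiring the result to stay under the user's home directory, or by ignoring the variables and using the defaults), note that trust assumption next to this comment so nobody reads the new mechanism as closing that path entirely. Separately, `# for uuid generation?` (L219) leaves the reason for `/dev/urandom r` as an open question in an installed policy file; resolve it or reword it as a statement.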
Index: patches/patch-browser_app_profile_firefox_js
===================================================================
RCS file: patches/patch-browser_app_profile_firefox_js
diff -N patches/patch-browser_app_profile_firefox_js
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-browser_app_profile_firefox_js 4 Oct 2019 01:49:27 -0000
@@ -0,0 +1,20 @@
+$OpenBSD$
+
+https://bugzilla.mozilla.org/show_bug.cgi?id=1584839
+
+Index: browser/app/profile/firefox.js
+--- browser/app/profile/firefox.js.orig
++++ browser/app/profile/firefox.js
+@@ -1130,11 +1130,8 @@ pref("security.sandbox.content.syscall_whitelist", "")
+