On Thu, Oct 03, 2019 at 09:02:53PM -0500, joshua stein wrote:
> Are you tired of compiling Firefox yet?
>
> The preference keys for pledge and unveil settings were concerning
> from a security standpoint, so I've taken a new direction and moved
> them both to root-owned files. Landry and I are discussing this
> with upstream:
>
> https://bugzilla.mozilla.org/show_bug.cgi?id=1584839
>
> These files are now installed to
> /usr/local/lib/firefox/browser/defaults/preferences/ and you can put
> your own versions in /etc/firefox if you need to override them (but
> you shouldn't).
>
> This also changes the way unveil or pledge are disabled for testing,
> because the environment variable mechanism was scaring me by
> allowing a potentially compromised main process to influence a new
> content process. Now the only way to disable it is by modifying
> those root-owned files to just contain "disable".
>
> This also does essentially a 'mkdir -p $XDG_CACHE_HOME/dconf' on
> startup from the main process if needed (like on a fresh login
> account) because otherwise lots of things complain.
>
> This also adds back the video pledge to the main process which got
> lost along the way.
>
> I would really like to commit this version to ports so we can at
> least get snapshot packages out with this for testing before 6.6.
>
>
I confirm YouTube works, and Firefox works on a fresh user.
I can still reproduce the inet pledge violation with my certificate.
I tried various cases and everything seems to work.
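
A host-side audit of the layout the quoted message describes, added here as an example and not part of the thread or the port: it flags policy files or directories that are not root-owned or are group/world-writable, files reduced to "disable", and local overrides in /etc/firefox. The function names, the same-name matching of overrides and the whitespace-tolerant match on "disable" are assumptions.

```shell
#!/bin/sh
# Added example (not from the port). Assumptions: an override in /etc/firefox
# carries the same file name as the packaged file, and "just contain disable"
# is matched ignoring whitespace.
DEFAULTS=/usr/local/lib/firefox/browser/defaults/preferences
OVERRIDES=/etc/firefox

# weak_perms PATH UID: true if PATH is not owned by UID or is writable by
# group/other, i.e. something other than root could rewrite the policy.
weak_perms() {
    [ -n "$(find "$1" -prune \( ! -user "$2" -o -perm -020 -o -perm -002 \) -print)" ]
}

# audit_policy DEFAULTS_DIR OVERRIDES_DIR [OWNER_UID]
# Prints one finding per line; returns 1 if there are findings, else 0.
audit_policy() {
    owner=${3:-0}
    findings=$(
        for d in "$1" "$2"; do
            [ -d "$d" ] || continue
            # A writable directory allows replacing files whatever their mode.
            if weak_perms "$d" "$owner"; then echo "WEAK-PERMS $d"; fi
            for f in "$d"/*; do
                [ -f "$f" ] || continue
                if weak_perms "$f" "$owner"; then echo "WEAK-PERMS $f"; fi
                # pledge or unveil switched off through this file
                if [ "$(tr -d ' \t\n' < "$f")" = disable ]; then
                    echo "DISABLED $f"
                fi
                # a local file shadowing a packaged one
                if [ "$d" = "$2" ] && [ -f "$1/${f##*/}" ]; then
                    echo "OVERRIDE $f"
                fi
            done
        done
    )
    if [ -z "$findings" ]; then return 0; fi
    printf '%s\n' "$findings"
    return 1
}

# On the host: audit_policy "$DEFAULTS" "$OVERRIDES"
```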