On 2019/12/27 07:18, Evan Tann wrote:
> On Fri Dec 27, 2019 at 10:00 AM, Solène Rapenne wrote:
> > On 2019-12-26 16:53, open...@evantann.com wrote:
> > >> Synopsis:        "1Password X" extension on Firefox shows 0 passwords
> > >> Category:
> > >> Environment:
> > >   System      : OpenBSD 6.6
> > >   Details     : OpenBSD 6.6-current (GENERIC.MP) #565: Tue Dec 24 13:18:50 MST 2019
> > >                    dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
> > > 
> > >   Architecture: OpenBSD.amd64
> > >   Machine     : amd64
> > >> Description:
> > >   When logging into the 1Password X extension, you'll see a brief flash
> > >   of your vault items (passwords), but after ~100ms they disappear and
> > >   are replaced with the text "No items in this vault." As a result I'm
> > >   unable to access any of my passwords on any OpenBSD device running
> > >   -current.
> > > 
> > >   After communicating with a 1Password dev, he confirmed that all
> > >   1Password X storage is within Firefox's cache visible in about:cache.
> > > 
> > >   If it helps debug, Chrome also experiences this same issue, but it has
> > >   been a problem in Chrome for longer.
> > >> How-To-Repeat:
> > >   Install Firefox and the 1Password X extension. Save a password (vault
> > >   item) into the extension. Log into the extension. You'll see the vault
> > >   item briefly flash onto the screen then disappear.
> > >> Fix:
> > >   Unknown. Initially I thought this could be related to the unveil
> > >   changes that happened around the same time, since Chrome also has the
> > >   same issue. I modified the /etc/firefox/unveil.main file to have
> > >   `/ rwc` for testing but that did not change the behavior. I found no
> > >   indications of a pledge-permission problem in dmesg.
> > >
> >
> > you want to try disabling unveil and pledge first, but adding / rwc
> > is not the correct way to do so.
> >
> > disabling unveil/pledge is explained in the pkg-readme firefox file
> > installed under /usr/local/share/doc/pkg-readmes/firefox
> 
> I don't have that directory on my machine. `man firefox` was the first
> place I looked, however it doesn't mention anything about pledge/unveil
> (or much of anything outside of flags), and SEE ALSO was not helpful.

Here are the contents, however something is strangely wrong with your
installation if you have installed firefox from ports/packages and this
doesn't exist.

$ cat /usr/local/share/doc/pkg-readmes/firefox
$OpenBSD: README,v 1.25 2019/12/03 17:00:46 landry Exp $

+-----------------------------------------------------------------------
| Running firefox on OpenBSD
+-----------------------------------------------------------------------

If you encounter strange problems relating to bookmarks, downloads,
window placement, toolbars, history, or other settings, it is
recommended that you create a new profile and attempt to
reproduce the problem before filing bugs.  To create a new profile,
start Firefox with the -ProfileManager switch, e.g.
firefox -ProfileManager, and click "Create Profile".

If Firefox doesn't start at all, try starting it with -safe-mode
switch, which disables extensions and themes for your session.

pledge(2) and unveil(2) Support
===============================
Firefox on OpenBSD is secured with pledge(2) and unveil(2) to limit
the system calls and filesystem access that each of Firefox's three
process types (main, content, and GPU) is permitted.  By default,
only ~/Downloads and /tmp can be written to when downloading files,
or when viewing local files as file:// URLs.

Files containing pledge promises and unveil paths and permissions
for each type of process are located in
/usr/local/lib/firefox/browser/defaults/preferences/.
Each file can be overridden by copying it to /etc/firefox/
and modifying it.

3rd-Party MIME Handlers
=======================
Due to unveil(2) limiting filesystem access, only the default MIME
handler registered for a given type can be chosen when opening a
downloaded file.  For example, to use the mupdf package to read
PDFs, it must be registered as the default with XDG:

        $ xdg-mime default mupdf.desktop application/pdf

The current default for a given type can be viewed with xdg-mime's
query command:

        $ xdg-mime query default application/pdf

The older mailcap-format handlers are also supported, but the path
being executed must be explicitly added to the unveil.main file
with "rx" permissions.  For example, a ~/.mailcap file specifying:

        application/pdf; /usr/local/bin/xpdf %s

must have "/usr/local/bin/xpdf rx" added to unveil.main for it to
appear as an option in the "Open With" drop-down.

Using mailto: links
===================
To enable mailto: links in Firefox to open in your mail program,
you may have to set a mailto protocol handler. Type "about:config"
in Firefox's URL text field.  Type "mailto" in the filter.  If there
is a string called "network.protocol-handler.app.mailto", its value
names the application for mailto URLs. If present, right click,
choose Modify, and enter the path to your mail program, e.g.,
"/usr/local/bin/thunderbird" or "/usr/local/bin/kmail" (other
programs may work, but these two have been tested).  If absent,
right click, choose New String. Set the name to
"network.protocol-handler.app.mailto" and the value to the path to
your mailer.

Debugging
=========
If you encounter crashes, you might want to build the debug FLAVOR of
this package, and run firefox inside egdb, so that you can gather
debugging logs and traces (for all threads!).

If this is a pledge violation, you should figure out which codepath
in which process leads to calling a forbidden syscall, and which pledge
is missing from the sets configured according to the section above.
Setting MOZ_LOG=OpenBSDSandbox:5 should help.  Bug reports without
enough information will be ignored.

To disable pledge and/or unveil support when troubleshooting, set the
corresponding pledge or unveil file in
/etc/firefox/{unveil,pledge}.{main,content,gpu} to contain
just "disable".

D-BUS
=====
For proper integration with various desktop-oriented components, firefox
needs a session bus instance running.
If you're not running a desktop environment that takes care of it,
refer to /usr/local/share/doc/pkg-readmes/dbus-* to configure your
session startup script to start one.
Without a session bus running, the port is faking one (see
https://bugzilla.mozilla.org/show_bug.cgi?id=1466593), but GLIB might still try
to spawn one which might lead to a 'proc' pledge violation in the content
process.

HTML5 audio/video support
=========================
For a full multimedia experience, such as playing MP3 audio or MPEG
videos, install the "ffmpeg" package. It will be used at runtime if
firefox finds it.

# pkg_add ffmpeg

WebRTC support
==============
For WebRTC to properly work, it is required to enable audio recording:

# sysctl kern.audio.record=1

It is also required to change the ownership of the video(4) device so that your
regular user can access the webcam device.

# chown youruser /dev/video0

KerberosV support
=================
To use Kerberized Firefox, first manually install the "heimdal" package
and configure the Kerberos client.

Firefox will load the libraries at runtime if required. On OpenBSD, they
are installed in a non-standard location; to allow Firefox to find them,
either set LD_LIBRARY_PATH=/usr/local/heimdal/lib in your environment
(possibly via a shell alias or wrapper script if you only want to
set this for Firefox), or modify 'shlib_dirs' in /etc/rc.conf.local.

To instruct Firefox to use Kerberos for specific domains, open
'about:config' and modify the following key:

network.negotiate-auth.trusted-uris: .example.com

Graphic Acceleration
====================
By default on unices the OpenGL acceleration is disabled. One can enable it by
setting MOZ_ACCELERATED=1 in the environment, or by switching the about:config
layers.acceleration.force-enable knob to true.  Check the 'Decision log'
section in about:support to see whether HW_COMPOSITING and OPENGL_COMPOSITING
are enabled.

Similarly, for the rust-based WebRender compositor, it is enabled by setting
MOZ_WEBRENDER=1 in the environment, or by switching the about:config
gfx.webrender.enabled knob to true. Check it is enabled in the 'Features'
section of about:support. For this feature, WebGL2 is necessary, so your
hardware must support at least OpenGL 4.

Check
https://wiki.mozilla.org/Platform/GFX/Quantum_Render for more details.
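
Added example, not part of the original message or of the OpenBSD port: a small sh function that reports which of the /etc/firefox/{unveil,pledge}.{main,content,gpu} overrides described in the README are set to "disable" or unveil "/" (as with the "/ rwc" test above), so troubleshooting changes are not left in place. It assumes one "path perms" entry per line and that "#" starts a comment; the demo files are constructed.

```shell
#!/bin/sh
# Audit Firefox sandbox override files (added example, not the port's code).
# Assumptions: overrides live in $1 (default /etc/firefox); '#' starts a
# comment; unveil entries are "path perms", one per line.
audit_firefox_sandbox() {
    dir=${1:-/etc/firefox}
    findings=0
    for kind in unveil pledge; do
        for proc in main content gpu; do
            f="$dir/$kind.$proc"
            if [ ! -f "$f" ]; then
                # No override: the packaged defaults apply.
                echo "$kind.$proc: default (no override)"
                continue
            fi
            # Drop comments, surrounding whitespace and blank lines.
            body=$(sed -e 's/#.*//' -e 's/^[[:space:]]*//' \
                       -e 's/[[:space:]]*$//' -e '/^$/d' "$f")
            if [ "$body" = "disable" ]; then
                # File contains just "disable": this protection is off.
                echo "$kind.$proc: DISABLED"
                findings=$((findings + 1))
            elif [ "$kind" = unveil ] &&
                printf '%s\n' "$body" | grep -Eq '^/[[:space:]]+[rwxc]+$'; then
                # Whole filesystem exposed to this process type.
                echo "$kind.$proc: BROAD (unveils /)"
                findings=$((findings + 1))
            else
                echo "$kind.$proc: custom override"
            fi
        done
    done
    # Exit status 0 only when nothing is disabled or over-broad.
    [ "$findings" -eq 0 ]
}

# Demo on constructed files (not real system state).
demo=$(mktemp -d)
echo disable > "$demo/pledge.content"
printf '# constructed test entry\n/ rwc\n' > "$demo/unveil.main"
audit_firefox_sandbox "$demo" || echo "troubleshooting overrides still in place"
rm -rf "$demo"
```

Calling audit_firefox_sandbox with no argument checks /etc/firefox on the running system.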
