And of course the patch got mangled...
Index: Makefile =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /cvs/ports/www/mozilla-firefox/Makefile,v retrieving revision 1.394 diff -u -p -u -p -r1.394 Makefile --- Makefile 18 Sep 2019 16:58:05 -0000 1.394 +++ Makefile 20 Sep 2019 02:13:42 -0000 @@ -10,6 +10,8 @@ MOZILLA_BRANCH =3D release MOZILLA_PROJECT =3D firefox MOZILLA_CODENAME =3D browser =20 +REVISION =3D 0 + WRKDIST =3D ${WRKDIR}/${MOZILLA_DIST}-${MOZILLA_DIST_VERSION:C/b[0-9]*//} HOMEPAGE =3D https://www.mozilla.org/firefox/ SO_VERSION =3D 84.0 Index: patches/patch-browser_app_profile_firefox_js =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: patches/patch-browser_app_profile_firefox_js diff -N patches/patch-browser_app_profile_firefox_js --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ patches/patch-browser_app_profile_firefox_js 20 Sep 2019 02:13:42 -0000 
@@ -0,0 +1,33 @@ +$OpenBSD$ + +sandbox GPU process on OpenBSD with pledge() +https://bugzilla.mozilla.org/show_bug.cgi?id=3D1580268 + +enhance sandbox on OpenBSD with unveil() +https://bugzilla.mozilla.org/show_bug.cgi?id=3D1580271 + +Index: browser/app/profile/firefox.js +--- browser/app/profile/firefox.js.orig ++++ browser/app/profile/firefox.js +@@ -1130,11 +1130,18 @@ pref("security.sandbox.content.syscall_whitelist",= "") + #endif +=20 + #if defined(XP_OPENBSD) && defined(MOZ_SANDBOX) ++pref("security.sandbox.content.level", 1); ++ + // default pledge strings for the main & content processes, cf bug 1457092 +-// broad list for now, has to be refined over time + pref("security.sandbox.pledge.main", "stdio rpath wpath cpath inet proc e= xec prot_exec flock ps sendfd recvfd dns vminfo tty drm unix fattr getpw mc= ast"); +-pref("security.sandbox.content.level", 1); +-pref("security.sandbox.pledge.content", "stdio rpath wpath cpath inet rec= vfd sendfd prot_exec unix drm ps"); ++pref("security.sandbox.pledge.content", "stdio rpath wpath cpath recvfd s= endfd prot_exec unix drm ps"); ++// and for gpu, bug 1580268 ++pref("security.sandbox.pledge.gpu", "stdio rpath wpath cpath ps sendfd re= cvfd drm dns unix prot_exec"); ++ ++// default file paths unveiled to each process, bug 1580271 ++pref("security.sandbox.unveil.main", "/dev/urandom r,/dev/video rw,/etc/f= onts r,/etc/machine-id r,/etc/mailcap r,/tmp rwc,/usr/bin/lpr rx,/usr/local= /bin/gio-launch-desktop rx,/usr/local/lib r,/usr/local/firefox r,/usr/local= /lib/firefox rx,/usr/local/share r,/usr/share/locale r,/var/cache/fontconfi= g r,/usr/X11R6/lib r,/usr/X11R6/share r,/var/run rw,~/.XCompose r,~/.Xautho= rity r,~/.Xdefaults r,~/.fontconfig r,~/.fonts r,~/.fonts.conf r,~/.fonts.c= onf.d r,~/.icons r,~/.mailcap r,~/.mime.types r,~/.mozilla rwc,~/.pki rwc,~= /.sndio rwc,~/.terminfo r,$XDG_CACHE_HOME/dconf rwc,$XDG_CACHE_HOME/thumbna= ils rwc,$XDG_CONFIG_HOME/dconf r,$XDG_CONFIG_HOME/fontconfig r,$XDG_CONFIG_= 
HOME/gtk-3.0 r,$XDG_CONFIG_HOME/mimeapps.list r,$XDG_CONFIG_HOME/mozilla rw= c,$XDG_CONFIG_HOME/user-dirs.dirs r,$XDG_DATA_HOME/applications rwc,$XDG_DA= TA_HOME/applnk r,$XDG_DATA_HOME/fonts r,$XDG_DATA_HOME/glib-2.0 r,$XDG_DATA= _HOME/icons r,$XDG_DATA_HOME/mime r,$XDG_DATA_HOME/recently-used.xbel rwc,$= XDG_DATA_HOME/themes r,~/Downloads rwc"); ++pref("security.sandbox.unveil.content", "/dev/drm0 rw,/etc/fonts r,/etc/m= achine-id r,/tmp rwc,/usr/local/lib r,/usr/local/firefox r,/usr/local/lib/f= irefox rx,/usr/local/share r,/usr/share/locale r,/var/cache/fontconfig r,/u= sr/X11R6/lib r,/usr/X11R6/share r,/var/run rw,~/.XCompose r,~/.Xauthority r= ,~/.Xdefaults r,~/.fontconfig r,~/.fonts r,~/.fonts.conf r,~/.fonts.conf.d = r,~/.icons r,~/.mozilla rwc,~/.pki rwc,~/.sndio rwc,~/.terminfo r,$XDG_CACH= E_HOME/dconf rwc,$XDG_CACHE_HOME/thumbnails rwc,$XDG_CONFIG_HOME/dconf r,$X= DG_CONFIG_HOME/fontconfig r,$XDG_CONFIG_HOME/gtk-3.0 r,$XDG_CONFIG_HOME/mim= eapps.list r,$XDG_CONFIG_HOME/mozilla rwc,$XDG_CONFIG_HOME/user-dirs.dirs r= ,$XDG_DATA_HOME/applications r,$XDG_DATA_HOME/applnk r,$XDG_DATA_HOME/fonts= r,$XDG_DATA_HOME/glib-2.0 r,$XDG_DATA_HOME/icons r,$XDG_DATA_HOME/mime r,$= XDG_DATA_HOME/themes r,~/Downloads r"); ++pref("security.sandbox.unveil.gpu", "/dev/drm0 rw,/tmp rwc,/usr/local/lib= /firefox r,/usr/local/lib/gdk-pixbuf-2.0 r,/usr/X11R6/lib r,/usr/share/loca= le r,/usr/local/share r,~/.Xauthority r"); + #endif +=20 + #if defined(MOZ_SANDBOX) Index: patches/patch-dom_ipc_ContentChild_cpp =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: patches/patch-dom_ipc_ContentChild_cpp diff -N patches/patch-dom_ipc_ContentChild_cpp --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ patches/patch-dom_ipc_ContentChild_cpp 20 Sep 2019 02:13:42 -0000 
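Review bot: The new `security.sandbox.unveil.content` default grants the content process `~/.mozilla rwc` and `$XDG_CONFIG_HOME/mozilla rwc` (plus `~/.pki rwc` and `/tmp rwc`), i.e. write-create access to the whole profile directory, which is the broadest entry in the list and the one that most limits what the unveil layer adds over pledge alone for web-content processes. If the profile grant is required (presumably for cache/storage subdirectories — not verifiable from this hunk), a comment above the pref saying so, e.g. `// content needs rwc on the profile dir for cache/storage; narrow this if those paths move`, would keep the next person from silently widening or trimming it. The `security.sandbox.pledge.content` string also drops `inet` relative to the removed line, which deserves a mention in the patch header since it is a behavior change beyond the GPU and unveil additions named there.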
@@ -0,0 +1,170 @@ +$OpenBSD$ + +sandbox GPU process on OpenBSD with pledge() +https://bugzilla.mozilla.org/show_bug.cgi?id=3D1580268 + +enhance sandbox on OpenBSD with unveil() +https://bugzilla.mozilla.org/show_bug.cgi?id=3D1580271 + +Index: dom/ipc/ContentChild.cpp +--- dom/ipc/ContentChild.cpp.orig ++++ dom/ipc/ContentChild.cpp +@@ -126,6 +126,7 @@ + # include "mozilla/Sandbox.h" + # elif defined(__OpenBSD__) + # include <unistd.h> ++# include "SpecialSystemDirectory.h" + # endif + #endif +=20 +@@ -4048,47 +4049,132 @@ void ContentChild::HoldBrowsingContextGroup(Brows= ingCo + } // namespace dom +=20 + #if defined(__OpenBSD__) && defined(MOZ_SANDBOX) +-# include <unistd.h> +=20 + static LazyLogModule sPledgeLog("SandboxPledge"); +=20 + bool StartOpenBSDSandbox(GeckoProcessType type) { + nsAutoCString promisesString; + nsAutoCString processTypeString; ++ nsAutoCString unveilString; +=20 + switch (type) { + case GeckoProcessType_Default: + processTypeString =3D "main"; + Preferences::GetCString("security.sandbox.pledge.main", promisesStr= ing); ++ Preferences::GetCString("security.sandbox.unveil.main", unveilStrin= g); + break; +=20 + case GeckoProcessType_Content: + processTypeString =3D "content"; +- Preferences::GetCString("security.sandbox.pledge.content", +- promisesString); ++ Preferences::GetCString("security.sandbox.pledge.content", promises= String); ++ Preferences::GetCString("security.sandbox.unveil.content", unveilSt= ring); + break; +=20 ++ case GeckoProcessType_GPU: ++ processTypeString =3D "gpu"; ++ Preferences::GetCString("security.sandbox.pledge.gpu", promisesStri= ng); ++ Preferences::GetCString("security.sandbox.unveil.gpu", unveilString= ); ++ break; ++ + default: + MOZ_ASSERT(false, "unknown process type"); + return false; +- }; ++ } +=20 +- if (pledge(promisesString.get(), NULL) =3D=3D -1) { +- if (errno =3D=3D EINVAL) { +- MOZ_LOG(sPledgeLog, LogLevel::Error, +- ("pledge promises for %s process is a malformed string: '%s= '\n", +- 
processTypeString.get(), promisesString.get())); +- } else if (errno =3D=3D EPERM) { +- MOZ_LOG( +- sPledgeLog, LogLevel::Error, +- ("pledge promises for %s process can't elevate privileges: '%s'= \n", +- processTypeString.get(), promisesString.get())); ++ if (!PR_GetEnv("MOZ_DISABLE_UNVEIL")) { ++ nsresult rv; ++ ++ nsCOMPtr<nsIFile> homeDir; ++ rv =3D GetSpecialSystemDirectory(Unix_HomeDirectory, getter_AddRefs(h= omeDir)); ++ if (NS_FAILED(rv)) { ++ mozilla::ipc::FatalError("failed getting home directory", false); + } +- return false; +- } else { +- MOZ_LOG(sPledgeLog, LogLevel::Debug, +- ("pledged %s process with promises: '%s'\n", ++ ++ bool anyUnveils =3D false; ++ ++ for (const nsACString& tChunk : unveilString.Split(',')) { ++ nsAutoCString chunk; ++ chunk.Append(tChunk); ++ ++ chunk.CompressWhitespace(true, true); ++ if (chunk.IsEmpty()) { ++ continue; ++ } ++ ++ int32_t space =3D chunk.FindChar(' '); ++ if (space <=3D 0) { ++ mozilla::ipc::FatalError(nsPrintfCString("%s: invalid unveil " ++ "format \"%s\"", PromiseFlatCString(processTypeString).get(), ++ chunk.get()).get(), false); ++ } ++ ++ nsCString uPath(Substring(chunk, 0, space)); ++ nsCString perms(Substring(chunk, space + 1, chunk.Length() - space = - 1)); ++ ++ // Expand $XDG_CONFIG_HOME to the environment variable, or ~/.config ++ nsCString xdgConfigHome(PR_GetEnv("XDG_CONFIG_HOME")); ++ if (xdgConfigHome.IsEmpty()) { ++ xdgConfigHome =3D "~/.config"; ++ } ++ uPath.ReplaceSubstring("$XDG_CONFIG_HOME", xdgConfigHome.get()); ++ ++ // Expand $XDG_CACHE_HOME to the environment variable, or ~/.cache ++ nsCString xdgCacheHome(PR_GetEnv("XDG_CACHE_HOME")); ++ if (xdgCacheHome.IsEmpty()) { ++ xdgCacheHome =3D "~/.cache"; ++ } ++ uPath.ReplaceSubstring("$XDG_CACHE_HOME", xdgCacheHome.get()); ++ ++ // Expand $XDG_DATA_HOME to the environment variable, or ~/.local/s= hare ++ nsCString xdgDataHome(PR_GetEnv("XDG_DATA_HOME")); ++ if (xdgDataHome.IsEmpty()) { ++ xdgDataHome =3D "~/.local/share"; ++ } ++ 
uPath.ReplaceSubstring("$XDG_DATA_HOME", xdgDataHome.get()); ++ ++ // Expand leading ~ to the user's home directory ++ if (uPath.FindChar('~') =3D=3D 0) { ++ nsCString tHome(homeDir->NativePath()); ++ tHome.Append(Substring(uPath, 1, uPath.Length() - 1)); ++ uPath =3D tHome.get(); ++ } ++ ++ MOZ_LOG(sPledgeLog, LogLevel::Debug, ("%s: unveil(%s, %s)\n", ++ processTypeString.get(), uPath.get(), perms.get())); ++ int ret =3D unveil(uPath.get(), perms.get()); ++ if (ret !=3D 0 && ret !=3D ENOENT) { ++ mozilla::ipc::FatalError(nsPrintfCString("%s: unveil(%s, %s) fail= ed: %d", ++ processTypeString.get(), uPath.get(), perms.get(), errno).get(), ++ false); ++ } ++ ++ anyUnveils =3D true; ++ } ++ ++ if (!anyUnveils) { ++ mozilla::ipc::FatalError(nsPrintfCString("failed parsing unveil str= ing " ++ "\"%s\"", unveilString.get()).get(), false); ++ } ++ } ++ ++ if (!PR_GetEnv("MOZ_DISABLE_PLEDGE")) { ++ if (pledge(promisesString.get(), nullptr) =3D=3D -1) { ++ if (errno =3D=3D EINVAL) { ++ MOZ_LOG(sPledgeLog, LogLevel::Error, ++ ("pledge promises for %s process is a malformed string: '= %s'\n", ++ processTypeString.get(), promisesString.get())); ++ } else if (errno =3D=3D EPERM) { ++ MOZ_LOG( ++ sPledgeLog, LogLevel::Error, ++ ("pledge promises for %s process can't elevate privileges: '%= s'\n", + processTypeString.get(), promisesString.get())); ++ } ++ return false; ++ } else { ++ MOZ_LOG(sPledgeLog, LogLevel::Debug, ++ ("pledged %s process with promises: '%s'\n", ++ processTypeString.get(), promisesString.get())); ++ } + } + return true; + } Index: patches/patch-gfx_ipc_GPUParent_cpp =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: patches/patch-gfx_ipc_GPUParent_cpp diff -N patches/patch-gfx_ipc_GPUParent_cpp 
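Review bot: The unveil(2) result check in the loop, `if (ret != 0 && ret != ENOENT)`, compares the return value instead of errno: unveil returns -1 on any failure, so `ret != ENOENT` is always true and a listed path that does not exist (e.g. `/dev/video` on a machine without one) becomes a FatalError rather than being skipped as the code apparently intends. The check should read `if (unveil(uPath.get(), perms.get()) == -1 && errno != ENOENT) {` so that only genuine failures are fatal. A second caveat: nothing seals the unveil list after the loop — it is only locked by the later pledge() call, so with MOZ_DISABLE_PLEDGE set (or on the `return false` path after a pledge failure, depending on what the caller does with it) the process retains the ability to call unveil() again; a trailing `unveil(nullptr, nullptr);` once `anyUnveils` is true would make the filesystem view final regardless of the pledge path. The three XDG environment lookups are loop-invariant and could be hoisted above the `for` to avoid re-reading the environment per chunk.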
--- /dev/null 1 Jan 1970 00:00:00 -0000 +++ patches/patch-gfx_ipc_GPUParent_cpp 20 Sep 2019 02:13:42 -0000 @@ -0,0 +1,28 @@ +$OpenBSD$ + +sandbox GPU process on OpenBSD with pledge() +https://bugzilla.mozilla.org/show_bug.cgi?id=3D1580268 + +Index: gfx/ipc/GPUParent.cpp +--- gfx/ipc/GPUParent.cpp.orig ++++ gfx/ipc/GPUParent.cpp +@@ -57,6 +57,8 @@ + # include "mozilla/WindowsVersion.h" + # include <process.h> + # include <dwrite.h> ++#elif defined(__OpenBSD__) && defined(MOZ_SANDBOX) ++# include "mozilla/SandboxSettings.h" + #endif + #ifdef MOZ_WIDGET_GTK + # include <gtk/gtk.h> +@@ -122,6 +124,10 @@ bool GPUParent::Init(base::ProcessId aParentPid, const + mlg::InitializeMemoryReporters(); + #if defined(XP_WIN) + DeviceManagerDx::Init(); ++#endif ++ ++#if defined(__OpenBSD__) && defined(MOZ_SANDBOX) ++ StartOpenBSDSandbox(GeckoProcessType_GPU); + #endif +=20 + CompositorThreadHolder::Start(); Index: patches/patch-toolkit_system_gnome_nsGIOService_cpp =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: patches/patch-toolkit_system_gnome_nsGIOService_cpp diff -N patches/patch-toolkit_system_gnome_nsGIOService_cpp --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ patches/patch-toolkit_system_gnome_nsGIOService_cpp 20 Sep 2019 02:13:4= 2 -0000 
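Review bot: The return value of `StartOpenBSDSandbox(GeckoProcessType_GPU);` is discarded, and that function (see patch-dom_ipc_ContentChild_cpp) returns false when pledge(2) fails, e.g. on EINVAL from a malformed `security.sandbox.pledge.gpu` string, so a GPU process whose sandbox did not apply carries on initializing with only a log line to show for it. Checking it, `if (!StartOpenBSDSandbox(GeckoProcessType_GPU)) { return false; }`, would match the fail-closed handling the unveil path already gets via FatalError; whether failing Init is the right failure mode here cannot be confirmed from this hunk. GPUParent::Init begins and ends outside the hunk.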
@@ -0,0 +1,29 @@ +$OpenBSD$ + +enhance sandbox on OpenBSD with unveil() +https://bugzilla.mozilla.org/show_bug.cgi?id=3D1580271 + +Index: toolkit/system/gnome/nsGIOService.cpp +--- toolkit/system/gnome/nsGIOService.cpp.orig ++++ toolkit/system/gnome/nsGIOService.cpp +@@ -497,7 +497,20 @@ nsGIOService::GetAppForMimeType(const nsACString& aMim + return NS_ERROR_NOT_AVAILABLE; + } +=20 ++#if defined(__OpenBSD__) && defined(MOZ_SANDBOX) ++ // g_app_info_get_default_for_type will fail on OpenBSD's veiled filesy= stem ++ // since we most likely don't have direct access to the binaries that a= re ++ // registered as defaults for this type. Fake it up by just executing ++ // xdg-open via gio-launch-desktop (which we do have access to) and let= ting ++ // it figure out which program to execute for this MIME type ++ GAppInfo* app_info =3D g_app_info_create_from_commandline( ++ "/usr/local/bin/xdg-open", ++ nsPrintfCString("System default for %s", content_type).get(), ++ G_APP_INFO_CREATE_NONE, NULL); ++#else + GAppInfo* app_info =3D g_app_info_get_default_for_type(content_type, fa= lse); ++#endif ++ + if (app_info) { + nsGIOMimeApp* mozApp =3D new nsGIOMimeApp(app_info); + NS_ENSURE_TRUE(mozApp, NS_ERROR_OUT_OF_MEMORY); Index: pkg/README =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /cvs/ports/www/mozilla-firefox/pkg/README,v retrieving revision 1.24 diff -u -p -u -p -r1.24 README --- pkg/README 11 Jun 2019 06:01:20 -0000 1.24 +++ pkg/README 20 Sep 2019 02:13:42 -0000 
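Review bot: The fallback hard-codes `/usr/local/bin/xdg-open`, but the default `security.sandbox.unveil.main` list in patch-browser_app_profile_firefox_js unveils `/usr/local/bin/gio-launch-desktop rx` and not xdg-open itself; if unveil(2) restrictions survive the exec of the launcher (the README's mailcap guidance assumes they do), xdg-open would be hidden and the launch would fail, so either that path belongs in the list or the comment should say why it does not. The `NULL` error argument also drops the GError from g_app_info_create_from_commandline; passing one and logging it when the result is null would make such failures visible, and `nullptr` is what the ContentChild patch in the same commit uses. GetAppForMimeType starts before the hunk and continues after it.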
@@ -28,6 +28,46 @@ right click, choose New String. Set the=20 "network.protocol-handler.app.mailto" and the value to the path to your mailer. =20 +pledge(2) and unveil(2) Support +=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D +Firefox on OpenBSD is secured with pledge(2) and unveil(2) to limit +the system calls and filesystem access that each of Firefox's three +process types (main, content, and GPU) is permitted. By default, +only ~/Downloads and /tmp can be written to when downloading files, +or viewing them as file:// URLs. + +To add a specific path as writable for downloads, add it to the +security.sandbox.unveil.main about:config key with "rw" permissions. +To add a directory from which files can be uploaded, add it with just +the "r" permission. +To add a path that can be viewed as a file:// URL, it must also be +added to the security.sandbox.unveil.content about:config key with +"r" permissions. + +3rd-Party MIME Handlers +=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D +Due to unveil(2) limiting filesystem access, only the default MIME +handler registered for a given type can be chosen when opening a +downloaded file. For example, to use the mupdf package to read +PDFs, it must be registered as the default with XDG: + + $ xdg-mime default mupdf.desktop application/pdf + +The current default for a given type can be viewed with xdg-mime's +query command: + + $ xdg-mime query default application/pdf + +The older mailcap-format handlers are also supported, but the path +being executed must be explicitly added to the +security.sandbox.unveil.main about:config key with "rx" permissions. +For example, a ~/.mailcap file specifying: + + application/pdf; /usr/local/bin/xpdf %s + +must have "/usr/local/bin/xpdf rx" added to the unveil list for it to +appear as an option in the "Open With" drop-down. 
+ Debugging =3D=3D=3D=3D=3D=3D=3D=3D=3D If you encounter crashes, you might want to build the debug FLAVOR of @@ -35,9 +75,10 @@ this package, and run firefox inside egd debugging logs and traces (for all threads!). If this is a pledge violation, you should figure out which codepath in which process leads to calling a forbidden syscall, and which pledge -is missing from the two default sets configured in -security.sandbox.pledge.main and security.sandbox.pledge.content -about:config keys. MOZ_LOG=3DSandboxPledge:5 should help. +is missing from the three default sets configured in +security.sandbox.pledge.main, security.sandbox.pledge.content, and +security.sandbox.pledge.gpu about:config keys. +MOZ_LOG=3DSandboxPledge:5 should help. Bug reports without enough information will be ignored. =20 Note that if you're using NIS or your profile is located on a NFS share, @@ -49,6 +90,10 @@ security.sandbox.pledge.content in about =20 If you're not running sndiod(8) you will need to add 'audio' to security.sandbox.pledge.main in about:config. + +To disable pledge support when troubleshooting, set the +MOZ_DISABLE_PLEDGE environment variable before starting Firefox. +Similarly, to disable unveil support, set MOZ_DISABLE_UNVEIL. =20 D-BUS =3D=3D=3D=3D=3D