And of course the patch got mangled...
Index: Makefile
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
RCS file: /cvs/ports/www/mozilla-firefox/Makefile,v
retrieving revision 1.394
diff -u -p -u -p -r1.394 Makefile
--- Makefile 18 Sep 2019 16:58:05 -0000 1.394
+++ Makefile 20 Sep 2019 02:13:42 -0000
@@ -10,6 +10,8 @@ MOZILLA_BRANCH =3D release
MOZILLA_PROJECT =3D firefox
MOZILLA_CODENAME =3D browser
=20
+REVISION =3D 0
+
WRKDIST =3D ${WRKDIR}/${MOZILLA_DIST}-${MOZILLA_DIST_VERSION:C/b[0-9]*//}
HOMEPAGE =3D https://www.mozilla.org/firefox/
SO_VERSION =3D 84.0
Index: patches/patch-browser_app_profile_firefox_js
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
RCS file: patches/patch-browser_app_profile_firefox_js
diff -N patches/patch-browser_app_profile_firefox_js
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-browser_app_profile_firefox_js 20 Sep 2019 02:13:42
-0000
@@ -0,0 +1,33 @@
+$OpenBSD$
+
+sandbox GPU process on OpenBSD with pledge()
+https://bugzilla.mozilla.org/show_bug.cgi?id=3D1580268
+
+enhance sandbox on OpenBSD with unveil()
+https://bugzilla.mozilla.org/show_bug.cgi?id=3D1580271
+
+Index: browser/app/profile/firefox.js
+--- browser/app/profile/firefox.js.orig
++++ browser/app/profile/firefox.js
+@@ -1130,11 +1130,18 @@ pref("security.sandbox.content.syscall_whitelist",=
"")
+ #endif
+=20
+ #if defined(XP_OPENBSD) && defined(MOZ_SANDBOX)
++pref("security.sandbox.content.level", 1);
++
+ // default pledge strings for the main & content processes, cf bug 1457092
+-// broad list for now, has to be refined over time
+ pref("security.sandbox.pledge.main", "stdio rpath wpath cpath inet proc e=
xec prot_exec flock ps sendfd recvfd dns vminfo tty drm unix fattr getpw mc=
ast");
+-pref("security.sandbox.content.level", 1);
+-pref("security.sandbox.pledge.content", "stdio rpath wpath cpath inet rec=
vfd sendfd prot_exec unix drm ps");
++pref("security.sandbox.pledge.content", "stdio rpath wpath cpath recvfd s=
endfd prot_exec unix drm ps");
++// and for gpu, bug 1580268
++pref("security.sandbox.pledge.gpu", "stdio rpath wpath cpath ps sendfd re=
cvfd drm dns unix prot_exec");
++
++// default file paths unveiled to each process, bug 1580271
++pref("security.sandbox.unveil.main", "/dev/urandom r,/dev/video rw,/etc/f=
onts r,/etc/machine-id r,/etc/mailcap r,/tmp rwc,/usr/bin/lpr rx,/usr/local=
/bin/gio-launch-desktop rx,/usr/local/lib r,/usr/local/firefox r,/usr/local=
/lib/firefox rx,/usr/local/share r,/usr/share/locale r,/var/cache/fontconfi=
g r,/usr/X11R6/lib r,/usr/X11R6/share r,/var/run rw,~/.XCompose r,~/.Xautho=
rity r,~/.Xdefaults r,~/.fontconfig r,~/.fonts r,~/.fonts.conf r,~/.fonts.c=
onf.d r,~/.icons r,~/.mailcap r,~/.mime.types r,~/.mozilla rwc,~/.pki rwc,~=
/.sndio rwc,~/.terminfo r,$XDG_CACHE_HOME/dconf rwc,$XDG_CACHE_HOME/thumbna=
ils rwc,$XDG_CONFIG_HOME/dconf r,$XDG_CONFIG_HOME/fontconfig r,$XDG_CONFIG_=
HOME/gtk-3.0 r,$XDG_CONFIG_HOME/mimeapps.list r,$XDG_CONFIG_HOME/mozilla rw=
c,$XDG_CONFIG_HOME/user-dirs.dirs r,$XDG_DATA_HOME/applications rwc,$XDG_DA=
TA_HOME/applnk r,$XDG_DATA_HOME/fonts r,$XDG_DATA_HOME/glib-2.0 r,$XDG_DATA=
_HOME/icons r,$XDG_DATA_HOME/mime r,$XDG_DATA_HOME/recently-used.xbel rwc,$=
XDG_DATA_HOME/themes r,~/Downloads rwc");
++pref("security.sandbox.unveil.content", "/dev/drm0 rw,/etc/fonts r,/etc/m=
achine-id r,/tmp rwc,/usr/local/lib r,/usr/local/firefox r,/usr/local/lib/f=
irefox rx,/usr/local/share r,/usr/share/locale r,/var/cache/fontconfig r,/u=
sr/X11R6/lib r,/usr/X11R6/share r,/var/run rw,~/.XCompose r,~/.Xauthority r=
,~/.Xdefaults r,~/.fontconfig r,~/.fonts r,~/.fonts.conf r,~/.fonts.conf.d =
r,~/.icons r,~/.mozilla rwc,~/.pki rwc,~/.sndio rwc,~/.terminfo r,$XDG_CACH=
E_HOME/dconf rwc,$XDG_CACHE_HOME/thumbnails rwc,$XDG_CONFIG_HOME/dconf r,$X=
DG_CONFIG_HOME/fontconfig r,$XDG_CONFIG_HOME/gtk-3.0 r,$XDG_CONFIG_HOME/mim=
eapps.list r,$XDG_CONFIG_HOME/mozilla rwc,$XDG_CONFIG_HOME/user-dirs.dirs r=
,$XDG_DATA_HOME/applications r,$XDG_DATA_HOME/applnk r,$XDG_DATA_HOME/fonts=
r,$XDG_DATA_HOME/glib-2.0 r,$XDG_DATA_HOME/icons r,$XDG_DATA_HOME/mime r,$=
XDG_DATA_HOME/themes r,~/Downloads r");
++pref("security.sandbox.unveil.gpu", "/dev/drm0 rw,/tmp rwc,/usr/local/lib=
/firefox r,/usr/local/lib/gdk-pixbuf-2.0 r,/usr/X11R6/lib r,/usr/share/loca=
le r,/usr/local/share r,~/.Xauthority r");
+ #endif
+=20
+ #if defined(MOZ_SANDBOX)
Index: patches/patch-dom_ipc_ContentChild_cpp
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
RCS file: patches/patch-dom_ipc_ContentChild_cpp
diff -N patches/patch-dom_ipc_ContentChild_cpp
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-dom_ipc_ContentChild_cpp 20 Sep 2019 02:13:42 -0000
@@ -0,0 +1,170 @@
+$OpenBSD$
+
+sandbox GPU process on OpenBSD with pledge()
+https://bugzilla.mozilla.org/show_bug.cgi?id=3D1580268
+
+enhance sandbox on OpenBSD with unveil()
+https://bugzilla.mozilla.org/show_bug.cgi?id=3D1580271
+
+Index: dom/ipc/ContentChild.cpp
+--- dom/ipc/ContentChild.cpp.orig
++++ dom/ipc/ContentChild.cpp
+@@ -126,6 +126,7 @@
+ # include "mozilla/Sandbox.h"
+ # elif defined(__OpenBSD__)
+ # include <unistd.h>
++# include "SpecialSystemDirectory.h"
+ # endif
+ #endif
+=20
+@@ -4048,47 +4049,132 @@ void ContentChild::HoldBrowsingContextGroup(Brows=
ingCo
+ } // namespace dom
+=20
+ #if defined(__OpenBSD__) && defined(MOZ_SANDBOX)
+-# include <unistd.h>
+=20
+ static LazyLogModule sPledgeLog("SandboxPledge");
+=20
+ bool StartOpenBSDSandbox(GeckoProcessType type) {
+ nsAutoCString promisesString;
+ nsAutoCString processTypeString;
++ nsAutoCString unveilString;
+=20
+ switch (type) {
+ case GeckoProcessType_Default:
+ processTypeString =3D "main";
+ Preferences::GetCString("security.sandbox.pledge.main", promisesStr=
ing);
++ Preferences::GetCString("security.sandbox.unveil.main", unveilStrin=
g);
+ break;
+=20
+ case GeckoProcessType_Content:
+ processTypeString =3D "content";
+- Preferences::GetCString("security.sandbox.pledge.content",
+- promisesString);
++ Preferences::GetCString("security.sandbox.pledge.content", promises=
String);
++ Preferences::GetCString("security.sandbox.unveil.content", unveilSt=
ring);
+ break;
+=20
++ case GeckoProcessType_GPU:
++ processTypeString =3D "gpu";
++ Preferences::GetCString("security.sandbox.pledge.gpu", promisesStri=
ng);
++ Preferences::GetCString("security.sandbox.unveil.gpu", unveilString=
);
++ break;
++
+ default:
+ MOZ_ASSERT(false, "unknown process type");
+ return false;
+- };
++ }
+=20
+- if (pledge(promisesString.get(), NULL) =3D=3D -1) {
+- if (errno =3D=3D EINVAL) {
+- MOZ_LOG(sPledgeLog, LogLevel::Error,
+- ("pledge promises for %s process is a malformed string: '%s=
'\n",
+- processTypeString.get(), promisesString.get()));
+- } else if (errno =3D=3D EPERM) {
+- MOZ_LOG(
+- sPledgeLog, LogLevel::Error,
+- ("pledge promises for %s process can't elevate privileges: '%s'=
\n",
+- processTypeString.get(), promisesString.get()));
++ if (!PR_GetEnv("MOZ_DISABLE_UNVEIL")) {
++ nsresult rv;
++
++ nsCOMPtr<nsIFile> homeDir;
++ rv =3D GetSpecialSystemDirectory(Unix_HomeDirectory, getter_AddRefs(h=
omeDir));
++ if (NS_FAILED(rv)) {
++ mozilla::ipc::FatalError("failed getting home directory", false);
+ }
+- return false;
+- } else {
+- MOZ_LOG(sPledgeLog, LogLevel::Debug,
+- ("pledged %s process with promises: '%s'\n",
++
++ bool anyUnveils =3D false;
++
++ for (const nsACString& tChunk : unveilString.Split(',')) {
++ nsAutoCString chunk;
++ chunk.Append(tChunk);
++
++ chunk.CompressWhitespace(true, true);
++ if (chunk.IsEmpty()) {
++ continue;
++ }
++
++ int32_t space =3D chunk.FindChar(' ');
++ if (space <=3D 0) {
++ mozilla::ipc::FatalError(nsPrintfCString("%s: invalid unveil "
++ "format \"%s\"", PromiseFlatCString(processTypeString).get(),
++ chunk.get()).get(), false);
++ }
++
++ nsCString uPath(Substring(chunk, 0, space));
++ nsCString perms(Substring(chunk, space + 1, chunk.Length() - space =
- 1));
++
++ // Expand $XDG_CONFIG_HOME to the environment variable, or ~/.config
++ nsCString xdgConfigHome(PR_GetEnv("XDG_CONFIG_HOME"));
++ if (xdgConfigHome.IsEmpty()) {
++ xdgConfigHome =3D "~/.config";
++ }
++ uPath.ReplaceSubstring("$XDG_CONFIG_HOME", xdgConfigHome.get());
++
++ // Expand $XDG_CACHE_HOME to the environment variable, or ~/.cache
++ nsCString xdgCacheHome(PR_GetEnv("XDG_CACHE_HOME"));
++ if (xdgCacheHome.IsEmpty()) {
++ xdgCacheHome =3D "~/.cache";
++ }
++ uPath.ReplaceSubstring("$XDG_CACHE_HOME", xdgCacheHome.get());
++
++ // Expand $XDG_DATA_HOME to the environment variable, or ~/.local/s=
hare
++ nsCString xdgDataHome(PR_GetEnv("XDG_DATA_HOME"));
++ if (xdgDataHome.IsEmpty()) {
++ xdgDataHome =3D "~/.local/share";
++ }
++ uPath.ReplaceSubstring("$XDG_DATA_HOME", xdgDataHome.get());
++
++ // Expand leading ~ to the user's home directory
++ if (uPath.FindChar('~') =3D=3D 0) {
++ nsCString tHome(homeDir->NativePath());
++ tHome.Append(Substring(uPath, 1, uPath.Length() - 1));
++ uPath =3D tHome.get();
++ }
++
++ MOZ_LOG(sPledgeLog, LogLevel::Debug, ("%s: unveil(%s, %s)\n",
++ processTypeString.get(), uPath.get(), perms.get()));
++ int ret =3D unveil(uPath.get(), perms.get());
++ if (ret !=3D 0 && ret !=3D ENOENT) {
++ mozilla::ipc::FatalError(nsPrintfCString("%s: unveil(%s, %s) fail=
ed: %d",
++ processTypeString.get(), uPath.get(), perms.get(), errno).get(),
++ false);
++ }
++
++ anyUnveils =3D true;
++ }
++
++ if (!anyUnveils) {
++ mozilla::ipc::FatalError(nsPrintfCString("failed parsing unveil str=
ing "
++ "\"%s\"", unveilString.get()).get(), false);
++ }
++ }
++
++ if (!PR_GetEnv("MOZ_DISABLE_PLEDGE")) {
++ if (pledge(promisesString.get(), nullptr) =3D=3D -1) {
++ if (errno =3D=3D EINVAL) {
++ MOZ_LOG(sPledgeLog, LogLevel::Error,
++ ("pledge promises for %s process is a malformed string: '=
%s'\n",
++ processTypeString.get(), promisesString.get()));
++ } else if (errno =3D=3D EPERM) {
++ MOZ_LOG(
++ sPledgeLog, LogLevel::Error,
++ ("pledge promises for %s process can't elevate privileges: '%=
s'\n",
+ processTypeString.get(), promisesString.get()));
++ }
++ return false;
++ } else {
++ MOZ_LOG(sPledgeLog, LogLevel::Debug,
++ ("pledged %s process with promises: '%s'\n",
++ processTypeString.get(), promisesString.get()));
++ }
+ }
+ return true;
+ }
Index: patches/patch-gfx_ipc_GPUParent_cpp
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
RCS file: patches/patch-gfx_ipc_GPUParent_cpp
diff -N patches/patch-gfx_ipc_GPUParent_cpp
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-gfx_ipc_GPUParent_cpp 20 Sep 2019 02:13:42 -0000
@@ -0,0 +1,28 @@
+$OpenBSD$
+
+sandbox GPU process on OpenBSD with pledge()
+https://bugzilla.mozilla.org/show_bug.cgi?id=3D1580268
+
+Index: gfx/ipc/GPUParent.cpp
+--- gfx/ipc/GPUParent.cpp.orig
++++ gfx/ipc/GPUParent.cpp
+@@ -57,6 +57,8 @@
+ # include "mozilla/WindowsVersion.h"
+ # include <process.h>
+ # include <dwrite.h>
++#elif defined(__OpenBSD__) && defined(MOZ_SANDBOX)
++# include "mozilla/SandboxSettings.h"
+ #endif
+ #ifdef MOZ_WIDGET_GTK
+ # include <gtk/gtk.h>
+@@ -122,6 +124,10 @@ bool GPUParent::Init(base::ProcessId aParentPid, const
+ mlg::InitializeMemoryReporters();
+ #if defined(XP_WIN)
+ DeviceManagerDx::Init();
++#endif
++
++#if defined(__OpenBSD__) && defined(MOZ_SANDBOX)
++ StartOpenBSDSandbox(GeckoProcessType_GPU);
+ #endif
+=20
+ CompositorThreadHolder::Start();
Index: patches/patch-toolkit_system_gnome_nsGIOService_cpp
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
RCS file: patches/patch-toolkit_system_gnome_nsGIOService_cpp
diff -N patches/patch-toolkit_system_gnome_nsGIOService_cpp
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-toolkit_system_gnome_nsGIOService_cpp 20 Sep 2019 02:13:4=
2 -0000
@@ -0,0 +1,29 @@
+$OpenBSD$
+
+enhance sandbox on OpenBSD with unveil()
+https://bugzilla.mozilla.org/show_bug.cgi?id=3D1580271
+
+Index: toolkit/system/gnome/nsGIOService.cpp
+--- toolkit/system/gnome/nsGIOService.cpp.orig
++++ toolkit/system/gnome/nsGIOService.cpp
+@@ -497,7 +497,20 @@ nsGIOService::GetAppForMimeType(const nsACString& aMim
+ return NS_ERROR_NOT_AVAILABLE;
+ }
+=20
++#if defined(__OpenBSD__) && defined(MOZ_SANDBOX)
++ // g_app_info_get_default_for_type will fail on OpenBSD's veiled filesy=
stem
++ // since we most likely don't have direct access to the binaries that a=
re
++ // registered as defaults for this type. Fake it up by just executing
++ // xdg-open via gio-launch-desktop (which we do have access to) and let=
ting
++ // it figure out which program to execute for this MIME type
++ GAppInfo* app_info =3D g_app_info_create_from_commandline(
++ "/usr/local/bin/xdg-open",
++ nsPrintfCString("System default for %s", content_type).get(),
++ G_APP_INFO_CREATE_NONE, NULL);
++#else
+ GAppInfo* app_info =3D g_app_info_get_default_for_type(content_type, fa=
lse);
++#endif
++
+ if (app_info) {
+ nsGIOMimeApp* mozApp =3D new nsGIOMimeApp(app_info);
+ NS_ENSURE_TRUE(mozApp, NS_ERROR_OUT_OF_MEMORY);
Index: pkg/README
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
RCS file: /cvs/ports/www/mozilla-firefox/pkg/README,v
retrieving revision 1.24
diff -u -p -u -p -r1.24 README
--- pkg/README 11 Jun 2019 06:01:20 -0000 1.24
+++ pkg/README 20 Sep 2019 02:13:42 -0000
@@ -28,6 +28,46 @@ right click, choose New String. Set the=20
"network.protocol-handler.app.mailto" and the value to the path to
your mailer.
=20
+pledge(2) and unveil(2) Support
+=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D
+Firefox on OpenBSD is secured with pledge(2) and unveil(2) to limit
+the system calls and filesystem access that each of Firefox's three
+process types (main, content, and GPU) is permitted. By default,
+only ~/Downloads and /tmp can be written to when downloading files,
+or viewing them as file:// URLs.
+
+To add a specific path as writable for downloads, add it to the
+security.sandbox.unveil.main about:config key with "rw" permissions.
+To add a directory from which files can be uploaded, add it with just
+the "r" permission.
+To add a path that can be viewed as a file:// URL, it must also be
+added to the security.sandbox.unveil.content about:config key with
+"r" permissions.
+
+3rd-Party MIME Handlers
+=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
+Due to unveil(2) limiting filesystem access, only the default MIME
+handler registered for a given type can be chosen when opening a
+downloaded file. For example, to use the mupdf package to read
+PDFs, it must be registered as the default with XDG:
+
+ $ xdg-mime default mupdf.desktop application/pdf
+
+The current default for a given type can be viewed with xdg-mime's
+query command:
+
+ $ xdg-mime query default application/pdf
+
+The older mailcap-format handlers are also supported, but the path
+being executed must be explicitly added to the
+security.sandbox.unveil.main about:config key with "rx" permissions.
+For example, a ~/.mailcap file specifying:
+
+ application/pdf; /usr/local/bin/xpdf %s
+
+must have "/usr/local/bin/xpdf rx" added to the unveil list for it to
+appear as an option in the "Open With" drop-down.
+
Debugging
=3D=3D=3D=3D=3D=3D=3D=3D=3D
If you encounter crashes, you might want to build the debug FLAVOR of
@@ -35,9 +75,10 @@ this package, and run firefox inside egd
debugging logs and traces (for all threads!).
If this is a pledge violation, you should figure out which codepath
in which process leads to calling a forbidden syscall, and which pledge
-is missing from the two default sets configured in
-security.sandbox.pledge.main and security.sandbox.pledge.content
-about:config keys. MOZ_LOG=3DSandboxPledge:5 should help.
+is missing from the three default sets configured in
+security.sandbox.pledge.main, security.sandbox.pledge.content, and
+security.sandbox.pledge.gpu about:config keys.
+MOZ_LOG=3DSandboxPledge:5 should help.
Bug reports without enough information will be ignored.
=20
Note that if you're using NIS or your profile is located on a NFS share,
@@ -49,6 +90,10 @@ security.sandbox.pledge.content in about
=20
If you're not running sndiod(8) you will need to add 'audio' to
security.sandbox.pledge.main in about:config.
+
+To disable pledge support when troubleshooting, set the
+MOZ_DISABLE_PLEDGE environment variable before starting Firefox.
+Similarly, to disable unveil support, set MOZ_DISABLE_UNVEIL.
=20
D-BUS
=3D=3D=3D=3D=3D
