This patchset goes back to files in /etc/firefox for unveil file lists, and goes further and moves the pledge strings to separate files too. This should be the most secure version that is still tweakable at runtime.
I switched away from using Firefox's NS_LOCAL_FILE_CONTRACTID/ NS_LOCALFILEINPUTSTREAM_CONTRACTID mechanisms to read a file, since they require a lot of internal setup to be done before they can be used (which is otherwise a good thing, because other things later in Firefox shouldn't have raw file access). Instead of those, I'm using the normal C++ API for reading the /etc/firefox files and this way I have been able to move the pledge/unveil calls earlier in the process startup. Unfortunately this also means that I can't dynamically detect the localized ~/Downloads directory, so if you use a different directory, you'll just need to modify the unveil.content and unveil.main files to change it. I tried the $TMPDIR shenanigans with the main process mkdtemp'ing somewhere in $TMPDIR (or /tmp), and then exporting TMPDIR as that directory so that everything else within Firefox uses that subdirectory as its temp directory, allowing /tmp to be removed from the unveil lists and only that subdirectory visible. Unfortunately the first thing to break was our own shm_open() which hard-codes /tmp and doesn't honor $TMPDIR. So that all was ripped out and we're back to full access to /tmp. If the mailing list mangles this again, it's at https://jcs.org/patches/firefox-port-unveil8.diff Index: Makefile =================================================================== RCS file: /cvs/ports/www/mozilla-firefox/Makefile,v retrieving revision 1.395 diff -u -p -u -p -r1.395 Makefile --- Makefile 22 Sep 2019 17:19:06 -0000 1.395 +++ Makefile 25 Sep 2019 16:23:36 -0000 @@ -10,6 +10,8 @@ MOZILLA_BRANCH = release MOZILLA_PROJECT = firefox MOZILLA_CODENAME = browser +REVISION= 0 + WRKDIST = ${WRKDIR}/${MOZILLA_DIST}-${MOZILLA_DIST_VERSION:C/b[0-9]*//} HOMEPAGE = https://www.mozilla.org/firefox/ SO_VERSION = 84.0 @@ -93,5 +95,10 @@ post-install: # link default48.png to default.png to be used by default by non-icccm compliant wm ln ${PREFIX}/lib/${MOZILLA_PROJECT}/browser/chrome/icons/default/default{48,}.png + + ${INSTALL_DATA_DIR} ${PREFIX}/share/examples/${MOZILLA_PROJECT} +.for f in unveil.content unveil.gpu unveil.main pledge.content pledge.gpu pledge.main + ${INSTALL_DATA} ${FILESDIR}/${f} ${PREFIX}/share/examples/${MOZILLA_PROJECT}/ +.endfor .include <bsd.port.mk> Index: files/all-openbsd.js =================================================================== RCS file: /cvs/ports/www/mozilla-firefox/files/all-openbsd.js,v retrieving revision 1.10 diff -u -p -u -p -r1.10 all-openbsd.js --- files/all-openbsd.js 9 Sep 2019 18:50:35 -0000 1.10 +++ files/all-openbsd.js 25 Sep 2019 16:23:36 -0000 @@ -5,10 +5,6 @@ pref("app.normandy.enabled",false); pref("browser.safebrowsing.enabled", false); pref("browser.safebrowsing.malware.enabled", false); pref("spellchecker.dictionary_path", "${LOCALBASE}/share/mozilla-dicts/"); -// enable pledging the content process -pref("security.sandbox.content.level", 1); -pref("security.sandbox.pledge.main","stdio rpath wpath cpath inet proc exec prot_exec flock ps sendfd recvfd dns vminfo tty drm unix fattr getpw mcast video"); -pref("security.sandbox.pledge.content","stdio rpath wpath cpath inet recvfd sendfd prot_exec unix drm ps"); pref("extensions.pocket.enabled", false); pref("browser.newtabpage.enabled", false); pref("browser.startup.homepage", "about:blank"); Index: files/pledge.content =================================================================== RCS file: files/pledge.content diff -N files/pledge.content --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ files/pledge.content 25 Sep 2019 16:23:36 -0000 @@ -0,0 +1,10 @@ +stdio +rpath +wpath +cpath +recvfd +sendfd +prot_exec +unix +drm +ps Index: files/pledge.gpu =================================================================== RCS file: files/pledge.gpu diff -N files/pledge.gpu --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ files/pledge.gpu 25 Sep 2019 16:23:36 -0000 @@ -0,0 +1,11 @@ +stdio +rpath +wpath +cpath +ps +sendfd +recvfd +drm +dns +unix +prot_exec Index: files/pledge.main =================================================================== RCS file: files/pledge.main diff -N files/pledge.main --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ files/pledge.main 25 Sep 2019 16:23:36 -0000 @@ -0,0 +1,20 @@ +stdio +rpath +wpath +cpath +inet +proc +exec +prot_exec +flock +ps +sendfd +recvfd +dns +vminfo +tty +drm +unix +fattr +getpw +mcast Index: files/unveil.content =================================================================== RCS file: files/unveil.content diff -N files/unveil.content --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ files/unveil.content 25 Sep 2019 16:23:36 -0000 @@ -0,0 +1,43 @@ +/dev/drm0 rw + +/etc/fonts r +/etc/machine-id r +/usr/local/lib r +/usr/local/firefox r +/usr/local/share r +/usr/share/locale r +/var/cache/fontconfig r +/usr/X11R6/lib r +/usr/X11R6/share r +/var/run r + +~/.XCompose r +~/.Xauthority r +~/.Xdefaults r +~/.fontconfig r +~/.fonts r +~/.fonts.conf r +~/.fonts.conf.d r +~/.icons r +~/.pki rwc +~/.sndio rwc +~/.terminfo r + +~/.mozilla r +~/Downloads r + +/tmp rwc + +$XDG_CONFIG_HOME/dconf r +$XDG_CONFIG_HOME/fontconfig r +$XDG_CONFIG_HOME/gtk-3.0 r +$XDG_CONFIG_HOME/mimeapps.list r +$XDG_CONFIG_HOME/mozilla rwc +$XDG_CONFIG_HOME/user-dirs.dirs r +$XDG_DATA_HOME/applications r +$XDG_DATA_HOME/applnk r +$XDG_DATA_HOME/fonts r +$XDG_DATA_HOME/glib-2.0 r +$XDG_DATA_HOME/icons r +$XDG_DATA_HOME/mime r +$XDG_DATA_HOME/themes r Index: files/unveil.gpu =================================================================== RCS file: files/unveil.gpu diff -N files/unveil.gpu --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ files/unveil.gpu 25 Sep 2019 16:23:36 -0000 @@ -0,0 +1,11 @@ +/dev/drm0 rw + +/usr/local/lib/firefox r +/usr/local/lib/gdk-pixbuf-2.0 r +/usr/X11R6/lib r +/usr/share/locale r +/usr/local/share r + +/tmp rw + +~/.Xauthority r Index: files/unveil.main =================================================================== RCS file: files/unveil.main diff -N files/unveil.main --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ files/unveil.main 25 Sep 2019 16:23:36 -0000 @@ -0,0 +1,63 @@ +# for uuid generation? +/dev/urandom r +/dev/video rw + +/etc/fonts r +/etc/machine-id r + +/usr/local/lib r +/usr/local/firefox r +/usr/local/lib/firefox rx +/usr/local/share r +/usr/share/locale r +/var/cache/fontconfig r +/usr/X11R6/lib r +/usr/X11R6/share r +/var/run r + +# printing +/usr/bin/lpr rx + +# for launching registered 3rd party applications like pdf readers +/usr/local/bin/gio-launch-desktop rx +/etc/mailcap r +~/.mailcap r +~/.mime.types r + +~/.XCompose r +~/.Xauthority r +~/.Xdefaults r +~/.fontconfig r +~/.fonts r +~/.fonts.conf r +~/.fonts.conf.d r +~/.icons r +~/.pki rwc +~/.sndio rwc +~/.terminfo r + +~/.mozilla rwc +~/Downloads rwc + +# for at least shm_open (for now) +/tmp rwc + +# $XDG_CACHE_HOME, $XDG_CONFIG_HOME, and $XDG_DATA_HOME will expand to the +# given variable if it exists in the environment, otherwise defaulting to +# ~/.cache, ~/.config, and ~/.local/share +$XDG_CACHE_HOME/dconf rwc +$XDG_CACHE_HOME/thumbnails rwc +$XDG_CONFIG_HOME/dconf rw +$XDG_CONFIG_HOME/fontconfig r +$XDG_CONFIG_HOME/gtk-3.0 r +$XDG_CONFIG_HOME/mimeapps.list r +$XDG_CONFIG_HOME/mozilla rwc +$XDG_CONFIG_HOME/user-dirs.dirs r +$XDG_DATA_HOME/applications rwc +$XDG_DATA_HOME/applnk r +$XDG_DATA_HOME/fonts r +$XDG_DATA_HOME/glib-2.0 r +$XDG_DATA_HOME/icons r +$XDG_DATA_HOME/mime r +$XDG_DATA_HOME/recently-used.xbel rwc +$XDG_DATA_HOME/themes r Index: patches/patch-browser_app_profile_firefox_js =================================================================== RCS file: patches/patch-browser_app_profile_firefox_js diff -N patches/patch-browser_app_profile_firefox_js --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ patches/patch-browser_app_profile_firefox_js 25 Sep 2019 16:23:36 -0000 @@ -0,0 +1,18 @@ +$OpenBSD$ + +Index: browser/app/profile/firefox.js +--- browser/app/profile/firefox.js.orig ++++ browser/app/profile/firefox.js +@@ -1130,11 +1130,8 @@ pref("security.sandbox.content.syscall_whitelist", "") + #endif + + #if defined(XP_OPENBSD) && defined(MOZ_SANDBOX) +-// default pledge strings for the main & content processes, cf bug 1457092 +-// broad list for now, has to be refined over time +-pref("security.sandbox.pledge.main", "stdio rpath wpath cpath inet proc exec prot_exec flock ps sendfd recvfd dns vminfo tty drm unix fattr getpw mcast"); + pref("security.sandbox.content.level", 1); +-pref("security.sandbox.pledge.content", "stdio rpath wpath cpath inet recvfd sendfd prot_exec unix drm ps"); ++// Custom sandboxing done in StartOpenBSDSandbox() + #endif + + #if defined(MOZ_SANDBOX) Index: patches/patch-dom_ipc_ContentChild_cpp =================================================================== RCS file: patches/patch-dom_ipc_ContentChild_cpp diff -N patches/patch-dom_ipc_ContentChild_cpp --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ patches/patch-dom_ipc_ContentChild_cpp 25 Sep 2019 16:23:36 -0000 @@ -0,0 +1,252 @@ +$OpenBSD$ + +Index: dom/ipc/ContentChild.cpp +--- dom/ipc/ContentChild.cpp.orig ++++ dom/ipc/ContentChild.cpp +@@ -126,6 +126,10 @@ + # include "mozilla/Sandbox.h" + # elif defined(__OpenBSD__) + # include <unistd.h> ++# include <err.h> ++# include <fstream> ++# include "nsILineInputStream.h" ++# include "SpecialSystemDirectory.h" + # endif + #endif + +@@ -701,6 +705,10 @@ bool ContentChild::Init(MessageLoop* aIOLoop, base::Pr + ProcessChild::QuickExit(); + } + ++#if defined(__OpenBSD__) && defined(MOZ_SANDBOX) ++ StartOpenBSDSandbox(GeckoProcessType_Content); ++#endif ++ + #ifdef MOZ_X11 + # ifdef MOZ_WIDGET_GTK + if (GDK_IS_X11_DISPLAY(gdk_display_get_default()) && +@@ -1743,15 +1751,6 @@ mozilla::ipc::IPCResult ContentChild::RecvSetProcessSa + mozilla::SandboxTarget::Instance()->StartSandbox(); + # elif defined(XP_MACOSX) + sandboxEnabled = StartMacOSContentSandbox(); +-# elif defined(__OpenBSD__) +- sandboxEnabled = StartOpenBSDSandbox(GeckoProcessType_Content); +- /* dont overwrite an existing session dbus address, but ensure it is set */ +- if (!PR_GetEnv("DBUS_SESSION_BUS_ADDRESS")) { +- static LazyLogModule sPledgeLog("SandboxPledge"); +- MOZ_LOG(sPledgeLog, LogLevel::Debug, +- ("no session dbus found, faking one\n")); +- PR_SetEnv("DBUS_SESSION_BUS_ADDRESS="); +- } + # endif + + CrashReporter::AnnotateCrashReport( +@@ -4048,48 +4047,184 @@ void ContentChild::HoldBrowsingContextGroup(BrowsingCo + } // namespace dom + + #if defined(__OpenBSD__) && defined(MOZ_SANDBOX) +-# include <unistd.h> + +-static LazyLogModule sPledgeLog("SandboxPledge"); ++#define PLEDGE_FILE_MAIN "/etc/firefox/pledge.main" ++#define PLEDGE_FILE_CONTENT "/etc/firefox/pledge.content" ++#define PLEDGE_FILE_GPU "/etc/firefox/pledge.gpu" + ++#define UNVEIL_FILE_MAIN "/etc/firefox/unveil.main" ++#define UNVEIL_FILE_CONTENT "/etc/firefox/unveil.content" ++#define UNVEIL_FILE_GPU "/etc/firefox/unveil.gpu" ++ ++static LazyLogModule sPledgeLog("OpenBSDSandbox"); ++ ++NS_IMETHODIMP ++OpenBSDUnveilPaths(const nsACString& aPath, const nsACString& pledgePath) { ++ nsresult rv; ++ ++ nsCOMPtr<nsIFile> homeDir; ++ rv = GetSpecialSystemDirectory(Unix_HomeDirectory, getter_AddRefs(homeDir)); ++ if (NS_FAILED(rv)) { ++ errx(1, "failed getting home directory"); ++ } ++ ++ // Using NS_LOCAL_FILE_CONTRACTID/NS_LOCALFILEINPUTSTREAM_CONTRACTID requires ++ // a lot of setup before they are allowed/supported and we want to pledge and ++ // unveil early on before all of that is setup ++ std::ifstream input(PromiseFlatCString(aPath).get()); ++ ++ int linenum = 0; ++ for (std::string tLine; std::getline(input, tLine); ) { ++ nsAutoCString line(tLine.c_str()); ++ nsAutoCString uPath, perms; ++ linenum++; ++ ++ // Cut off any comments at the end of the line, also catches lines ++ // that are entirely a comment ++ int32_t hash = line.FindChar('#'); ++ if (hash >= 0) { ++ line = Substring(line, 0, hash); ++ } ++ line.CompressWhitespace(true, true); ++ if (line.IsEmpty()) { ++ continue; ++ } ++ ++ int32_t space = line.FindChar(' '); ++ if (space <= 0) { ++ errx(1, "%s: line %d: invalid format", PromiseFlatCString(aPath).get(), ++ linenum); ++ } ++ ++ uPath = Substring(line, 0, space); ++ perms = Substring(line, space + 1, line.Length() - space - 1); ++ ++ // Expand $XDG_CONFIG_HOME to the environment variable, or ~/.config ++ nsCString xdgConfigHome(PR_GetEnv("XDG_CONFIG_HOME")); ++ if (xdgConfigHome.IsEmpty()) { ++ xdgConfigHome = "~/.config"; ++ } ++ uPath.ReplaceSubstring("$XDG_CONFIG_HOME", xdgConfigHome.get()); ++ ++ // Expand $XDG_CACHE_HOME to the environment variable, or ~/.cache ++ nsCString xdgCacheHome(PR_GetEnv("XDG_CACHE_HOME")); ++ if (xdgCacheHome.IsEmpty()) { ++ xdgCacheHome = "~/.cache"; ++ } ++ uPath.ReplaceSubstring("$XDG_CACHE_HOME", xdgCacheHome.get()); ++ ++ // Expand $XDG_DATA_HOME to the environment variable, or ~/.local/share ++ nsCString xdgDataHome(PR_GetEnv("XDG_DATA_HOME")); ++ if (xdgDataHome.IsEmpty()) { ++ xdgDataHome = "~/.local/share"; ++ } ++ uPath.ReplaceSubstring("$XDG_DATA_HOME", xdgDataHome.get()); ++ ++ // Expand leading ~ to the user's home directory ++ if (uPath.FindChar('~') == 0) { ++ nsCString tHome(homeDir->NativePath()); ++ tHome.Append(Substring(uPath, 1, uPath.Length() - 1)); ++ uPath = tHome.get(); ++ } ++ ++ MOZ_LOG(sPledgeLog, LogLevel::Debug, ("%s: unveil(%s, %s)\n", ++ PromiseFlatCString(aPath).get(), uPath.get(), perms.get())); ++ int ret = unveil(uPath.get(), perms.get()); ++ if (ret != 0 && ret != ENOENT) { ++ err(1, "%s: unveil(%s, %s) failed", PromiseFlatCString(aPath).get(), ++ uPath.get(), perms.get()); ++ } ++ } ++ input.close(); ++ ++ int ret = unveil(PromiseFlatCString(pledgePath).get(), "r"); ++ if (ret != 0) { ++ err(1, "unveil(%s, r) failed", PromiseFlatCString(pledgePath).get()); ++ } ++ ++ return NS_OK; ++} ++ ++NS_IMETHODIMP ++OpenBSDPledgePromises(const nsACString& aPath) { ++ // Build up one line of pledge promises without comments ++ nsAutoCString promises; ++ ++ std::ifstream input(PromiseFlatCString(aPath).get()); ++ ++ for (std::string tLine; std::getline(input, tLine); ) { ++ nsAutoCString line(tLine.c_str()); ++ nsAutoCString uPath, perms; ++ ++ // Cut off any comments at the end of the line, also catches lines ++ // that are entirely a comment ++ int32_t hash = line.FindChar('#'); ++ if (hash >= 0) { ++ line = Substring(line, 0, hash); ++ } ++ line.CompressWhitespace(true, true); ++ if (line.IsEmpty()) { ++ continue; ++ } ++ ++ if (!promises.IsEmpty()) { ++ promises.Append(" "); ++ } ++ promises.Append(line); ++ } ++ input.close(); ++ ++ MOZ_LOG(sPledgeLog, LogLevel::Debug, ("%s: pledge(%s)\n", ++ PromiseFlatCString(aPath).get(), promises.get())); ++ if (pledge(promises.get(), nullptr) != 0) { ++ err(1, "%s: pledge(%s) failed", PromiseFlatCString(aPath).get(), ++ promises.get()); ++ } ++ ++ return NS_OK; ++} ++ + bool StartOpenBSDSandbox(GeckoProcessType type) { ++ nsAutoCString pledgeFilePath; + nsAutoCString promisesString; +- nsAutoCString processTypeString; ++ nsAutoCString unveilFilePath; + + switch (type) { + case GeckoProcessType_Default: +- processTypeString = "main"; +- Preferences::GetCString("security.sandbox.pledge.main", promisesString); ++ pledgeFilePath = PLEDGE_FILE_MAIN; ++ unveilFilePath = UNVEIL_FILE_MAIN; + break; + + case GeckoProcessType_Content: +- processTypeString = "content"; +- Preferences::GetCString("security.sandbox.pledge.content", +- promisesString); ++ pledgeFilePath = PLEDGE_FILE_CONTENT; ++ unveilFilePath = UNVEIL_FILE_CONTENT; + break; + ++ case GeckoProcessType_GPU: ++ pledgeFilePath = PLEDGE_FILE_GPU; ++ unveilFilePath = UNVEIL_FILE_GPU; ++ break; ++ + default: + MOZ_ASSERT(false, "unknown process type"); + return false; +- }; ++ } + +- if (pledge(promisesString.get(), NULL) == -1) { +- if (errno == EINVAL) { +- MOZ_LOG(sPledgeLog, LogLevel::Error, +- ("pledge promises for %s process is a malformed string: '%s'\n", +- processTypeString.get(), promisesString.get())); +- } else if (errno == EPERM) { +- MOZ_LOG( +- sPledgeLog, LogLevel::Error, +- ("pledge promises for %s process can't elevate privileges: '%s'\n", +- processTypeString.get(), promisesString.get())); +- } +- return false; +- } else { ++ /* dont overwrite an existing session dbus address, but ensure it is set */ ++ if (!PR_GetEnv("DBUS_SESSION_BUS_ADDRESS")) { + MOZ_LOG(sPledgeLog, LogLevel::Debug, +- ("pledged %s process with promises: '%s'\n", +- processTypeString.get(), promisesString.get())); ++ ("no session dbus found, faking one\n")); ++ PR_SetEnv("DBUS_SESSION_BUS_ADDRESS="); + } ++ ++ if (NS_WARN_IF(NS_FAILED(OpenBSDUnveilPaths(unveilFilePath, pledgeFilePath)))) { ++ errx(1, "failed reading/parsing %s", unveilFilePath.get()); ++ } ++ ++ if (NS_WARN_IF(NS_FAILED(OpenBSDPledgePromises(pledgeFilePath)))) { ++ errx(1, "failed reading/parsing %s", pledgeFilePath.get()); ++ } ++ + return true; + } + #endif Index: patches/patch-gfx_ipc_GPUProcessImpl_cpp =================================================================== RCS file: patches/patch-gfx_ipc_GPUProcessImpl_cpp diff -N patches/patch-gfx_ipc_GPUProcessImpl_cpp --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ patches/patch-gfx_ipc_GPUProcessImpl_cpp 25 Sep 2019 16:23:36 -0000 @@ -0,0 +1,23 @@ +$OpenBSD$ + +Index: gfx/ipc/GPUProcessImpl.cpp +--- gfx/ipc/GPUProcessImpl.cpp.orig ++++ gfx/ipc/GPUProcessImpl.cpp +@@ -10,6 +10,8 @@ + + #if defined(OS_WIN) && defined(MOZ_SANDBOX) + # include "mozilla/sandboxTarget.h" ++#elif defined(__OpenBSD__) && defined(MOZ_SANDBOX) ++# include "mozilla/SandboxSettings.h" + #endif + + namespace mozilla { +@@ -25,6 +27,8 @@ GPUProcessImpl::~GPUProcessImpl() {} + bool GPUProcessImpl::Init(int aArgc, char* aArgv[]) { + #if defined(MOZ_SANDBOX) && defined(OS_WIN) + mozilla::SandboxTarget::Instance()->StartSandbox(); ++#elif defined(__OpenBSD__) && defined(MOZ_SANDBOX) ++ StartOpenBSDSandbox(GeckoProcessType_GPU); + #endif + char* parentBuildID = nullptr; + char* prefsHandle = nullptr; Index: patches/patch-toolkit_system_gnome_nsGIOService_cpp =================================================================== RCS file: patches/patch-toolkit_system_gnome_nsGIOService_cpp diff -N patches/patch-toolkit_system_gnome_nsGIOService_cpp --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ patches/patch-toolkit_system_gnome_nsGIOService_cpp 25 Sep 2019 16:23:36 -0000 @@ -0,0 +1,26 @@ +$OpenBSD$ + +Index: toolkit/system/gnome/nsGIOService.cpp +--- toolkit/system/gnome/nsGIOService.cpp.orig ++++ toolkit/system/gnome/nsGIOService.cpp +@@ -497,7 +497,20 @@ nsGIOService::GetAppForMimeType(const nsACString& aMim + return NS_ERROR_NOT_AVAILABLE; + } + ++#if defined(__OpenBSD__) && defined(MOZ_SANDBOX) ++ // g_app_info_get_default_for_type will fail on OpenBSD's veiled filesystem ++ // since we most likely don't have direct access to the binaries that are ++ // registered as defaults for this type. Fake it up by just executing ++ // xdg-open via gio-launch-desktop (which we do have access to) and letting ++ // it figure out which program to execute for this MIME type ++ GAppInfo* app_info = g_app_info_create_from_commandline( ++ "/usr/local/bin/xdg-open", ++ nsPrintfCString("System default for %s", content_type).get(), ++ G_APP_INFO_CREATE_NONE, NULL); ++#else + GAppInfo* app_info = g_app_info_get_default_for_type(content_type, false); ++#endif ++ + if (app_info) { + nsGIOMimeApp* mozApp = new nsGIOMimeApp(app_info); + NS_ENSURE_TRUE(mozApp, NS_ERROR_OUT_OF_MEMORY); Index: pkg/PLIST =================================================================== RCS file: /cvs/ports/www/mozilla-firefox/pkg/PLIST,v retrieving revision 1.80 diff -u -p -u -p -r1.80 PLIST --- pkg/PLIST 21 May 2019 16:51:12 -0000 1.80 +++ pkg/PLIST 25 Sep 2019 16:23:36 -0000 @@ -64,6 +64,20 @@ lib/${MOZILLA_PROJECT}/removed-files @man man/man1/mozilla-${MOZILLA_PROJECT}.1 share/applications/${MOZILLA_PROJECT}.desktop share/doc/pkg-readmes/${PKGSTEM} +share/examples/${MOZILLA_PROJECT}/ +@sample ${SYSCONFDIR}/${MOZILLA_PROJECT}/ +share/examples/${MOZILLA_PROJECT}/pledge.content +@sample ${SYSCONFDIR}/${MOZILLA_PROJECT}/pledge.content +share/examples/${MOZILLA_PROJECT}/pledge.gpu +@sample ${SYSCONFDIR}/${MOZILLA_PROJECT}/pledge.gpu +share/examples/${MOZILLA_PROJECT}/pledge.main +@sample ${SYSCONFDIR}/${MOZILLA_PROJECT}/pledge.main +share/examples/${MOZILLA_PROJECT}/unveil.content +@sample ${SYSCONFDIR}/${MOZILLA_PROJECT}/unveil.content +share/examples/${MOZILLA_PROJECT}/unveil.gpu +@sample ${SYSCONFDIR}/${MOZILLA_PROJECT}/unveil.gpu +share/examples/${MOZILLA_PROJECT}/unveil.main +@sample ${SYSCONFDIR}/${MOZILLA_PROJECT}/unveil.main share/pixmaps/ share/pixmaps/${MOZILLA_PROJECT}.png @tag update-desktop-database
