On Wed, Sep 25, 2019 at 11:25:59AM -0500, joshua stein wrote:
> This patchset goes back to files in /etc/firefox for unveil file 
> lists, and goes further and moves the pledge strings to separate 
> files too.  This should be the most secure version that is still 
> tweakable at runtime.
> 
> I switched away from using Firefox's NS_LOCAL_FILE_CONTRACTID/ 
> NS_LOCALFILEINPUTSTREAM_CONTRACTID mechanisms to read a file, since 
> they require a lot of internal setup to be done before they can be 
> used (which is otherwise a good thing, because other things later in 
> Firefox shouldn't have raw file access).  Instead of those, I'm 
> using the normal C++ API for reading the /etc/firefox files and this 
> way I have been able to move the pledge/unveil calls earlier in the 
> process startup.  Unfortunately this also means that I can't 
> dynamically detect the localized ~/Downloads directory, so if you 
> use a different directory, you'll just need to modify the 
> unveil.content and unveil.main files to change it.
> 
> I tried the $TMPDIR shenanigans with the main process mkdtemp'ing 
> somewhere in $TMPDIR (or /tmp), and then exporting TMPDIR as that 
> directory so that everything else within Firefox uses that 
> subdirectory as its temp directory, allowing /tmp to be removed from 
> the unveil lists and only that subdirectory visible.  Unfortunately 
> the first thing to break was our own shm_open() which hard-codes 
> /tmp and doesn't honor $TMPDIR.  So that all was ripped out and 
> we're back to full access to /tmp.
> 
> If the mailing list mangles this again, it's at 
> https://jcs.org/patches/firefox-port-unveil8.diff
> 
> 
> Index: Makefile
> ===================================================================
> RCS file: /cvs/ports/www/mozilla-firefox/Makefile,v
> retrieving revision 1.395
> diff -u -p -u -p -r1.395 Makefile
> --- Makefile  22 Sep 2019 17:19:06 -0000      1.395
> +++ Makefile  25 Sep 2019 16:23:36 -0000
> @@ -10,6 +10,8 @@ MOZILLA_BRANCH =    release
>  MOZILLA_PROJECT =    firefox
>  MOZILLA_CODENAME =   browser
>  
> +REVISION=    0
> +
>  WRKDIST =    ${WRKDIR}/${MOZILLA_DIST}-${MOZILLA_DIST_VERSION:C/b[0-9]*//}
>  HOMEPAGE =   https://www.mozilla.org/firefox/
>  SO_VERSION = 84.0
> @@ -93,5 +95,10 @@ post-install:
>  
>       # link default48.png to default.png to be used by default by non-icccm 
> compliant wm
>       ln 
> ${PREFIX}/lib/${MOZILLA_PROJECT}/browser/chrome/icons/default/default{48,}.png
> +
> +     ${INSTALL_DATA_DIR} ${PREFIX}/share/examples/${MOZILLA_PROJECT}
> +.for f in unveil.content unveil.gpu unveil.main pledge.content pledge.gpu 
> pledge.main
> +     ${INSTALL_DATA} ${FILESDIR}/${f} 
> ${PREFIX}/share/examples/${MOZILLA_PROJECT}/
> +.endfor
>  
>  .include <bsd.port.mk>
> Index: files/all-openbsd.js
> ===================================================================
> RCS file: /cvs/ports/www/mozilla-firefox/files/all-openbsd.js,v
> retrieving revision 1.10
> diff -u -p -u -p -r1.10 all-openbsd.js
> --- files/all-openbsd.js      9 Sep 2019 18:50:35 -0000       1.10
> +++ files/all-openbsd.js      25 Sep 2019 16:23:36 -0000
> @@ -5,10 +5,6 @@ pref("app.normandy.enabled",false);
>  pref("browser.safebrowsing.enabled", false);
>  pref("browser.safebrowsing.malware.enabled", false);
>  pref("spellchecker.dictionary_path", "${LOCALBASE}/share/mozilla-dicts/");
> -// enable pledging the content process
> -pref("security.sandbox.content.level", 1);
> -pref("security.sandbox.pledge.main","stdio rpath wpath cpath inet proc exec 
> prot_exec flock ps sendfd recvfd dns vminfo tty drm unix fattr getpw mcast 
> video");
> -pref("security.sandbox.pledge.content","stdio rpath wpath cpath inet recvfd 
> sendfd prot_exec unix drm ps");
>  pref("extensions.pocket.enabled", false);
>  pref("browser.newtabpage.enabled", false);
>  pref("browser.startup.homepage", "about:blank");
> Index: files/pledge.content
> ===================================================================
> RCS file: files/pledge.content
> diff -N files/pledge.content
> --- /dev/null 1 Jan 1970 00:00:00 -0000
> +++ files/pledge.content      25 Sep 2019 16:23:36 -0000
> @@ -0,0 +1,10 @@
> +stdio
> +rpath
> +wpath
> +cpath
> +recvfd
> +sendfd
> +prot_exec
> +unix
> +drm
> +ps
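Review bot: the content-process promise list drops `inet`, which the removed security.sandbox.pledge.content string ("stdio rpath wpath cpath inet recvfd ...") still carried, so any socket(2) call from a content process is now a fatal pledge violation rather than a permitted call. If that is intended it needs testing against whatever content-side code still opens sockets; the report further down in this thread (`pledge "inet", syscall 97` followed by a crashed tab, syscall 97 being socket(2) on OpenBSD) is exactly this failure mode. If it is not intended, add `inet` back here.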
> Index: files/pledge.gpu
> ===================================================================
> RCS file: files/pledge.gpu
> diff -N files/pledge.gpu
> --- /dev/null 1 Jan 1970 00:00:00 -0000
> +++ files/pledge.gpu  25 Sep 2019 16:23:36 -0000
> @@ -0,0 +1,11 @@
> +stdio
> +rpath
> +wpath
> +cpath
> +ps
> +sendfd
> +recvfd
> +drm
> +dns
> +unix
> +prot_exec
> Index: files/pledge.main
> ===================================================================
> RCS file: files/pledge.main
> diff -N files/pledge.main
> --- /dev/null 1 Jan 1970 00:00:00 -0000
> +++ files/pledge.main 25 Sep 2019 16:23:36 -0000
> @@ -0,0 +1,20 @@
> +stdio
> +rpath
> +wpath
> +cpath
> +inet
> +proc
> +exec
> +prot_exec
> +flock
> +ps
> +sendfd
> +recvfd
> +dns
> +vminfo
> +tty
> +drm
> +unix
> +fattr
> +getpw
> +mcast
> Index: files/unveil.content
> ===================================================================
> RCS file: files/unveil.content
> diff -N files/unveil.content
> --- /dev/null 1 Jan 1970 00:00:00 -0000
> +++ files/unveil.content      25 Sep 2019 16:23:36 -0000
> @@ -0,0 +1,43 @@
> +/dev/drm0 rw
> +
> +/etc/fonts r
> +/etc/machine-id r
> +/usr/local/lib r
> +/usr/local/firefox r
> +/usr/local/share r
> +/usr/share/locale r
> +/var/cache/fontconfig r
> +/usr/X11R6/lib r
> +/usr/X11R6/share r
> +/var/run r
> +
> +~/.XCompose r
> +~/.Xauthority r
> +~/.Xdefaults r
> +~/.fontconfig r
> +~/.fonts r
> +~/.fonts.conf r
> +~/.fonts.conf.d r
> +~/.icons r
> +~/.pki rwc
> +~/.sndio rwc
> +~/.terminfo r
> +
> +~/.mozilla r
> +~/Downloads r
> +
> +/tmp rwc
> +
> +$XDG_CONFIG_HOME/dconf r
> +$XDG_CONFIG_HOME/fontconfig r
> +$XDG_CONFIG_HOME/gtk-3.0 r
> +$XDG_CONFIG_HOME/mimeapps.list r
> +$XDG_CONFIG_HOME/mozilla rwc
> +$XDG_CONFIG_HOME/user-dirs.dirs r
> +$XDG_DATA_HOME/applications r
> +$XDG_DATA_HOME/applnk r
> +$XDG_DATA_HOME/fonts r
> +$XDG_DATA_HOME/glib-2.0 r
> +$XDG_DATA_HOME/icons r
> +$XDG_DATA_HOME/mime r
> +$XDG_DATA_HOME/themes r
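Review bot: `/usr/local/firefox r` here (and again in unveil.main) does not match where the port installs the browser, lib/${MOZILLA_PROJECT} per the PLIST, and unveil.gpu spells the same thing `/usr/local/lib/firefox`. Since `/usr/local/lib r` already covers that tree for this process, the entry is either a typo or dead and should be corrected to `/usr/local/lib/firefox r` or dropped.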
> Index: files/unveil.gpu
> ===================================================================
> RCS file: files/unveil.gpu
> diff -N files/unveil.gpu
> --- /dev/null 1 Jan 1970 00:00:00 -0000
> +++ files/unveil.gpu  25 Sep 2019 16:23:36 -0000
> @@ -0,0 +1,11 @@
> +/dev/drm0 rw
> +
> +/usr/local/lib/firefox r
> +/usr/local/lib/gdk-pixbuf-2.0 r
> +/usr/X11R6/lib r
> +/usr/share/locale r
> +/usr/local/share r
> +
> +/tmp rw
> +
> +~/.Xauthority r
> Index: files/unveil.main
> ===================================================================
> RCS file: files/unveil.main
> diff -N files/unveil.main
> --- /dev/null 1 Jan 1970 00:00:00 -0000
> +++ files/unveil.main 25 Sep 2019 16:23:36 -0000
> @@ -0,0 +1,63 @@
> +# for uuid generation?
> +/dev/urandom r
> +/dev/video rw
> +
> +/etc/fonts r
> +/etc/machine-id r
> +
> +/usr/local/lib r
> +/usr/local/firefox r
> +/usr/local/lib/firefox rx
> +/usr/local/share r
> +/usr/share/locale r
> +/var/cache/fontconfig r
> +/usr/X11R6/lib r
> +/usr/X11R6/share r
> +/var/run r
> +
> +# printing
> +/usr/bin/lpr rx
> +
> +# for launching registered 3rd party applications like pdf readers
> +/usr/local/bin/gio-launch-desktop rx
> +/etc/mailcap r
> +~/.mailcap r
> +~/.mime.types r
> +
> +~/.XCompose r
> +~/.Xauthority r
> +~/.Xdefaults r
> +~/.fontconfig r
> +~/.fonts r
> +~/.fonts.conf r
> +~/.fonts.conf.d r
> +~/.icons r
> +~/.pki rwc
> +~/.sndio rwc
> +~/.terminfo r
> +
> +~/.mozilla rwc
> +~/Downloads rwc
> +
> +# for at least shm_open (for now)
> +/tmp rwc
> +
> +# $XDG_CACHE_HOME, $XDG_CONFIG_HOME, and $XDG_DATA_HOME will expand to the
> +# given variable if it exists in the environment, otherwise defaulting to
> +# ~/.cache, ~/.config, and ~/.local/share
> +$XDG_CACHE_HOME/dconf rwc
> +$XDG_CACHE_HOME/thumbnails rwc
> +$XDG_CONFIG_HOME/dconf rw
> +$XDG_CONFIG_HOME/fontconfig r
> +$XDG_CONFIG_HOME/gtk-3.0 r
> +$XDG_CONFIG_HOME/mimeapps.list r
> +$XDG_CONFIG_HOME/mozilla rwc
> +$XDG_CONFIG_HOME/user-dirs.dirs r
> +$XDG_DATA_HOME/applications rwc
> +$XDG_DATA_HOME/applnk r
> +$XDG_DATA_HOME/fonts r
> +$XDG_DATA_HOME/glib-2.0 r
> +$XDG_DATA_HOME/icons r
> +$XDG_DATA_HOME/mime r
> +$XDG_DATA_HOME/recently-used.xbel rwc
> +$XDG_DATA_HOME/themes r
> Index: patches/patch-browser_app_profile_firefox_js
> ===================================================================
> RCS file: patches/patch-browser_app_profile_firefox_js
> diff -N patches/patch-browser_app_profile_firefox_js
> --- /dev/null 1 Jan 1970 00:00:00 -0000
> +++ patches/patch-browser_app_profile_firefox_js      25 Sep 2019 16:23:36 
> -0000
> @@ -0,0 +1,18 @@
> +$OpenBSD$
> +
> +Index: browser/app/profile/firefox.js
> +--- browser/app/profile/firefox.js.orig
> ++++ browser/app/profile/firefox.js
> +@@ -1130,11 +1130,8 @@ pref("security.sandbox.content.syscall_whitelist", "")
> + #endif
> + 
> + #if defined(XP_OPENBSD) && defined(MOZ_SANDBOX)
> +-// default pledge strings for the main & content processes, cf bug 1457092
> +-// broad list for now, has to be refined over time
> +-pref("security.sandbox.pledge.main", "stdio rpath wpath cpath inet proc 
> exec prot_exec flock ps sendfd recvfd dns vminfo tty drm unix fattr getpw 
> mcast");
> + pref("security.sandbox.content.level", 1);
> +-pref("security.sandbox.pledge.content", "stdio rpath wpath cpath inet 
> recvfd sendfd prot_exec unix drm ps");
> ++// Custom sandboxing done in StartOpenBSDSandbox()
> + #endif
> + 
> + #if defined(MOZ_SANDBOX)
> Index: patches/patch-dom_ipc_ContentChild_cpp
> ===================================================================
> RCS file: patches/patch-dom_ipc_ContentChild_cpp
> diff -N patches/patch-dom_ipc_ContentChild_cpp
> --- /dev/null 1 Jan 1970 00:00:00 -0000
> +++ patches/patch-dom_ipc_ContentChild_cpp    25 Sep 2019 16:23:36 -0000
> @@ -0,0 +1,252 @@
> +$OpenBSD$
> +
> +Index: dom/ipc/ContentChild.cpp
> +--- dom/ipc/ContentChild.cpp.orig
> ++++ dom/ipc/ContentChild.cpp
> +@@ -126,6 +126,10 @@
> + #    include "mozilla/Sandbox.h"
> + #  elif defined(__OpenBSD__)
> + #    include <unistd.h>
> ++#    include <err.h>
> ++#    include <fstream>
> ++#    include "nsILineInputStream.h"
> ++#    include "SpecialSystemDirectory.h"
> + #  endif
> + #endif
> + 
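Review bot: `nsILineInputStream.h` is included but nothing in the added code uses it (the files are read with std::ifstream/std::getline), so the include can go; conversely the new code compares against ENOENT, so `<errno.h>` should be included explicitly next to `<err.h>` rather than relying on it arriving transitively.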
> +@@ -701,6 +705,10 @@ bool ContentChild::Init(MessageLoop* aIOLoop, base::Pr
> +     ProcessChild::QuickExit();
> +   }
> + 
> ++#if defined(__OpenBSD__) && defined(MOZ_SANDBOX)
> ++  StartOpenBSDSandbox(GeckoProcessType_Content);
> ++#endif
> ++
> + #ifdef MOZ_X11
> + #  ifdef MOZ_WIDGET_GTK
> +   if (GDK_IS_X11_DISPLAY(gdk_display_get_default()) &&
> +@@ -1743,15 +1751,6 @@ mozilla::ipc::IPCResult ContentChild::RecvSetProcessSa
> +   mozilla::SandboxTarget::Instance()->StartSandbox();
> + #  elif defined(XP_MACOSX)
> +   sandboxEnabled = StartMacOSContentSandbox();
> +-#  elif defined(__OpenBSD__)
> +-  sandboxEnabled = StartOpenBSDSandbox(GeckoProcessType_Content);
> +-  /* dont overwrite an existing session dbus address, but ensure it is set 
> */
> +-  if (!PR_GetEnv("DBUS_SESSION_BUS_ADDRESS")) {
> +-    static LazyLogModule sPledgeLog("SandboxPledge");
> +-    MOZ_LOG(sPledgeLog, LogLevel::Debug,
> +-            ("no session dbus found, faking one\n"));
> +-    PR_SetEnv("DBUS_SESSION_BUS_ADDRESS=");
> +-  }
> + #  endif
> + 
> +   CrashReporter::AnnotateCrashReport(
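Review bot: removing the OpenBSD branch here leaves `sandboxEnabled` unset for OpenBSD even though the process was already sandboxed in ContentChild::Init, so the CrashReporter annotation that follows will record the content sandbox as disabled on OpenBSD. Consider setting `sandboxEnabled = true` under `defined(__OpenBSD__) && defined(MOZ_SANDBOX)` here so crash reports stay accurate.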
> +@@ -4048,48 +4047,184 @@ void 
> ContentChild::HoldBrowsingContextGroup(BrowsingCo
> + }  // namespace dom
> + 
> + #if defined(__OpenBSD__) && defined(MOZ_SANDBOX)
> +-#  include <unistd.h>
> + 
> +-static LazyLogModule sPledgeLog("SandboxPledge");
> ++#define PLEDGE_FILE_MAIN     "/etc/firefox/pledge.main"
> ++#define PLEDGE_FILE_CONTENT  "/etc/firefox/pledge.content"
> ++#define PLEDGE_FILE_GPU      "/etc/firefox/pledge.gpu"
> + 
> ++#define UNVEIL_FILE_MAIN     "/etc/firefox/unveil.main"
> ++#define UNVEIL_FILE_CONTENT  "/etc/firefox/unveil.content"
> ++#define UNVEIL_FILE_GPU      "/etc/firefox/unveil.gpu"
> ++
> ++static LazyLogModule sPledgeLog("OpenBSDSandbox");
> ++
> ++NS_IMETHODIMP
> ++OpenBSDUnveilPaths(const nsACString& aPath, const nsACString& pledgePath) {
> ++  nsresult rv;
> ++
> ++  nsCOMPtr<nsIFile> homeDir;
> ++  rv = GetSpecialSystemDirectory(Unix_HomeDirectory, 
> getter_AddRefs(homeDir));
> ++  if (NS_FAILED(rv)) {
> ++    errx(1, "failed getting home directory");
> ++  }
> ++
> ++  // Using NS_LOCAL_FILE_CONTRACTID/NS_LOCALFILEINPUTSTREAM_CONTRACTID 
> requires
> ++  // a lot of setup before they are allowed/supported and we want to pledge 
> and
> ++  // unveil early on before all of that is setup
> ++  std::ifstream input(PromiseFlatCString(aPath).get());
> ++
> ++  int linenum = 0;
> ++  for (std::string tLine; std::getline(input, tLine); ) {
> ++    nsAutoCString line(tLine.c_str());
> ++    nsAutoCString uPath, perms;
> ++    linenum++;
> ++
> ++    // Cut off any comments at the end of the line, also catches lines
> ++    // that are entirely a comment
> ++    int32_t hash = line.FindChar('#');
> ++    if (hash >= 0) {
> ++      line = Substring(line, 0, hash);
> ++    }
> ++    line.CompressWhitespace(true, true);
> ++    if (line.IsEmpty()) {
> ++      continue;
> ++    }
> ++
> ++    int32_t space = line.FindChar(' ');
> ++    if (space <= 0) {
> ++      errx(1, "%s: line %d: invalid format", 
> PromiseFlatCString(aPath).get(),
> ++        linenum);
> ++    }
> ++
> ++    uPath = Substring(line, 0, space);
> ++    perms = Substring(line, space + 1, line.Length() - space - 1);
> ++
> ++    // Expand $XDG_CONFIG_HOME to the environment variable, or ~/.config
> ++    nsCString xdgConfigHome(PR_GetEnv("XDG_CONFIG_HOME"));
> ++    if (xdgConfigHome.IsEmpty()) {
> ++      xdgConfigHome = "~/.config";
> ++    }
> ++    uPath.ReplaceSubstring("$XDG_CONFIG_HOME", xdgConfigHome.get());
> ++
> ++    // Expand $XDG_CACHE_HOME to the environment variable, or ~/.cache
> ++    nsCString xdgCacheHome(PR_GetEnv("XDG_CACHE_HOME"));
> ++    if (xdgCacheHome.IsEmpty()) {
> ++      xdgCacheHome = "~/.cache";
> ++    }
> ++    uPath.ReplaceSubstring("$XDG_CACHE_HOME", xdgCacheHome.get());
> ++
> ++    // Expand $XDG_DATA_HOME to the environment variable, or ~/.local/share
> ++    nsCString xdgDataHome(PR_GetEnv("XDG_DATA_HOME"));
> ++    if (xdgDataHome.IsEmpty()) {
> ++      xdgDataHome = "~/.local/share";
> ++    }
> ++    uPath.ReplaceSubstring("$XDG_DATA_HOME", xdgDataHome.get());
> ++
> ++    // Expand leading ~ to the user's home directory
> ++    if (uPath.FindChar('~') == 0) {
> ++      nsCString tHome(homeDir->NativePath());
> ++      tHome.Append(Substring(uPath, 1, uPath.Length() - 1));
> ++      uPath = tHome.get();
> ++    }
> ++
> ++    MOZ_LOG(sPledgeLog, LogLevel::Debug, ("%s: unveil(%s, %s)\n",
> ++      PromiseFlatCString(aPath).get(), uPath.get(), perms.get()));
> ++    int ret = unveil(uPath.get(), perms.get());
> ++    if (ret != 0 && ret != ENOENT) {
> ++      err(1, "%s: unveil(%s, %s) failed", PromiseFlatCString(aPath).get(),
> ++        uPath.get(), perms.get());
> ++    }
> ++  }
> ++  input.close();
> ++
> ++  int ret = unveil(PromiseFlatCString(pledgePath).get(), "r");
> ++  if (ret != 0) {
> ++    err(1, "unveil(%s, r) failed", PromiseFlatCString(pledgePath).get());
> ++  }
> ++
> ++  return NS_OK;
> ++}
> ++
> ++NS_IMETHODIMP
> ++OpenBSDPledgePromises(const nsACString& aPath) {
> ++  // Build up one line of pledge promises without comments
> ++  nsAutoCString promises;
> ++
> ++  std::ifstream input(PromiseFlatCString(aPath).get());
> ++
> ++  for (std::string tLine; std::getline(input, tLine); ) {
> ++    nsAutoCString line(tLine.c_str());
> ++    nsAutoCString uPath, perms;
> ++
> ++    // Cut off any comments at the end of the line, also catches lines
> ++    // that are entirely a comment
> ++    int32_t hash = line.FindChar('#');
> ++    if (hash >= 0) {
> ++      line = Substring(line, 0, hash);
> ++    }
> ++    line.CompressWhitespace(true, true);
> ++    if (line.IsEmpty()) {
> ++      continue;
> ++    }
> ++
> ++    if (!promises.IsEmpty()) {
> ++      promises.Append(" ");
> ++    }
> ++    promises.Append(line);
> ++  }
> ++  input.close();
> ++
> ++  MOZ_LOG(sPledgeLog, LogLevel::Debug, ("%s: pledge(%s)\n",
> ++    PromiseFlatCString(aPath).get(), promises.get()));
> ++  if (pledge(promises.get(), nullptr) != 0) {
> ++    err(1, "%s: pledge(%s) failed", PromiseFlatCString(aPath).get(),
> ++      promises.get());
> ++  }
> ++
> ++  return NS_OK;
> ++}
> ++
> + bool StartOpenBSDSandbox(GeckoProcessType type) {
> ++  nsAutoCString pledgeFilePath;
> +   nsAutoCString promisesString;
> +-  nsAutoCString processTypeString;
> ++  nsAutoCString unveilFilePath;
> + 
> +   switch (type) {
> +     case GeckoProcessType_Default:
> +-      processTypeString = "main";
> +-      Preferences::GetCString("security.sandbox.pledge.main", 
> promisesString);
> ++      pledgeFilePath = PLEDGE_FILE_MAIN;
> ++      unveilFilePath = UNVEIL_FILE_MAIN;
> +       break;
> + 
> +     case GeckoProcessType_Content:
> +-      processTypeString = "content";
> +-      Preferences::GetCString("security.sandbox.pledge.content",
> +-                              promisesString);
> ++      pledgeFilePath = PLEDGE_FILE_CONTENT;
> ++      unveilFilePath = UNVEIL_FILE_CONTENT;
> +       break;
> + 
> ++    case GeckoProcessType_GPU:
> ++      pledgeFilePath = PLEDGE_FILE_GPU;
> ++      unveilFilePath = UNVEIL_FILE_GPU;
> ++      break;
> ++
> +     default:
> +       MOZ_ASSERT(false, "unknown process type");
> +       return false;
> +-  };
> ++  }
> + 
> +-  if (pledge(promisesString.get(), NULL) == -1) {
> +-    if (errno == EINVAL) {
> +-      MOZ_LOG(sPledgeLog, LogLevel::Error,
> +-              ("pledge promises for %s process is a malformed string: 
> '%s'\n",
> +-               processTypeString.get(), promisesString.get()));
> +-    } else if (errno == EPERM) {
> +-      MOZ_LOG(
> +-          sPledgeLog, LogLevel::Error,
> +-          ("pledge promises for %s process can't elevate privileges: 
> '%s'\n",
> +-           processTypeString.get(), promisesString.get()));
> +-    }
> +-    return false;
> +-  } else {
> ++  /* dont overwrite an existing session dbus address, but ensure it is set 
> */
> ++  if (!PR_GetEnv("DBUS_SESSION_BUS_ADDRESS")) {
> +     MOZ_LOG(sPledgeLog, LogLevel::Debug,
> +-            ("pledged %s process with promises: '%s'\n",
> +-             processTypeString.get(), promisesString.get()));
> ++            ("no session dbus found, faking one\n"));
> ++    PR_SetEnv("DBUS_SESSION_BUS_ADDRESS=");
> +   }
> ++
> ++  if (NS_WARN_IF(NS_FAILED(OpenBSDUnveilPaths(unveilFilePath, 
> pledgeFilePath)))) {
> ++    errx(1, "failed reading/parsing %s", unveilFilePath.get());
> ++  }
> ++
> ++  if (NS_WARN_IF(NS_FAILED(OpenBSDPledgePromises(pledgeFilePath)))) {
> ++    errx(1, "failed reading/parsing %s", pledgeFilePath.get());
> ++  }
> ++
> +   return true;
> + }
> + #endif
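Review bot: the missing-path tolerance in OpenBSDUnveilPaths() never takes effect: `if (ret != 0 && ret != ENOENT)` compares the return value of unveil(2), which is -1 on every failure, against an errno constant, so a nonexistent directory (an absent ~/.config with XDG_CONFIG_HOME unset, for instance) is fatal via err(1, ...). The check should read `if (ret == -1 && errno != ENOENT)`. Two smaller points: both helpers are declared NS_IMETHODIMP yet every failure path calls err()/errx() directly, so the NS_WARN_IF(NS_FAILED(...)) wrappers in StartOpenBSDSandbox() are dead code (either return an nsresult or drop the wrappers); and the three PR_GetEnv("XDG_*") lookups run once per file line and can be hoisted out of the loop.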
> Index: patches/patch-gfx_ipc_GPUProcessImpl_cpp
> ===================================================================
> RCS file: patches/patch-gfx_ipc_GPUProcessImpl_cpp
> diff -N patches/patch-gfx_ipc_GPUProcessImpl_cpp
> --- /dev/null 1 Jan 1970 00:00:00 -0000
> +++ patches/patch-gfx_ipc_GPUProcessImpl_cpp  25 Sep 2019 16:23:36 -0000
> @@ -0,0 +1,23 @@
> +$OpenBSD$
> +
> +Index: gfx/ipc/GPUProcessImpl.cpp
> +--- gfx/ipc/GPUProcessImpl.cpp.orig
> ++++ gfx/ipc/GPUProcessImpl.cpp
> +@@ -10,6 +10,8 @@
> + 
> + #if defined(OS_WIN) && defined(MOZ_SANDBOX)
> + #  include "mozilla/sandboxTarget.h"
> ++#elif defined(__OpenBSD__) && defined(MOZ_SANDBOX)
> ++#  include "mozilla/SandboxSettings.h"
> + #endif
> + 
> + namespace mozilla {
> +@@ -25,6 +27,8 @@ GPUProcessImpl::~GPUProcessImpl() {}
> + bool GPUProcessImpl::Init(int aArgc, char* aArgv[]) {
> + #if defined(MOZ_SANDBOX) && defined(OS_WIN)
> +   mozilla::SandboxTarget::Instance()->StartSandbox();
> ++#elif defined(__OpenBSD__) && defined(MOZ_SANDBOX)
> ++  StartOpenBSDSandbox(GeckoProcessType_GPU);
> + #endif
> +   char* parentBuildID = nullptr;
> +   char* prefsHandle = nullptr;
> Index: patches/patch-toolkit_system_gnome_nsGIOService_cpp
> ===================================================================
> RCS file: patches/patch-toolkit_system_gnome_nsGIOService_cpp
> diff -N patches/patch-toolkit_system_gnome_nsGIOService_cpp
> --- /dev/null 1 Jan 1970 00:00:00 -0000
> +++ patches/patch-toolkit_system_gnome_nsGIOService_cpp       25 Sep 2019 
> 16:23:36 -0000
> @@ -0,0 +1,26 @@
> +$OpenBSD$
> +
> +Index: toolkit/system/gnome/nsGIOService.cpp
> +--- toolkit/system/gnome/nsGIOService.cpp.orig
> ++++ toolkit/system/gnome/nsGIOService.cpp
> +@@ -497,7 +497,20 @@ nsGIOService::GetAppForMimeType(const nsACString& aMim
> +     return NS_ERROR_NOT_AVAILABLE;
> +   }
> + 
> ++#if defined(__OpenBSD__) && defined(MOZ_SANDBOX)
> ++  // g_app_info_get_default_for_type will fail on OpenBSD's veiled 
> filesystem
> ++  // since we most likely don't have direct access to the binaries that are
> ++  // registered as defaults for this type.  Fake it up by just executing
> ++  // xdg-open via gio-launch-desktop (which we do have access to) and 
> letting
> ++  // it figure out which program to execute for this MIME type
> ++  GAppInfo* app_info = g_app_info_create_from_commandline(
> ++    "/usr/local/bin/xdg-open",
> ++    nsPrintfCString("System default for %s", content_type).get(),
> ++    G_APP_INFO_CREATE_NONE, NULL);
> ++#else
> +   GAppInfo* app_info = g_app_info_get_default_for_type(content_type, false);
> ++#endif
> ++
> +   if (app_info) {
> +     nsGIOMimeApp* mozApp = new nsGIOMimeApp(app_info);
> +     NS_ENSURE_TRUE(mozApp, NS_ERROR_OUT_OF_MEMORY);
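Review bot: this hard-codes `/usr/local/bin/xdg-open` as the launcher for every MIME type, but unveil.main only exposes `/usr/local/bin/gio-launch-desktop rx` (and /usr/bin/lpr), and unveil(2) restrictions are inherited across fork and exec, so the helper started through gio-launch-desktop cannot execute xdg-open (or whatever xdg-open itself runs) unless those paths are added to unveil.main. Either add them or extend the comment to explain how the launch is expected to succeed under the veil; "which we do have access to" currently covers gio-launch-desktop only.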
> Index: pkg/PLIST
> ===================================================================
> RCS file: /cvs/ports/www/mozilla-firefox/pkg/PLIST,v
> retrieving revision 1.80
> diff -u -p -u -p -r1.80 PLIST
> --- pkg/PLIST 21 May 2019 16:51:12 -0000      1.80
> +++ pkg/PLIST 25 Sep 2019 16:23:36 -0000
> @@ -64,6 +64,20 @@ lib/${MOZILLA_PROJECT}/removed-files
>  @man man/man1/mozilla-${MOZILLA_PROJECT}.1
>  share/applications/${MOZILLA_PROJECT}.desktop
>  share/doc/pkg-readmes/${PKGSTEM}
> +share/examples/${MOZILLA_PROJECT}/
> +@sample ${SYSCONFDIR}/${MOZILLA_PROJECT}/
> +share/examples/${MOZILLA_PROJECT}/pledge.content
> +@sample ${SYSCONFDIR}/${MOZILLA_PROJECT}/pledge.content
> +share/examples/${MOZILLA_PROJECT}/pledge.gpu
> +@sample ${SYSCONFDIR}/${MOZILLA_PROJECT}/pledge.gpu
> +share/examples/${MOZILLA_PROJECT}/pledge.main
> +@sample ${SYSCONFDIR}/${MOZILLA_PROJECT}/pledge.main
> +share/examples/${MOZILLA_PROJECT}/unveil.content
> +@sample ${SYSCONFDIR}/${MOZILLA_PROJECT}/unveil.content
> +share/examples/${MOZILLA_PROJECT}/unveil.gpu
> +@sample ${SYSCONFDIR}/${MOZILLA_PROJECT}/unveil.gpu
> +share/examples/${MOZILLA_PROJECT}/unveil.main
> +@sample ${SYSCONFDIR}/${MOZILLA_PROJECT}/unveil.main
>  share/pixmaps/
>  share/pixmaps/${MOZILLA_PROJECT}.png
>  @tag update-desktop-database
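Review bot: the sample files are installed under ${SYSCONFDIR}/${MOZILLA_PROJECT}/ while the new code reads them from hard-coded `/etc/firefox/...` paths (PLEDGE_FILE_* / UNVEIL_FILE_*); the two only agree when SYSCONFDIR is /etc and MOZILLA_PROJECT is firefox. Consider deriving the directory at build time (a -D define from SYSCONFDIR) so the PLIST and the code cannot drift.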
> 

In a very particular case, I get a
firefox[4133]: pledge "inet", syscall 97

To do so, I make an ssh tunnel to a Proxmox web interface with the default
certificate (auto-generated)

ssh -L 44444:10.4.5.6:8006 some_remote_machine

then open https://localhost:44444 in Firefox, and I get a pledge error
with Firefox showing "Gah. Your tab just crashed."

Sadly, I've not been able to reproduce this with any other certificate.
It may well not be related to ssh tunneling, but I can't try direct LAN
access.

In case this can help, here is the output of openssl s_client

solene@t480 ~/ $ openssl s_client -connect localhost:44444
CONNECTED(00000003)
depth=0 OU = PVE Cluster Node, O = Proxmox Virtual Environment, CN = remote_server
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 OU = PVE Cluster Node, O = Proxmox Virtual Environment, CN = remote_server
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/OU=PVE Cluster Node/O=Proxmox Virtual Environment/CN=remote_server
   i:/CN=Proxmox Virtual Environment/OU=b52ee0d8-fa71-4c57-938b-efaffe312e12/O=PVE Cluster Manager CA
---
Server certificate
subject=/OU=PVE Cluster Node/O=Proxmox Virtual Environment/CN=remote_server
issuer=/CN=Proxmox Virtual Environment/OU=b52ee0d8-fa71-4c57-938b-efaffe312e12/O=PVE Cluster Manager CA
---
No client certificate CA names sent
---
SSL handshake has read 1840 bytes and written 285 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: F15F9B11C93BE92989985B0F51F212AF97E969225659E907B5C5B5DD5F6774AB
    Session-ID-ctx:
    Master-Key: 0EE8CFFE53CC5D7A32F450C3C60BB8C39F38FC3C23D2F23CA36796FD5E671299923D32AF80BEAA50120F3AF5D377D08E
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:

    Start Time: 1570006336
    Timeout   : 7200 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---

7362462955640:error:10FFF067:elliptic curve routines:CRYPTO_internal:invalid field:/usr/src/lib/libcrypto/ec/ec_lib.c:342:
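
The /etc/firefox/unveil.* line format the quoted patch introduces (`<path> <perms>`, `#` comments, `$XDG_*_HOME` and leading `~` expansion), as an added stand-alone C parser that is not part of the patch or the port: it mirrors the expansion order of OpenBSDUnveilPaths() on constructed sample lines with a constructed home directory, and deliberately rejects extra fields and unknown permission letters, which the patch leaves for unveil(2) to refuse.

```c
/* Added example, not code from the quoted patch or the port: a stand-alone
 * parser for the /etc/firefox/unveil.* format ("<path> <perms>" per line,
 * '#' comments, $XDG_*_HOME and leading '~' expansion in the order
 * OpenBSDUnveilPaths() applies them). Sample lines and the home directory
 * are constructed; nothing here calls unveil(2). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_PATH 1024
#define WS " \t\r\n"

struct unveil_entry { char path[MAX_PATH]; char perms[8]; };
struct xdg_dirs { const char *cache, *config, *data; };

/* Environment value when set and non-empty, otherwise the patch's default. */
static const char *env_or(const char *name, const char *dflt) {
    const char *v = getenv(name);
    return (v && *v) ? v : dflt;
}

/* Replace the first occurrence of `var` in `path` with `val` (one per line
 * is what the shipped files contain; the patch's ReplaceSubstring does all). */
static void expand_var(char *path, size_t cap, const char *var, const char *val) {
    char out[MAX_PATH];
    const char *hit = strstr(path, var);
    if (!hit) return;
    snprintf(out, sizeof(out), "%.*s%s%s", (int)(hit - path), path, val, hit + strlen(var));
    snprintf(path, cap, "%s", out);
}

/* Only a leading '~' is expanded, matching the patch's FindChar('~') == 0. */
static void expand_tilde(char *path, size_t cap, const char *home) {
    char out[MAX_PATH];
    if (path[0] != '~') return;
    snprintf(out, sizeof(out), "%s%s", home, path + 1);
    snprintf(path, cap, "%s", out);
}

/* 1 = entry parsed into *e, 0 = blank or comment-only line, -1 = malformed.
 * Stricter than the patch: exactly two fields, perms drawn from "rwxc". */
static int parse_line(const char *src, const char *home,
                      const struct xdg_dirs *xdg, struct unveil_entry *e) {
    char buf[MAX_PATH];
    snprintf(buf, sizeof(buf), "%s", src);
    char *hash = strchr(buf, '#');
    if (hash) *hash = '\0';                           /* strip trailing comment */
    char *p = buf + strspn(buf, WS);                  /* field 1: path */
    if (*p == '\0') return 0;
    size_t plen = strcspn(p, WS);
    char *q = p + plen + strspn(p + plen, WS);        /* field 2: permissions */
    size_t qlen = strcspn(q, WS);
    if (qlen == 0 || q[qlen + strspn(q + qlen, WS)] != '\0') return -1;
    if (plen >= sizeof(e->path) || qlen >= sizeof(e->perms)) return -1;
    if (strspn(q, "rwxc") != qlen) return -1;
    memcpy(e->path, p, plen);  e->path[plen] = '\0';
    memcpy(e->perms, q, qlen); e->perms[qlen] = '\0';
    /* $XDG_* first: their "~/..." defaults then go through the tilde step. */
    expand_var(e->path, sizeof(e->path), "$XDG_CONFIG_HOME", xdg->config);
    expand_var(e->path, sizeof(e->path), "$XDG_CACHE_HOME", xdg->cache);
    expand_var(e->path, sizeof(e->path), "$XDG_DATA_HOME", xdg->data);
    expand_tilde(e->path, sizeof(e->path), home);
    return 1;
}

int main(void) {
    /* Constructed lines in the style of the patch's unveil.main. */
    static const char *sample[] = {
        "# for at least shm_open (for now)", "/tmp rwc", "",
        "~/.mozilla rwc   # profile", "$XDG_CONFIG_HOME/gtk-3.0 r",
        "$XDG_DATA_HOME/recently-used.xbel rwc" };
    struct xdg_dirs xdg = { env_or("XDG_CACHE_HOME", "~/.cache"),
        env_or("XDG_CONFIG_HOME", "~/.config"), env_or("XDG_DATA_HOME", "~/.local/share") };
    for (size_t i = 0; i < sizeof sample / sizeof sample[0]; i++) {
        struct unveil_entry e;
        if (parse_line(sample[i], "/home/example", &xdg, &e) == 1)
            printf("unveil(\"%s\", \"%s\")\n", e.path, e.perms);
    }
    return 0;
}
```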
