If you're following along at home, here's an update for Firefox 70.

Now uses an external PATCHFILE so I can keep my feature patches 
together as separate commits, which are still waiting on upstream 
integration.


Index: Makefile
===================================================================
RCS file: /cvs/ports/www/mozilla-firefox/Makefile,v
retrieving revision 1.400
diff -u -p -u -p -r1.400 Makefile
--- Makefile    23 Oct 2019 19:38:07 -0000      1.400
+++ Makefile    27 Oct 2019 18:14:58 -0000
@@ -10,6 +10,11 @@ MOZILLA_BRANCH =     release
 MOZILLA_PROJECT =      firefox
 MOZILLA_CODENAME =     browser
 
+REVISION=      0
+
+MASTER_SITES0= https://jcs.org/patches/
+PATCHFILES+=   firefox70-unveil0.diff:0
+
 WRKDIST =      ${WRKDIR}/${MOZILLA_DIST}-${MOZILLA_DIST_VERSION:C/b[0-9]*//}
 HOMEPAGE =     https://www.mozilla.org/firefox/
 SO_VERSION =   85.0
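Review bot: The new PATCHFILES entry carries no comment saying what the external patch is, so the next reader has to fetch it from MASTER_SITES0 to find out; the mail text says it holds the pledge/unveil feature work still pending upstream, so a line such as `# pledge(2)/unveil(2) support, pending upstream integration` above `MASTER_SITES0=` would record that in the Makefile. Integrity of the download is pinned by the SHA256 and SIZE added to distinfo in the same diff, which is the right control for a patch served from a personal site. The three new assignments also use `VAR=<tab>` spacing where the surrounding lines use `VAR =<tab>`.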
@@ -53,6 +58,8 @@ BUILD_DEPENDS +=      devel/cbindgen>=0.9.1
 # 67 requires nasm for bundled libdav1d
 BUILD_DEPENDS +=       devel/nasm
 .endif
+# unveil support relies on xdg-open
+RUN_DEPENDS +=         devel/xdg-utils
 
 WANTLIB += X11-xcb Xcursor Xi intl xcb xcb-shm ${COMPILER_LIBCXX}
 
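Review bot: The comment says unveil support relies on xdg-open, but the unveil.main file added later in this diff grants `rx` only to `/usr/local/bin/gio-launch-desktop` and `/usr/bin/lpr` and has no entry for xdg-open; if the main process execs xdg-open it needs an rx entry there, and if xdg-utils is only needed for the xdg-mime registration that pkg/README describes, the comment should say that instead, e.g. `# MIME handler registration and launching relies on xdg-utils`. Which binary is actually executed is inferred, since the external patch is not visible here.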
@@ -66,7 +73,7 @@ MAKE_ENV +=           BUILD_VERBOSE_LOG="1" CARGO
 CONFIGURE_ARGS +=      --enable-release #1386371
 CONFIGURE_ARGS +=      --enable-sandbox
 CONFIGURE_ARGS +=      --with-libclang-path=${LOCALBASE}/lib
-SUBST_VARS +=  LOCALBASE X11BASE
+SUBST_VARS +=  LOCALBASE X11BASE MOZILLA_PROJECT
 
 show-commit:
        @curl -s 
https://releases.mozilla.org/pub/mozilla.org/firefox/releases/${MOZILLA_VERSION}/SOURCE|
 awk -F / '/^https:\/\/hg/ {print $$7 }'
@@ -94,6 +101,10 @@ post-install:
                ${PREFIX}/share/pixmaps/firefox.png
 
        # link default48.png to default.png to be used by default by non-icccm 
compliant wm
-       ln 
${PREFIX}/lib/${MOZILLA_PROJECT}/browser/chrome/icons/default/default{48,}.png
+       ln -f 
${PREFIX}/lib/${MOZILLA_PROJECT}/browser/chrome/icons/default/default{48,}.png
+
+.for f in unveil.content unveil.gpu unveil.main pledge.content pledge.gpu 
pledge.main
+       ${INSTALL_DATA} ${FILESDIR}/${f} 
${PREFIX}/lib/${MOZILLA_PROJECT}/browser/defaults/preferences/
+.endfor
 
 .include <bsd.port.mk>
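Review bot: The `.for` loop installs the pledge/unveil files verbatim with ${INSTALL_DATA}, so the `/usr/local/lib/firefox` and `/usr/local/firefox` paths hard-coded inside unveil.content, unveil.gpu and unveil.main are not tied to ${LOCALBASE} or ${MOZILLA_PROJECT}, even though this diff adds MOZILLA_PROJECT to SUBST_VARS and pkg/README writes the same location as `${LOCALBASE}/lib/${MOZILLA_PROJECT}`. If the paths are meant to follow the port variables, write them that way in the files and add `${SUBST_CMD} ${PREFIX}/lib/${MOZILLA_PROJECT}/browser/defaults/preferences/${f}` after the install line; if a non-default LOCALBASE is simply unsupported, a comment on the loop saying so would settle the question. The post-install target begins outside the hunk.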
Index: distinfo
===================================================================
RCS file: /cvs/ports/www/mozilla-firefox/distinfo,v
retrieving revision 1.201
diff -u -p -u -p -r1.201 distinfo
--- distinfo    23 Oct 2019 19:38:07 -0000      1.201
+++ distinfo    27 Oct 2019 18:14:58 -0000
@@ -1,2 +1,4 @@
 SHA256 (mozilla/firefox-70.0.source.tar.xz) = 
zZ8pAnU4McB8Sy7mT3gm8zyhEjrdZEDcNKvj/xc6DMY=
+SHA256 (mozilla/firefox70-unveil0.diff) = 
EnnlfBPb9tIp2YX4SmDSGPzOK6pE3AEbKtyXxVf6JuU=
 SIZE (mozilla/firefox-70.0.source.tar.xz) = 321160764
+SIZE (mozilla/firefox70-unveil0.diff) = 17276
Index: files/all-openbsd.js
===================================================================
RCS file: /cvs/ports/www/mozilla-firefox/files/all-openbsd.js,v
retrieving revision 1.10
diff -u -p -u -p -r1.10 all-openbsd.js
--- files/all-openbsd.js        9 Sep 2019 18:50:35 -0000       1.10
+++ files/all-openbsd.js        27 Oct 2019 18:14:58 -0000
@@ -5,10 +5,6 @@ pref("app.normandy.enabled",false);
 pref("browser.safebrowsing.enabled", false);
 pref("browser.safebrowsing.malware.enabled", false);
 pref("spellchecker.dictionary_path", "${LOCALBASE}/share/mozilla-dicts/");
-// enable pledging the content process
-pref("security.sandbox.content.level", 1);
-pref("security.sandbox.pledge.main","stdio rpath wpath cpath inet proc exec 
prot_exec flock ps sendfd recvfd dns vminfo tty drm unix fattr getpw mcast 
video");
-pref("security.sandbox.pledge.content","stdio rpath wpath cpath inet recvfd 
sendfd prot_exec unix drm ps");
 pref("extensions.pocket.enabled", false);
 pref("browser.newtabpage.enabled", false);
 pref("browser.startup.homepage", "about:blank");
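Review bot: The removed `pref("security.sandbox.content.level", 1);` is not re-added anywhere in this diff, whereas the two pledge prefs clearly move to the new pledge.* files; if the external patch no longer reads content.level this is fine, but otherwise the content sandbox level silently reverts to the build default. Confirm the intent and, if the pref still matters, either keep it here or mention its replacement in pkg/README.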
Index: files/pledge.content
===================================================================
RCS file: files/pledge.content
diff -N files/pledge.content
--- /dev/null   1 Jan 1970 00:00:00 -0000
+++ files/pledge.content        27 Oct 2019 18:14:58 -0000
@@ -0,0 +1,10 @@
+stdio
+rpath
+wpath
+cpath
+recvfd
+sendfd
+prot_exec
+unix
+drm
+ps
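Review bot: This set drops `inet` relative to the `security.sandbox.pledge.content` string removed from all-openbsd.js in the same diff, which otherwise maps one promise per line; tightening the content process is welcome, but the change is undocumented, and pkg/README's debugging section points people at this file when a pledge violation appears. If the omission is deliberate because network traffic is brokered elsewhere, a leading comment stating that would prevent it being "restored" later, provided the pledge file parser accepts comments the way unveil.main's `#` lines suggest (assumed, not visible here).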
Index: files/pledge.gpu
===================================================================
RCS file: files/pledge.gpu
diff -N files/pledge.gpu
--- /dev/null   1 Jan 1970 00:00:00 -0000
+++ files/pledge.gpu    27 Oct 2019 18:14:58 -0000
@@ -0,0 +1,11 @@
+stdio
+rpath
+wpath
+cpath
+ps
+sendfd
+recvfd
+drm
+dns
+unix
+prot_exec
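Review bot: `dns` and `unix` are promised to the GPU process with nothing saying what needs them; a GPU process that can resolve names is a broader grant than the content set in pledge.content, which has neither. If these were carried over from pledge.main as a starting point rather than observed in SandboxPledge logs, trimming them, or commenting why they stay, keeps the set minimal.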
Index: files/pledge.main
===================================================================
RCS file: files/pledge.main
diff -N files/pledge.main
--- /dev/null   1 Jan 1970 00:00:00 -0000
+++ files/pledge.main   27 Oct 2019 18:14:58 -0000
@@ -0,0 +1,21 @@
+stdio
+rpath
+wpath
+cpath
+inet
+proc
+exec
+prot_exec
+flock
+ps
+sendfd
+recvfd
+dns
+vminfo
+tty
+drm
+unix
+fattr
+getpw
+mcast
+video
Index: files/unveil.content
===================================================================
RCS file: files/unveil.content
diff -N files/unveil.content
--- /dev/null   1 Jan 1970 00:00:00 -0000
+++ files/unveil.content        27 Oct 2019 18:14:58 -0000
@@ -0,0 +1,43 @@
+/dev/drm0 rw
+
+/etc/fonts r
+/etc/machine-id r
+/usr/local/lib r
+/usr/local/firefox r
+/usr/local/share r
+/usr/share/locale r
+/var/cache/fontconfig r
+/usr/X11R6/lib r
+/usr/X11R6/share r
+/var/run r
+
+~/.XCompose r
+~/.Xauthority r
+~/.Xdefaults r
+~/.fontconfig r
+~/.fonts r
+~/.fonts.conf r
+~/.fonts.conf.d r
+~/.icons r
+~/.pki rwc
+~/.sndio rwc
+~/.terminfo r
+
+~/.mozilla r
+~/Downloads r
+
+/tmp rwc
+
+$XDG_CONFIG_HOME/dconf rwc
+$XDG_CONFIG_HOME/fontconfig r
+$XDG_CONFIG_HOME/gtk-3.0 r
+$XDG_CONFIG_HOME/mimeapps.list r
+$XDG_CONFIG_HOME/mozilla rwc
+$XDG_CONFIG_HOME/user-dirs.dirs r
+$XDG_DATA_HOME/applications r
+$XDG_DATA_HOME/applnk r
+$XDG_DATA_HOME/fonts r
+$XDG_DATA_HOME/glib-2.0 r
+$XDG_DATA_HOME/icons r
+$XDG_DATA_HOME/mime r
+$XDG_DATA_HOME/themes r
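Review bot: The content process gets `~/.mozilla r` but `$XDG_CONFIG_HOME/mozilla rwc`, so a profile in the default ~/.mozilla location is read-only to content while one under XDG_CONFIG_HOME is writable; if the asymmetry is deliberate (unveil.main gives the main process ~/.mozilla rwc, suggesting writes are brokered there), a comment on those two lines would stop a later "fix" from widening it. `/usr/local/firefox r` sits next to `/usr/local/lib r`, which already covers /usr/local/lib/firefox, and it is not clear what the former path serves. Both are hard-coded rather than derived from the port's LOCALBASE.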
Index: files/unveil.gpu
===================================================================
RCS file: files/unveil.gpu
diff -N files/unveil.gpu
--- /dev/null   1 Jan 1970 00:00:00 -0000
+++ files/unveil.gpu    27 Oct 2019 18:14:58 -0000
@@ -0,0 +1,11 @@
+/dev/drm0 rw
+
+/usr/local/lib/firefox r
+/usr/local/lib/gdk-pixbuf-2.0 r
+/usr/X11R6/lib r
+/usr/share/locale r
+/usr/local/share r
+
+/tmp rwc
+
+~/.Xauthority r
Index: files/unveil.main
===================================================================
RCS file: files/unveil.main
diff -N files/unveil.main
--- /dev/null   1 Jan 1970 00:00:00 -0000
+++ files/unveil.main   27 Oct 2019 18:14:58 -0000
@@ -0,0 +1,63 @@
+# for uuid generation?
+/dev/urandom r
+/dev/video rw
+
+/etc/fonts r
+/etc/machine-id r
+
+/usr/local/lib r
+/usr/local/firefox r
+/usr/local/lib/firefox rx
+/usr/local/share r
+/usr/share/locale r
+/var/cache/fontconfig r
+/usr/X11R6/lib r
+/usr/X11R6/share r
+/var/run r
+
+# printing
+/usr/bin/lpr rx
+
+# for launching registered 3rd party applications like pdf readers
+/usr/local/bin/gio-launch-desktop rx
+/etc/mailcap r
+~/.mailcap r
+~/.mime.types r
+
+~/.XCompose r
+~/.Xauthority r
+~/.Xdefaults r
+~/.fontconfig r
+~/.fonts r
+~/.fonts.conf r
+~/.fonts.conf.d r
+~/.icons r
+~/.pki rwc
+~/.sndio rwc
+~/.terminfo r
+
+~/.mozilla rwc
+~/Downloads rwc
+
+# for at least shm_open (for now)
+/tmp rwc
+
+# $XDG_CACHE_HOME, $XDG_CONFIG_HOME, and $XDG_DATA_HOME will expand to the
+# given variable if it exists in the environment, otherwise defaulting to
+# ~/.cache, ~/.config, and ~/.local/share
+$XDG_CACHE_HOME/dconf rwc
+$XDG_CACHE_HOME/thumbnails rwc
+$XDG_CONFIG_HOME/dconf rw
+$XDG_CONFIG_HOME/fontconfig r
+$XDG_CONFIG_HOME/gtk-3.0 r
+$XDG_CONFIG_HOME/mimeapps.list r
+$XDG_CONFIG_HOME/mozilla rwc
+$XDG_CONFIG_HOME/user-dirs.dirs r
+$XDG_DATA_HOME/applications rwc
+$XDG_DATA_HOME/applnk r
+$XDG_DATA_HOME/fonts r
+$XDG_DATA_HOME/glib-2.0 r
+$XDG_DATA_HOME/icons r
+$XDG_DATA_HOME/mime r
+$XDG_DATA_HOME/recently-used.xbel rwc
+$XDG_DATA_HOME/themes r
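Review bot: `# for uuid generation?` leaves a question mark on a line that grants /dev/urandom to the main process; the reason should be pinned down and the comment written as a statement. `$XDG_DATA_HOME/applications rwc` gives the main process write access to the user's desktop entries, broader than the `r` the content set uses for the same directory; if it exists so xdg-mime can register defaults, a comment saying so would document the grant. `/usr/local/lib r` already covers `/usr/local/lib/firefox` except for the exec bit, so the narrower `rx` line could carry a comment noting it is there for execution.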
Index: pkg/PLIST
===================================================================
RCS file: /cvs/ports/www/mozilla-firefox/pkg/PLIST,v
retrieving revision 1.81
diff -u -p -u -p -r1.81 PLIST
--- pkg/PLIST   23 Oct 2019 19:38:08 -0000      1.81
+++ pkg/PLIST   27 Oct 2019 18:14:58 -0000
@@ -28,6 +28,12 @@ lib/${MOZILLA_PROJECT}/browser/chrome/ic
 lib/${MOZILLA_PROJECT}/browser/defaults/
 lib/${MOZILLA_PROJECT}/browser/defaults/preferences/
 lib/${MOZILLA_PROJECT}/browser/defaults/preferences/all-openbsd.js
+lib/${MOZILLA_PROJECT}/browser/defaults/preferences/pledge.content
+lib/${MOZILLA_PROJECT}/browser/defaults/preferences/pledge.gpu
+lib/${MOZILLA_PROJECT}/browser/defaults/preferences/pledge.main
+lib/${MOZILLA_PROJECT}/browser/defaults/preferences/unveil.content
+lib/${MOZILLA_PROJECT}/browser/defaults/preferences/unveil.gpu
+lib/${MOZILLA_PROJECT}/browser/defaults/preferences/unveil.main
 lib/${MOZILLA_PROJECT}/browser/features/
 lib/${MOZILLA_PROJECT}/browser/features/formautof...@mozilla.org.xpi
 lib/${MOZILLA_PROJECT}/browser/features/screensh...@mozilla.org.xpi
Index: pkg/README
===================================================================
RCS file: /cvs/ports/www/mozilla-firefox/pkg/README,v
retrieving revision 1.24
diff -u -p -u -p -r1.24 README
--- pkg/README  11 Jun 2019 06:01:20 -0000      1.24
+++ pkg/README  27 Oct 2019 18:14:58 -0000
@@ -14,6 +14,43 @@ firefox -ProfileManager, and click "Crea
 If Firefox doesn't start at all, try starting it with -safe-mode
 switch, which disables extensions and themes for your session.
 
+pledge(2) and unveil(2) Support
+===============================
+Firefox on OpenBSD is secured with pledge(2) and unveil(2) to limit
+the system calls and filesystem access that each of Firefox's three
+process types (main, content, and GPU) is permitted.  By default,
+only ~/Downloads and /tmp can be written to when downloading files,
+or when viewing local files as file:// URLs.
+
+Files containing pledge promises and unveil paths and permissions
+for each type of process are located in
+${LOCALBASE}/lib/${MOZILLA_PROJECT}/browser/defaults/preferences/.
+Each file can be overridden by copying it to ${SYSCONFDIR}/firefox/
+and modifying it.
+
+3rd-Party MIME Handlers
+=======================
+Due to unveil(2) limiting filesystem access, only the default MIME
+handler registered for a given type can be chosen when opening a
+downloaded file.  For example, to use the mupdf package to read
+PDFs, it must be registered as the default with XDG:
+
+       $ xdg-mime default mupdf.desktop application/pdf
+
+The current default for a given type can be viewed with xdg-mime's
+query command:
+
+       $ xdg-mime query default application/pdf
+
+The older mailcap-format handlers are also supported, but the path
+being executed must be explicitly added to the unveil.main file
+with "rx" permissions.  For example, a ~/.mailcap file specifying:
+
+       application/pdf; ${LOCALBASE}/bin/xpdf %s
+
+must have "${LOCALBASE}/bin/xpdf rx" added to unveil.main for it to
+appear as an option in the "Open With" drop-down.
+
 Using mailto: links
 ===================
 To enable mailto: links in Firefox to open in your mail program,
@@ -33,22 +70,25 @@ Debugging
 If you encounter crashes, you might want to build the debug FLAVOR of
 this package, and run firefox inside egdb, so that you can gather
 debugging logs and traces (for all threads!).
+
 If this is a pledge violation, you should figure out which codepath
 in which process leads to calling a forbidden syscall, and which pledge
-is missing from the two default sets configured in
-security.sandbox.pledge.main and security.sandbox.pledge.content
-about:config keys. MOZ_LOG=SandboxPledge:5 should help.
-Bug reports without enough information will be ignored.
+is missing from the sets configured according to the section above.
+Setting MOZ_LOG=SandboxPledge:5 should help.  Bug reports without
+enough information will be ignored.
 
 Note that if you're using NIS or your profile is located on a NFS share,
-you might need to add 'getpw' to security.sandbox.pledge.content in
-about:config.
+you might need to add 'getpw' to the the pledge.content file.
+
+If using the amdgpu driver, you might need to add 'ioctl' to the
+pledge.content file.
 
-If using the amdgpu driver, you might need to add 'ioctl' to
-security.sandbox.pledge.content in about:config.
+If you're not running sndiod(8) you will need to add 'audio' to the
+pledge.main file.
 
-If you're not running sndiod(8) you will need to add 'audio' to
-security.sandbox.pledge.main in about:config.
+To disable pledge and/or unveil support when troubleshooting, set
+the corresponding pledge or unveil file to just contain the string
+"disable".
 
 D-BUS
 =====
