Github messages for voidlinux
* [PR PATCH] firefox: fix sandbox for fcntl
From: jnbr @ 2020-11-23 22:34 UTC
  To: ml

There is a new pull request by jnbr against master on the void-packages repository

https://github.com/jnbr/void-packages fiefox-dbg
https://github.com/void-linux/void-packages/pull/26663

firefox: fix sandbox for fcntl
fixes #26639 

[ci skip]

A patch file from https://github.com/void-linux/void-packages/pull/26663.patch is attached

[-- Attachment #2: github-pr-fiefox-dbg-26663.patch --]
[-- Type: text/x-diff, Size: 1818 bytes --]

From b62dfffaf18a177d6d9c51a8ae1aac1ad0d30f7d Mon Sep 17 00:00:00 2001
From: Johannes <johannes.brechtmann@gmail.com>
Date: Mon, 23 Nov 2020 22:45:51 +0100
Subject: [PATCH] firefox: fix sandbox for fcntl

The assumption that O_LARGEFILE is 0 is only true on glibc,
setting it to 00100000 is wrong for many architectures.
---
 .../firefox/patches/sandbox-largefile.patch    | 18 ++++++++++++++++++
 srcpkgs/firefox/template                       |  2 +-
 2 files changed, 19 insertions(+), 1 deletion(-)
 create mode 100644 srcpkgs/firefox/patches/sandbox-largefile.patch

diff --git a/srcpkgs/firefox/patches/sandbox-largefile.patch b/srcpkgs/firefox/patches/sandbox-largefile.patch
new file mode 100644
index 00000000000..eb10510a90c
--- /dev/null
+++ b/srcpkgs/firefox/patches/sandbox-largefile.patch
@@ -0,0 +1,18 @@
+in case O_LARGEFILE is not set to 0, use the real value
+
+--- security/sandbox/linux/SandboxFilter.cpp	2020-11-23 22:41:14.556378950 +0100
++++ security/sandbox/linux/SandboxFilter.cpp	2020-11-23 22:40:23.595806444 +0100
+@@ -66,9 +66,13 @@
+ #  define PR_SET_PTRACER 0x59616d61
+ #endif
+ 
++#if O_LARGEFILE == 0
+ // The headers define O_LARGEFILE as 0 on x86_64, but we need the
+ // actual value because it shows up in file flags.
+ #define O_LARGEFILE_REAL 00100000
++#else
++#define O_LARGEFILE_REAL O_LARGEFILE
++#endif
+ 
+ // Not part of UAPI, but userspace sees it in F_GETFL; see bug 1650751.
+ #define FMODE_NONOTIFY 0x4000000
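
Review bot: the `#if O_LARGEFILE == 0` branch still hard-codes `00100000`, the value the commit message itself calls wrong for many architectures, so any target whose headers define O_LARGEFILE as 0 but whose real flag bit differs keeps the wrong constant. Choose the constant per architecture inside that branch instead of keying only on the header macro, and reword the retained comment, which still says the headers define it as 0 "on x86_64" although the conditional is no longer tied to x86_64.
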
diff --git a/srcpkgs/firefox/template b/srcpkgs/firefox/template
index 8383fcc952f..7d792ca84e7 100644
--- a/srcpkgs/firefox/template
+++ b/srcpkgs/firefox/template
@@ -4,7 +4,7 @@
 #
 pkgname=firefox
 version=83.0
-revision=1
+revision=2
 build_helper="rust"
 short_desc="Mozilla Firefox web browser"
 maintainer="Johannes <johannes.brechtmann@gmail.com>"

* Re: firefox: fix sandbox for fcntl
From: q66 @ 2020-11-24  3:41 UTC
  To: ml

New comment by q66 on void-packages repository

https://github.com/void-linux/void-packages/pull/26663#issuecomment-732634494

Comment:
this is not entirely correct, as the value is not `0100000` on all platforms

the block should look like this:

```
#if defined(__x86_64__) || defined(__i386__) || defined(__mips__)
#define O_LARGEFILE_REAL 0100000
#elif defined(__powerpc__)
#define O_LARGEFILE_REAL 0200000
#else
#define O_LARGEFILE_REAL O_LARGEFILE
#endif
```

* Re: firefox: fix sandbox for fcntl
From: q66 @ 2020-11-24  3:42 UTC
  To: ml

New comment by q66 on void-packages repository

https://github.com/void-linux/void-packages/pull/26663#issuecomment-732634494

Comment:
this is not entirely correct, as the value is not `0100000` on all platforms

the block should look like this:

```
#if defined(__x86_64__) || defined(__i386__) || defined(__mips__)
#define O_LARGEFILE_REAL 0100000
#elif defined(__powerpc__)
#define O_LARGEFILE_REAL 0200000
#else
#define O_LARGEFILE_REAL O_LARGEFILE
#endif
```

(this is equivalent to how it's done and working in chromium)

* Re: [PR PATCH] [Updated] firefox: fix sandbox for fcntl
From: jnbr @ 2020-11-24 17:09 UTC
  To: ml

There is an updated pull request by jnbr against master on the void-packages repository

https://github.com/jnbr/void-packages fiefox-dbg
https://github.com/void-linux/void-packages/pull/26663

firefox: fix sandbox for fcntl
fixes #26639 

[ci skip]

A patch file from https://github.com/void-linux/void-packages/pull/26663.patch is attached

[-- Attachment #2: github-pr-fiefox-dbg-26663.patch --]
[-- Type: text/x-diff, Size: 1857 bytes --]

From b884a5e0f8f2b604aa28de76938618ad9cf9f407 Mon Sep 17 00:00:00 2001
From: Johannes <johannes.brechtmann@gmail.com>
Date: Mon, 23 Nov 2020 22:45:51 +0100
Subject: [PATCH] firefox: fix sandbox for fcntl

The assumption that O_LARGEFILE is 0 is only true on glibc,
setting it to 00100000 is wrong for many architectures.
---
 srcpkgs/firefox/patches/sandbox-largefile.patch | 17 +++++++++++++++++
 srcpkgs/firefox/template                        |  2 +-
 2 files changed, 18 insertions(+), 1 deletion(-)
 create mode 100644 srcpkgs/firefox/patches/sandbox-largefile.patch

diff --git a/srcpkgs/firefox/patches/sandbox-largefile.patch b/srcpkgs/firefox/patches/sandbox-largefile.patch
new file mode 100644
index 00000000000..494ca82df5a
--- /dev/null
+++ b/srcpkgs/firefox/patches/sandbox-largefile.patch
@@ -0,0 +1,17 @@
+--- security/sandbox/linux/SandboxFilter.cpp	2020-11-23 22:41:14.556378950 +0100
++++ security/sandbox/linux/SandboxFilter.cpp	2020-11-23 22:40:23.595806444 +0100
+@@ -68,7 +68,13 @@
+ 
+ // The headers define O_LARGEFILE as 0 on x86_64, but we need the
+ // actual value because it shows up in file flags.
+-#define O_LARGEFILE_REAL 00100000
++#if defined(__x86_64__) || defined(__i386__) || defined(__mips__)
++#define O_LARGEFILE_REAL 0100000
++#elif defined(__powerpc__)
++#define O_LARGEFILE_REAL 0200000
++#else
++#define O_LARGEFILE_REAL O_LARGEFILE
++#endif
+ 
+ // Not part of UAPI, but userspace sees it in F_GETFL; see bug 1650751.
+ #define FMODE_NONOTIFY 0x4000000
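
Review bot: the `#else` branch takes O_LARGEFILE straight from the headers for every architecture not listed, yet the comment kept just above it says the headers can define it as 0; on such a target O_LARGEFILE_REAL silently becomes 0 and the real flag bit is not represented. Add a build-time check in that branch (for example an `#error` when `O_LARGEFILE == 0`) so an unlisted target fails loudly, and reword the comment, which still names only x86_64. The patch file also starts directly at the `---` line with no description of why it exists; a one-line header would help whoever rebases it.
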
diff --git a/srcpkgs/firefox/template b/srcpkgs/firefox/template
index 8383fcc952f..7d792ca84e7 100644
--- a/srcpkgs/firefox/template
+++ b/srcpkgs/firefox/template
@@ -4,7 +4,7 @@
 #
 pkgname=firefox
 version=83.0
-revision=1
+revision=2
 build_helper="rust"
 short_desc="Mozilla Firefox web browser"
 maintainer="Johannes <johannes.brechtmann@gmail.com>"

* Re: firefox: fix sandbox for fcntl
From: jnbr @ 2020-11-24 18:36 UTC
  To: ml

New comment by jnbr on void-packages repository

https://github.com/void-linux/void-packages/pull/26663#issuecomment-733160937

Comment:
Thanks, updated.

* Re: [PR PATCH] [Merged]: firefox: fix sandbox for fcntl
From: jnbr @ 2020-11-24 18:37 UTC
  To: ml

There's a merged pull request on the void-packages repository

firefox: fix sandbox for fcntl
https://github.com/void-linux/void-packages/pull/26663

Description:
fixes #26639 

[ci skip]

* Re: firefox: fix sandbox for fcntl
From: pullmoll @ 2020-11-24 19:49 UTC
  To: ml

New comment by pullmoll on void-packages repository

https://github.com/void-linux/void-packages/pull/26663#issuecomment-733196394

Comment:
This same patch applies and is certainly required for `firefox-esr` and thus also `icecat` as well.
I'll add it and push the updates once the builders are done with `firefox`.


* Re: firefox: fix sandbox for fcntl
From: jnbr @ 2020-11-24 20:39 UTC
  To: ml

New comment by jnbr on void-packages repository

https://github.com/void-linux/void-packages/pull/26663#issuecomment-733221167

Comment:
Good point. Same for thunderbird.

* Re: firefox: fix sandbox for fcntl
From: q66 @ 2020-11-24 22:47 UTC
  To: ml

New comment by q66 on void-packages repository

https://github.com/void-linux/void-packages/pull/26663#issuecomment-733277343

Comment:
why would it be required? these are all ESR, i.e. 78, and the patch was not needed until 83 (I have 82 still running on aarch64 with no issues)

* Re: firefox: fix sandbox for fcntl
From: jnbr @ 2020-11-24 23:09 UTC
  To: ml
New comment by jnbr on void-packages repository

https://github.com/void-linux/void-packages/pull/26663#issuecomment-733285061

Comment:
In general, it is mostly a problem on musl because musl passes O_NONBLOCK to fcntl().
On glibc, this is (usually?) not the case, so the bug won't be triggered there.
Just because the bug was not triggered as reliably before doesn't mean it's not there.
Patching the esr versions won't hurt, not sure if we need rebuilds, we could also do it with the next round of minor bumps


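An added illustration of the point discussed in this thread, not code from Firefox, Chromium or void-packages: status flags read back with F_GETFL carry the real O_LARGEFILE bit, so an allow-list built from a header value of 0 rejects them when they are passed on to F_SETFL. `setfl_allowed` and `flags_for_nonblock` are hypothetical names, and the allow-list is a simplified model assumed for the example.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE /* glibc exposes O_LARGEFILE only with this */
#endif
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/* Per-architecture selection as proposed in the thread. */
#if defined(__x86_64__) || defined(__i386__) || defined(__mips__)
#define O_LARGEFILE_REAL 0100000
#elif defined(__powerpc__)
#define O_LARGEFILE_REAL 0200000
#elif defined(O_LARGEFILE)
#define O_LARGEFILE_REAL O_LARGEFILE
#else
#define O_LARGEFILE_REAL 0 /* assumption: macro not exposed by the headers */
#endif

/* Hypothetical model of a filter rule: F_SETFL passes only when every bit
 * of `flags` is in an allow-list that includes `largefile`. */
static int setfl_allowed(int flags, int largefile)
{
    int allowed = O_ACCMODE | O_APPEND | O_NONBLOCK | largefile;
    return (flags & ~allowed) == 0;
}

/* Read-modify-write of status flags: whatever F_GETFL reports is sent back
 * to F_SETFL. Returns the would-be F_SETFL argument, or -1 on error. */
static int flags_for_nonblock(int fd)
{
    int fl = fcntl(fd, F_GETFL);
    return fl < 0 ? -1 : (fl | O_NONBLOCK);
}

int main(void)
{
    int fd = open("/dev/null", O_RDONLY);
    if (fd < 0) { perror("open"); return 1; }
    int want = flags_for_nonblock(fd);
    close(fd);
    printf("F_SETFL argument:            %#o\n", (unsigned)want);
    printf("allowed with mask value 0:   %d\n", setfl_allowed(want, 0));
    printf("allowed with O_LARGEFILE_REAL: %d\n", setfl_allowed(want, O_LARGEFILE_REAL));
    return 0;
}
```
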
* Re: firefox: fix sandbox for fcntl
From: q66 @ 2020-11-25  0:06 UTC
  To: ml

New comment by q66 on void-packages repository

https://github.com/void-linux/void-packages/pull/26663#issuecomment-733330428

Comment:
let's add the patch (for correctness) in the esr stuff, but i don't think there are issues with 78.x on aarch64 (even musl, iirc i tested it a while back), so we don't need to bump
