community/firefox-esr: inhibit musl isatty() sandbox violations

2 files changed, 19 insertions, 7 deletions

diff --git a/community/firefox-esr/APKBUILD b/community/firefox-esr/APKBUILD
index e5aa416f85..b4407048cd 100644
--- a/community/firefox-esr/APKBUILD
+++ b/community/firefox-esr/APKBUILD
@@ -2,7 +2,7 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=firefox-esr
 pkgver=60.4.0
-pkgrel=0
+pkgrel=1
 pkgdesc="Firefox web browser - Extended Support Release"
 url="https://www.mozilla.org/en-US/firefox/organizations/"
 # limited by rust and cargo
@@ -228,7 +228,7 @@ sha512sums="8119f52b2fc06f76868bf0781fec9d46c8551f0a3ca832ac9bdef6aa6d77c1d785e5
 2f4f15974d52de4bb273b62a332d13620945d284bbc6fe6bd0a1f58ff7388443bc1d3bf9c82cc31a8527aad92b0cd3a1bc41d0af5e1800e0dcbd7033e58ffd71  fix-fortify-system-wrappers.patch
 09bc32cf9ee81b9cc6bb58ddbc66e6cc5c344badff8de3435cde5848e5a451e0172153231db85c2385ff05b5d9c20760cb18e4138dfc99060a9e960de2befbd5  fix-fortify-inline.patch
 0fcc647af53a3ce21c2bc36e5631eb0935e7243ebb3ab59b5719542cc54a6ac023a4a857b43b75756efb9ed80c0aecaa94dc5679a3b3792f82e87bf2c1af82e1  disable-hunspell_hooks.patch
-70863b985427b9653ce5e28d6064f078fb6d4ccf43dd1b68e72f97f44868fc0ce063161c39a4e77a0a1a207b7365d5dc7a7ca5e68c726825eba814f2b93e2f5d  fix-seccomp-bpf.patch
+2f713a270f7d1588ec4a0b9c21e5a0d20823954e6a64293ee1a391f80d38af6c0a80b3d35c3ada59b605f6032fb2af3040cd8ca7f424b0e620cc53fd12674fd9  fix-seccomp-bpf.patch
 a2925045154f4fd34e5fc056656f4f9da100341529e5d4104d249154db0c7863384083f421ce6e47e0f20566a8b20787fa35444c7933c03cd03f96f06dcd4532  fix-toolkit.patch
 b46cb90d4fdd1a925a61e2c6c545489cd542f5d82980c529361c02042eed31d5c26972b5e237c1a020f87ffcfd12736d1f4f6e33eaa83ae156d523c808c718cb  fix-tools.patch
 bdcd1b402d2ec94957ba5d08cbad7b1a7f59c251c311be9095208491a05abb05a956c79f27908e1f26b54a3679387b2f33a51e945b650671ad85c0a2d59a5a29  mallinfo.patch
diff --git a/community/firefox-esr/fix-seccomp-bpf.patch b/community/firefox-esr/fix-seccomp-bpf.patch
index 47cde56c74..ee6d666400 100644
--- a/community/firefox-esr/fix-seccomp-bpf.patch
+++ b/community/firefox-esr/fix-seccomp-bpf.patch
@@ -1,8 +1,9 @@
---- a/security/sandbox/chromium/sandbox/linux/seccomp-bpf/trap.cc.orig	2015-09-23 09:10:08.812740571 +0200
-+++ b/security/sandbox/chromium/sandbox/linux/seccomp-bpf/trap.cc	2015-09-23 09:11:38.404746155 +0200
-@@ -23,6 +23,11 @@
- #include "sandbox/linux/services/android_ucontext.h"
- #endif
+diff -ru firefox-62.0.3.orig/security/sandbox/chromium/sandbox/linux/seccomp-bpf/trap.cc firefox-62.0.3/security/sandbox/chromium/sandbox/linux/seccomp-bpf/trap.cc
+--- firefox-62.0.3.orig/security/sandbox/chromium/sandbox/linux/seccomp-bpf/trap.cc	2018-12-14 08:53:46.083976137 +0000
++++ firefox-62.0.3/security/sandbox/chromium/sandbox/linux/seccomp-bpf/trap.cc	2018-12-14 08:51:22.084596411 +0000
+@@ -25,6 +25,11 @@
+ #include "sandbox/linux/system_headers/linux_seccomp.h"
+ #include "sandbox/linux/system_headers/linux_signal.h"
  
 +// musl libc defines siginfo_t __si_fields instead of _sifields
 +#if defined(OS_LINUX) && !defined(__GLIBC__)
@@ -12,3 +13,14 @@
  namespace {
  
  struct arch_sigsys {
+diff -ru firefox-62.0.3.orig/security/sandbox/linux/SandboxFilter.cpp firefox-62.0.3/security/sandbox/linux/SandboxFilter.cpp
+--- firefox-62.0.3.orig/security/sandbox/linux/SandboxFilter.cpp	2018-10-01 18:35:28.000000000 +0000
++++ firefox-62.0.3/security/sandbox/linux/SandboxFilter.cpp	2018-12-14 08:57:50.645264590 +0000
+@@ -1005,6 +1005,7 @@
+         // ffmpeg, and anything else that calls isatty(), will be told
+         // that nothing is a typewriter:
+         .ElseIf(request == TCGETS, Error(ENOTTY))
++        .ElseIf(request == TIOCGWINSZ, Error(ENOTTY))
+         // Allow anything that isn't a tty ioctl, for now; bug 1302711
+         // will cover changing this to a default-deny policy.
+         .ElseIf(shifted_type != kTtyIoctls, Allow())