author | Timo Teräs <timo.teras@iki.fi> | 2017-07-11 07:40:24 +0000 |
---|---|---|
committer | Timo Teräs <timo.teras@iki.fi> | 2017-07-11 08:28:25 +0000 |
commit | 45f1983a73da1a7f785d8110cce63bbf2240fc18 (patch) | |
tree | 798f997b929594f03fd22c8ef6303cf8c0b94c3a /testing/firefox | |
parent | 79120c4cde882291dfae5eb28d5c7ecf73c00708 (diff) | |
testing/firefox: improve seccomp, use pthread_setname_np
ref #7454
Diffstat (limited to 'testing/firefox')
-rw-r--r-- | testing/firefox/APKBUILD | 6 | ||||
-rw-r--r-- | testing/firefox/fix-seccomp-bpf.patch | 31 | ||||
-rw-r--r-- | testing/firefox/musl-pthread-setname.patch | 14 |
3 files changed, 33 insertions, 18 deletions
diff --git a/testing/firefox/APKBUILD b/testing/firefox/APKBUILD
index c90a686e66..392037fa8b 100644
--- a/testing/firefox/APKBUILD
+++ b/testing/firefox/APKBUILD
@@ -4,7 +4,7 @@ pkgname=firefox
 pkgver=54.0.1
 _pkgver=$pkgver
 _xulver=$pkgver
-pkgrel=0
+pkgrel=1
 pkgdesc="Firefox web browser"
 url="http://www.firefox.com"
 # limited by rust and cargo
@@ -60,7 +60,6 @@ source="https://ftp.mozilla.org/pub/firefox/releases/$pkgver/source/firefox-$pkg
 fix-toolkit.patch
 fix-tools.patch
 mallinfo.patch
- musl-pthread-setname.patch
 fix-fortify-system-wrappers.patch
 fix-arm-atomics-grsec.patch
@@ -223,11 +222,10 @@ sha512sums="43607c2c0af995a21dc7f0f68b24b7e5bdb3faa5ee06025901c826bfe4d169256ea1
 7e123144bc2b1efed149dfb41b255c447d43ea93a63ebe114d01945e6a6d69edc2f2a3c36980a93279106c1842355851b8b6c1d96679ee6be7b9b30513e0b1a8 0002-Use-C99-math-isfinite.patch
 09bc32cf9ee81b9cc6bb58ddbc66e6cc5c344badff8de3435cde5848e5a451e0172153231db85c2385ff05b5d9c20760cb18e4138dfc99060a9e960de2befbd5 fix-fortify-inline.patch
 0fcc647af53a3ce21c2bc36e5631eb0935e7243ebb3ab59b5719542cc54a6ac023a4a857b43b75756efb9ed80c0aecaa94dc5679a3b3792f82e87bf2c1af82e1 disable-hunspell_hooks.patch
-70863b985427b9653ce5e28d6064f078fb6d4ccf43dd1b68e72f97f44868fc0ce063161c39a4e77a0a1a207b7365d5dc7a7ca5e68c726825eba814f2b93e2f5d fix-seccomp-bpf.patch
+5e7722b8899bf25f5a941980de9a4e9e9a1efcfa9ce12edb70e525e6022bc0e8ef284804be622e8d17eb3bbc1d99c1554b54cfd4d066ea639de810d30005267f fix-seccomp-bpf.patch
 a2925045154f4fd34e5fc056656f4f9da100341529e5d4104d249154db0c7863384083f421ce6e47e0f20566a8b20787fa35444c7933c03cd03f96f06dcd4532 fix-toolkit.patch
 94884c11ff4b38ed33cd890c21956f956fadc9b53c78891074501388cb2c95674a143a0109cbd7cc2b7f4035d6514cd800686f56778fc3711603dc0187c1b703 fix-tools.patch
 bdcd1b402d2ec94957ba5d08cbad7b1a7f59c251c311be9095208491a05abb05a956c79f27908e1f26b54a3679387b2f33a51e945b650671ad85c0a2d59a5a29 mallinfo.patch
-3f535b1e4e9a5a0506ef6f6d9427a84fae1efa3c8e8d6b25b21046d2d04c132bde1a7a98e415067e5c542f699d89249b8cc3d925e0be4e96db498037429691ef musl-pthread-setname.patch
 2a967e4619fd89a046bd40be7fdcef646fcb1eba5e47afc96aa1d59c25bcc8747cb07baee6c11f3b803db0981aced181534b806778e4d21e74958f5f4d74c784 fix-fortify-system-wrappers.patch
 ed0d344c66fc8e1cc83a11e9858b32c42e841cbeedd9eb9438811e9fcc3593dc824a8336d00058d55836cedc970aeadd6a82c6dcd7bc0fb746e564d8b478cc6c fix-arm-atomics-grsec.patch
 015e1ff6dbf920033982b5df95d869a0b7bf56c6964e45e50649ddf46d1ce09563458e45240c3ecb92808662b1300b67507f7af272ba184835d91068a9e7d5b0 fix-arm-version-detect.patch
diff --git a/testing/firefox/fix-seccomp-bpf.patch b/testing/firefox/fix-seccomp-bpf.patch
index 47cde56c74..aaf6b563aa 100644
--- a/testing/firefox/fix-seccomp-bpf.patch
+++ b/testing/firefox/fix-seccomp-bpf.patch
@@ -12,3 +12,34 @@
 namespace {
 
 struct arch_sigsys {
+--- firefox-54.0.1/security/sandbox/linux/SandboxFilter.cpp.orig 2017-07-11 07:51:56.342122784 +0000
++++ firefox-54.0.1/security/sandbox/linux/SandboxFilter.cpp 2017-07-11 08:05:27.553930300 +0000
+@@ -134,6 +134,7 @@
+ .Case(flags_common | CLONE_DETACHED, Allow()) // <= JB 4.2
+ .Case(flags_common, Allow()) // JB 4.3 or KK 4.4
+ #endif
++ .Case(flags_modern | CLONE_DETACHED, Allow()) // musl
+ .Case(flags_modern, Allow()) // Android L or glibc
+ .Default(failPolicy);
+ }
+@@ -241,6 +242,9 @@
+ // Polyfill with tgkill; see above.
+ case __NR_tkill:
+ return Trap(TKillCompatTrap, nullptr);
++#elseif !defined(__GLIBC__)
++ case __NR_tkill:
++ return Allow();
+ #endif
+ 
+ // Yield
+--- firefox-54.0.1/security/sandbox/linux/SandboxFilterUtil.h.orig 2017-07-11 08:05:38.380798447 +0000
++++ firefox-54.0.1/security/sandbox/linux/SandboxFilterUtil.h 2017-07-11 08:06:20.274911403 +0000
+@@ -118,7 +118,7 @@
+ #define CASES_FOR_fstatfs case __NR_fstatfs
+ #define CASES_FOR_statfs case __NR_statfs
+ #define CASES_FOR_fcntl case __NR_fcntl
+-#define CASES_FOR_getdents case __NR_getdents
++#define CASES_FOR_getdents case __NR_getdents64: case __NR_getdents
+ #define CASES_FOR_lseek case __NR_lseek
+ #define CASES_FOR_ftruncate case __NR_ftruncate
+ #endif
diff --git a/testing/firefox/musl-pthread-setname.patch b/testing/firefox/musl-pthread-setname.patch
deleted file mode 100644
index 3bf620219b..0000000000
--- a/testing/firefox/musl-pthread-setname.patch
+++ /dev/null
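Review bot: `#elseif` in the added tkill lines for SandboxFilter.cpp is not a preprocessor directive, so the new branch cannot work as written: inside a skipped conditional group it is ignored and the added `case __NR_tkill:` is never compiled, and inside a taken group it is a build error. It should read `#elif !defined(__GLIBC__)`. Once the branch is live, `return Allow();` admits tkill for any thread id, which looks wider than the tgkill polyfill on the lines just above it; if `TKillCompatTrap` is visible outside the first conditional (its definition is not in the hunk), `return Trap(TKillCompatTrap, nullptr);` would keep the narrower behaviour for musl. The opening `#if` and the enclosing switch start outside the hunk, so the condition that guards the first branch should be confirmed against the full file.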
@@ -1,14 +0,0 @@
---- a/js/src/threading/posix/Thread.cpp.orig 2016-09-20 22:19:46.368622126 +0200
-+++ b/js/src/threading/posix/Thread.cpp 2016-09-20 22:23:35.495823534 +0200
-@@ -153,8 +153,10 @@
- rv = 0;
- #elif defined(__NetBSD__)
- rv = pthread_setname_np(pthread_self(), "%s", (void*)name);
--#else
-+#elif defined(__GLIBC__)
- rv = pthread_setname_np(pthread_self(), name);
-+#else
-+ rv = 0;
- #endif
- MOZ_RELEASE_ASSERT(!rv);
- } |