summaryrefslogtreecommitdiff
path: root/D146274.diff
diff options
context:
space:
mode:
authorMartin Stransky <stransky@redhat.com>2022-06-09 11:14:27 +0200
committerMartin Stransky <stransky@redhat.com>2022-06-09 11:14:27 +0200
commitfc1bf47cd86638b08e03b90b60b0bc80dd1d6c28 (patch)
treea546c6ae63cb2698f65388be7b3e60b6e913533c /D146274.diff
parentEnabled VA-API by default (+ added VA-API fixes from upstream), Fixed WebGL p... (diff)
downloadlibrewolf-fedora-ff-fc1bf47cd86638b08e03b90b60b0bc80dd1d6c28.tar.gz
librewolf-fedora-ff-fc1bf47cd86638b08e03b90b60b0bc80dd1d6c28.tar.bz2
librewolf-fedora-ff-fc1bf47cd86638b08e03b90b60b0bc80dd1d6c28.zip
Updated to 101.0.1, More VA-API sandbox fixes (mzbz#1769182)
Diffstat (limited to 'D146274.diff')
-rw-r--r--D146274.diff158
1 files changed, 158 insertions, 0 deletions
diff --git a/D146274.diff b/D146274.diff
new file mode 100644
index 0000000..8943ac4
--- /dev/null
+++ b/D146274.diff
@@ -0,0 +1,158 @@
+diff --git a/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp b/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp
+--- a/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp
++++ b/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp
+@@ -325,30 +325,84 @@
+ policy->AddDynamic(perms, trimPath.get());
+ }
+ }
+ }
+
++static void AddX11Dependencies(SandboxBroker::Policy* policy) {
++ // Allow Primus to contact the Bumblebee daemon to manage GPU
++ // switching on NVIDIA Optimus systems.
++ const char* bumblebeeSocket = PR_GetEnv("BUMBLEBEE_SOCKET");
++ if (bumblebeeSocket == nullptr) {
++ bumblebeeSocket = "/var/run/bumblebee.socket";
++ }
++ policy->AddPath(SandboxBroker::MAY_CONNECT, bumblebeeSocket);
++
++#if defined(MOZ_WIDGET_GTK) && defined(MOZ_X11)
++ // Allow local X11 connections, for several purposes:
++ //
++ // * for content processes to use WebGL when the browser is in headless
++ // mode, by opening the X display if/when needed
++ //
++ // * if Primus or VirtualGL is used, to contact the secondary X server
++ static const bool kIsX11 =
++ !mozilla::widget::GdkIsWaylandDisplay() && PR_GetEnv("DISPLAY");
++ if (kIsX11) {
++ policy->AddPrefix(SandboxBroker::MAY_CONNECT, "/tmp/.X11-unix/X");
++ if (auto* const xauth = PR_GetEnv("XAUTHORITY")) {
++ policy->AddPath(rdonly, xauth);
++ } else if (auto* const home = PR_GetEnv("HOME")) {
++ // This follows the logic in libXau: append "/.Xauthority",
++ // even if $HOME ends in a slash, except in the special case
++ // where HOME=/ because POSIX allows implementations to treat
++ // an initial double slash specially.
++ nsAutoCString xauth(home);
++ if (xauth != "/"_ns) {
++ xauth.Append('/');
++ }
++ xauth.AppendLiteral(".Xauthority");
++ policy->AddPath(rdonly, xauth.get());
++ }
++ }
++#endif
++}
++
++static void AddGLDependencies(SandboxBroker::Policy* policy) {
++ // Devices
++ policy->AddDir(rdwr, "/dev/dri");
++ policy->AddFilePrefix(rdwr, "/dev", "nvidia");
++
++ // Hardware info
++ AddDriPaths(policy);
++
++ // /etc and /usr/share (glvnd, libdrm, drirc, ...?)
++ policy->AddDir(rdonly, "/etc");
++ policy->AddDir(rdonly, "/usr/share");
++ policy->AddDir(rdonly, "/usr/local/share");
++
++ // Note: This function doesn't do anything about Mesa's shader
++ // cache, because the details can vary by process type, including
++ // whether caching is enabled.
++
++ AddX11Dependencies(policy);
++}
++
+ void SandboxBrokerPolicyFactory::InitContentPolicy() {
+ const bool headless =
+ StaticPrefs::security_sandbox_content_headless_AtStartup();
+
+ // Policy entries that are the same in every process go here, and
+ // are cached over the lifetime of the factory.
+ SandboxBroker::Policy* policy = new SandboxBroker::Policy;
+ // Write permssions
+- //
+- if (!headless) {
+- // Bug 1308851: NVIDIA proprietary driver when using WebGL
+- policy->AddFilePrefix(rdwr, "/dev", "nvidia");
+-
+- // Bug 1312678: Mesa with DRI when using WebGL
+- policy->AddDir(rdwr, "/dev/dri");
+- }
+
+ // Bug 1575985: WASM library sandbox needs RW access to /dev/null
+ policy->AddPath(rdwr, "/dev/null");
+
++ if (!headless) {
++ AddGLDependencies(policy);
++ }
++
+ // Read permissions
+ policy->AddPath(rdonly, "/dev/urandom");
+ policy->AddPath(rdonly, "/dev/random");
+ policy->AddPath(rdonly, "/proc/sys/crypto/fips_enabled");
+ policy->AddPath(rdonly, "/proc/cpuinfo");
+@@ -370,13 +424,10 @@
+ policy->AddDir(rdonly, "/run/host/fonts");
+ policy->AddDir(rdonly, "/run/host/user-fonts");
+ policy->AddDir(rdonly, "/run/host/local-fonts");
+ policy->AddDir(rdonly, "/var/cache/fontconfig");
+
+- if (!headless) {
+- AddDriPaths(policy);
+- }
+ AddLdconfigPaths(policy);
+ AddLdLibraryEnvPaths(policy);
+
+ if (!headless) {
+ // Bug 1385715: NVIDIA PRIME support
+@@ -569,45 +620,11 @@
+ }
+ }
+ #endif
+
+ if (!headless) {
+- // Allow Primus to contact the Bumblebee daemon to manage GPU
+- // switching on NVIDIA Optimus systems.
+- const char* bumblebeeSocket = PR_GetEnv("BUMBLEBEE_SOCKET");
+- if (bumblebeeSocket == nullptr) {
+- bumblebeeSocket = "/var/run/bumblebee.socket";
+- }
+- policy->AddPath(SandboxBroker::MAY_CONNECT, bumblebeeSocket);
+-
+-#if defined(MOZ_WIDGET_GTK) && defined(MOZ_X11)
+- // Allow local X11 connections, for several purposes:
+- //
+- // * for content processes to use WebGL when the browser is in headless
+- // mode, by opening the X display if/when needed
+- //
+- // * if Primus or VirtualGL is used, to contact the secondary X server
+- static const bool kIsX11 =
+- !mozilla::widget::GdkIsWaylandDisplay() && PR_GetEnv("DISPLAY");
+- if (kIsX11) {
+- policy->AddPrefix(SandboxBroker::MAY_CONNECT, "/tmp/.X11-unix/X");
+- if (auto* const xauth = PR_GetEnv("XAUTHORITY")) {
+- policy->AddPath(rdonly, xauth);
+- } else if (auto* const home = PR_GetEnv("HOME")) {
+- // This follows the logic in libXau: append "/.Xauthority",
+- // even if $HOME ends in a slash, except in the special case
+- // where HOME=/ because POSIX allows implementations to treat
+- // an initial double slash specially.
+- nsAutoCString xauth(home);
+- if (xauth != "/"_ns) {
+- xauth.Append('/');
+- }
+- xauth.AppendLiteral(".Xauthority");
+- policy->AddPath(rdonly, xauth.get());
+- }
+- }
+-#endif
++ AddX11Dependencies(policy);
+ }
+
+ // Bug 1732580: when packaged as a strictly confined snap, may need
+ // read-access to configuration files under $SNAP/.
+ const char* snap = PR_GetEnv("SNAP");
+
bgstack15