author | Max Rees <maxcrees@me.com> | 2020-06-02 15:42:44 -0500 |
---|---|---|
committer | Max Rees <maxcrees@me.com> | 2020-06-03 19:39:48 -0500 |
commit | 98a725069b0538ef835c6aed5895425b52db7e0e (patch) | |
tree | 3e58543d7cd9fb610e500cc419d7249b4f192828 /user/firefox-esr/seccomp-musl.patch | |
parent | bc1df8faf643506b42ca8545312ab8c566adb68b (diff) | |
[CVE] user/firefox-esr: bump to 68.9.0 and fix seccomp for time64 (#284)
Also "fix" statx support by pulling upstream patch to replace our
membarrier patch
Dropped rust-config.patch in the hopes it is no longer needed...
Diffstat (limited to 'user/firefox-esr/seccomp-musl.patch')
-rw-r--r-- | user/firefox-esr/seccomp-musl.patch | 49 |
1 files changed, 49 insertions, 0 deletions
diff --git a/user/firefox-esr/seccomp-musl.patch b/user/firefox-esr/seccomp-musl.patch
new file mode 100644
index 000000000..edd4a3024
--- /dev/null
+++ b/user/firefox-esr/seccomp-musl.patch
@@ -0,0 +1,49 @@
+Backport of https://hg.mozilla.org/mozilla-central/rev/a0be746532f437055e4190cc8db802ad1239405e
+
+diff --git a/security/sandbox/linux/SandboxFilter.cpp b/security/sandbox/linux/SandboxFilter.cpp
+--- a/security/sandbox/linux/SandboxFilter.cpp
++++ b/security/sandbox/linux/SandboxFilter.cpp
+@@ -419,16 +419,20 @@ class SandboxPolicyCommon : public Sandb
+ case __NR_faccessat:
+ return Trap(AccessAtTrap, mBroker);
+ CASES_FOR_stat:
+ return Trap(StatTrap, mBroker);
+ CASES_FOR_lstat:
+ return Trap(LStatTrap, mBroker);
+ CASES_FOR_fstatat:
+ return Trap(StatAtTrap, mBroker);
++ // Used by new libc and Rust's stdlib, if available.
++ // We don't have broker support yet so claim it does not exist.
++ case __NR_statx:
++ return Error(ENOSYS);
+ case __NR_chmod:
+ return Trap(ChmodTrap, mBroker);
+ case __NR_link:
+ return Trap(LinkTrap, mBroker);
+ case __NR_mkdir:
+ return Trap(MkdirTrap, mBroker);
+ case __NR_symlink:
+ return Trap(SymlinkTrap, mBroker);
+@@ -538,16 +542,20 @@ class SandboxPolicyCommon : public Sandb
+ .ElseIf(advice == MADV_HUGEPAGE, Allow())
+ .ElseIf(advice == MADV_NOHUGEPAGE, Allow())
+ #ifdef MOZ_ASAN
+ .ElseIf(advice == MADV_DONTDUMP, Allow())
+ #endif
+ .Else(InvalidSyscall());
+ }
+
++ // musl libc will set this up in pthreads support.
++ case __NR_membarrier:
++ return Allow();
++
+ // Signal handling
+ #if defined(ANDROID) || defined(MOZ_ASAN)
+ case __NR_sigaltstack:
+ #endif
+ CASES_FOR_sigreturn:
+ CASES_FOR_sigprocmask:
+ CASES_FOR_sigaction:
+ return Allow();
+
+
|
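Review bot: The added `case __NR_membarrier: return Allow();` arm in the second inner hunk (`@@ -538,16 +542,20 @@`) lets the syscall through with no argument filtering, and because it sits in SandboxPolicyCommon every policy that inherits this switch gets all membarrier commands; the comment should say so explicitly, e.g. `// musl's pthread code calls membarrier(); commands are not filtered, so all of them are allowed.` If the set of commands musl actually issues is known, restricting the first argument to those would keep the allowance narrow, in the same style as the `advice ==` chain just above it. The `__NR_statx` arm in the first inner hunk returns `ENOSYS` instead of trapping to the broker, which keeps path lookups on the brokered stat traps but depends on each caller falling back to them, and a one-line note of that dependency next to the case would help the next maintainer. Neither case is wrapped in an `#ifdef`, so the build presumably assumes kernel headers that define both `__NR_statx` and `__NR_membarrier`. The enclosing switch starts and ends outside both hunks.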