From 98a725069b0538ef835c6aed5895425b52db7e0e Mon Sep 17 00:00:00 2001
From: Max Rees <maxcrees@me.com>
Date: Tue, 2 Jun 2020 15:42:44 -0500
Subject: [CVE] user/firefox-esr: bump to 68.9.0 and fix seccomp for time64
 (#284)

Also "fix" statx support by pulling upstream patch to replace our
membarrier patch

Dropped rust-config.patch in the hopes it is no longer needed...
---
 user/firefox-esr/seccomp-musl.patch | 49 +++++++++++++++++++++++++++++++++++++
 1 file changed, 49 insertions(+)
 create mode 100644 user/firefox-esr/seccomp-musl.patch

(limited to 'user/firefox-esr/seccomp-musl.patch')

diff --git a/user/firefox-esr/seccomp-musl.patch b/user/firefox-esr/seccomp-musl.patch
new file mode 100644
index 000000000..edd4a3024
--- /dev/null
+++ b/user/firefox-esr/seccomp-musl.patch
@@ -0,0 +1,49 @@
+Backport of https://hg.mozilla.org/mozilla-central/rev/a0be746532f437055e4190cc8db802ad1239405e
+
+diff --git a/security/sandbox/linux/SandboxFilter.cpp b/security/sandbox/linux/SandboxFilter.cpp
+--- a/security/sandbox/linux/SandboxFilter.cpp
++++ b/security/sandbox/linux/SandboxFilter.cpp
+@@ -419,16 +419,20 @@ class SandboxPolicyCommon : public Sandb
+         case __NR_faccessat:
+           return Trap(AccessAtTrap, mBroker);
+         CASES_FOR_stat:
+           return Trap(StatTrap, mBroker);
+         CASES_FOR_lstat:
+           return Trap(LStatTrap, mBroker);
+         CASES_FOR_fstatat:
+           return Trap(StatAtTrap, mBroker);
++        // Used by new libc and Rust's stdlib, if available.
++        // We don't have broker support yet so claim it does not exist.
++        case __NR_statx:
++          return Error(ENOSYS);
+         case __NR_chmod:
+           return Trap(ChmodTrap, mBroker);
+         case __NR_link:
+           return Trap(LinkTrap, mBroker);
+         case __NR_mkdir:
+           return Trap(MkdirTrap, mBroker);
+         case __NR_symlink:
+           return Trap(SymlinkTrap, mBroker);
+@@ -538,16 +542,20 @@ class SandboxPolicyCommon : public Sandb
+             .ElseIf(advice == MADV_HUGEPAGE, Allow())
+             .ElseIf(advice == MADV_NOHUGEPAGE, Allow())
+ #ifdef MOZ_ASAN
+             .ElseIf(advice == MADV_DONTDUMP, Allow())
+ #endif
+             .Else(InvalidSyscall());
+       }
+ 
++        // musl libc will set this up in pthreads support.
++      case __NR_membarrier:
++        return Allow();
++
+       // Signal handling
+ #if defined(ANDROID) || defined(MOZ_ASAN)
+       case __NR_sigaltstack:
+ #endif
+       CASES_FOR_sigreturn:
+       CASES_FOR_sigprocmask:
+       CASES_FOR_sigaction:
+         return Allow();
+
+
-- 
cgit v1.2.3-70-g09d2