firefox: unveil and pledge enhancements [11]

classic Classic list List threaded Threaded
4 messages Options
Reply | Threaded
Open this post in threaded view
|

firefox: unveil and pledge enhancements [11]

joshua stein-3
If you're following along at home, here's an update for Firefox 70.

Now uses an external PATCHFILE so I can keep my feature patches
together as separate commits, which are still waiting on upstream
integration.


Index: Makefile
===================================================================
RCS file: /cvs/ports/www/mozilla-firefox/Makefile,v
retrieving revision 1.400
diff -u -p -u -p -r1.400 Makefile
--- Makefile 23 Oct 2019 19:38:07 -0000 1.400
+++ Makefile 27 Oct 2019 18:14:58 -0000
@@ -10,6 +10,11 @@ MOZILLA_BRANCH = release
 MOZILLA_PROJECT = firefox
 MOZILLA_CODENAME = browser
 
+REVISION= 0
+
+MASTER_SITES0= https://jcs.org/patches/
+PATCHFILES+= firefox70-unveil0.diff:0
+
 WRKDIST = ${WRKDIR}/${MOZILLA_DIST}-${MOZILLA_DIST_VERSION:C/b[0-9]*//}
 HOMEPAGE = https://www.mozilla.org/firefox/
 SO_VERSION = 85.0
@@ -53,6 +58,8 @@ BUILD_DEPENDS += devel/cbindgen>=0.9.1
 # 67 requires nasm for bundled libdav1d
 BUILD_DEPENDS += devel/nasm
 .endif
+# unveil support relies on xdg-open
+RUN_DEPENDS += devel/xdg-utils
 
 WANTLIB += X11-xcb Xcursor Xi intl xcb xcb-shm ${COMPILER_LIBCXX}
 
@@ -66,7 +73,7 @@ MAKE_ENV += BUILD_VERBOSE_LOG="1" CARGO
 CONFIGURE_ARGS += --enable-release #1386371
 CONFIGURE_ARGS += --enable-sandbox
 CONFIGURE_ARGS += --with-libclang-path=${LOCALBASE}/lib
-SUBST_VARS += LOCALBASE X11BASE
+SUBST_VARS += LOCALBASE X11BASE MOZILLA_PROJECT
 
 show-commit:
  @curl -s https://releases.mozilla.org/pub/mozilla.org/firefox/releases/${MOZILLA_VERSION}/SOURCE| awk -F / '/^https:\/\/hg/ {print $$7 }'
@@ -94,6 +101,10 @@ post-install:
  ${PREFIX}/share/pixmaps/firefox.png
 
  # link default48.png to default.png to be used by default by non-icccm compliant wm
- ln ${PREFIX}/lib/${MOZILLA_PROJECT}/browser/chrome/icons/default/default{48,}.png
+ ln -f ${PREFIX}/lib/${MOZILLA_PROJECT}/browser/chrome/icons/default/default{48,}.png
+
+.for f in unveil.content unveil.gpu unveil.main pledge.content pledge.gpu pledge.main
+ ${INSTALL_DATA} ${FILESDIR}/${f} ${PREFIX}/lib/${MOZILLA_PROJECT}/browser/defaults/preferences/
+.endfor
 
 .include <bsd.port.mk>
Index: distinfo
===================================================================
RCS file: /cvs/ports/www/mozilla-firefox/distinfo,v
retrieving revision 1.201
diff -u -p -u -p -r1.201 distinfo
--- distinfo 23 Oct 2019 19:38:07 -0000 1.201
+++ distinfo 27 Oct 2019 18:14:58 -0000
@@ -1,2 +1,4 @@
 SHA256 (mozilla/firefox-70.0.source.tar.xz) = zZ8pAnU4McB8Sy7mT3gm8zyhEjrdZEDcNKvj/xc6DMY=
+SHA256 (mozilla/firefox70-unveil0.diff) = EnnlfBPb9tIp2YX4SmDSGPzOK6pE3AEbKtyXxVf6JuU=
 SIZE (mozilla/firefox-70.0.source.tar.xz) = 321160764
+SIZE (mozilla/firefox70-unveil0.diff) = 17276
Index: files/all-openbsd.js
===================================================================
RCS file: /cvs/ports/www/mozilla-firefox/files/all-openbsd.js,v
retrieving revision 1.10
diff -u -p -u -p -r1.10 all-openbsd.js
--- files/all-openbsd.js 9 Sep 2019 18:50:35 -0000 1.10
+++ files/all-openbsd.js 27 Oct 2019 18:14:58 -0000
@@ -5,10 +5,6 @@ pref("app.normandy.enabled",false);
 pref("browser.safebrowsing.enabled", false);
 pref("browser.safebrowsing.malware.enabled", false);
 pref("spellchecker.dictionary_path", "${LOCALBASE}/share/mozilla-dicts/");
-// enable pledging the content process
-pref("security.sandbox.content.level", 1);
-pref("security.sandbox.pledge.main","stdio rpath wpath cpath inet proc exec prot_exec flock ps sendfd recvfd dns vminfo tty drm unix fattr getpw mcast video");
-pref("security.sandbox.pledge.content","stdio rpath wpath cpath inet recvfd sendfd prot_exec unix drm ps");
 pref("extensions.pocket.enabled", false);
 pref("browser.newtabpage.enabled", false);
 pref("browser.startup.homepage", "about:blank");
Index: files/pledge.content
===================================================================
RCS file: files/pledge.content
diff -N files/pledge.content
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ files/pledge.content 27 Oct 2019 18:14:58 -0000
@@ -0,0 +1,10 @@
+stdio
+rpath
+wpath
+cpath
+recvfd
+sendfd
+prot_exec
+unix
+drm
+ps
Index: files/pledge.gpu
===================================================================
RCS file: files/pledge.gpu
diff -N files/pledge.gpu
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ files/pledge.gpu 27 Oct 2019 18:14:58 -0000
@@ -0,0 +1,11 @@
+stdio
+rpath
+wpath
+cpath
+ps
+sendfd
+recvfd
+drm
+dns
+unix
+prot_exec
Index: files/pledge.main
===================================================================
RCS file: files/pledge.main
diff -N files/pledge.main
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ files/pledge.main 27 Oct 2019 18:14:58 -0000
@@ -0,0 +1,21 @@
+stdio
+rpath
+wpath
+cpath
+inet
+proc
+exec
+prot_exec
+flock
+ps
+sendfd
+recvfd
+dns
+vminfo
+tty
+drm
+unix
+fattr
+getpw
+mcast
+video
Index: files/unveil.content
===================================================================
RCS file: files/unveil.content
diff -N files/unveil.content
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ files/unveil.content 27 Oct 2019 18:14:58 -0000
@@ -0,0 +1,43 @@
+/dev/drm0 rw
+
+/etc/fonts r
+/etc/machine-id r
+/usr/local/lib r
+/usr/local/firefox r
+/usr/local/share r
+/usr/share/locale r
+/var/cache/fontconfig r
+/usr/X11R6/lib r
+/usr/X11R6/share r
+/var/run r
+
+~/.XCompose r
+~/.Xauthority r
+~/.Xdefaults r
+~/.fontconfig r
+~/.fonts r
+~/.fonts.conf r
+~/.fonts.conf.d r
+~/.icons r
+~/.pki rwc
+~/.sndio rwc
+~/.terminfo r
+
+~/.mozilla r
+~/Downloads r
+
+/tmp rwc
+
+$XDG_CONFIG_HOME/dconf rwc
+$XDG_CONFIG_HOME/fontconfig r
+$XDG_CONFIG_HOME/gtk-3.0 r
+$XDG_CONFIG_HOME/mimeapps.list r
+$XDG_CONFIG_HOME/mozilla rwc
+$XDG_CONFIG_HOME/user-dirs.dirs r
+$XDG_DATA_HOME/applications r
+$XDG_DATA_HOME/applnk r
+$XDG_DATA_HOME/fonts r
+$XDG_DATA_HOME/glib-2.0 r
+$XDG_DATA_HOME/icons r
+$XDG_DATA_HOME/mime r
+$XDG_DATA_HOME/themes r
Index: files/unveil.gpu
===================================================================
RCS file: files/unveil.gpu
diff -N files/unveil.gpu
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ files/unveil.gpu 27 Oct 2019 18:14:58 -0000
@@ -0,0 +1,11 @@
+/dev/drm0 rw
+
+/usr/local/lib/firefox r
+/usr/local/lib/gdk-pixbuf-2.0 r
+/usr/X11R6/lib r
+/usr/share/locale r
+/usr/local/share r
+
+/tmp rwc
+
+~/.Xauthority r
Index: files/unveil.main
===================================================================
RCS file: files/unveil.main
diff -N files/unveil.main
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ files/unveil.main 27 Oct 2019 18:14:58 -0000
@@ -0,0 +1,63 @@
+# for uuid generation?
+/dev/urandom r
+/dev/video rw
+
+/etc/fonts r
+/etc/machine-id r
+
+/usr/local/lib r
+/usr/local/firefox r
+/usr/local/lib/firefox rx
+/usr/local/share r
+/usr/share/locale r
+/var/cache/fontconfig r
+/usr/X11R6/lib r
+/usr/X11R6/share r
+/var/run r
+
+# printing
+/usr/bin/lpr rx
+
+# for launching registered 3rd party applications like pdf readers
+/usr/local/bin/gio-launch-desktop rx
+/etc/mailcap r
+~/.mailcap r
+~/.mime.types r
+
+~/.XCompose r
+~/.Xauthority r
+~/.Xdefaults r
+~/.fontconfig r
+~/.fonts r
+~/.fonts.conf r
+~/.fonts.conf.d r
+~/.icons r
+~/.pki rwc
+~/.sndio rwc
+~/.terminfo r
+
+~/.mozilla rwc
+~/Downloads rwc
+
+# for at least shm_open (for now)
+/tmp rwc
+
+# $XDG_CACHE_HOME, $XDG_CONFIG_HOME, and $XDG_DATA_HOME will expand to the
+# given variable if it exists in the environment, otherwise defaulting to
+# ~/.cache, ~/.config, and ~/.local/share
+$XDG_CACHE_HOME/dconf rwc
+$XDG_CACHE_HOME/thumbnails rwc
+$XDG_CONFIG_HOME/dconf rw
+$XDG_CONFIG_HOME/fontconfig r
+$XDG_CONFIG_HOME/gtk-3.0 r
+$XDG_CONFIG_HOME/mimeapps.list r
+$XDG_CONFIG_HOME/mozilla rwc
+$XDG_CONFIG_HOME/user-dirs.dirs r
+$XDG_DATA_HOME/applications rwc
+$XDG_DATA_HOME/applnk r
+$XDG_DATA_HOME/fonts r
+$XDG_DATA_HOME/glib-2.0 r
+$XDG_DATA_HOME/icons r
+$XDG_DATA_HOME/mime r
+$XDG_DATA_HOME/recently-used.xbel rwc
+$XDG_DATA_HOME/themes r
Index: pkg/PLIST
===================================================================
RCS file: /cvs/ports/www/mozilla-firefox/pkg/PLIST,v
retrieving revision 1.81
diff -u -p -u -p -r1.81 PLIST
--- pkg/PLIST 23 Oct 2019 19:38:08 -0000 1.81
+++ pkg/PLIST 27 Oct 2019 18:14:58 -0000
@@ -28,6 +28,12 @@ lib/${MOZILLA_PROJECT}/browser/chrome/ic
 lib/${MOZILLA_PROJECT}/browser/defaults/
 lib/${MOZILLA_PROJECT}/browser/defaults/preferences/
 lib/${MOZILLA_PROJECT}/browser/defaults/preferences/all-openbsd.js
+lib/${MOZILLA_PROJECT}/browser/defaults/preferences/pledge.content
+lib/${MOZILLA_PROJECT}/browser/defaults/preferences/pledge.gpu
+lib/${MOZILLA_PROJECT}/browser/defaults/preferences/pledge.main
+lib/${MOZILLA_PROJECT}/browser/defaults/preferences/unveil.content
+lib/${MOZILLA_PROJECT}/browser/defaults/preferences/unveil.gpu
+lib/${MOZILLA_PROJECT}/browser/defaults/preferences/unveil.main
 lib/${MOZILLA_PROJECT}/browser/features/
 lib/${MOZILLA_PROJECT}/browser/features/[hidden email]
 lib/${MOZILLA_PROJECT}/browser/features/[hidden email]
Index: pkg/README
===================================================================
RCS file: /cvs/ports/www/mozilla-firefox/pkg/README,v
retrieving revision 1.24
diff -u -p -u -p -r1.24 README
--- pkg/README 11 Jun 2019 06:01:20 -0000 1.24
+++ pkg/README 27 Oct 2019 18:14:58 -0000
@@ -14,6 +14,43 @@ firefox -ProfileManager, and click "Crea
 If Firefox doesn't start at all, try starting it with -safe-mode
 switch, which disables extensions and themes for your session.
 
+pledge(2) and unveil(2) Support
+===============================
+Firefox on OpenBSD is secured with pledge(2) and unveil(2) to limit
+the system calls and filesystem access that each of Firefox's three
+process types (main, content, and GPU) is permitted.  By default,
+only ~/Downloads and /tmp can be written to when downloading files,
+or when viewing local files as file:// URLs.
+
+Files containing pledge promises and unveil paths and permissions
+for each type of process are located in
+${LOCALBASE}/lib/${MOZILLA_PROJECT}/browser/defaults/preferences/.
+Each file can be overridden by copying it to ${SYSCONFDIR}/firefox/
+and modifying it.
+
+3rd-Party MIME Handlers
+=======================
+Due to unveil(2) limiting filesystem access, only the default MIME
+handler registered for a given type can be chosen when opening a
+downloaded file.  For example, to use the mupdf package to read
+PDFs, it must be registered as the default with XDG:
+
+ $ xdg-mime default mupdf.desktop application/pdf
+
+The current default for a given type can be viewed with xdg-mime's
+query command:
+
+ $ xdg-mime query default application/pdf
+
+The older mailcap-format handlers are also supported, but the path
+being executed must be explicitly added to the unveil.main file
+with "rx" permissions.  For example, a ~/.mailcap file specifying:
+
+ application/pdf; ${LOCALBASE}/bin/xpdf %s
+
+must have "${LOCALBASE}/bin/xpdf rx" added to unveil.main for it to
+appear as an option in the "Open With" drop-down.
+
 Using mailto: links
 ===================
 To enable mailto: links in Firefox to open in your mail program,
@@ -33,22 +70,25 @@ Debugging
 If you encounter crashes, you might want to build the debug FLAVOR of
 this package, and run firefox inside egdb, so that you can gather
 debugging logs and traces (for all threads!).
+
 If this is a pledge violation, you should figure out which codepath
 in which process leads to calling a forbidden syscall, and which pledge
-is missing from the two default sets configured in
-security.sandbox.pledge.main and security.sandbox.pledge.content
-about:config keys. MOZ_LOG=SandboxPledge:5 should help.
-Bug reports without enough information will be ignored.
+is missing from the sets configured according to the section above.
+Setting MOZ_LOG=SandboxPledge:5 should help.  Bug reports without
+enough information will be ignored.
 
 Note that if you're using NIS or your profile is located on a NFS share,
-you might need to add 'getpw' to security.sandbox.pledge.content in
-about:config.
+you might need to add 'getpw' to the the pledge.content file.
+
+If using the amdgpu driver, you might need to add 'ioctl' to the
+pledge.content file.
 
-If using the amdgpu driver, you might need to add 'ioctl' to
-security.sandbox.pledge.content in about:config.
+If you're not running sndiod(8) you will need to add 'audio' to the
+pledge.main file.
 
-If you're not running sndiod(8) you will need to add 'audio' to
-security.sandbox.pledge.main in about:config.
+To disable pledge and/or unveil support when troubleshooting, set
+the corresponding pledge or unveil file to just contain the string
+"disable".
 
 D-BUS
 =====

Reply | Threaded
Open this post in threaded view
|

Re: firefox: unveil and pledge enhancements [11]

Solene Rapenne
On Sun, Oct 27, 2019 at 01:18:11PM -0500, joshua stein wrote:
> If you're following along at home, here's an update for Firefox 70.
>
> Now uses an external PATCHFILE so I can keep my feature patches
> together as separate commits, which are still waiting on upstream
> integration.
>
>

I've been using it for one day, no issue so far.

I have no opinion about the patch itself.

Reply | Threaded
Open this post in threaded view
|

Re: firefox: unveil and pledge enhancements [11]

Solene Rapenne
In reply to this post by joshua stein-3
On Sun, Oct 27, 2019 at 01:18:11PM -0500, joshua stein wrote:
> If you're following along at home, here's an update for Firefox 70.
>
> Now uses an external PATCHFILE so I can keep my feature patches
> together as separate commits, which are still waiting on upstream
> integration.
>
>

I had a weird bug with this patch, opening a new tab/window was crashing
the tab, firefox became unusable except for already opened tabs.

Oct 30 22:21:47 solene /bsd: firefox[19433]: pledge "fattr", syscall 15

this happened after I deleted some packages, maybe this is related to
the .libs-firefox-69.0.2p0 deletion?

Killing firefox and restarting it did not solve the issue, restarting my
X session did not solve anything. A reboot did.

Oct 30 22:16:18 solene pkg_delete: Removed emacs-26.3-no_x11
Oct 30 22:16:18 solene pkg_delete: Removed llvm-8.0.1p0
Oct 30 22:16:19 solene pkg_delete: Removed rust-1.38.0
Oct 30 22:16:34 solene pkg_delete: Removed neverball-1.6.0p2v0
Oct 30 22:16:34 solene pkg_delete: Removed neverball-data-1.6.0v0
Oct 30 22:16:39 solene pkg_delete: Removed spatialindex-1.8.5p1
Oct 30 22:16:40 solene pkg_delete: Removed noto-fonts-20171024
Oct 30 22:16:40 solene pkg_delete: Removed gtk+3-cups-3.24.12
Oct 30 22:16:41 solene pkg_delete: Removed colord-1.3.5p1
Oct 30 22:16:41 solene pkg_delete: Removed luajit-2.0.5p1
Oct 30 22:16:41 solene pkg_delete: Removed libgit2-0.28.1
Oct 30 22:16:41 solene pkg_delete: Removed ninja-1.9.0
Oct 30 22:16:42 solene pkg_delete: Removed autoconf-2.13p4
Oct 30 22:16:42 solene pkg_delete: Removed libtool-2.4.2p0
Oct 30 22:16:42 solene pkg_delete: Removed cbindgen-0.9.1p0
Oct 30 22:16:42 solene pkg_delete: Removed libgnome-keyring-3.12.0p6
Oct 30 22:16:42 solene pkg_delete: Removed gtest-1.8.0p3
Oct 30 22:16:42 solene pkg_delete: Removed noto-emoji-20180810
Oct 30 22:16:43 solene pkg_delete: Removed yasm-1.3.0p1
Oct 30 22:16:43 solene pkg_delete: Removed .libs-icu4c-64.2p0
Oct 30 22:16:43 solene pkg_delete: Removed .libs1-firefox-69.0.2p0
Oct 30 22:16:43 solene pkg_delete: Removed enet-1.3.13p0

the ktrace of this error is the following

 69879 firefox  CALL  close(40)
 69879 firefox  RET   close 0
 69879 firefox  CALL  mmap(0,0x11000,0x3<PROT_READ|PROT_WRITE>,0x1002<MAP_PRIVATE|MAP_ANON>,-1,0)
 69879 firefox  RET   mmap 32581767426048/0x1da208ac7000
 69879 firefox  CALL  access(0x1da1923a1960,0x2<W_OK>)
 69879 firefox  NAMI  "/var/cache/fontconfig"
 69879 firefox  RET   access -1 errno 13 Permission denied
 69879 firefox  CALL  access(0x1da1923a1960,0<F_OK>)
 69879 firefox  NAMI  "/var/cache/fontconfig"
 69879 firefox  RET   access 0
 69879 firefox  CALL  kbind(0x7f7ffffec9d8,24,0x130d5ec3a798b908)
 69879 firefox  RET   kbind 0
 69879 firefox  CALL  chmod(0x1da1923a1960,0755<S_IRUSR|S_IWUSR|S_IXUSR|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH>)
 69879 firefox  PLDG  chmod, "fattr", errno 1 Operation not permitted
 69879 firefox  PSIG  SIGABRT SIG_DFL
 69879 firefox  NAMI  "firefox.core"
 69879 firefox  STRU  struct pollfd { fd=16, events=0x3<POLLIN|POLLPRI>, revents=0<> }
 58643 firefox  CALL  wait4(69879,0x38dfee4c21c,0x1<WNOHANG>,0)
 58643 firefox  RET   wait4 69879/0x110f7


my /var/cache/fontconfig permission was 755 for root:wheel , after
reboot it was the same.

After reboot, I tried reinstalling the packages and delete them again,
this did not trigger the error again.

Reply | Threaded
Open this post in threaded view
|

Re: firefox: unveil and pledge enhancements [11]

Theo de Raadt-2
This problem was just fixed by matthieu in X:

CVSROOT:        /cvs
Module name:    xenocara
Changes by:     [hidden email]        2019/10/28 13:38:47

Modified files:
        dist/fontconfig/src: fccompat.c fccache.c

Log message:
Stop calling chmod() in cache update code.
These calls are useless to toxic and come in the way of adding pledge
to applications (would require 'fattr' which is quite wide).
Discussed with deraadt, millert and jcs.
Submitted upstreams too.

The problem was specifically discover in firefox with pledge and
fattr, just as you experienced, but too close to 6.6 to fix for the
newfangled pledge/unveil stuff that is coming.

Surely you are probably running older code.  And your pkg changes
caused a font input to change, and therefore the library wanted to
do a silly chmod.

Solene Rapenne <[hidden email]> wrote:

> On Sun, Oct 27, 2019 at 01:18:11PM -0500, joshua stein wrote:
> > If you're following along at home, here's an update for Firefox 70.
> >
> > Now uses an external PATCHFILE so I can keep my feature patches
> > together as separate commits, which are still waiting on upstream
> > integration.
> >
> >
>
> I had a weird bug with this patch, opening a new tab/window was crashing
> the tab, firefox became unusable except for already opened tabs.
>
> Oct 30 22:21:47 solene /bsd: firefox[19433]: pledge "fattr", syscall 15
>
> this happened after I deleted some packages, maybe this is related to
> the .libs-firefox-69.0.2p0 deletion?
>
> Killing firefox and restarting it did not solve the issue, restarting my
> X session did not solve anything. A reboot did.
>
> Oct 30 22:16:18 solene pkg_delete: Removed emacs-26.3-no_x11
> Oct 30 22:16:18 solene pkg_delete: Removed llvm-8.0.1p0
> Oct 30 22:16:19 solene pkg_delete: Removed rust-1.38.0
> Oct 30 22:16:34 solene pkg_delete: Removed neverball-1.6.0p2v0
> Oct 30 22:16:34 solene pkg_delete: Removed neverball-data-1.6.0v0
> Oct 30 22:16:39 solene pkg_delete: Removed spatialindex-1.8.5p1
> Oct 30 22:16:40 solene pkg_delete: Removed noto-fonts-20171024
> Oct 30 22:16:40 solene pkg_delete: Removed gtk+3-cups-3.24.12
> Oct 30 22:16:41 solene pkg_delete: Removed colord-1.3.5p1
> Oct 30 22:16:41 solene pkg_delete: Removed luajit-2.0.5p1
> Oct 30 22:16:41 solene pkg_delete: Removed libgit2-0.28.1
> Oct 30 22:16:41 solene pkg_delete: Removed ninja-1.9.0
> Oct 30 22:16:42 solene pkg_delete: Removed autoconf-2.13p4
> Oct 30 22:16:42 solene pkg_delete: Removed libtool-2.4.2p0
> Oct 30 22:16:42 solene pkg_delete: Removed cbindgen-0.9.1p0
> Oct 30 22:16:42 solene pkg_delete: Removed libgnome-keyring-3.12.0p6
> Oct 30 22:16:42 solene pkg_delete: Removed gtest-1.8.0p3
> Oct 30 22:16:42 solene pkg_delete: Removed noto-emoji-20180810
> Oct 30 22:16:43 solene pkg_delete: Removed yasm-1.3.0p1
> Oct 30 22:16:43 solene pkg_delete: Removed .libs-icu4c-64.2p0
> Oct 30 22:16:43 solene pkg_delete: Removed .libs1-firefox-69.0.2p0
> Oct 30 22:16:43 solene pkg_delete: Removed enet-1.3.13p0
>
> the ktrace of this error is the following
>
>  69879 firefox  CALL  close(40)
>  69879 firefox  RET   close 0
>  69879 firefox  CALL  mmap(0,0x11000,0x3<PROT_READ|PROT_WRITE>,0x1002<MAP_PRIVATE|MAP_ANON>,-1,0)
>  69879 firefox  RET   mmap 32581767426048/0x1da208ac7000
>  69879 firefox  CALL  access(0x1da1923a1960,0x2<W_OK>)
>  69879 firefox  NAMI  "/var/cache/fontconfig"
>  69879 firefox  RET   access -1 errno 13 Permission denied
>  69879 firefox  CALL  access(0x1da1923a1960,0<F_OK>)
>  69879 firefox  NAMI  "/var/cache/fontconfig"
>  69879 firefox  RET   access 0
>  69879 firefox  CALL  kbind(0x7f7ffffec9d8,24,0x130d5ec3a798b908)
>  69879 firefox  RET   kbind 0
>  69879 firefox  CALL  chmod(0x1da1923a1960,0755<S_IRUSR|S_IWUSR|S_IXUSR|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH>)
>  69879 firefox  PLDG  chmod, "fattr", errno 1 Operation not permitted
>  69879 firefox  PSIG  SIGABRT SIG_DFL
>  69879 firefox  NAMI  "firefox.core"
>  69879 firefox  STRU  struct pollfd { fd=16, events=0x3<POLLIN|POLLPRI>, revents=0<> }
>  58643 firefox  CALL  wait4(69879,0x38dfee4c21c,0x1<WNOHANG>,0)
>  58643 firefox  RET   wait4 69879/0x110f7
>
>
> my /var/cache/fontconfig permission was 755 for root:wheel , after
> reboot it was the same.
>
> After reboot, I tried reinstalling the packages and delete them again,
> this did not trigger the error again.
>