OpenBSD Archive › openbsd user - ports

[wip] firefox 71.0b8 with unveil integration

_‹ Previous Topic Next Topic _›

Classic

List

Threaded

10 messages Options

Landry Breuil-5

[wip] firefox 71.0b8 with unveil integration

Hi,

now that jcs@'s work has been commited upstream and will be in firefox
72 (cf https://bugzilla.mozilla.org/show_bug.cgi?id=1580268,
https://bugzilla.mozilla.org/show_bug.cgi?id=1584839 &
https://bugzilla.mozilla.org/show_bug.cgi?id=1580271) i've backported
all the corresponding commits to the upcoming 71 release (due beginning
of december) in my git repo (in the unveil branch) and adapted the
corresponding pledge/unveil per-process configs - cf
https://cgit.rhaalovely.net/mozilla-firefox/?h=unveil

see
https://cgit.rhaalovely.net/mozilla-firefox/tree/pkg/README?h=unveil#n17
for the details on the configuration, and note that this will
break/ignore the file associations configured in firefox, relying on
xdg-open to rely on the file associations configured via xdg-mime.
https://cgit.rhaalovely.net/mozilla-firefox/tree/pkg/README?h=unveil#n68
has more bits on specific logging/debugging.

https://packages.rhaalovely.net/ has amd64 pkgs for 71.0b8 built from
this branch, and i'm running it now. This needs more testing from anyone
actually using firefox in weird environments so that we figure out more
missing paths.

Landry

Solene Rapenne

Re: [wip] firefox 71.0b8 with unveil integration

If someone can confirm a behavior I had with firefox patched for pledge and unveil
I was not able to delete extensions, but it wasn't triggering a pledge error and I've not been able to deal with the huge ktrace...Le 8 nov. 2019 23:48, Landry Breuil <[hidden email]> a écrit :

>
> Hi,
>
> now that jcs@'s work has been commited upstream and will be in firefox
> 72 (cf https://bugzilla.mozilla.org/show_bug.cgi?id=1580268,
> https://bugzilla.mozilla.org/show_bug.cgi?id=1584839 &
> https://bugzilla.mozilla.org/show_bug.cgi?id=1580271) i've backported
> all the corresponding commits to the upcoming 71 release (due beginning
> of december) in my git repo (in the unveil branch) and adapted the
> corresponding pledge/unveil per-process configs - cf
> https://cgit.rhaalovely.net/mozilla-firefox/?h=unveil
>
> see
> https://cgit.rhaalovely.net/mozilla-firefox/tree/pkg/README?h=unveil#n17
> for the details on the configuration, and note that this will
> break/ignore the file associations configured in firefox, relying on
> xdg-open to rely on the file associations configured via xdg-mime.
> https://cgit.rhaalovely.net/mozilla-firefox/tree/pkg/README?h=unveil#n68
> has more bits on specific logging/debugging.
>
> https://packages.rhaalovely.net/ has amd64 pkgs for 71.0b8 built from
> this branch, and i'm running it now. This needs more testing from anyone
> actually using firefox in weird environments so that we figure out more
> missing paths.
>
> Landry
>

joshua stein-3

Re: [wip] firefox 71.0b8 with unveil integration

On Sat, 09 Nov 2019 at 00:02:55 +0100, Solène Rapenne wrote:
> If someone can confirm a behavior I had with firefox patched for pledge and unveil
> I was not able to delete extensions, but it wasn't triggering a pledge error and I've not been able to deal with the huge ktrace...

I just installed Landry's beta package and ran it with my existing
profile, installed a random extension, then uninstalled it, and it
performed as expected.

Tim van der Molen-4

Re: [wip] firefox 71.0b8 with unveil integration

In reply to this post by Landry Breuil-5

Landry Breuil (2019-11-08 23:48 +0100):
> https://packages.rhaalovely.net/ has amd64 pkgs for 71.0b8 built from
> this branch, and i'm running it now. This needs more testing from anyone
> actually using firefox in weird environments so that we figure out more
> missing paths.

Firefox doesn't play audio unless I add "/usr/lib r" to unveil.content.
I can reproduce this with an empty homedir and an audio-only .ogg file
in /tmp.

Firefox writes this to stderr:

[Child 99779, MediaDecoderStateMachine #1] WARNING: 17d3e855100 Can't get cubeb context!: file /usr/ports/pobj/firefox-71.0beta8/firefox-71.0/dom/media/AudioStream.cpp, line 281
[Child 99779, MediaDecoderStateMachine #1] WARNING: Decoder=17d3db0c800 [OnMediaSinkAudioError]: file /usr/ports/pobj/firefox-71.0beta8/firefox-71.0/dom/media/MediaDecoderStateMachine.cpp, line 3639
[Child 99779, MediaDecoderStateMachine #1] WARNING: Decoder=17d3db0c800 Decode error: NS_ERROR_DOM_MEDIA_MEDIASINK_ERR (0x806e000b) - OnMediaSinkAudioError: file /usr/ports/pobj/firefox-71.0beta8/firefox-71.0/dom/media/MediaDecoderStateMachine.cpp, line 3308
[Parent 6521, Gecko_IOThread] WARNING: pipe error: Broken pipe: file /usr/ports/pobj/firefox-71.0beta8/firefox-71.0/ipc/chromium/src/chrome/common/ipc_channel_posix.cc, line 728

ktrace -di shows this:

99779 firefox NAMI "/usr/lib/libsndio.so.7.0"
99779 firefox RET open -1 errno 2 No such file or directory

Tim van der Molen-4

Re: [wip] firefox 71.0b8 with unveil integration

Tim van der Molen (2019-11-10 12:58 +0100):

> Landry Breuil (2019-11-08 23:48 +0100):
> > https://packages.rhaalovely.net/ has amd64 pkgs for 71.0b8 built from
> > this branch, and i'm running it now. This needs more testing from anyone
> > actually using firefox in weird environments so that we figure out more
> > missing paths.
>
> Firefox doesn't play audio unless I add "/usr/lib r" to unveil.content.
> I can reproduce this with an empty homedir and an audio-only .ogg file
> in /tmp.
>
> Firefox writes this to stderr:
>
> [Child 99779, MediaDecoderStateMachine #1] WARNING: 17d3e855100 Can't get cubeb context!: file /usr/ports/pobj/firefox-71.0beta8/firefox-71.0/dom/media/AudioStream.cpp, line 281
> [Child 99779, MediaDecoderStateMachine #1] WARNING: Decoder=17d3db0c800 [OnMediaSinkAudioError]: file /usr/ports/pobj/firefox-71.0beta8/firefox-71.0/dom/media/MediaDecoderStateMachine.cpp, line 3639
> [Child 99779, MediaDecoderStateMachine #1] WARNING: Decoder=17d3db0c800 Decode error: NS_ERROR_DOM_MEDIA_MEDIASINK_ERR (0x806e000b) - OnMediaSinkAudioError: file /usr/ports/pobj/firefox-71.0beta8/firefox-71.0/dom/media/MediaDecoderStateMachine.cpp, line 3308
> [Parent 6521, Gecko_IOThread] WARNING: pipe error: Broken pipe: file /usr/ports/pobj/firefox-71.0beta8/firefox-71.0/ipc/chromium/src/chrome/common/ipc_channel_posix.cc, line 728
>
> ktrace -di shows this:
>

I missed this line:

99779 firefox CALL open(0x17e0b204289,0x10000<O_RDONLY|O_CLOEXEC>)

> 99779 firefox NAMI "/usr/lib/libsndio.so.7.0"
> 99779 firefox RET open -1 errno 2 No such file or directory

By the way, I also noticed this:

99779 firefox CALL open(0x17ddbbba1e0,0x30000<O_RDONLY|O_CLOEXEC|O_DIRECTORY>)
99779 firefox NAMI "/usr/local/lib/firefox"
99779 firefox RET open -1 errno 2 No such file or directory

unveil.gpu and unveil.main have a line for that dir, but unveil.content
does not.

Landry Breuil-5

Re: [wip] firefox 71.0b8 with unveil integration

In reply to this post by Tim van der Molen-4

On Sun, Nov 10, 2019 at 12:58:50PM +0100, Tim van der Molen wrote:

I finally had time to properly dig ainto this, and indeed it tries to
dlopen this file in
https://searchfox.org/mozilla-central/source/media/libcubeb/src/cubeb_sndio.c#285
- i dont really remember this parts, alex was it here last you worked on
the cubeb sndio backend ? this code is coming from
https://bugzilla.mozilla.org/show_bug.cgi?id=1575883, which comes
from upstream cubeb in
https://github.com/kinetiknz/cubeb/commit/9eb4c89535fdf3726900231a804aa35e19b9f93c,
which in the end came from https://github.com/kinetiknz/cubeb/pull/539
where jan beich (the freebsd mozilla porter, in cc) moved from linking to libsndio
to dlopening at runtime.

I have to admit that now that we move towards unveil, dlopen() feels awkward,
especially with the version number hardcoded. I dont want to hardcode
libsndio.so.7.0 in the unveil config... and i dunno if having
/usr/lib/libsndio.so would work.

I guess one of the options is to set DISABLE_LIBSNDIO_DLOPEN (cf
https://searchfox.org/mozilla-central/source/media/libcubeb/src/cubeb_sndio.c#26)
but then one would need to readd sndio to the libs linked (i dont see
this done in the build system yet), and i'm not sure this codepath was
tested much.. alex, what's your take on this ?

Landry

Theo de Raadt-2

Re: [wip] firefox 71.0b8 with unveil integration

Landry Breuil <[hidden email]> wrote:

> I have to admit that now that we move towards unveil, dlopen() feels awkward,
> especially with the version number hardcoded. I dont want to hardcode
> libsndio.so.7.0 in the unveil config... and i dunno if having
> /usr/lib/libsndio.so would work.

Yes, it should make you feel uncomfortable.

dlopen() will also put you in a position of needing pledge "prot_exec",
so ld.so can PROT_EXEC the loaded text segments. Of course there's few
things an attacker wants as much as a fully operational mprotect system
call to rop-pivot through.

There are no programs trying to act this way in base, and the other
major pledge/unveil program in ports are organized to avoid late
dlopen().

Landry Breuil-5

Re: [wip] firefox 71.0b8 with unveil integration

In reply to this post by Landry Breuil-5

On Tue, Nov 12, 2019 at 08:32:29AM +0100, Landry Breuil wrote:

> On Sun, Nov 10, 2019 at 12:58:50PM +0100, Tim van der Molen wrote:
> > Landry Breuil (2019-11-08 23:48 +0100):
> > > https://packages.rhaalovely.net/ has amd64 pkgs for 71.0b8 built from
> > > this branch, and i'm running it now. This needs more testing from anyone
> > > actually using firefox in weird environments so that we figure out more
> > > missing paths.
> >
> > Firefox doesn't play audio unless I add "/usr/lib r" to unveil.content.
> > I can reproduce this with an empty homedir and an audio-only .ogg file
> > in /tmp.
> >
> > Firefox writes this to stderr:
> >
> > [Child 99779, MediaDecoderStateMachine #1] WARNING: 17d3e855100 Can't get cubeb context!: file /usr/ports/pobj/firefox-71.0beta8/firefox-71.0/dom/media/AudioStream.cpp, line 281
> > [Child 99779, MediaDecoderStateMachine #1] WARNING: Decoder=17d3db0c800 [OnMediaSinkAudioError]: file /usr/ports/pobj/firefox-71.0beta8/firefox-71.0/dom/media/MediaDecoderStateMachine.cpp, line 3639
> > [Child 99779, MediaDecoderStateMachine #1] WARNING: Decoder=17d3db0c800 Decode error: NS_ERROR_DOM_MEDIA_MEDIASINK_ERR (0x806e000b) - OnMediaSinkAudioError: file /usr/ports/pobj/firefox-71.0beta8/firefox-71.0/dom/media/MediaDecoderStateMachine.cpp, line 3308
> > [Parent 6521, Gecko_IOThread] WARNING: pipe error: Broken pipe: file /usr/ports/pobj/firefox-71.0beta8/firefox-71.0/ipc/chromium/src/chrome/common/ipc_channel_posix.cc, line 728
> >
> > ktrace -di shows this:
> >
> > 99779 firefox NAMI "/usr/lib/libsndio.so.7.0"
> > 99779 firefox RET open -1 errno 2 No such file or directory
>
> I finally had time to properly dig ainto this, and indeed it tries to
> dlopen this file in
> https://searchfox.org/mozilla-central/source/media/libcubeb/src/cubeb_sndio.c#285
> - i dont really remember this parts, alex was it here last you worked on
> the cubeb sndio backend ? this code is coming from
> https://bugzilla.mozilla.org/show_bug.cgi?id=1575883, which comes
> from upstream cubeb in
> https://github.com/kinetiknz/cubeb/commit/9eb4c89535fdf3726900231a804aa35e19b9f93c,
> which in the end came from https://github.com/kinetiknz/cubeb/pull/539
> where jan beich (the freebsd mozilla porter, in cc) moved from linking to libsndio
> to dlopening at runtime.
>
> I have to admit that now that we move towards unveil, dlopen() feels awkward,
> especially with the version number hardcoded. I dont want to hardcode
> libsndio.so.7.0 in the unveil config... and i dunno if having
> /usr/lib/libsndio.so would work.

Tested, and unveiling /usr/lib/libsndio.so didnt work.

> I guess one of the options is to set DISABLE_LIBSNDIO_DLOPEN (cf
> https://searchfox.org/mozilla-central/source/media/libcubeb/src/cubeb_sndio.c#26)
> but then one would need to readd sndio to the libs linked (i dont see
> this done in the build system yet), and i'm not sure this codepath was
> tested much.. alex, what's your take on this ?

The following (completely untested) diff might achieve that:

diff --git a/media/libcubeb/src/moz.build b/media/libcubeb/src/moz.build
--- a/media/libcubeb/src/moz.build
+++ b/media/libcubeb/src/moz.build
@@ -44,16 +44,17 @@ if CONFIG['MOZ_JACK']:
]
DEFINES['USE_JACK'] = True

if CONFIG['OS_ARCH'] == 'OpenBSD':
SOURCES += [
'cubeb_sndio.c',
]
DEFINES['USE_SNDIO'] = True
+ DEFINES['DISABLE_LIBSNDIO_DLOPEN'] = True

if CONFIG['OS_TARGET'] == 'Darwin':
SOURCES += [
'cubeb_audiounit.cpp',
'cubeb_resampler.cpp'
]
if CONFIG['MOZ_WIDGET_TOOLKIT'] == 'cocoa':
SOURCES += [
diff --git a/toolkit/library/moz.build b/toolkit/library/moz.build
--- a/toolkit/library/moz.build
+++ b/toolkit/library/moz.build
@@ -260,16 +260,21 @@ if not CONFIG['MOZ_TREE_PIXMAN']:
if CONFIG['HAVE_CLOCK_MONOTONIC']:
OS_LIBS += CONFIG['REALTIME_LIBS']

OS_LIBS += CONFIG['ICONV_LIBS']

if CONFIG['MOZ_WIDGET_TOOLKIT'] in ('cocoa', 'uikit'):
OS_LIBS += CONFIG['TK_LIBS']

+if CONFIG['OS_ARCH'] == 'OpenBSD':
+ OS_LIBS += [
+ 'sndio',
+ ]
+
if CONFIG['MOZ_ENABLE_DBUS']:
OS_LIBS += CONFIG['MOZ_DBUS_GLIB_LIBS']

if CONFIG['MOZ_WIDGET_TOOLKIT'] == 'gtk':
OS_LIBS += [l for l in CONFIG['TK_LIBS']
if l not in ('-lgtk-3', '-lgdk-3')]
OS_LIBS += CONFIG['XLDFLAGS']
OS_LIBS += CONFIG['XLIBS']

Alexandre Ratchov-2

Re: [wip] firefox 71.0b8 with unveil integration

In reply to this post by Landry Breuil-5

On Tue, Nov 12, 2019 at 08:32:29AM +0100, Landry Breuil wrote:

This part is new, I've seen Jan Beich diff, but missed the
DISABLE_LIBSNDIO_DLOPEN bits.

> I guess one of the options is to set DISABLE_LIBSNDIO_DLOPEN (cf
> https://searchfox.org/mozilla-central/source/media/libcubeb/src/cubeb_sndio.c#26)
> but then one would need to readd sndio to the libs linked (i dont see
> this done in the build system yet), and i'm not sure this codepath was
> tested much.. alex, what's your take on this ?

IMHO we should use DISABLE_LIBSNDIO_DLOPEN as in the diff you proposed
in your other mail; this would also help catching bugs by not
disabling compiler type checks.

Landry Breuil-5

Re: [wip] firefox 71.0b8 with unveil integration

On Tue, Nov 12, 2019 at 12:21:04PM +0100, Alexandre Ratchov wrote:

> On Tue, Nov 12, 2019 at 08:32:29AM +0100, Landry Breuil wrote:
> > On Sun, Nov 10, 2019 at 12:58:50PM +0100, Tim van der Molen wrote:
> > > Landry Breuil (2019-11-08 23:48 +0100):
> > > > https://packages.rhaalovely.net/ has amd64 pkgs for 71.0b8 built from
> > > > this branch, and i'm running it now. This needs more testing from anyone
> > > > actually using firefox in weird environments so that we figure out more
> > > > missing paths.
> > >
> > > Firefox doesn't play audio unless I add "/usr/lib r" to unveil.content.
> > > I can reproduce this with an empty homedir and an audio-only .ogg file
> > > in /tmp.
> > >
> > > Firefox writes this to stderr:
> > >
> > > [Child 99779, MediaDecoderStateMachine #1] WARNING: 17d3e855100 Can't get cubeb context!: file /usr/ports/pobj/firefox-71.0beta8/firefox-71.0/dom/media/AudioStream.cpp, line 281
> > > [Child 99779, MediaDecoderStateMachine #1] WARNING: Decoder=17d3db0c800 [OnMediaSinkAudioError]: file /usr/ports/pobj/firefox-71.0beta8/firefox-71.0/dom/media/MediaDecoderStateMachine.cpp, line 3639
> > > [Child 99779, MediaDecoderStateMachine #1] WARNING: Decoder=17d3db0c800 Decode error: NS_ERROR_DOM_MEDIA_MEDIASINK_ERR (0x806e000b) - OnMediaSinkAudioError: file /usr/ports/pobj/firefox-71.0beta8/firefox-71.0/dom/media/MediaDecoderStateMachine.cpp, line 3308
> > > [Parent 6521, Gecko_IOThread] WARNING: pipe error: Broken pipe: file /usr/ports/pobj/firefox-71.0beta8/firefox-71.0/ipc/chromium/src/chrome/common/ipc_channel_posix.cc, line 728
> > >
> > > ktrace -di shows this:
> > >
> > > 99779 firefox NAMI "/usr/lib/libsndio.so.7.0"
> > > 99779 firefox RET open -1 errno 2 No such file or directory
> >
> > I finally had time to properly dig ainto this, and indeed it tries to
> > dlopen this file in
> > https://searchfox.org/mozilla-central/source/media/libcubeb/src/cubeb_sndio.c#285
> > - i dont really remember this parts, alex was it here last you worked on
> > the cubeb sndio backend ? this code is coming from
> > https://bugzilla.mozilla.org/show_bug.cgi?id=1575883, which comes
> > from upstream cubeb in
> > https://github.com/kinetiknz/cubeb/commit/9eb4c89535fdf3726900231a804aa35e19b9f93c,
> > which in the end came from https://github.com/kinetiknz/cubeb/pull/539
> > where jan beich (the freebsd mozilla porter, in cc) moved from linking to libsndio
> > to dlopening at runtime.
>
> This part is new, I've seen Jan Beich diff, but missed the
> DISABLE_LIBSNDIO_DLOPEN bits.
>
> > I guess one of the options is to set DISABLE_LIBSNDIO_DLOPEN (cf
> > https://searchfox.org/mozilla-central/source/media/libcubeb/src/cubeb_sndio.c#26)
> > but then one would need to readd sndio to the libs linked (i dont see
> > this done in the build system yet), and i'm not sure this codepath was
> > tested much.. alex, what's your take on this ?
>
> IMHO we should use DISABLE_LIBSNDIO_DLOPEN as in the diff you proposed
> in your other mail; this would also help catching bugs by not
> disabling compiler type checks.

I've tested the proposed diff and it indeed does the right thing, ie it
links libxul.so with libsndio, and i can play sound with unveil enabled
without having to unveil /usr/lib/libsndio.so.7.0.

If ppl want to test it, the firefox-71.0beta9 package on my repo
contains
https://cgit.rhaalovely.net/mozilla-firefox/commit/?h=unveil&id=ed3d4671090ec2449cb9ab935a923862275f43d6
which i'm going to push upstream. Or rebuild the port from the git
branch..

Landry