(Sorry, e-mail problems mangled the first attempt at this.)

I've been working on enhancing the security of our Firefox port over
the past couple of weeks and would like some wider testing.

- Firefox's GPU process gains pledge(2) support, so now all three
  process types (main, content, and gpu) are pledged.

- The inet permission is removed from content processes as they work
  without it.

- All three process types gain unveil(2) support to limit filesystem
  access.  Similar to our Chrome port, ~/Downloads and /tmp become
  the only major directories that the main process can read from and
  write to (aside from some other Firefox- and Gtk-specific
  cache/support directories like ~/.mozilla) and that the content
  process can read from for viewing files as file:// URLs.

While the Chrome port uses separate files in /etc/chromium for
unveil file lists, these patches use new comma-separated
about:config keys for them.  These are security.sandbox.unveil.main,
security.sandbox.unveil.content, and security.sandbox.unveil.gpu.
These file lists support expanding XDG_{CONFIG,DATA,CACHE}_HOME
environment variables if set.

See the new notes in pkg/README for adding additional upload or
download directories and for information on changing which 3rd party
programs are used to open certain MIME types like PDFs.

These patches are being tracked upstream and landry@ will help to
get them integrated once they are stable, although this review
process may take a while and it will probably take a while before
they reach a mainline release:

- sandbox GPU process on OpenBSD with pledge():
  https://bugzilla.mozilla.org/show_bug.cgi?id=1580268

- enhance sandbox on OpenBSD with unveil():
  https://bugzilla.mozilla.org/show_bug.cgi?id=1580271

As for testing, please try all of your normal Firefox usage as
everything should still work.  I've tested all of these things:

- Launching with an existing profile or letting it create a new one
  in ~/.mozilla
- Basic multi-tabbed and multi-window browsing
- Add-ons (Bitwarden, uBlock Origin, Tunnelbear VPN, etc.)
- Playing a YouTube video with sound
- Webcam access
- Accelerated graphics with MOZ_ACCELERATED=1 (verifying
  about:support shows HW_COMPOSITING enabled and detailed GPU #1
  info), viewing some WebGL benchmark sites
- File->Open, can only view ~/Downloads (this is the main process)
- When a file is selected, it is able to be opened as a file://
  URL (this is a content process reading it)
- When uploading a file, only ~/Downloads can be seen (or a
  read-only directory like ~/Photos specifically added to the
  security.sandbox.unveil.main list)
- Executing a 3rd party app via GIO/XDG such as mupdf for opening
  PDFs
- Executing a 3rd party app from ~/.mailcap such as xpdf for PDFs
- Printing via CUPS


Index: Makefile
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
RCS file: /cvs/ports/www/mozilla-firefox/Makefile,v
retrieving revision 1.394
diff -u -p -u -p -r1.394 Makefile
--- Makefile    18 Sep 2019 16:58:05 -0000      1.394
+++ Makefile    20 Sep 2019 02:13:42 -0000
@@ -10,6 +10,8 @@ MOZILLA_BRANCH =3D    release
 MOZILLA_PROJECT =3D    firefox
 MOZILLA_CODENAME =3D   browser
=20
+REVISION =3D   0
+
 WRKDIST =3D    ${WRKDIR}/${MOZILLA_DIST}-${MOZILLA_DIST_VERSION:C/b[0-9]*//}
 HOMEPAGE =3D   https://www.mozilla.org/firefox/
 SO_VERSION =3D 84.0
Index: patches/patch-browser_app_profile_firefox_js
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
RCS file: patches/patch-browser_app_profile_firefox_js
diff -N patches/patch-browser_app_profile_firefox_js
--- /dev/null   1 Jan 1970 00:00:00 -0000
+++ patches/patch-browser_app_profile_firefox_js        20 Sep 2019 02:13:42 
-0000
@@ -0,0 +1,33 @@
+$OpenBSD$
+
+sandbox GPU process on OpenBSD with pledge()
+https://bugzilla.mozilla.org/show_bug.cgi?id=3D1580268
+
+enhance sandbox on OpenBSD with unveil()
+https://bugzilla.mozilla.org/show_bug.cgi?id=3D1580271
+
+Index: browser/app/profile/firefox.js
+--- browser/app/profile/firefox.js.orig
++++ browser/app/profile/firefox.js
+@@ -1130,11 +1130,18 @@ pref("security.sandbox.content.syscall_whitelist",=
 "")
+ #endif
+=20
+ #if defined(XP_OPENBSD) && defined(MOZ_SANDBOX)
++pref("security.sandbox.content.level", 1);
++
+ // default pledge strings for the main & content processes, cf bug 1457092
+-// broad list for now, has to be refined over time
+ pref("security.sandbox.pledge.main", "stdio rpath wpath cpath inet proc e=
xec prot_exec flock ps sendfd recvfd dns vminfo tty drm unix fattr getpw mc=
ast");
+-pref("security.sandbox.content.level", 1);
+-pref("security.sandbox.pledge.content", "stdio rpath wpath cpath inet rec=
vfd sendfd prot_exec unix drm ps");
++pref("security.sandbox.pledge.content", "stdio rpath wpath cpath recvfd s=
endfd prot_exec unix drm ps");
++// and for gpu, bug 1580268
++pref("security.sandbox.pledge.gpu", "stdio rpath wpath cpath ps sendfd re=
cvfd drm dns unix prot_exec");
++
++// default file paths unveiled to each process, bug 1580271
++pref("security.sandbox.unveil.main", "/dev/urandom r,/dev/video rw,/etc/f=
onts r,/etc/machine-id r,/etc/mailcap r,/tmp rwc,/usr/bin/lpr rx,/usr/local=
/bin/gio-launch-desktop rx,/usr/local/lib r,/usr/local/firefox r,/usr/local=
/lib/firefox rx,/usr/local/share r,/usr/share/locale r,/var/cache/fontconfi=
g r,/usr/X11R6/lib r,/usr/X11R6/share r,/var/run rw,~/.XCompose r,~/.Xautho=
rity r,~/.Xdefaults r,~/.fontconfig r,~/.fonts r,~/.fonts.conf r,~/.fonts.c=
onf.d r,~/.icons r,~/.mailcap r,~/.mime.types r,~/.mozilla rwc,~/.pki rwc,~=
/.sndio rwc,~/.terminfo r,$XDG_CACHE_HOME/dconf rwc,$XDG_CACHE_HOME/thumbna=
ils rwc,$XDG_CONFIG_HOME/dconf r,$XDG_CONFIG_HOME/fontconfig r,$XDG_CONFIG_=
HOME/gtk-3.0 r,$XDG_CONFIG_HOME/mimeapps.list r,$XDG_CONFIG_HOME/mozilla rw=
c,$XDG_CONFIG_HOME/user-dirs.dirs r,$XDG_DATA_HOME/applications rwc,$XDG_DA=
TA_HOME/applnk r,$XDG_DATA_HOME/fonts r,$XDG_DATA_HOME/glib-2.0 r,$XDG_DATA=
_HOME/icons r,$XDG_DATA_HOME/mime r,$XDG_DATA_HOME/recently-used.xbel rwc,$=
XDG_DATA_HOME/themes r,~/Downloads rwc");
++pref("security.sandbox.unveil.content", "/dev/drm0 rw,/etc/fonts r,/etc/m=
achine-id r,/tmp rwc,/usr/local/lib r,/usr/local/firefox r,/usr/local/lib/f=
irefox rx,/usr/local/share r,/usr/share/locale r,/var/cache/fontconfig r,/u=
sr/X11R6/lib r,/usr/X11R6/share r,/var/run rw,~/.XCompose r,~/.Xauthority r=
,~/.Xdefaults r,~/.fontconfig r,~/.fonts r,~/.fonts.conf r,~/.fonts.conf.d =
r,~/.icons r,~/.mozilla rwc,~/.pki rwc,~/.sndio rwc,~/.terminfo r,$XDG_CACH=
E_HOME/dconf rwc,$XDG_CACHE_HOME/thumbnails rwc,$XDG_CONFIG_HOME/dconf r,$X=
DG_CONFIG_HOME/fontconfig r,$XDG_CONFIG_HOME/gtk-3.0 r,$XDG_CONFIG_HOME/mim=
eapps.list r,$XDG_CONFIG_HOME/mozilla rwc,$XDG_CONFIG_HOME/user-dirs.dirs r=
,$XDG_DATA_HOME/applications r,$XDG_DATA_HOME/applnk r,$XDG_DATA_HOME/fonts=
 r,$XDG_DATA_HOME/glib-2.0 r,$XDG_DATA_HOME/icons r,$XDG_DATA_HOME/mime r,$=
XDG_DATA_HOME/themes r,~/Downloads r");
++pref("security.sandbox.unveil.gpu", "/dev/drm0 rw,/tmp rwc,/usr/local/lib=
/firefox r,/usr/local/lib/gdk-pixbuf-2.0 r,/usr/X11R6/lib r,/usr/share/loca=
le r,/usr/local/share r,~/.Xauthority r");
+ #endif
+=20
+ #if defined(MOZ_SANDBOX)
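Review bot: the security.sandbox.unveil.content default grants "rwc" on ~/.mozilla, ~/.pki and ~/.sndio and "rw" on /var/run to every content process, which is the process type that parses untrusted web content; is write access to the profile and NSS database directories actually needed there, or does the content process reach them through the parent over IPC? If any of these can be dropped to "r" or removed, please do so and leave a comment beside each remaining write grant saying what needs it, so the lists do not silently accrete. The three pref strings also hardcode /usr/local and /usr/X11R6; ports normally substitute ${LOCALBASE} and ${X11BASE} (e.g. with SUBST_CMD at build time) rather than baking the prefix into a patch.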
Index: patches/patch-dom_ipc_ContentChild_cpp
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
RCS file: patches/patch-dom_ipc_ContentChild_cpp
diff -N patches/patch-dom_ipc_ContentChild_cpp
--- /dev/null   1 Jan 1970 00:00:00 -0000
+++ patches/patch-dom_ipc_ContentChild_cpp      20 Sep 2019 02:13:42 -0000
@@ -0,0 +1,170 @@
+$OpenBSD$
+
+sandbox GPU process on OpenBSD with pledge()
+https://bugzilla.mozilla.org/show_bug.cgi?id=3D1580268
+
+enhance sandbox on OpenBSD with unveil()
+https://bugzilla.mozilla.org/show_bug.cgi?id=3D1580271
+
+Index: dom/ipc/ContentChild.cpp
+--- dom/ipc/ContentChild.cpp.orig
++++ dom/ipc/ContentChild.cpp
+@@ -126,6 +126,7 @@
+ #    include "mozilla/Sandbox.h"
+ #  elif defined(__OpenBSD__)
+ #    include <unistd.h>
++#    include "SpecialSystemDirectory.h"
+ #  endif
+ #endif
+=20
+@@ -4048,47 +4049,132 @@ void ContentChild::HoldBrowsingContextGroup(Brows=
ingCo
+ }  // namespace dom
+=20
+ #if defined(__OpenBSD__) && defined(MOZ_SANDBOX)
+-#  include <unistd.h>
+=20
+ static LazyLogModule sPledgeLog("SandboxPledge");
+=20
+ bool StartOpenBSDSandbox(GeckoProcessType type) {
+   nsAutoCString promisesString;
+   nsAutoCString processTypeString;
++  nsAutoCString unveilString;
+=20
+   switch (type) {
+     case GeckoProcessType_Default:
+       processTypeString =3D "main";
+       Preferences::GetCString("security.sandbox.pledge.main", promisesStr=
ing);
++      Preferences::GetCString("security.sandbox.unveil.main", unveilStrin=
g);
+       break;
+=20
+     case GeckoProcessType_Content:
+       processTypeString =3D "content";
+-      Preferences::GetCString("security.sandbox.pledge.content",
+-                              promisesString);
++      Preferences::GetCString("security.sandbox.pledge.content", promises=
String);
++      Preferences::GetCString("security.sandbox.unveil.content", unveilSt=
ring);
+       break;
+=20
++    case GeckoProcessType_GPU:
++      processTypeString =3D "gpu";
++      Preferences::GetCString("security.sandbox.pledge.gpu", promisesStri=
ng);
++      Preferences::GetCString("security.sandbox.unveil.gpu", unveilString=
);
++      break;
++
+     default:
+       MOZ_ASSERT(false, "unknown process type");
+       return false;
+-  };
++  }
+=20
+-  if (pledge(promisesString.get(), NULL) =3D=3D -1) {
+-    if (errno =3D=3D EINVAL) {
+-      MOZ_LOG(sPledgeLog, LogLevel::Error,
+-              ("pledge promises for %s process is a malformed string: '%s=
'\n",
+-               processTypeString.get(), promisesString.get()));
+-    } else if (errno =3D=3D EPERM) {
+-      MOZ_LOG(
+-          sPledgeLog, LogLevel::Error,
+-          ("pledge promises for %s process can't elevate privileges: '%s'=
\n",
+-           processTypeString.get(), promisesString.get()));
++  if (!PR_GetEnv("MOZ_DISABLE_UNVEIL")) {
++    nsresult rv;
++
++    nsCOMPtr<nsIFile> homeDir;
++    rv =3D GetSpecialSystemDirectory(Unix_HomeDirectory, getter_AddRefs(h=
omeDir));
++    if (NS_FAILED(rv)) {
++      mozilla::ipc::FatalError("failed getting home directory", false);
+     }
+-    return false;
+-  } else {
+-    MOZ_LOG(sPledgeLog, LogLevel::Debug,
+-            ("pledged %s process with promises: '%s'\n",
++
++    bool anyUnveils =3D false;
++
++    for (const nsACString& tChunk : unveilString.Split(',')) {
++      nsAutoCString chunk;
++      chunk.Append(tChunk);
++
++      chunk.CompressWhitespace(true, true);
++      if (chunk.IsEmpty()) {
++        continue;
++      }
++
++      int32_t space =3D chunk.FindChar(' ');
++      if (space <=3D 0) {
++        mozilla::ipc::FatalError(nsPrintfCString("%s: invalid unveil "
++          "format \"%s\"", PromiseFlatCString(processTypeString).get(),
++          chunk.get()).get(), false);
++      }
++
++      nsCString uPath(Substring(chunk, 0, space));
++      nsCString perms(Substring(chunk, space + 1, chunk.Length() - space =
- 1));
++
++      // Expand $XDG_CONFIG_HOME to the environment variable, or ~/.config
++      nsCString xdgConfigHome(PR_GetEnv("XDG_CONFIG_HOME"));
++      if (xdgConfigHome.IsEmpty()) {
++        xdgConfigHome =3D "~/.config";
++      }
++      uPath.ReplaceSubstring("$XDG_CONFIG_HOME", xdgConfigHome.get());
++
++      // Expand $XDG_CACHE_HOME to the environment variable, or ~/.cache
++      nsCString xdgCacheHome(PR_GetEnv("XDG_CACHE_HOME"));
++      if (xdgCacheHome.IsEmpty()) {
++        xdgCacheHome =3D "~/.cache";
++      }
++      uPath.ReplaceSubstring("$XDG_CACHE_HOME", xdgCacheHome.get());
++
++      // Expand $XDG_DATA_HOME to the environment variable, or ~/.local/s=
hare
++      nsCString xdgDataHome(PR_GetEnv("XDG_DATA_HOME"));
++      if (xdgDataHome.IsEmpty()) {
++        xdgDataHome =3D "~/.local/share";
++      }
++      uPath.ReplaceSubstring("$XDG_DATA_HOME", xdgDataHome.get());
++
++      // Expand leading ~ to the user's home directory
++      if (uPath.FindChar('~') =3D=3D 0) {
++        nsCString tHome(homeDir->NativePath());
++        tHome.Append(Substring(uPath, 1, uPath.Length() - 1));
++        uPath =3D tHome.get();
++      }
++
++      MOZ_LOG(sPledgeLog, LogLevel::Debug, ("%s: unveil(%s, %s)\n",
++        processTypeString.get(), uPath.get(), perms.get()));
++      int ret =3D unveil(uPath.get(), perms.get());
++      if (ret !=3D 0 && ret !=3D ENOENT) {
++        mozilla::ipc::FatalError(nsPrintfCString("%s: unveil(%s, %s) fail=
ed: %d",
++          processTypeString.get(), uPath.get(), perms.get(), errno).get(),
++          false);
++      }
++
++      anyUnveils =3D true;
++    }
++
++    if (!anyUnveils) {
++      mozilla::ipc::FatalError(nsPrintfCString("failed parsing unveil str=
ing "
++        "\"%s\"", unveilString.get()).get(), false);
++    }
++  }
++
++  if (!PR_GetEnv("MOZ_DISABLE_PLEDGE")) {
++    if (pledge(promisesString.get(), nullptr) =3D=3D -1) {
++      if (errno =3D=3D EINVAL) {
++        MOZ_LOG(sPledgeLog, LogLevel::Error,
++                ("pledge promises for %s process is a malformed string: '=
%s'\n",
++                 processTypeString.get(), promisesString.get()));
++      } else if (errno =3D=3D EPERM) {
++        MOZ_LOG(
++            sPledgeLog, LogLevel::Error,
++            ("pledge promises for %s process can't elevate privileges: '%=
s'\n",
+              processTypeString.get(), promisesString.get()));
++      }
++      return false;
++    } else {
++      MOZ_LOG(sPledgeLog, LogLevel::Debug,
++              ("pledged %s process with promises: '%s'\n",
++               processTypeString.get(), promisesString.get()));
++    }
+   }
+   return true;
+ }
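Review bot: the failure test after the unveil(2) call is wrong: `int ret = unveil(uPath.get(), perms.get()); if (ret != 0 && ret != ENOENT)` compares the return value with ENOENT, but unveil returns -1 on every failure and reports the cause in errno, so a path that is absent on this system (the case the ENOENT branch is meant to tolerate) still reaches FatalError. It should read `if (ret == -1 && errno != ENOENT)`, ideally with a Debug-level MOZ_LOG when an entry is skipped for ENOENT. Separately, nothing locks the unveil list after the loop: the view is only closed because the later pledge() uses promise sets without "unveil", which does not hold when MOZ_DISABLE_PLEDGE is set or pledge() fails and returns false, so add an explicit `unveil(nullptr, nullptr)` once the last entry has been applied.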
Index: patches/patch-gfx_ipc_GPUParent_cpp
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
RCS file: patches/patch-gfx_ipc_GPUParent_cpp
diff -N patches/patch-gfx_ipc_GPUParent_cpp
--- /dev/null   1 Jan 1970 00:00:00 -0000
+++ patches/patch-gfx_ipc_GPUParent_cpp 20 Sep 2019 02:13:42 -0000
@@ -0,0 +1,28 @@
+$OpenBSD$
+
+sandbox GPU process on OpenBSD with pledge()
+https://bugzilla.mozilla.org/show_bug.cgi?id=3D1580268
+
+Index: gfx/ipc/GPUParent.cpp
+--- gfx/ipc/GPUParent.cpp.orig
++++ gfx/ipc/GPUParent.cpp
+@@ -57,6 +57,8 @@
+ #  include "mozilla/WindowsVersion.h"
+ #  include <process.h>
+ #  include <dwrite.h>
++#elif defined(__OpenBSD__) && defined(MOZ_SANDBOX)
++#  include "mozilla/SandboxSettings.h"
+ #endif
+ #ifdef MOZ_WIDGET_GTK
+ #  include <gtk/gtk.h>
+@@ -122,6 +124,10 @@ bool GPUParent::Init(base::ProcessId aParentPid, const
+   mlg::InitializeMemoryReporters();
+ #if defined(XP_WIN)
+   DeviceManagerDx::Init();
++#endif
++
++#if defined(__OpenBSD__) && defined(MOZ_SANDBOX)
++  StartOpenBSDSandbox(GeckoProcessType_GPU);
+ #endif
+=20
+   CompositorThreadHolder::Start();
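Review bot: the return value of StartOpenBSDSandbox(GeckoProcessType_GPU) is discarded in GPUParent::Init, yet the function returns false when pledge(2) fails with EINVAL or EPERM, so a malformed security.sandbox.pledge.gpu string leaves the GPU process running with no sandbox and only a MOZ_LOG line to show for it. Either fail Init() (return false) or abort on a false result, consistent with however the content-process caller treats it, so a broken pledge string is noticed instead of ignored.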
Index: patches/patch-toolkit_system_gnome_nsGIOService_cpp
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
RCS file: patches/patch-toolkit_system_gnome_nsGIOService_cpp
diff -N patches/patch-toolkit_system_gnome_nsGIOService_cpp
--- /dev/null   1 Jan 1970 00:00:00 -0000
+++ patches/patch-toolkit_system_gnome_nsGIOService_cpp 20 Sep 2019 02:13:4=
2 -0000
@@ -0,0 +1,29 @@
+$OpenBSD$
+
+enhance sandbox on OpenBSD with unveil()
+https://bugzilla.mozilla.org/show_bug.cgi?id=3D1580271
+
+Index: toolkit/system/gnome/nsGIOService.cpp
+--- toolkit/system/gnome/nsGIOService.cpp.orig
++++ toolkit/system/gnome/nsGIOService.cpp
+@@ -497,7 +497,20 @@ nsGIOService::GetAppForMimeType(const nsACString& aMim
+     return NS_ERROR_NOT_AVAILABLE;
+   }
+=20
++#if defined(__OpenBSD__) && defined(MOZ_SANDBOX)
++  // g_app_info_get_default_for_type will fail on OpenBSD's veiled filesy=
stem
++  // since we most likely don't have direct access to the binaries that a=
re
++  // registered as defaults for this type.  Fake it up by just executing
++  // xdg-open via gio-launch-desktop (which we do have access to) and let=
ting
++  // it figure out which program to execute for this MIME type
++  GAppInfo* app_info =3D g_app_info_create_from_commandline(
++    "/usr/local/bin/xdg-open",
++    nsPrintfCString("System default for %s", content_type).get(),
++    G_APP_INFO_CREATE_NONE, NULL);
++#else
+   GAppInfo* app_info =3D g_app_info_get_default_for_type(content_type, fa=
lse);
++#endif
++
+   if (app_info) {
+     nsGIOMimeApp* mozApp =3D new nsGIOMimeApp(app_info);
+     NS_ENSURE_TRUE(mozApp, NS_ERROR_OUT_OF_MEMORY);
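Review bot: the command line "/usr/local/bin/xdg-open" is hardcoded and the GError argument to g_app_info_create_from_commandline is NULL, so a failure to build the GAppInfo is silent apart from the NULL check below. The comment says xdg-open is run "via gio-launch-desktop", and the default security.sandbox.unveil.main list in this series grants "rx" to /usr/local/bin/gio-launch-desktop but not to /usr/local/bin/xdg-open, so please spell out in the comment how the exec reaches xdg-open under the unveiled view (or add its path to the list if it is required), and substitute ${LOCALBASE} rather than hardcoding /usr/local.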
Index: pkg/README
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
RCS file: /cvs/ports/www/mozilla-firefox/pkg/README,v
retrieving revision 1.24
diff -u -p -u -p -r1.24 README
--- pkg/README  11 Jun 2019 06:01:20 -0000      1.24
+++ pkg/README  20 Sep 2019 02:13:42 -0000
@@ -28,6 +28,46 @@ right click, choose New String. Set the=20
 "network.protocol-handler.app.mailto" and the value to the path to
 your mailer.
=20
+pledge(2) and unveil(2) Support
+=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D
+Firefox on OpenBSD is secured with pledge(2) and unveil(2) to limit
+the system calls and filesystem access that each of Firefox's three
+process types (main, content, and GPU) is permitted.  By default,
+only ~/Downloads and /tmp can be written to when downloading files,
+or viewing them as file:// URLs.
+
+To add a specific path as writable for downloads, add it to the
+security.sandbox.unveil.main about:config key with "rw" permissions.
+To add a directory from which files can be uploaded, add it with just
+the "r" permission.
+To add a path that can be viewed as a file:// URL, it must also be
+added to the security.sandbox.unveil.content about:config key with
+"r" permissions.
+
+3rd-Party MIME Handlers
+=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
+Due to unveil(2) limiting filesystem access, only the default MIME
+handler registered for a given type can be chosen when opening a
+downloaded file.  For example, to use the mupdf package to read
+PDFs, it must be registered as the default with XDG:
+
+       $ xdg-mime default mupdf.desktop application/pdf
+
+The current default for a given type can be viewed with xdg-mime's
+query command:
+
+       $ xdg-mime query default application/pdf
+
+The older mailcap-format handlers are also supported, but the path
+being executed must be explicitly added to the
+security.sandbox.unveil.main about:config key with "rx" permissions.
+For example, a ~/.mailcap file specifying:
+
+       application/pdf; /usr/local/bin/xpdf %s
+
+must have "/usr/local/bin/xpdf rx" added to the unveil list for it to
+appear as an option in the "Open With" drop-down.
+
 Debugging
 =3D=3D=3D=3D=3D=3D=3D=3D=3D
 If you encounter crashes, you might want to build the debug FLAVOR of
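Review bot: the instruction to add a download directory "with "rw" permissions" disagrees with the default list, which unveils ~/Downloads with "rwc"; unveil(2) only permits creating (and removing) files under a path that carries "c", so a directory added with plain "rw" will fail the first time Firefox saves a new file into it. Say "rwc" for download directories and keep "r" for upload-only ones. The $XDG_CONFIG_HOME, $XDG_CACHE_HOME and $XDG_DATA_HOME expansion (with ~/.config, ~/.cache and ~/.local/share as fallbacks) and the leading-~ expansion implemented in the ContentChild.cpp patch are only described in the mail, not here; a sentence in this section would help anyone editing the keys.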
@@ -35,9 +75,10 @@ this package, and run firefox inside egd
 debugging logs and traces (for all threads!).
 If this is a pledge violation, you should figure out which codepath
 in which process leads to calling a forbidden syscall, and which pledge
-is missing from the two default sets configured in
-security.sandbox.pledge.main and security.sandbox.pledge.content
-about:config keys. MOZ_LOG=3DSandboxPledge:5 should help.
+is missing from the three default sets configured in
+security.sandbox.pledge.main, security.sandbox.pledge.content, and
+security.sandbox.pledge.gpu about:config keys.
+MOZ_LOG=3DSandboxPledge:5 should help.
 Bug reports without enough information will be ignored.
=20
 Note that if you're using NIS or your profile is located on a NFS share,
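Review bot: this debugging text covers pledge violations only, but unveil(2) denials behave differently and deserve a sentence: the process is not killed, the failing open reports ENOENT for a path that was never unveiled and EACCES for one unveiled without the needed flag, so a "file not found" on a path that plainly exists is the symptom to look for. The same MOZ_LOG=SandboxPledge:5 module logs every unveil() call made by StartOpenBSDSandbox, so pointing readers at that output for missing-file problems would cut down on unhelpful bug reports.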
@@ -49,6 +90,10 @@ security.sandbox.pledge.content in about
=20
 If you're not running sndiod(8) you will need to add 'audio' to
 security.sandbox.pledge.main in about:config.
+
+To disable pledge support when troubleshooting, set the
+MOZ_DISABLE_PLEDGE environment variable before starting Firefox.
+Similarly, to disable unveil support, set MOZ_DISABLE_UNVEIL.
=20
 D-BUS
 =3D=3D=3D=3D=3D
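Review bot: MOZ_DISABLE_PLEDGE and MOZ_DISABLE_UNVEIL switch the sandbox off in release builds with nothing but an environment variable, and the ContentChild.cpp hunk has no else branch for either, so a process that starts with one of them exported (say, left over in a login profile) gives no indication that it is unsandboxed. Have StartOpenBSDSandbox emit an Error-level MOZ_LOG when either variable is set, and consider surfacing the state in about:support, so the override is visible rather than silent.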

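The about:config list format described in the mail (comma-separated "path perms" entries, with $XDG_{CONFIG,CACHE,DATA}_HOME and leading ~ expanded the way the ContentChild.cpp patch does it), as an added example in C that is not part of the port or of the Firefox patches; the function and type names are assumptions of mine, and apply_unveil_list only calls unveil(2) when compiled on OpenBSD, skipping ENOENT and locking the view afterwards.

```c
#define _DEFAULT_SOURCE 1   /* getenv()/setenv()/strtok_r() prototypes on glibc with -std=c99 */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>         /* unveil(2) on OpenBSD */

struct unveil_entry { char path[1024]; char perms[8]; };   /* perms: subset of "rwxc" */
/* Expand a leading $XDG_{CONFIG,CACHE,DATA}_HOME (environment value, else the
 * XDG default under ~) and then a leading ~ from $HOME. Returns -1 on overflow. */
static int expand_prefix(const char *in, char *out, size_t outlen) {
    static const char *xdg[][2] = { { "$XDG_CONFIG_HOME", "~/.config" },
        { "$XDG_CACHE_HOME", "~/.cache" }, { "$XDG_DATA_HOME", "~/.local/share" } };
    char tmp[1024];
    const char *home = getenv("HOME"), *val;
    size_t i, n;
    for (i = 0; i < 3; i++) {
        n = strlen(xdg[i][0]);
        if (strncmp(in, xdg[i][0], n) != 0) continue;
        val = getenv(xdg[i][0] + 1);                  /* variable name without '$' */
        if (val == NULL || *val == '\0') val = xdg[i][1];
        if (snprintf(tmp, sizeof tmp, "%s%s", val, in + n) >= (int)sizeof tmp) return -1;
        in = tmp;
        break;
    }
    if (in[0] != '~')
        return snprintf(out, outlen, "%s", in) >= (int)outlen ? -1 : 0;
    if (home == NULL || *home == '\0') return -1;
    return snprintf(out, outlen, "%s%s", home, in + 1) >= (int)outlen ? -1 : 0;
}

/* Parse "path perms,path perms,..." (the security.sandbox.unveil.* format). Returns
 * the count, or -1 for a missing permission field, a char outside "rwxc", or overflow. */
static int parse_unveil_list(const char *list, struct unveil_entry *out, size_t max) {
    char buf[4096], *save, *tok, *perms;
    size_t n = 0;
    if (snprintf(buf, sizeof buf, "%s", list) >= (int)sizeof buf) return -1;
    for (tok = strtok_r(buf, ",", &save); tok; tok = strtok_r(NULL, ",", &save)) {
        while (*tok == ' ' || *tok == '\t') tok++;
        if (*tok == '\0') continue;                   /* empty entry, e.g. trailing comma */
        if ((perms = strchr(tok, ' ')) == NULL) return -1;
        *perms++ = '\0';
        while (*perms == ' ') perms++;
        perms[strcspn(perms, " \t")] = '\0';          /* drop trailing whitespace */
        if (*perms == '\0' || strlen(perms) > 4 || strspn(perms, "rwxc") != strlen(perms))
            return -1;
        if (n >= max || expand_prefix(tok, out[n].path, sizeof out[n].path) == -1) return -1;
        snprintf(out[n].perms, sizeof out[n].perms, "%s", perms);
        n++;
    }
    return (int)n;
}

/* Apply the parsed list. On OpenBSD a path that does not exist (ENOENT) is skipped,
 * any other unveil(2) failure is an error, and unveil(NULL, NULL) then locks the view. */
static int apply_unveil_list(const struct unveil_entry *e, size_t n) {
#ifdef __OpenBSD__
    for (size_t i = 0; i < n; i++)
        if (unveil(e[i].path, e[i].perms) == -1 && errno != ENOENT) return -1;
    return unveil(NULL, NULL);
#else
    (void)e; (void)n; return 0;                       /* no-op off OpenBSD */
#endif
}
```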