From: Stuart Henderson
Subject: Re: firefox aarch64 pledge crashes
To: Landry Breuil, ports
Cc: Theo de Raadt
Date: Mon, 23 Sep 2024 22:10:16 +0100

> > On 2024/09/23 20:26, Stuart Henderson wrote:
> > > This is done in a content process:
> > >
> > > firefox(1142): pledge sysctl 2: 7 3
> > > firefox[1142]: pledge "", syscall 202
> > >
> > > Looking at sys/arch/arm64/include/cpu.h I think this translates to
> > > machdep.id_aa64isar1 (I tried running it under ktrace but I just get
> > > very fast-running fans and a frozen machine).

The normal ports version of dav1d uses elf_aux_info (handled by
ld.so/libc so unrestricted by pledge afaik), but the (newer) one
bundled with Firefox has some OpenBSD-specific code added using this
sysctl.

The diff below at least helps with the pledge and, seeing as
CPU_ID_AA64ISAR0 is already permitted, I don't think there's much
reason not to permit CPU_ID_AA64ISAR1 too.

Even with this, Firefox crashes not long afterwards anyway (e.g. if
opening www.theguardian.com) and that doesn't seem BTCFI-related so I
suppose this diff is not urgent for fixing Firefox unless the further
SIGILL problem can be tracked down.

For other software, looking at codesearch.debian.net:

- golang.org/x/sys/cpu/cpu_openbsd_arm64 uses this sysctl too (at least
  in some versions) and some go software is pledged. Not sure how much
  that cpu detect code is exposed though.

- rust library/stdarch/crates/std_detect too; rust code is less likely
  to be pledged itself, but is more likely to find its way into a
  shared library which is then run from a pledged proc. Again not sure
  how much it's exposed.

Still, I think this probably makes sense to allow.

Index: kern_pledge.c =================================================================== RCS file: /cvs/src/sys/kern/kern_pledge.c,v diff -u -p -r1.319 kern_pledge.c --- kern_pledge.c 4 Sep 2024 07:45:08 -0000 1.319 +++ kern_pledge.c 23 Sep 2024 20:46:28 -0000 
@@ -998,6 +998,12 @@ pledge_sysctl(struct proc *p, int miblen return (0); #endif /* CPU_ID_AA64ISAR0 */ +#ifdef CPU_ID_AA64ISAR1 + if (miblen == 2 && /* arm64 firefox/dav1d inspects CPU features */ + mib[0] == CTL_MACHDEP && mib[1] == CPU_ID_AA64ISAR1) + return (0); +#endif /* CPU_ID_AA64ISAR1 */ + snprintf(buf, sizeof(buf), "%s(%d): pledge sysctl %d:", p->p_p->ps_comm, p->p_p->ps_pid, miblen); for (i = 0; i < miblen; i++) {
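
Review bot: The comment on the "miblen == 2" line of the new CPU_ID_AA64ISAR1 block names only firefox/dav1d, while the message above also lists golang.org/x/sys/cpu and Rust's std_detect as users of this sysctl; a caller-neutral comment such as "/* arm64 CPU feature detection */" would describe the exemption more accurately and would not go stale if the Firefox-bundled dav1d changes. The added lines return 0 without testing any promise, and the log line quoted above shows the caller running with pledge "", so this opens the MIB to every pledged process; the commit message should say that this is intended and that it mirrors the CPU_ID_AA64ISAR0 case ending just above. It is also worth checking, before committing, whether the same dav1d/Go/Rust detection paths read further machdep ID entries, so the remaining ones can be handled in this change instead of being discovered one pledge abort at a time.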