Merge pull request #163484 from mweinelt/firefox-rlbox

firefox: enable RLBox sandboxing

pkgs/applications/networking/browsers/firefox/common.nix

@@ -15,7 +15,9 @@
 , rust-cbindgen, nodejs, nasm, fetchpatch
 , gnum4
 , gtk3, wrapGAppsHook
+, pkgsCross
 , debugBuild ? false
+, runCommand
 
 ### optionals
 
@@ -121,6 +123,15 @@ let
                 })
                 else stdenv;
 
+  # Compile the wasm32 sysroot to build the RLBox Sandbox
+  # https://hacks.mozilla.org/2021/12/webassembly-and-back-again-fine-grained-sandboxing-in-firefox-95/
+  # We only link c++ libs here, our compiler wrapper can find wasi libc and crt itself.
+  wasiSysRoot = runCommand "wasi-sysroot" {} ''
+    mkdir -p $out/lib/wasm32-wasi
+    for lib in ${pkgsCross.wasi32.llvmPackages.libcxx}/lib/* ${pkgsCross.wasi32.llvmPackages.libcxxabi}/lib/*; do
+      ln -s $lib $out/lib/wasm32-wasi
+    done
+  '';
 in
 
 buildStdenv.mkDerivation ({
@@ -213,7 +224,11 @@ buildStdenv.mkDerivation ({
     configureScript="$(realpath ./mach) configure"
     export MOZBUILD_STATE_PATH=$(pwd)/mozbuild
 
-  '' + (lib.optionalString googleAPISupport ''
+  '' + (lib.optionalString (lib.versionAtLeast version "95.0") ''
+    # RBox WASM Sandboxing
+    export WASM_CC=${pkgsCross.wasi32.stdenv.cc}/bin/${pkgsCross.wasi32.stdenv.cc.targetPrefix}cc
+    export WASM_CXX=${pkgsCross.wasi32.stdenv.cc}/bin/${pkgsCross.wasi32.stdenv.cc.targetPrefix}c++
+  '') + (lib.optionalString googleAPISupport ''
     # Google API key used by Chromium and Firefox.
     # Note: These are for NixOS/nixpkgs use ONLY. For your own distribution,
     # please get your own set of keys.
@@ -258,6 +273,7 @@ buildStdenv.mkDerivation ({
   ++ lib.optional ltoSupport "--enable-lto=cross" # Cross-language LTO.
   ++ lib.optional (ltoSupport && (buildStdenv.isAarch32 || buildStdenv.isi686 || buildStdenv.isx86_64)) "--disable-elf-hack"
   ++ lib.optional (ltoSupport && !buildStdenv.isDarwin) "--enable-linker=lld"
+  ++ lib.optional (lib.versionAtLeast version "95") "--with-wasi-sysroot=${wasiSysRoot}"
 
   ++ flag alsaSupport "alsa"
   ++ flag pulseaudioSupport "pulseaudio"
@@ -277,7 +293,6 @@ buildStdenv.mkDerivation ({
   ++ lib.optionals enableDebugSymbols [ "--disable-strip" "--disable-install-strip" ]
 
   ++ lib.optional enableOfficialBranding "--enable-official-branding"
-  ++ lib.optional (lib.versionAtLeast version "95") "--without-wasm-sandboxed-libraries"
   ++ extraConfigureFlags;
 
   postConfigure = ''
@@ -356,6 +371,7 @@ buildStdenv.mkDerivation ({
     inherit applicationName;
     inherit tests;
     inherit gtk3;
+    inherit wasiSysRoot;
   } // extraPassthru;
 
   hardeningDisable = [ "format" ]; # -Werror=format-security

pkgs/development/libraries/wasilibc/default.nix

@@ -1,14 +1,27 @@
-{ stdenv, fetchFromGitHub, lib }:
+{ stdenv, buildPackages, fetchFromGitHub, lib }:
 
 stdenv.mkDerivation {
   pname = "wasilibc";
-  version = "20190712";
+  version = "unstable-2021-09-23";
-  src = fetchFromGitHub {
+
-    owner = "CraneStation";
+  src = buildPackages.fetchFromGitHub {
+    owner = "WebAssembly";
     repo = "wasi-libc";
-    rev = "8df0d4cd6a559b58d4a34b738a5a766b567448cf";
+    rev = "ad5133410f66b93a2381db5b542aad5e0964db96";
-    sha256 = "1n4gvgzacpagar2mx8g9950q0brnhwz7jg2q44sa5mnjmlnkiqhh";
+    hash = "sha256-RiIClVXrb18jF9qCt+5iALHPCZKYcnad7JsILHBV0pA=";
+    fetchSubmodules = true;
   };
+
+  # clang-13: error: argument unused during compilation: '-rtlib=compiler-rt' [-Werror,-Wunused-command-line-argument]
+  postPatch = ''
+    substituteInPlace Makefile \
+      --replace "-Werror" ""
+  '';
+
+  preBuild = ''
+    export NIX_CFLAGS_COMPILE="-I$(pwd)/sysroot/include $NIX_CFLAGS_COMPILE"
+  '';
+
   makeFlags = [
     "WASM_CC=${stdenv.cc.targetPrefix}cc"
     "WASM_NM=${stdenv.cc.targetPrefix}nm"
@@ -16,6 +29,8 @@ stdenv.mkDerivation {
     "INSTALL_DIR=${placeholder "out"}"
   ];
 
+  enableParallelBuilding = true;
+
   postInstall = ''
     mv $out/lib/*/* $out/lib
     ln -s $out/share/wasm32-wasi/undefined-symbols.txt $out/lib/wasi.imports
@@ -23,9 +38,9 @@ stdenv.mkDerivation {
 
   meta = with lib; {
     description = "WASI libc implementation for WebAssembly";
-    homepage    = "https://wasi.dev";
+    homepage = "https://wasi.dev";
-    platforms   = platforms.wasi;
+    platforms = platforms.wasi;
-    maintainers = [ maintainers.matthewbauer ];
+    maintainers = with maintainers; [ matthewbauer ];
     license = with licenses; [ asl20 mit llvm-exception ];
   };
 }

pkgs/top-level/all-packages.nix

@@ -12908,7 +12908,7 @@ with pkgs;
       else if platform.isFreeBSD then 7
       else if platform.isAndroid then 12
       else if platform.isLinux then 11
-      else if platform.isWasm then 8
+      else if platform.isWasm then 12
       else latest_version;
     # We take the "max of the mins". Why? Since those are lower bounds of the
     # supported version set, this is like intersecting those sets and then