$OpenBSD: patch-dom_ipc_ContentChild_cpp,v 1.3 2018/09/05 16:19:01 landry Exp $

https://hg.mozilla.org/mozilla-central/rev/8f5c17ac83aa
https://bugzilla.mozilla.org/show_bug.cgi?id=1466593

Index: dom/ipc/ContentChild.cpp
--- dom/ipc/ContentChild.cpp.orig
+++ dom/ipc/ContentChild.cpp
@@ -1745,6 +1745,10 @@ ContentChild::RecvSetProcessSandbox(const MaybeFileDes
   mozilla::SandboxTarget::Instance()->StartSandbox();
 #elif defined(XP_MACOSX)
   sandboxEnabled = StartMacOSContentSandbox();
+#elif defined(__OpenBSD__)
+  sandboxEnabled = StartOpenBSDSandbox(GeckoProcessType_Content);
+  /* dont overwrite an existing session dbus address, but ensure it is set */
+  setenv("DBUS_SESSION_BUS_ADDRESS","",0);
 #endif
 
   CrashReporter::AnnotateCrashReport(
@@ -3810,6 +3814,55 @@ ContentChild::OnMessageReceived(const Message& aMsg, M
 #endif
 
 } // namespace dom
+
+#if defined(__OpenBSD__) && defined(MOZ_CONTENT_SANDBOX)
+#include <unistd.h>
+
+static LazyLogModule sPledgeLog("SandboxPledge");
+
+bool
+StartOpenBSDSandbox(GeckoProcessType type)
+{
+  nsAutoCString promisesString;
+  nsAutoCString processTypeString;
+
+  switch (type) {
+    case GeckoProcessType_Default:
+      processTypeString = "main";
+      Preferences::GetCString("security.sandbox.pledge.main",
+                              promisesString);
+      break;
+
+    case GeckoProcessType_Content:
+      processTypeString = "content";
+      Preferences::GetCString("security.sandbox.pledge.content",
+                              promisesString);
+      break;
+
+    default:
+      MOZ_ASSERT(false, "unknown process type");
+      return false;
+  };
+
+  if (pledge(promisesString.get(), NULL) == -1) {
+    if (errno == EINVAL) {
+        MOZ_LOG(sPledgeLog, LogLevel::Error,
+               ("pledge promises for %s process is a malformed string: '%s'\n",
+                processTypeString.get(), promisesString.get()));
+    } else if (errno == EPERM) {
+        MOZ_LOG(sPledgeLog, LogLevel::Error,
+               ("pledge promises for %s process can't elevate priviledges: '%s'\n",
+                processTypeString.get(), promisesString.get()));
+    }
+    return false;
+  } else {
+      MOZ_LOG(sPledgeLog, LogLevel::Debug,
+             ("pledged %s process with promises: '%s'\n",
+              processTypeString.get(), promisesString.get()));
+  }
+  return true;
+}
+#endif
 
 #if !defined(XP_WIN)
 bool IsDevelopmentBuild()
