diff --git a/Dockerfile b/Dockerfile
index 677ec82..19e9690 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -4,6 +4,14 @@
# https://github.com/jlesage/docker-firefox
#
+# Build the membarrier check tool.
+FROM alpine:3.12
+WORKDIR /tmp
+COPY membarrier_check.c .
+RUN apk --no-cache add build-base linux-headers
+RUN gcc -static -o membarrier_check membarrier_check.c
+RUN strip membarrier_check
+
# Pull base image.
FROM jlesage/baseimage-gui:alpine-3.10-v3.5.3
@@ -93,7 +101,7 @@ RUN \
RUN \
add-pkg yad && \
sed-patch 's|LOG_FILES=|LOG_FILES=/config/log/firefox/error.log|' /etc/logmonitor/logmonitor.conf && \
- sed-patch 's|STATUS_FILES=|STATUS_FILES=/tmp/.firefox_shm_check|' /etc/logmonitor/logmonitor.conf
+ sed-patch 's|STATUS_FILES=|STATUS_FILES=/tmp/.firefox_shm_check,/tmp/.firefox_membarrier_check|' /etc/logmonitor/logmonitor.conf
# Adjust the openbox config.
RUN \
@@ -111,6 +119,7 @@ RUN \
# Add files.
COPY rootfs/ /
+COPY --from=0 /tmp/membarrier_check /usr/bin/
# Set environment variables.
ENV APP_NAME="Firefox"
diff --git a/README.md b/README.md
index 765579c..04f3283 100644
--- a/README.md
+++ b/README.md
@@ -38,6 +38,7 @@ Mozilla Firefox is a free and open-source web browser developed by Mozilla Found
* [Routing Based on URL Path](#routing-based-on-url-path)
* [Shell Access](#shell-access)
* [Increasing Shared Memory Size](#increasing-shared-memory-size)
+ * [Allowing the membarrier System Call](#allowing-the-membarrier-system-call)
* [Sound Support](#sound-support)
* [Setting Firefox Preferences Via Environment Variables](#setting-firefox-preferences-via-environment-variables)
* [Troubleshooting](#troubleshooting)
@@ -456,6 +457,27 @@ size of `/dev/shm` can be done via two method:
- By using shared memory of the host, by mapping `/dev/shm` via the parameter
`-v /dev/shm:/dev/shm` of the `docker run` command.
+## Allowing the membarrier System Call
+
+To properly work, recent versions of Firefox need the
+`membarrier` system call. Without it, tabs would frequently crash.
+
+Docker uses [seccomp profile] to restrict system calls available to the
+container. Before Docker version `20.03.0`, the `membarrier` system call was
+not allowed in the default profile. If you run a such version, you can use one
+of the following solutions, from the most to the least secure, to provide the
+container permission to use this sytem call:
+
+ 1. Run the container with a custom seccomp profile allowing the `membarrier`
+ system call. The [latest official seccomp profile] can be used. Download
+ the file and then add the following parameter when creating the container:
+ `--security-opt seccomp=/path/to/seccomp_profile.json`.
+ 2. Run the container without the default seccomp profile (thus allowing all
+ system calls). Use the following parameter when creating the container:
+ `--security-opt seccomp=unconfined`.
+ 3. Run the container in privileged mode. This effectively disables usage of
+ seccomp. Add the `--privileged` parameter when creating the container.
+
## Sound Support
For Firefox to be able to use the audio device available on
@@ -477,6 +499,7 @@ its value. A value can be one of the following types:
- string
- integer
- boolean
+
It is important to note that a value of type `string` should be surrounded by
double quotes. Other types don't need them.
@@ -502,13 +525,18 @@ via Firefox directly.
### Crashes
-If Firefox is crashing frequently, make sure the size of
-the shared memory located at `/dev/shm` has been increased. See
-[Increasing Shared Memory Size](#increasing-shared-memory-size) section for more
-details.
+If Firefox is crashing frequently, make sure that:
+ - The size of the shared memory located at `/dev/shm` has been increased. See
+ the [Increasing Shared Memory Size](#increasing-shared-memory-size) section
+ for more details.
+ - The `membarrier` system call is not blocked by Docker. See the
+ [Allowing the membarrier System Call](#allowing-the-membarrier-system-call)
+ for more details.
[TimeZone]: http://en.wikipedia.org/wiki/List_of_tz_database_time_zones
[here]: https://bugzilla.mozilla.org/show_bug.cgi?id=1338771#c10
+[seccomp profile]: https://docs.docker.com/engine/security/seccomp/
+[latest official seccomp profile]: https://github.com/moby/moby/blob/master/profiles/seccomp/default.json
## Support or Contact
diff --git a/appdefs.xml b/appdefs.xml
index 34b8321..d68f0c0 100644
--- a/appdefs.xml
+++ b/appdefs.xml
@@ -41,14 +41,37 @@ size of `/dev/shm` can be done via two method:
`-v /dev/shm:/dev/shm` of the `docker run` command.
-
- Sound Support
-
+
+ Allowing the membarrier System Call
+
+To properly work, recent versions of {{ defs.app.friendly_name }} need the
+`membarrier` system call. Without it, tabs would frequently crash.
+
+Docker uses [seccomp profile] to restrict system calls available to the
+container. Before Docker version `20.03.0`, the `membarrier` system call was
+not allowed in the default profile. If you run a such version, you can use one
+of the following solutions, from the most to the least secure, to provide the
+container permission to use this sytem call:
+
+ 1. Run the container with a custom seccomp profile allowing the `membarrier`
+ system call. The [latest official seccomp profile] can be used. Download
+ the file and then add the following parameter when creating the container:
+ `--security-opt seccomp=/path/to/seccomp_profile.json`.
+ 2. Run the container without the default seccomp profile (thus allowing all
+ system calls). Use the following parameter when creating the container:
+ `--security-opt seccomp=unconfined`.
+ 3. Run the container in privileged mode. This effectively disables usage of
+ seccomp. Add the `--privileged` parameter when creating the container.
+
+
+
+ Sound Support
+
For {{ defs.app.friendly_name }} to be able to use the audio device available on
the host, `/dev/snd` must be exposed to the container by adding the
`--device /dev/snd` parameter to the `docker run` command.
-
-
+
+ Setting {{ defs.app.friendly_name }} Preferences Via Environment Variables
@@ -95,16 +118,27 @@ via {{ defs.app.friendly_name }} directly.
Crashes
-If {{ defs.app.friendly_name }} is crashing frequently, make sure the size of
-the shared memory located at `/dev/shm` has been increased. See
-[Increasing Shared Memory Size](#increasing-shared-memory-size) section for more
-details.
+If {{ defs.app.friendly_name }} is crashing frequently, make sure that:
+ - The size of the shared memory located at `/dev/shm` has been increased. See
+ the [Increasing Shared Memory Size](#increasing-shared-memory-size) section
+ for more details.
+ - The `membarrier` system call is not blocked by Docker. See the
+ [Allowing the membarrier System Call](#allowing-the-membarrier-system-call)
+ for more details.
herehttps://bugzilla.mozilla.org/show_bug.cgi?id=1338771#c10
+
+ seccomp profile
+ https://docs.docker.com/engine/security/seccomp/
+
+
+ latest official seccomp profile
+ https://github.com/moby/moby/blob/master/profiles/seccomp/default.json
+
diff --git a/membarrier_check.c b/membarrier_check.c
new file mode 100644
index 0000000..7027d5e
--- /dev/null
+++ b/membarrier_check.c
@@ -0,0 +1,14 @@
+#include
+#include
+#include
+#include
+
+int main()
+{
+ int rc = membarrier(MEMBARRIER_CMD_QUERY, 0);
+ if (rc < 0) {
+ perror("membarrier");
+ exit(EXIT_FAILURE);
+ }
+ exit(EXIT_SUCCESS);
+}
diff --git a/rootfs/etc/cont-init.d/firefox.sh b/rootfs/etc/cont-init.d/firefox.sh
index 660a5e5..ef1336d 100755
--- a/rootfs/etc/cont-init.d/firefox.sh
+++ b/rootfs/etc/cont-init.d/firefox.sh
@@ -25,6 +25,12 @@ else
echo 'PASS' > /tmp/.firefox_shm_check
fi
+if /usr/bin/membarrier_check 2>/dev/null; then
+ echo 'MEMBARRIER_CHECK_PASS' > /tmp/.firefox_membarrier_check
+else
+ echo 'MEMBARRIER_CHECK_FAIL' > /tmp/.firefox_membarrier_check
+fi
+
# Clean/optimize Firefox databases.
#if [ -d /config/.mozilla/firefox ] && [ -d /config/profile ]; then
# [ -f /config/.mozilla/firefox/profiles.ini ] || cp /defaults/profiles.ini /config/.mozilla/firefox/
diff --git a/rootfs/etc/logmonitor/notifications.d/membarrier/desc b/rootfs/etc/logmonitor/notifications.d/membarrier/desc
new file mode 100755
index 0000000..70f9767
--- /dev/null
+++ b/rootfs/etc/logmonitor/notifications.d/membarrier/desc
@@ -0,0 +1,2 @@
+#!/usr/bin/with-contenv sh
+echo "$APP_NAME is likely to crash because it requires the membarrier system call. See the documentation of this Docker container to find out how this system call can be allowed."
diff --git a/rootfs/etc/logmonitor/notifications.d/membarrier/filter b/rootfs/etc/logmonitor/notifications.d/membarrier/filter
new file mode 100755
index 0000000..9d76b41
--- /dev/null
+++ b/rootfs/etc/logmonitor/notifications.d/membarrier/filter
@@ -0,0 +1,16 @@
+#!/bin/sh
+
+set -e # Exit immediately if a command exits with a non-zero status.
+set -u # Treat unset variables as an error.
+
+LINE="$1"
+
+if [ "$LINE" = "MEMBARRIER_CHECK_FAIL" ]; then
+ echo 'MEMBARRIER_CHECK_ACK' > /tmp/.firefox_membarrier_check
+ exit 0
+fi
+
+# No match found.
+exit 1
+
+# vim: set ft=sh :
diff --git a/rootfs/etc/logmonitor/notifications.d/membarrier/level b/rootfs/etc/logmonitor/notifications.d/membarrier/level
new file mode 100644
index 0000000..e2500fa
--- /dev/null
+++ b/rootfs/etc/logmonitor/notifications.d/membarrier/level
@@ -0,0 +1 @@
+WARNING
diff --git a/rootfs/etc/logmonitor/notifications.d/membarrier/title b/rootfs/etc/logmonitor/notifications.d/membarrier/title
new file mode 100755
index 0000000..fd47e05
--- /dev/null
+++ b/rootfs/etc/logmonitor/notifications.d/membarrier/title
@@ -0,0 +1,2 @@
+#!/usr/bin/with-contenv sh
+echo "$APP_NAME requires the membarrier system call."