Added check for the membarrier system call. Also added documentation about the new requirement.

Dockerfile

@@ -4,6 +4,14 @@
 # https://github.com/jlesage/docker-firefox
 #
 
+# Build the membarrier check tool.
+FROM alpine:3.12
+WORKDIR /tmp
+COPY membarrier_check.c .
+RUN apk --no-cache add build-base linux-headers
+RUN gcc -static -o membarrier_check membarrier_check.c
+RUN strip membarrier_check
+
 # Pull base image.
 FROM jlesage/baseimage-gui:alpine-3.10-v3.5.3
 
@@ -93,7 +101,7 @@ RUN \
 RUN \
     add-pkg yad && \
     sed-patch 's|LOG_FILES=|LOG_FILES=/config/log/firefox/error.log|' /etc/logmonitor/logmonitor.conf && \
-    sed-patch 's|STATUS_FILES=|STATUS_FILES=/tmp/.firefox_shm_check|' /etc/logmonitor/logmonitor.conf
+    sed-patch 's|STATUS_FILES=|STATUS_FILES=/tmp/.firefox_shm_check,/tmp/.firefox_membarrier_check|' /etc/logmonitor/logmonitor.conf
 
 # Adjust the openbox config.
 RUN \
@@ -111,6 +119,7 @@ RUN \
 
 # Add files.
 COPY rootfs/ /
+COPY --from=0 /tmp/membarrier_check /usr/bin/
 
 # Set environment variables.
 ENV APP_NAME="Firefox"

README.md

@@ -38,6 +38,7 @@ Mozilla Firefox is a free and open-source web browser developed by Mozilla Found
          * [Routing Based on URL Path](#routing-based-on-url-path)
       * [Shell Access](#shell-access)
       * [Increasing Shared Memory Size](#increasing-shared-memory-size)
+      * [Allowing the membarrier System Call](#allowing-the-membarrier-system-call)
       * [Sound Support](#sound-support)
       * [Setting Firefox Preferences Via Environment Variables](#setting-firefox-preferences-via-environment-variables)
       * [Troubleshooting](#troubleshooting)
@@ -456,6 +457,27 @@ size of `/dev/shm` can be done via two method:
   - By using shared memory of the host, by mapping `/dev/shm` via the parameter
     `-v /dev/shm:/dev/shm` of the `docker run` command.
 
+## Allowing the membarrier System Call
+
+To properly work, recent versions of Firefox need the
+`membarrier` system call.  Without it, tabs would frequently crash.
+
+Docker uses [seccomp profile] to restrict system calls available to the
+container.  Before Docker version `20.03.0`, the `membarrier` system call was
+not allowed in the default profile.  If you run a such version, you can use one
+of the following solutions, from the most to the least secure, to provide the
+container permission to use this sytem call:
+
+  1. Run the container with a custom seccomp profile allowing the `membarrier`
+     system call.  The [latest official seccomp profile] can be used.  Download
+     the file and then add the following parameter when creating the container:
+     `--security-opt seccomp=/path/to/seccomp_profile.json`.
+  2. Run the container without the default seccomp profile (thus allowing all
+     system calls). Use the following parameter when creating the container:
+     `--security-opt seccomp=unconfined`.
+  3. Run the container in privileged mode.  This effectively disables usage of
+     seccomp.  Add the `--privileged` parameter when creating the container.
+
 ## Sound Support
 
 For Firefox to be able to use the audio device available on
@@ -477,6 +499,7 @@ its value.  A value can be one of the following types:
   - string
   - integer
   - boolean
+
 It is important to note that a value of type `string` should be surrounded by
 double quotes.  Other types don't need them.
 
@@ -502,13 +525,18 @@ via Firefox directly.
 
 ### Crashes
 
-If Firefox is crashing frequently, make sure the size of
+If Firefox is crashing frequently, make sure that:
-the shared memory located at `/dev/shm` has been increased.  See
+  - The size of the shared memory located at `/dev/shm` has been increased.  See
-[Increasing Shared Memory Size](#increasing-shared-memory-size) section for more
+    the [Increasing Shared Memory Size](#increasing-shared-memory-size) section
-details.
+    for more details.
+  - The `membarrier` system call is not blocked by Docker.  See the
+    [Allowing the membarrier System Call](#allowing-the-membarrier-system-call)
+    for more details.
 
 [TimeZone]: http://en.wikipedia.org/wiki/List_of_tz_database_time_zones
 [here]: https://bugzilla.mozilla.org/show_bug.cgi?id=1338771#c10
+[seccomp profile]: https://docs.docker.com/engine/security/seccomp/
+[latest official seccomp profile]: https://github.com/moby/moby/blob/master/profiles/seccomp/default.json
 
 ## Support or Contact
 

appdefs.xml

@@ -41,14 +41,37 @@ size of `/dev/shm` can be done via two method:
     `-v /dev/shm:/dev/shm` of the `docker run` command.
         </content>
       </section>
-    <section>
+      <section>
-      <title level="2">Sound Support</title>
+        <title level="2">Allowing the membarrier System Call</title>
-      <content>
+        <content>
+To properly work, recent versions of {{ defs.app.friendly_name }} need the
+`membarrier` system call.  Without it, tabs would frequently crash.
+
+Docker uses [seccomp profile] to restrict system calls available to the
+container.  Before Docker version `20.03.0`, the `membarrier` system call was
+not allowed in the default profile.  If you run a such version, you can use one
+of the following solutions, from the most to the least secure, to provide the
+container permission to use this sytem call:
+
+  1. Run the container with a custom seccomp profile allowing the `membarrier`
+     system call.  The [latest official seccomp profile] can be used.  Download
+     the file and then add the following parameter when creating the container:
+     `--security-opt seccomp=/path/to/seccomp_profile.json`.
+  2. Run the container without the default seccomp profile (thus allowing all
+     system calls). Use the following parameter when creating the container:
+     `--security-opt seccomp=unconfined`.
+  3. Run the container in privileged mode.  This effectively disables usage of
+     seccomp.  Add the `--privileged` parameter when creating the container.
+        </content>
+      </section>
+      <section>
+        <title level="2">Sound Support</title>
+          <content>
 For {{ defs.app.friendly_name }} to be able to use the audio device available on
 the host, `/dev/snd` must be exposed to the container by adding the
 `--device /dev/snd` parameter to the `docker run` command.
-      </content>
+          </content>
-    </section>
+      </section>
       <section>
         <title level="2">Setting {{ defs.app.friendly_name }} Preferences Via Environment Variables</title>
         <content>
@@ -95,16 +118,27 @@ via {{ defs.app.friendly_name }} directly.
       <section>
         <title level="3">Crashes</title>
         <content>
-If {{ defs.app.friendly_name }} is crashing frequently, make sure the size of
+If {{ defs.app.friendly_name }} is crashing frequently, make sure that:
-the shared memory located at `/dev/shm` has been increased.  See
+  - The size of the shared memory located at `/dev/shm` has been increased.  See
-[Increasing Shared Memory Size](#increasing-shared-memory-size) section for more
+    the [Increasing Shared Memory Size](#increasing-shared-memory-size) section
-details.
+    for more details.
+  - The `membarrier` system call is not blocked by Docker.  See the
+    [Allowing the membarrier System Call](#allowing-the-membarrier-system-call)
+    for more details.
         </content>
       </section>
       <link>
         <name>here</name>
         <url>https://bugzilla.mozilla.org/show_bug.cgi?id=1338771#c10</url>
       </link>
+      <link>
+        <name>seccomp profile</name>
+        <url>https://docs.docker.com/engine/security/seccomp/</url>
+      </link>
+      <link>
+        <name>latest official seccomp profile</name>
+        <url>https://github.com/moby/moby/blob/master/profiles/seccomp/default.json</url>
+      </link>
     </documentation>
     <!-- Changelog of the application. -->
     <history>

membarrier_check.c

@@ -0,0 +1,14 @@
+#include <stdlib.h>
+#include <stdio.h>
+#include <linux/membarrier.h>
+#include <sys/membarrier.h>
+
+int main()
+{
+    int rc = membarrier(MEMBARRIER_CMD_QUERY, 0);
+    if (rc < 0) {
+        perror("membarrier");
+        exit(EXIT_FAILURE);
+    }
+    exit(EXIT_SUCCESS);
+}

rootfs/etc/cont-init.d/firefox.sh

@@ -25,6 +25,12 @@ else
    echo 'PASS' > /tmp/.firefox_shm_check
 fi
 
+if /usr/bin/membarrier_check 2>/dev/null; then
+   echo 'MEMBARRIER_CHECK_PASS' > /tmp/.firefox_membarrier_check
+else
+   echo 'MEMBARRIER_CHECK_FAIL' > /tmp/.firefox_membarrier_check
+fi
+
 # Clean/optimize Firefox databases.
 #if [ -d /config/.mozilla/firefox ] && [ -d /config/profile ]; then
 #    [ -f /config/.mozilla/firefox/profiles.ini ] || cp /defaults/profiles.ini /config/.mozilla/firefox/

rootfs/etc/logmonitor/notifications.d/membarrier/desc

@@ -0,0 +1,2 @@
+#!/usr/bin/with-contenv sh
+echo "$APP_NAME is likely to crash because it requires the membarrier system call.  See the documentation of this Docker container to find out how this system call can be allowed."

rootfs/etc/logmonitor/notifications.d/membarrier/filter

@@ -0,0 +1,16 @@
+#!/bin/sh
+
+set -e # Exit immediately if a command exits with a non-zero status.
+set -u # Treat unset variables as an error.
+
+LINE="$1"
+
+if [ "$LINE" = "MEMBARRIER_CHECK_FAIL" ]; then
+    echo 'MEMBARRIER_CHECK_ACK' > /tmp/.firefox_membarrier_check
+    exit 0
+fi
+
+# No match found.
+exit 1
+
+# vim: set ft=sh :

rootfs/etc/logmonitor/notifications.d/membarrier/level

@@ -0,0 +1 @@
+WARNING

rootfs/etc/logmonitor/notifications.d/membarrier/title

@@ -0,0 +1,2 @@
+#!/usr/bin/with-contenv sh
+echo "$APP_NAME requires the membarrier system call."