configure: default to --with-system-nss on Linux

NSS is very ABI compatible and part of current LSB 5.0 and so it should
just work to use the one from the system, i'm not aware of a Linux that
doesn't ship it.

There used to be some feature patch in external/nss but this was removed
years ago, now it just contains build fixes.

Problems can occur if a mixture of system and bundled NSS libraries is
loaded, if first an old version .so is loaded and then newer version .so
depends on it but can't find some required symbol.

See for example:
https://www.mail-archive.com/libreoffice@lists.freedesktop.org/msg287043.html

Another issue is that e.g. Fedora ships libnsspem.so in the nss-pem
package, which may cause trouble in ASAN builds, where the internal NSS
is built to call __asan_poison_memory_region but the system
libnss-pem.so doesn't call __asan_unpoison_memory_region so we get:

  ==2568944==ERROR: AddressSanitizer: use-after-poison on address 0x61d0019afab0
  WRITE of size 192 at 0x61d0019afab0 thread T28 (utl::Moderator)
    0 in __interceptor_memset.part.0 (instdir/program/soffice.bin+0x466460)
    1  (/lib64/libnsspem.so+0x15f3d)
    2  (/lib64/libnsspem.so+0x16185)
    3  (/lib64/libnsspem.so+0x8a9b)
    4  (/lib64/libnsspem.so+0xe13b)
    5 in secmod_ModuleInit workdir/UnpackedTarball/nss/nss/lib/pk11wrap/pk11load.c:244:11
    ..
    21 in curl_easy_perform workdir/UnpackedTarball/curl/lib/easy.c:715:10

Also, with system NSS, things like p11-kit integration become
responsibility of the OS.

Change-Id: I50caedd46914dd5d6905c5d32d44a599cd78119e
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/120388
Tested-by: Jenkins
Reviewed-by: Michael Stahl <michael.stahl@allotropia.de>

bin/check-elf-dynamic-objects

@@ -88,7 +88,7 @@ programfiles=$(echo ${files} | grep -o '/program/[^/]* ' | xargs -n 1 basename)
 # of maintaining ABI stability
 # allow extending the allowlist using the environment variable to be able to work
 # on the installer stuff without the need for a baseline setup
-globalallowlist="ld-linux-x86-64.so.2 ld-linux.so.2 libc.so.6 libm.so.6 libdl.so.2 libpthread.so.0 librt.so.1 libutil.so.1 libnsl.so.1 libcrypt.so.1 libgcc_s.so.1 libstdc++.so.6 libz.so.1 libfontconfig.so.1 libfreetype.so.6 libxml2.so.2 libxslt.so.1 libexslt.so.0 ${LO_ELFCHECK_ALLOWLIST-}"
+globalallowlist="ld-linux-x86-64.so.2 ld-linux.so.2 libc.so.6 libm.so.6 libdl.so.2 libpthread.so.0 librt.so.1 libutil.so.1 libnsl.so.1 libcrypt.so.1 libgcc_s.so.1 libstdc++.so.6 libz.so.1 libfontconfig.so.1 libfreetype.so.6 libxml2.so.2 libxslt.so.1 libexslt.so.0 libnspr4.so libnss3.so libnssutil3.so libplc4.so libplds4.so libsmime3.so libssl3.so ${LO_ELFCHECK_ALLOWLIST-}"
 x11allowlist="libX11.so.6 libX11-xcb.so.1 libXext.so.6 libSM.so.6 libICE.so.6 libXinerama.so.1 libXrender.so.1 libXrandr.so.2 libcairo.so.2"
 openglallowlist="libGL.so.1"
 gobjectallowlist="libgobject-2.0.so.0 libglib-2.0.so.0"

configure.ac

@@ -10591,7 +10591,7 @@ dnl ===================================================================
 dnl Check for system NSS
 dnl ===================================================================
 if test "$enable_fuzzers" != "yes" -a "$enable_nss" = "yes"; then
-    libo_CHECK_SYSTEM_MODULE([nss],[NSS],[nss >= 3.9.3 nspr >= 4.8])
+    libo_CHECK_SYSTEM_MODULE([nss],[NSS],[nss >= 3.9.3 nspr >= 4.8],,system-if-linux)
     AC_DEFINE(HAVE_FEATURE_NSS)
     ENABLE_NSS=TRUE
 elif test $_os != iOS ; then

m4/libo_externals.m4

@@ -10,11 +10,11 @@ dnl -*- Mode: Autoconf; tab-width: 4; indent-tabs-mode: nil; fill-column: 102 -*
 # <$2 uppercase variable part - used for configure.ac and make variables>
 # <$3 pkg-config query string>
 # [$4 if optional, default to: enabled, disabled or fixed (default: fixed)]
-# [$5 which is preferred: (fixed-|test-)system or (fixed-)internal (default: internal)]
+# [$5 which is preferred: (fixed-|test-)system or (fixed-)internal or system-if-linux (default: internal)]
 # [$6 ignore $with_system_libs: TRUE or blank (default: blank/false)]
 #
 # $4 fixed: fixed-enabled, as fixed-disabled makes no sense.
-# $5 test-system: follows $test_system_$1, ignors $with_system_libs; no configure switch
+# $5 test-system: follows $test_system_$1, ignores $with_system_libs; no configure switch
 #
 # Used configure.ac variables:
 #  - $2_(CFLAGS|LIBS)_internal: must be filled to match the internal build
@@ -71,9 +71,20 @@ m4_if(
         with_system_$1=yes
     ],[$5],[fixed-internal],[
         with_system_$1=no
+    ],[$5],[system-if-linux],[
+        AC_ARG_WITH(system-$1,
+            AS_HELP_STRING([--with-system-$1],[Use $1 from the operating system.]),
+        ,[case "$_os" in
+            Linux)
+                with_system_nss=yes
+            ;;
+            *)
+                with_system_nss=no
+            ;;
+          esac])
     ],[
         m4_if([$5],[internal],,[m4_ifnblank([$5],
-              [m4_fatal([$$5 ($5) must be "(fixed-|test-)system", "(fixed-)internal" or empty (=internal)])])])
+              [m4_fatal([$$5 ($5) must be "(fixed-|test-)system", "(fixed-)internal", "system-if-linux" or empty (=internal)])])])
         AC_ARG_WITH(system-$1,
             AS_HELP_STRING([--with-system-$1],[Use $1 from the operating system.]),
         ,[csm_default_with($1,no,$6)])