diff options
Diffstat (limited to 'community/chromium/musl-sandbox.patch')
-rw-r--r-- | community/chromium/musl-sandbox.patch | 116 |
1 files changed, 32 insertions, 84 deletions
diff --git a/community/chromium/musl-sandbox.patch b/community/chromium/musl-sandbox.patch index 4fe0098cd2b..52c3b210503 100644 --- a/community/chromium/musl-sandbox.patch +++ b/community/chromium/musl-sandbox.patch @@ -1,3 +1,6 @@ +musl uses different syscalls from glibc for some functions, so the sandbox has +to account for that +-- diff --git a/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc ./sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc index ff5a1c0..da56b9b 100644 --- a/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc @@ -75,38 +78,10 @@ index d9d1882..0567557 100644 case __NR_msync: case __NR_munlockall: case __NR_readahead: -diff --git a/sandbox/linux/system_headers/arm64_linux_syscalls.h ./sandbox/linux/system_headers/arm64_linux_syscalls.h -index 59d0eab..7ae7002 100644 ---- a/sandbox/linux/system_headers/arm64_linux_syscalls.h -+++ ./sandbox/linux/system_headers/arm64_linux_syscalls.h -@@ -1063,4 +1063,8 @@ - #define __NR_memfd_create 279 - #endif - -+#if !defined(__NR_membarrier) -+#define __NR_membarrier 283 -+#endif -+ - #endif // SANDBOX_LINUX_SYSTEM_HEADERS_ARM64_LINUX_SYSCALLS_H_ -diff --git a/sandbox/linux/system_headers/arm_linux_syscalls.h ./sandbox/linux/system_headers/arm_linux_syscalls.h -index 1addd53..7843b5e 100644 ---- a/sandbox/linux/system_headers/arm_linux_syscalls.h -+++ ./sandbox/linux/system_headers/arm_linux_syscalls.h -@@ -1385,6 +1385,10 @@ - #define __NR_memfd_create (__NR_SYSCALL_BASE+385) - #endif - -+#if !defined(__NR_membarrier) -+#define __NR_membarrier (__NR_SYSCALL_BASE+389) -+#endif -+ - // ARM private syscalls. - #if !defined(__ARM_NR_BASE) - #define __ARM_NR_BASE (__NR_SYSCALL_BASE + 0xF0000) diff --git a/sandbox/linux/system_headers/linux_syscalls.h ./sandbox/linux/system_headers/linux_syscalls.h index 2b78a0c..b6fedb5 100644 --- a/sandbox/linux/system_headers/linux_syscalls.h -+++ ./sandbox/linux/system_headers/linux_syscalls.h ++++ b/sandbox/linux/system_headers/linux_syscalls.h @@ -10,6 +10,7 @@ #define SANDBOX_LINUX_SYSTEM_HEADERS_LINUX_SYSCALLS_H_ @@ -115,62 +90,35 @@ index 2b78a0c..b6fedb5 100644 #if defined(__x86_64__) #include "sandbox/linux/system_headers/x86_64_linux_syscalls.h" -diff --git a/sandbox/linux/system_headers/mips64_linux_syscalls.h ./sandbox/linux/system_headers/mips64_linux_syscalls.h -index ec75815..5515270 100644 ---- a/sandbox/linux/system_headers/mips64_linux_syscalls.h -+++ ./sandbox/linux/system_headers/mips64_linux_syscalls.h -@@ -1271,4 +1271,8 @@ - #define __NR_memfd_create (__NR_Linux + 314) - #endif - -+#if !defined(__NR_membarrier) -+#define __NR_membarrier (__NR_Linux 318) -+#endif -+ - #endif // SANDBOX_LINUX_SYSTEM_HEADERS_MIPS64_LINUX_SYSCALLS_H_ -diff --git a/sandbox/linux/system_headers/mips_linux_syscalls.h ./sandbox/linux/system_headers/mips_linux_syscalls.h -index ddbf97f..ad3d64b 100644 ---- a/sandbox/linux/system_headers/mips_linux_syscalls.h -+++ ./sandbox/linux/system_headers/mips_linux_syscalls.h -@@ -1433,4 +1433,8 @@ - #define __NR_memfd_create (__NR_Linux + 354) - #endif - -+#if !defined(__NR_membarrier) -+#define __NR_membarrier (__NR_Linux 358) -+#endif -+ - #endif // SANDBOX_LINUX_SYSTEM_HEADERS_MIPS_LINUX_SYSCALLS_H_ -diff --git a/sandbox/linux/system_headers/x86_64_linux_syscalls.h ./sandbox/linux/system_headers/x86_64_linux_syscalls.h -index b0ae0a2..8b12029 100644 ---- a/sandbox/linux/system_headers/x86_64_linux_syscalls.h -+++ ./sandbox/linux/system_headers/x86_64_linux_syscalls.h -@@ -1350,5 +1350,9 @@ - #define __NR_rseq 334 - #endif - -+#if !defined(__NR_membarrier) -+#define __NR_membarrier 324 -+#endif -+ - #endif // SANDBOX_LINUX_SYSTEM_HEADERS_X86_64_LINUX_SYSCALLS_H_ - -diff --git a/services/service_manager/sandbox/linux/bpf_renderer_policy_linux.cc ./services/service_manager/sandbox/linux/bpf_renderer_policy_linux.cc -index a85c0ea..715aa1e 100644 --- a/sandbox/policy/linux/bpf_renderer_policy_linux.cc -+++ ./sandbox/policy/linux/bpf_renderer_policy_linux.cc -@@ -93,11 +93,11 @@ ++++ b/sandbox/policy/linux/bpf_renderer_policy_linux.cc +@@ -94,6 +94,9 @@ + case __NR_pwrite64: + case __NR_sched_get_priority_max: + case __NR_sched_get_priority_min: ++ case __NR_sched_getparam: ++ case __NR_sched_getscheduler: ++ case __NR_sched_setscheduler: case __NR_sysinfo: case __NR_times: case __NR_uname: -- return Allow(); -- case __NR_sched_getaffinity: - case __NR_sched_getparam: - case __NR_sched_getscheduler: - case __NR_sched_setscheduler: -+ return Allow(); -+ case __NR_sched_getaffinity: - return RestrictSchedTarget(GetPolicyPid(), sysno); - case __NR_prlimit64: - // See crbug.com/662450 and setrlimit comment above. - +--- a/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc ++++ b/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc +@@ -225,10 +225,15 @@ + if (sysno == __NR_getpriority || sysno ==__NR_setpriority) + return RestrictGetSetpriority(current_pid); + ++ // XXX: hacks for musl sandbox, calls needed? ++ if (sysno == __NR_sched_getparam || sysno == __NR_sched_getscheduler || ++ sysno == __NR_sched_setscheduler) { ++ return Allow(); ++ } ++ + // The scheduling syscalls are used in threading libraries and also heavily in + // abseil. See for example https://crbug.com/1370394. +- if (sysno == __NR_sched_getaffinity || sysno == __NR_sched_getparam || +- sysno == __NR_sched_getscheduler || sysno == __NR_sched_setscheduler) { ++ if (sysno == __NR_sched_getaffinity) { + return RestrictSchedTarget(current_pid, sysno); + } + |