aboutsummaryrefslogtreecommitdiffstats
path: root/community/chromium/musl-sandbox.patch
diff options
context:
space:
mode:
Diffstat (limited to 'community/chromium/musl-sandbox.patch')
-rw-r--r--community/chromium/musl-sandbox.patch156
1 files changed, 52 insertions, 104 deletions
diff --git a/community/chromium/musl-sandbox.patch b/community/chromium/musl-sandbox.patch
index f485f6cc75a..52c3b210503 100644
--- a/community/chromium/musl-sandbox.patch
+++ b/community/chromium/musl-sandbox.patch
@@ -1,6 +1,9 @@
-diff --git a/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc b/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc
-index 348ab6e..4550f9e 100644
---- ./sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc
+musl uses different syscalls from glibc for some functions, so the sandbox has
+to account for that
+--
+diff --git a/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc ./sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc
+index ff5a1c0..da56b9b 100644
+--- a/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc
+++ ./sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc
@@ -139,21 +139,11 @@ namespace sandbox {
// present (as in newer versions of posix_spawn).
@@ -38,11 +41,11 @@ index 348ab6e..4550f9e 100644
.ElseIf(is_fork_or_clone_vfork, Error(EPERM))
.Else(CrashSIGSYSClone());
}
-diff --git a/sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc b/sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc
-index 7dbcc87..589262f 100644
---- ./sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc
+diff --git a/sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc ./sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc
+index d9d1882..0567557 100644
+--- a/sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc
+++ ./sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc
-@@ -391,6 +391,7 @@ bool SyscallSets::IsAllowedProcessStartOrDeath(int sysno) {
+@@ -392,6 +392,7 @@ bool SyscallSets::IsAllowedProcessStartOrDeath(int sysno) {
#if defined(__i386__)
case __NR_waitpid:
#endif
@@ -50,7 +53,7 @@ index 7dbcc87..589262f 100644
return true;
case __NR_clone: // Should be parameter-restricted.
case __NR_setns: // Privileged.
-@@ -403,7 +404,6 @@ bool SyscallSets::IsAllowedProcessStartOrDeath(int sysno) {
+@@ -404,7 +405,6 @@ bool SyscallSets::IsAllowedProcessStartOrDeath(int sysno) {
#if defined(__i386__) || defined(__x86_64__) || defined(__mips__)
case __NR_set_thread_area:
#endif
@@ -58,7 +61,7 @@ index 7dbcc87..589262f 100644
case __NR_unshare:
#if !defined(__mips__) && !defined(__aarch64__)
case __NR_vfork:
-@@ -513,6 +513,8 @@ bool SyscallSets::IsAllowedAddressSpaceAccess(int sysno) {
+@@ -514,6 +514,8 @@ bool SyscallSets::IsAllowedAddressSpaceAccess(int sysno) {
case __NR_mlock:
case __NR_munlock:
case __NR_munmap:
@@ -67,7 +70,7 @@ index 7dbcc87..589262f 100644
return true;
case __NR_madvise:
case __NR_mincore:
-@@ -530,7 +532,6 @@ bool SyscallSets::IsAllowedAddressSpaceAccess(int sysno) {
+@@ -531,7 +533,6 @@ bool SyscallSets::IsAllowedAddressSpaceAccess(int sysno) {
case __NR_modify_ldt:
#endif
case __NR_mprotect:
@@ -75,102 +78,47 @@ index 7dbcc87..589262f 100644
case __NR_msync:
case __NR_munlockall:
case __NR_readahead:
-diff --git a/sandbox/linux/system_headers/arm64_linux_syscalls.h b/sandbox/linux/system_headers/arm64_linux_syscalls.h
-index 59d0eab..7ae7002 100644
---- ./sandbox/linux/system_headers/arm64_linux_syscalls.h
-+++ ./sandbox/linux/system_headers/arm64_linux_syscalls.h
-@@ -1063,4 +1063,8 @@
- #define __NR_memfd_create 279
- #endif
-
-+#if !defined(__NR_membarrier)
-+#define __NR_membarrier 283
-+#endif
-+
- #endif // SANDBOX_LINUX_SYSTEM_HEADERS_ARM64_LINUX_SYSCALLS_H_
-diff --git a/sandbox/linux/system_headers/arm_linux_syscalls.h b/sandbox/linux/system_headers/arm_linux_syscalls.h
-index 1addd53..7843b5e 100644
---- ./sandbox/linux/system_headers/arm_linux_syscalls.h
-+++ ./sandbox/linux/system_headers/arm_linux_syscalls.h
-@@ -1385,6 +1385,10 @@
- #define __NR_memfd_create (__NR_SYSCALL_BASE+385)
- #endif
+diff --git a/sandbox/linux/system_headers/linux_syscalls.h ./sandbox/linux/system_headers/linux_syscalls.h
+index 2b78a0c..b6fedb5 100644
+--- a/sandbox/linux/system_headers/linux_syscalls.h
++++ b/sandbox/linux/system_headers/linux_syscalls.h
+@@ -10,6 +10,7 @@
+ #define SANDBOX_LINUX_SYSTEM_HEADERS_LINUX_SYSCALLS_H_
-+#if !defined(__NR_membarrier)
-+#define __NR_membarrier (__NR_SYSCALL_BASE+389)
-+#endif
-+
- // ARM private syscalls.
- #if !defined(__ARM_NR_BASE)
- #define __ARM_NR_BASE (__NR_SYSCALL_BASE + 0xF0000)
-diff --git a/sandbox/linux/system_headers/mips64_linux_syscalls.h b/sandbox/linux/system_headers/mips64_linux_syscalls.h
-index ec75815..612fcfa 100644
---- ./sandbox/linux/system_headers/mips64_linux_syscalls.h
-+++ ./sandbox/linux/system_headers/mips64_linux_syscalls.h
-@@ -1271,4 +1271,8 @@
- #define __NR_memfd_create (__NR_Linux + 314)
- #endif
+ #include "build/build_config.h"
++#include <sys/syscall.h>
-+#if !defined(__NR_membarrier)
-+#define __NR_membarrier (__NR_Linux + 318)
-+#endif
-+
- #endif // SANDBOX_LINUX_SYSTEM_HEADERS_MIPS64_LINUX_SYSCALLS_H_
-diff --git a/sandbox/linux/system_headers/mips_linux_syscalls.h b/sandbox/linux/system_headers/mips_linux_syscalls.h
-index ddbf97f..1742acd 100644
---- ./sandbox/linux/system_headers/mips_linux_syscalls.h
-+++ ./sandbox/linux/system_headers/mips_linux_syscalls.h
-@@ -1433,4 +1433,8 @@
- #define __NR_memfd_create (__NR_Linux + 354)
- #endif
-
-+#if !defined(__NR_membarrier)
-+#define __NR_membarrier (__NR_Linux + 358)
-+#endif
-+
- #endif // SANDBOX_LINUX_SYSTEM_HEADERS_MIPS_LINUX_SYSCALLS_H_
-diff --git a/sandbox/linux/system_headers/x86_32_linux_syscalls.h b/sandbox/linux/system_headers/x86_32_linux_syscalls.h
-index a6afc62..7ed0a3b 100644
---- ./sandbox/linux/system_headers/x86_32_linux_syscalls.h
-+++ ./sandbox/linux/system_headers/x86_32_linux_syscalls.h
-@@ -1422,5 +1422,9 @@
- #define __NR_memfd_create 356
- #endif
-
-+#if !defined(__NR_membarrier)
-+#define __NR_membarrier 375
-+#endif
-+
- #endif // SANDBOX_LINUX_SYSTEM_HEADERS_X86_32_LINUX_SYSCALLS_H_
-
-diff --git a/sandbox/linux/system_headers/x86_64_linux_syscalls.h b/sandbox/linux/system_headers/x86_64_linux_syscalls.h
-index 349504a..ea3c7c9 100644
---- ./sandbox/linux/system_headers/x86_64_linux_syscalls.h
-+++ ./sandbox/linux/system_headers/x86_64_linux_syscalls.h
-@@ -1290,5 +1290,9 @@
- #define __NR_memfd_create 319
- #endif
-
-+#if !defined(__NR_membarrier)
-+#define __NR_membarrier 324
-+#endif
-+
- #endif // SANDBOX_LINUX_SYSTEM_HEADERS_X86_64_LINUX_SYSCALLS_H_
-
-diff --git a/services/service_manager/sandbox/linux/bpf_renderer_policy_linux.cc b/services/service_manager/sandbox/linux/bpf_renderer_policy_linux.cc
-index 017f13c..50aeec3 100644
---- ./services/service_manager/sandbox/linux/bpf_renderer_policy_linux.cc
-+++ ./services/service_manager/sandbox/linux/bpf_renderer_policy_linux.cc
-@@ -88,10 +88,10 @@ ResultExpr RendererProcessPolicy::EvaluateSyscall(int sysno) const {
+ #if defined(__x86_64__)
+ #include "sandbox/linux/system_headers/x86_64_linux_syscalls.h"
+--- a/sandbox/policy/linux/bpf_renderer_policy_linux.cc
++++ b/sandbox/policy/linux/bpf_renderer_policy_linux.cc
+@@ -94,6 +94,9 @@
+ case __NR_pwrite64:
+ case __NR_sched_get_priority_max:
+ case __NR_sched_get_priority_min:
++ case __NR_sched_getparam:
++ case __NR_sched_getscheduler:
++ case __NR_sched_setscheduler:
case __NR_sysinfo:
case __NR_times:
case __NR_uname:
-- return Allow();
-- case __NR_sched_getaffinity:
- case __NR_sched_getparam:
- case __NR_sched_getscheduler:
-+ return Allow();
-+ case __NR_sched_getaffinity:
- case __NR_sched_setscheduler:
- return sandbox::RestrictSchedTarget(GetPolicyPid(), sysno);
- case __NR_prlimit64:
+--- a/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc
++++ b/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc
+@@ -225,10 +225,15 @@
+ if (sysno == __NR_getpriority || sysno ==__NR_setpriority)
+ return RestrictGetSetpriority(current_pid);
+
++ // XXX: hacks for musl sandbox, calls needed?
++ if (sysno == __NR_sched_getparam || sysno == __NR_sched_getscheduler ||
++ sysno == __NR_sched_setscheduler) {
++ return Allow();
++ }
++
+ // The scheduling syscalls are used in threading libraries and also heavily in
+ // abseil. See for example https://crbug.com/1370394.
+- if (sysno == __NR_sched_getaffinity || sysno == __NR_sched_getparam ||
+- sysno == __NR_sched_getscheduler || sysno == __NR_sched_setscheduler) {
++ if (sysno == __NR_sched_getaffinity) {
+ return RestrictSchedTarget(current_pid, sysno);
+ }
+
generated by cgit v1.2.3 (git 2.41.0) at 2024-04-25 15:06:51 +0000