diff options
Diffstat (limited to 'community/chromium/musl-sandbox.patch')
-rw-r--r-- | community/chromium/musl-sandbox.patch | 156 |
1 files changed, 52 insertions, 104 deletions
diff --git a/community/chromium/musl-sandbox.patch b/community/chromium/musl-sandbox.patch index f485f6cc75a..52c3b210503 100644 --- a/community/chromium/musl-sandbox.patch +++ b/community/chromium/musl-sandbox.patch @@ -1,6 +1,9 @@ -diff --git a/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc b/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc -index 348ab6e..4550f9e 100644 ---- ./sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc +musl uses different syscalls from glibc for some functions, so the sandbox has +to account for that +-- +diff --git a/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc ./sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc +index ff5a1c0..da56b9b 100644 +--- a/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc +++ ./sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc @@ -139,21 +139,11 @@ namespace sandbox { // present (as in newer versions of posix_spawn). @@ -38,11 +41,11 @@ index 348ab6e..4550f9e 100644 .ElseIf(is_fork_or_clone_vfork, Error(EPERM)) .Else(CrashSIGSYSClone()); } -diff --git a/sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc b/sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc -index 7dbcc87..589262f 100644 ---- ./sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc +diff --git a/sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc ./sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc +index d9d1882..0567557 100644 +--- a/sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc +++ ./sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc -@@ -391,6 +391,7 @@ bool SyscallSets::IsAllowedProcessStartOrDeath(int sysno) { +@@ -392,6 +392,7 @@ bool SyscallSets::IsAllowedProcessStartOrDeath(int sysno) { #if defined(__i386__) case __NR_waitpid: #endif @@ -50,7 +53,7 @@ index 7dbcc87..589262f 100644 return true; case __NR_clone: // Should be parameter-restricted. case __NR_setns: // Privileged. -@@ -403,7 +404,6 @@ bool SyscallSets::IsAllowedProcessStartOrDeath(int sysno) { +@@ -404,7 +405,6 @@ bool SyscallSets::IsAllowedProcessStartOrDeath(int sysno) { #if defined(__i386__) || defined(__x86_64__) || defined(__mips__) case __NR_set_thread_area: #endif @@ -58,7 +61,7 @@ index 7dbcc87..589262f 100644 case __NR_unshare: #if !defined(__mips__) && !defined(__aarch64__) case __NR_vfork: -@@ -513,6 +513,8 @@ bool SyscallSets::IsAllowedAddressSpaceAccess(int sysno) { +@@ -514,6 +514,8 @@ bool SyscallSets::IsAllowedAddressSpaceAccess(int sysno) { case __NR_mlock: case __NR_munlock: case __NR_munmap: @@ -67,7 +70,7 @@ index 7dbcc87..589262f 100644 return true; case __NR_madvise: case __NR_mincore: -@@ -530,7 +532,6 @@ bool SyscallSets::IsAllowedAddressSpaceAccess(int sysno) { +@@ -531,7 +533,6 @@ bool SyscallSets::IsAllowedAddressSpaceAccess(int sysno) { case __NR_modify_ldt: #endif case __NR_mprotect: @@ -75,102 +78,47 @@ index 7dbcc87..589262f 100644 case __NR_msync: case __NR_munlockall: case __NR_readahead: -diff --git a/sandbox/linux/system_headers/arm64_linux_syscalls.h b/sandbox/linux/system_headers/arm64_linux_syscalls.h -index 59d0eab..7ae7002 100644 ---- ./sandbox/linux/system_headers/arm64_linux_syscalls.h -+++ ./sandbox/linux/system_headers/arm64_linux_syscalls.h -@@ -1063,4 +1063,8 @@ - #define __NR_memfd_create 279 - #endif - -+#if !defined(__NR_membarrier) -+#define __NR_membarrier 283 -+#endif -+ - #endif // SANDBOX_LINUX_SYSTEM_HEADERS_ARM64_LINUX_SYSCALLS_H_ -diff --git a/sandbox/linux/system_headers/arm_linux_syscalls.h b/sandbox/linux/system_headers/arm_linux_syscalls.h -index 1addd53..7843b5e 100644 ---- ./sandbox/linux/system_headers/arm_linux_syscalls.h -+++ ./sandbox/linux/system_headers/arm_linux_syscalls.h -@@ -1385,6 +1385,10 @@ - #define __NR_memfd_create (__NR_SYSCALL_BASE+385) - #endif +diff --git a/sandbox/linux/system_headers/linux_syscalls.h ./sandbox/linux/system_headers/linux_syscalls.h +index 2b78a0c..b6fedb5 100644 +--- a/sandbox/linux/system_headers/linux_syscalls.h ++++ b/sandbox/linux/system_headers/linux_syscalls.h +@@ -10,6 +10,7 @@ + #define SANDBOX_LINUX_SYSTEM_HEADERS_LINUX_SYSCALLS_H_ -+#if !defined(__NR_membarrier) -+#define __NR_membarrier (__NR_SYSCALL_BASE+389) -+#endif -+ - // ARM private syscalls. - #if !defined(__ARM_NR_BASE) - #define __ARM_NR_BASE (__NR_SYSCALL_BASE + 0xF0000) -diff --git a/sandbox/linux/system_headers/mips64_linux_syscalls.h b/sandbox/linux/system_headers/mips64_linux_syscalls.h -index ec75815..612fcfa 100644 ---- ./sandbox/linux/system_headers/mips64_linux_syscalls.h -+++ ./sandbox/linux/system_headers/mips64_linux_syscalls.h -@@ -1271,4 +1271,8 @@ - #define __NR_memfd_create (__NR_Linux + 314) - #endif + #include "build/build_config.h" ++#include <sys/syscall.h> -+#if !defined(__NR_membarrier) -+#define __NR_membarrier (__NR_Linux + 318) -+#endif -+ - #endif // SANDBOX_LINUX_SYSTEM_HEADERS_MIPS64_LINUX_SYSCALLS_H_ -diff --git a/sandbox/linux/system_headers/mips_linux_syscalls.h b/sandbox/linux/system_headers/mips_linux_syscalls.h -index ddbf97f..1742acd 100644 ---- ./sandbox/linux/system_headers/mips_linux_syscalls.h -+++ ./sandbox/linux/system_headers/mips_linux_syscalls.h -@@ -1433,4 +1433,8 @@ - #define __NR_memfd_create (__NR_Linux + 354) - #endif - -+#if !defined(__NR_membarrier) -+#define __NR_membarrier (__NR_Linux + 358) -+#endif -+ - #endif // SANDBOX_LINUX_SYSTEM_HEADERS_MIPS_LINUX_SYSCALLS_H_ -diff --git a/sandbox/linux/system_headers/x86_32_linux_syscalls.h b/sandbox/linux/system_headers/x86_32_linux_syscalls.h -index a6afc62..7ed0a3b 100644 ---- ./sandbox/linux/system_headers/x86_32_linux_syscalls.h -+++ ./sandbox/linux/system_headers/x86_32_linux_syscalls.h -@@ -1422,5 +1422,9 @@ - #define __NR_memfd_create 356 - #endif - -+#if !defined(__NR_membarrier) -+#define __NR_membarrier 375 -+#endif -+ - #endif // SANDBOX_LINUX_SYSTEM_HEADERS_X86_32_LINUX_SYSCALLS_H_ - -diff --git a/sandbox/linux/system_headers/x86_64_linux_syscalls.h b/sandbox/linux/system_headers/x86_64_linux_syscalls.h -index 349504a..ea3c7c9 100644 ---- ./sandbox/linux/system_headers/x86_64_linux_syscalls.h -+++ ./sandbox/linux/system_headers/x86_64_linux_syscalls.h -@@ -1290,5 +1290,9 @@ - #define __NR_memfd_create 319 - #endif - -+#if !defined(__NR_membarrier) -+#define __NR_membarrier 324 -+#endif -+ - #endif // SANDBOX_LINUX_SYSTEM_HEADERS_X86_64_LINUX_SYSCALLS_H_ - -diff --git a/services/service_manager/sandbox/linux/bpf_renderer_policy_linux.cc b/services/service_manager/sandbox/linux/bpf_renderer_policy_linux.cc -index 017f13c..50aeec3 100644 ---- ./services/service_manager/sandbox/linux/bpf_renderer_policy_linux.cc -+++ ./services/service_manager/sandbox/linux/bpf_renderer_policy_linux.cc -@@ -88,10 +88,10 @@ ResultExpr RendererProcessPolicy::EvaluateSyscall(int sysno) const { + #if defined(__x86_64__) + #include "sandbox/linux/system_headers/x86_64_linux_syscalls.h" +--- a/sandbox/policy/linux/bpf_renderer_policy_linux.cc ++++ b/sandbox/policy/linux/bpf_renderer_policy_linux.cc +@@ -94,6 +94,9 @@ + case __NR_pwrite64: + case __NR_sched_get_priority_max: + case __NR_sched_get_priority_min: ++ case __NR_sched_getparam: ++ case __NR_sched_getscheduler: ++ case __NR_sched_setscheduler: case __NR_sysinfo: case __NR_times: case __NR_uname: -- return Allow(); -- case __NR_sched_getaffinity: - case __NR_sched_getparam: - case __NR_sched_getscheduler: -+ return Allow(); -+ case __NR_sched_getaffinity: - case __NR_sched_setscheduler: - return sandbox::RestrictSchedTarget(GetPolicyPid(), sysno); - case __NR_prlimit64: +--- a/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc ++++ b/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc +@@ -225,10 +225,15 @@ + if (sysno == __NR_getpriority || sysno ==__NR_setpriority) + return RestrictGetSetpriority(current_pid); + ++ // XXX: hacks for musl sandbox, calls needed? ++ if (sysno == __NR_sched_getparam || sysno == __NR_sched_getscheduler || ++ sysno == __NR_sched_setscheduler) { ++ return Allow(); ++ } ++ + // The scheduling syscalls are used in threading libraries and also heavily in + // abseil. See for example https://crbug.com/1370394. +- if (sysno == __NR_sched_getaffinity || sysno == __NR_sched_getparam || +- sysno == __NR_sched_getscheduler || sysno == __NR_sched_setscheduler) { ++ if (sysno == __NR_sched_getaffinity) { + return RestrictSchedTarget(current_pid, sysno); + } + |