summaryrefslogtreecommitdiff
path: root/repo/qt5-qtwebengine/musl-sandbox.patch
diff options
context:
space:
mode:
authordavidovski <david@davidovski.xyz>2023-02-02 14:10:02 +0000
committerdavidovski <david@davidovski.xyz>2023-02-02 14:10:02 +0000
commitf29d569cd33a73da5ad675f43a34ad53c5cc9bc6 (patch)
tree76fe6267f8307e7630fc6f53ff99a9767ad40de0 /repo/qt5-qtwebengine/musl-sandbox.patch
parent05d004dfe0c9a9d898fac8a4a0292ca2a74ca391 (diff)
Work
Diffstat (limited to 'repo/qt5-qtwebengine/musl-sandbox.patch')
-rw-r--r--repo/qt5-qtwebengine/musl-sandbox.patch181
1 files changed, 0 insertions, 181 deletions
diff --git a/repo/qt5-qtwebengine/musl-sandbox.patch b/repo/qt5-qtwebengine/musl-sandbox.patch
deleted file mode 100644
index ad01ea8..0000000
--- a/repo/qt5-qtwebengine/musl-sandbox.patch
+++ /dev/null
@@ -1,181 +0,0 @@
-diff --git a/src/3rdparty/chromium/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc b/src/3rdparty/chromium/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc
-index 348ab6e8c..2eac6ef82 100644
---- a/src/3rdparty/chromium/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc
-+++ b/src/3rdparty/chromium/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc
-@@ -127,21 +127,11 @@ namespace sandbox {
- // present (as in newer versions of posix_spawn).
- ResultExpr RestrictCloneToThreadsAndEPERMFork() {
- const Arg<unsigned long> flags(0);
--
-- // TODO(mdempsky): Extend DSL to support (flags & ~mask1) == mask2.
-- const uint64_t kAndroidCloneMask = CLONE_VM | CLONE_FS | CLONE_FILES |
-- CLONE_SIGHAND | CLONE_THREAD |
-- CLONE_SYSVSEM;
-- const uint64_t kObsoleteAndroidCloneMask = kAndroidCloneMask | CLONE_DETACHED;
--
-- const uint64_t kGlibcPthreadFlags =
-- CLONE_VM | CLONE_FS | CLONE_FILES | CLONE_SIGHAND | CLONE_THREAD |
-- CLONE_SYSVSEM | CLONE_SETTLS | CLONE_PARENT_SETTID | CLONE_CHILD_CLEARTID;
-- const BoolExpr glibc_test = flags == kGlibcPthreadFlags;
--
-- const BoolExpr android_test =
-- AnyOf(flags == kAndroidCloneMask, flags == kObsoleteAndroidCloneMask,
-- flags == kGlibcPthreadFlags);
-+ const int required = CLONE_VM | CLONE_FS | CLONE_FILES | CLONE_SIGHAND |
-+ CLONE_THREAD | CLONE_SYSVSEM;
-+ const int safe = CLONE_SETTLS | CLONE_PARENT_SETTID | CLONE_CHILD_CLEARTID |
-+ CLONE_DETACHED;
-+ const BoolExpr thread_clone_ok = (flags&~safe)==required;
-
- // The following two flags are the two important flags in any vfork-emulating
- // clone call. EPERM any clone call that contains both of them.
-@@ -151,7 +141,7 @@ ResultExpr RestrictCloneToThreadsAndEPERMFork() {
- AnyOf((flags & (CLONE_VM | CLONE_THREAD)) == 0,
- (flags & kImportantCloneVforkFlags) == kImportantCloneVforkFlags);
-
-- return If(IsAndroid() ? android_test : glibc_test, Allow())
-+ return If(thread_clone_ok, Allow())
- .ElseIf(is_fork_or_clone_vfork, Error(EPERM))
- .Else(CrashSIGSYSClone());
- }
-diff --git a/src/3rdparty/chromium/sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc b/src/3rdparty/chromium/sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc
-index 6e2bd4fee..9f9e4ad8a 100644
---- a/src/3rdparty/chromium/sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc
-+++ b/src/3rdparty/chromium/sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc
-@@ -392,6 +392,7 @@ bool SyscallSets::IsAllowedProcessStartOrDeath(int sysno) {
- #if defined(__i386__)
- case __NR_waitpid:
- #endif
-+ case __NR_set_tid_address:
- return true;
- case __NR_clone: // Should be parameter-restricted.
- case __NR_setns: // Privileged.
-@@ -404,7 +405,6 @@ bool SyscallSets::IsAllowedProcessStartOrDeath(int sysno) {
- #if defined(__i386__) || defined(__x86_64__) || defined(__mips__)
- case __NR_set_thread_area:
- #endif
-- case __NR_set_tid_address:
- case __NR_unshare:
- #if !defined(__mips__) && !defined(__aarch64__)
- case __NR_vfork:
-@@ -514,6 +514,8 @@ bool SyscallSets::IsAllowedAddressSpaceAccess(int sysno) {
- case __NR_mlock:
- case __NR_munlock:
- case __NR_munmap:
-+ case __NR_mremap:
-+ case __NR_membarrier:
- return true;
- case __NR_madvise:
- case __NR_mincore:
-@@ -531,7 +533,6 @@ bool SyscallSets::IsAllowedAddressSpaceAccess(int sysno) {
- case __NR_modify_ldt:
- #endif
- case __NR_mprotect:
-- case __NR_mremap:
- case __NR_msync:
- case __NR_munlockall:
- case __NR_readahead:
-diff --git a/src/3rdparty/chromium/sandbox/linux/system_headers/arm64_linux_syscalls.h b/src/3rdparty/chromium/sandbox/linux/system_headers/arm64_linux_syscalls.h
-index 59d0eab8e..7ae700213 100644
---- a/src/3rdparty/chromium/sandbox/linux/system_headers/arm64_linux_syscalls.h
-+++ b/src/3rdparty/chromium/sandbox/linux/system_headers/arm64_linux_syscalls.h
-@@ -1119,4 +1119,8 @@
- #define __NR_rseq 293
- #endif
-
-+#if !defined(__NR_membarrier)
-+#define __NR_membarrier 283
-+#endif
-+
- #endif // SANDBOX_LINUX_SYSTEM_HEADERS_ARM64_LINUX_SYSCALLS_H_
-diff --git a/src/3rdparty/chromium/sandbox/linux/system_headers/arm_linux_syscalls.h b/src/3rdparty/chromium/sandbox/linux/system_headers/arm_linux_syscalls.h
-index 1addd5384..d8811ce87 100644
---- a/src/3rdparty/chromium/sandbox/linux/system_headers/arm_linux_syscalls.h
-+++ b/src/3rdparty/chromium/sandbox/linux/system_headers/arm_linux_syscalls.h
-@@ -1441,6 +1441,11 @@
- #define __NR_io_pgetevents (__NR_SYSCALL_BASE+399)
- #endif
-
-+#if !defined(__NR_membarrier)
-+#define __NR_membarrier (__NR_SYSCALL_BASE+389)
-+#endif
-+
-+
- // ARM private syscalls.
- #if !defined(__ARM_NR_BASE)
- #define __ARM_NR_BASE (__NR_SYSCALL_BASE + 0xF0000)
-diff --git a/src/3rdparty/chromium/sandbox/linux/system_headers/mips64_linux_syscalls.h b/src/3rdparty/chromium/sandbox/linux/system_headers/mips64_linux_syscalls.h
-index ec75815a8..612fcfaa9 100644
---- a/src/3rdparty/chromium/sandbox/linux/system_headers/mips64_linux_syscalls.h
-+++ b/src/3rdparty/chromium/sandbox/linux/system_headers/mips64_linux_syscalls.h
-@@ -1271,4 +1271,8 @@
- #define __NR_memfd_create (__NR_Linux + 314)
- #endif
-
-+#if !defined(__NR_membarrier)
-+#define __NR_membarrier (__NR_Linux + 318)
-+#endif
-+
- #endif // SANDBOX_LINUX_SYSTEM_HEADERS_MIPS64_LINUX_SYSCALLS_H_
-diff --git a/src/3rdparty/chromium/sandbox/linux/system_headers/mips_linux_syscalls.h b/src/3rdparty/chromium/sandbox/linux/system_headers/mips_linux_syscalls.h
-index ddbf97f3d..1742acd4c 100644
---- a/src/3rdparty/chromium/sandbox/linux/system_headers/mips_linux_syscalls.h
-+++ b/src/3rdparty/chromium/sandbox/linux/system_headers/mips_linux_syscalls.h
-@@ -1433,4 +1433,8 @@
- #define __NR_memfd_create (__NR_Linux + 354)
- #endif
-
-+#if !defined(__NR_membarrier)
-+#define __NR_membarrier (__NR_Linux + 358)
-+#endif
-+
- #endif // SANDBOX_LINUX_SYSTEM_HEADERS_MIPS_LINUX_SYSCALLS_H_
-diff --git a/src/3rdparty/chromium/sandbox/linux/system_headers/x86_32_linux_syscalls.h b/src/3rdparty/chromium/sandbox/linux/system_headers/x86_32_linux_syscalls.h
-index a6afc62d9..6ab7740de 100644
---- a/src/3rdparty/chromium/sandbox/linux/system_headers/x86_32_linux_syscalls.h
-+++ b/src/3rdparty/chromium/sandbox/linux/system_headers/x86_32_linux_syscalls.h
-@@ -1710,5 +1710,10 @@
- #define __NR_clone3 435
- #endif
-
-+#if !defined(__NR_membarrier)
-+#define __NR_membarrier 375
-+#endif
-+
-+
- #endif // SANDBOX_LINUX_SYSTEM_HEADERS_X86_32_LINUX_SYSCALLS_H_
-
-
-diff --git a/src/3rdparty/chromium/sandbox/linux/system_headers/x86_64_linux_syscalls.h b/src/3rdparty/chromium/sandbox/linux/system_headers/x86_64_linux_syscalls.h
-index 349504aee..6a6d4756f 100644
---- a/src/3rdparty/chromium/sandbox/linux/system_headers/x86_64_linux_syscalls.h
-+++ b/src/3rdparty/chromium/sandbox/linux/system_headers/x86_64_linux_syscalls.h
-@@ -1350,5 +1350,10 @@
- #define __NR_rseq 334
- #endif
-
-+#if !defined(__NR_membarrier)
-+#define __NR_membarrier 324
-+#endif
-+
-+
- #endif // SANDBOX_LINUX_SYSTEM_HEADERS_X86_64_LINUX_SYSCALLS_H_
-
-diff --git a/src/3rdparty/chromium/sandbox/policy/linux/bpf_renderer_policy_linux.cc b/src/3rdparty/chromium/sandbox/policy/linux/bpf_renderer_policy_linux.cc
-index 9fe9575eb..fa1a946f6 100644
---- a/src/3rdparty/chromium/sandbox/policy/linux/bpf_renderer_policy_linux.cc
-+++ b/src/3rdparty/chromium/sandbox/policy/linux/bpf_renderer_policy_linux.cc
-@@ -93,11 +93,11 @@ ResultExpr RendererProcessPolicy::EvaluateSyscall(int sysno) const {
- case __NR_sysinfo:
- case __NR_times:
- case __NR_uname:
-- return Allow();
-- case __NR_sched_getaffinity:
- case __NR_sched_getparam:
- case __NR_sched_getscheduler:
- case __NR_sched_setscheduler:
-+ return Allow();
-+ case __NR_sched_getaffinity:
- return RestrictSchedTarget(GetPolicyPid(), sysno);
- case __NR_prlimit64:
- // See crbug.com/662450 and setrlimit comment above.
generated by cgit v1.2.1 (git 2.18.0) at 2024-11-11 11:53:05 +0000