summaryrefslogtreecommitdiff
path: root/extra/chromium/musl-sandbox.patch
diff options
context:
space:
mode:
Diffstat (limited to 'extra/chromium/musl-sandbox.patch')
-rw-r--r--extra/chromium/musl-sandbox.patch176
1 files changed, 0 insertions, 176 deletions
diff --git a/extra/chromium/musl-sandbox.patch b/extra/chromium/musl-sandbox.patch
deleted file mode 100644
index 4fe0098..0000000
--- a/extra/chromium/musl-sandbox.patch
+++ /dev/null
@@ -1,176 +0,0 @@
-diff --git a/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc ./sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc
-index ff5a1c0..da56b9b 100644
---- a/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc
-+++ ./sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc
-@@ -139,21 +139,11 @@ namespace sandbox {
- // present (as in newer versions of posix_spawn).
- ResultExpr RestrictCloneToThreadsAndEPERMFork() {
- const Arg<unsigned long> flags(0);
--
-- // TODO(mdempsky): Extend DSL to support (flags & ~mask1) == mask2.
-- const uint64_t kAndroidCloneMask = CLONE_VM | CLONE_FS | CLONE_FILES |
-- CLONE_SIGHAND | CLONE_THREAD |
-- CLONE_SYSVSEM;
-- const uint64_t kObsoleteAndroidCloneMask = kAndroidCloneMask | CLONE_DETACHED;
--
-- const uint64_t kGlibcPthreadFlags =
-- CLONE_VM | CLONE_FS | CLONE_FILES | CLONE_SIGHAND | CLONE_THREAD |
-- CLONE_SYSVSEM | CLONE_SETTLS | CLONE_PARENT_SETTID | CLONE_CHILD_CLEARTID;
-- const BoolExpr glibc_test = flags == kGlibcPthreadFlags;
--
-- const BoolExpr android_test =
-- AnyOf(flags == kAndroidCloneMask, flags == kObsoleteAndroidCloneMask,
-- flags == kGlibcPthreadFlags);
-+ const int required = CLONE_VM | CLONE_FS | CLONE_FILES | CLONE_SIGHAND |
-+ CLONE_THREAD | CLONE_SYSVSEM;
-+ const int safe = CLONE_SETTLS | CLONE_PARENT_SETTID | CLONE_CHILD_CLEARTID |
-+ CLONE_DETACHED;
-+ const BoolExpr thread_clone_ok = (flags&~safe)==required;
-
- // The following two flags are the two important flags in any vfork-emulating
- // clone call. EPERM any clone call that contains both of them.
-@@ -163,7 +153,7 @@ ResultExpr RestrictCloneToThreadsAndEPERMFork() {
- AnyOf((flags & (CLONE_VM | CLONE_THREAD)) == 0,
- (flags & kImportantCloneVforkFlags) == kImportantCloneVforkFlags);
-
-- return If(IsAndroid() ? android_test : glibc_test, Allow())
-+ return If(thread_clone_ok, Allow())
- .ElseIf(is_fork_or_clone_vfork, Error(EPERM))
- .Else(CrashSIGSYSClone());
- }
-diff --git a/sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc ./sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc
-index d9d1882..0567557 100644
---- a/sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc
-+++ ./sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc
-@@ -392,6 +392,7 @@ bool SyscallSets::IsAllowedProcessStartOrDeath(int sysno) {
- #if defined(__i386__)
- case __NR_waitpid:
- #endif
-+ case __NR_set_tid_address:
- return true;
- case __NR_clone: // Should be parameter-restricted.
- case __NR_setns: // Privileged.
-@@ -404,7 +405,6 @@ bool SyscallSets::IsAllowedProcessStartOrDeath(int sysno) {
- #if defined(__i386__) || defined(__x86_64__) || defined(__mips__)
- case __NR_set_thread_area:
- #endif
-- case __NR_set_tid_address:
- case __NR_unshare:
- #if !defined(__mips__) && !defined(__aarch64__)
- case __NR_vfork:
-@@ -514,6 +514,8 @@ bool SyscallSets::IsAllowedAddressSpaceAccess(int sysno) {
- case __NR_mlock:
- case __NR_munlock:
- case __NR_munmap:
-+ case __NR_mremap:
-+ case __NR_membarrier:
- return true;
- case __NR_madvise:
- case __NR_mincore:
-@@ -531,7 +533,6 @@ bool SyscallSets::IsAllowedAddressSpaceAccess(int sysno) {
- case __NR_modify_ldt:
- #endif
- case __NR_mprotect:
-- case __NR_mremap:
- case __NR_msync:
- case __NR_munlockall:
- case __NR_readahead:
-diff --git a/sandbox/linux/system_headers/arm64_linux_syscalls.h ./sandbox/linux/system_headers/arm64_linux_syscalls.h
-index 59d0eab..7ae7002 100644
---- a/sandbox/linux/system_headers/arm64_linux_syscalls.h
-+++ ./sandbox/linux/system_headers/arm64_linux_syscalls.h
-@@ -1063,4 +1063,8 @@
- #define __NR_memfd_create 279
- #endif
-
-+#if !defined(__NR_membarrier)
-+#define __NR_membarrier 283
-+#endif
-+
- #endif // SANDBOX_LINUX_SYSTEM_HEADERS_ARM64_LINUX_SYSCALLS_H_
-diff --git a/sandbox/linux/system_headers/arm_linux_syscalls.h ./sandbox/linux/system_headers/arm_linux_syscalls.h
-index 1addd53..7843b5e 100644
---- a/sandbox/linux/system_headers/arm_linux_syscalls.h
-+++ ./sandbox/linux/system_headers/arm_linux_syscalls.h
-@@ -1385,6 +1385,10 @@
- #define __NR_memfd_create (__NR_SYSCALL_BASE+385)
- #endif
-
-+#if !defined(__NR_membarrier)
-+#define __NR_membarrier (__NR_SYSCALL_BASE+389)
-+#endif
-+
- // ARM private syscalls.
- #if !defined(__ARM_NR_BASE)
- #define __ARM_NR_BASE (__NR_SYSCALL_BASE + 0xF0000)
-diff --git a/sandbox/linux/system_headers/linux_syscalls.h ./sandbox/linux/system_headers/linux_syscalls.h
-index 2b78a0c..b6fedb5 100644
---- a/sandbox/linux/system_headers/linux_syscalls.h
-+++ ./sandbox/linux/system_headers/linux_syscalls.h
-@@ -10,6 +10,7 @@
- #define SANDBOX_LINUX_SYSTEM_HEADERS_LINUX_SYSCALLS_H_
-
- #include "build/build_config.h"
-+#include <sys/syscall.h>
-
- #if defined(__x86_64__)
- #include "sandbox/linux/system_headers/x86_64_linux_syscalls.h"
-diff --git a/sandbox/linux/system_headers/mips64_linux_syscalls.h ./sandbox/linux/system_headers/mips64_linux_syscalls.h
-index ec75815..5515270 100644
---- a/sandbox/linux/system_headers/mips64_linux_syscalls.h
-+++ ./sandbox/linux/system_headers/mips64_linux_syscalls.h
-@@ -1271,4 +1271,8 @@
- #define __NR_memfd_create (__NR_Linux + 314)
- #endif
-
-+#if !defined(__NR_membarrier)
-+#define __NR_membarrier (__NR_Linux 318)
-+#endif
-+
- #endif // SANDBOX_LINUX_SYSTEM_HEADERS_MIPS64_LINUX_SYSCALLS_H_
-diff --git a/sandbox/linux/system_headers/mips_linux_syscalls.h ./sandbox/linux/system_headers/mips_linux_syscalls.h
-index ddbf97f..ad3d64b 100644
---- a/sandbox/linux/system_headers/mips_linux_syscalls.h
-+++ ./sandbox/linux/system_headers/mips_linux_syscalls.h
-@@ -1433,4 +1433,8 @@
- #define __NR_memfd_create (__NR_Linux + 354)
- #endif
-
-+#if !defined(__NR_membarrier)
-+#define __NR_membarrier (__NR_Linux 358)
-+#endif
-+
- #endif // SANDBOX_LINUX_SYSTEM_HEADERS_MIPS_LINUX_SYSCALLS_H_
-diff --git a/sandbox/linux/system_headers/x86_64_linux_syscalls.h ./sandbox/linux/system_headers/x86_64_linux_syscalls.h
-index b0ae0a2..8b12029 100644
---- a/sandbox/linux/system_headers/x86_64_linux_syscalls.h
-+++ ./sandbox/linux/system_headers/x86_64_linux_syscalls.h
-@@ -1350,5 +1350,9 @@
- #define __NR_rseq 334
- #endif
-
-+#if !defined(__NR_membarrier)
-+#define __NR_membarrier 324
-+#endif
-+
- #endif // SANDBOX_LINUX_SYSTEM_HEADERS_X86_64_LINUX_SYSCALLS_H_
-
-diff --git a/services/service_manager/sandbox/linux/bpf_renderer_policy_linux.cc ./services/service_manager/sandbox/linux/bpf_renderer_policy_linux.cc
-index a85c0ea..715aa1e 100644
---- a/sandbox/policy/linux/bpf_renderer_policy_linux.cc
-+++ ./sandbox/policy/linux/bpf_renderer_policy_linux.cc
-@@ -93,11 +93,11 @@
- case __NR_sysinfo:
- case __NR_times:
- case __NR_uname:
-- return Allow();
-- case __NR_sched_getaffinity:
- case __NR_sched_getparam:
- case __NR_sched_getscheduler:
- case __NR_sched_setscheduler:
-+ return Allow();
-+ case __NR_sched_getaffinity:
- return RestrictSchedTarget(GetPolicyPid(), sysno);
- case __NR_prlimit64:
- // See crbug.com/662450 and setrlimit comment above.
-
generated by cgit v1.2.1 (git 2.18.0) at 2024-11-11 08:51:47 +0000