PKGBUILDs/extra/chromium/0002-Linux-Sandbox-whitelist-arm64-syscalls.patch

From 25d42d8e806a4a38fe5e3fec7d52a896f7b7de42 Mon Sep 17 00:00:00 2001
From: "riku.voipio" <riku.voipio@linaro.org>
Date: Tue, 1 Mar 2016 08:02:43 -0800
Subject: [PATCH 2/2] Linux Sandbox: whitelist arm64 syscalls

On debian/arm64, two syscalls needed whitelisting for chromium to work with seccomp:

epoll_pwait, replacing epoll_wait which is a legacy syscall not available on arm64. epoll_wait implmentation in glibc calls epoll_pwait behind scenes, so this needs to be enabled.

getrlimit, missing #ifdef for arm64 in several policy definitions. test for arm64 added for each case.

BUG=581018
R=keescook@chromium.org,jln@chromium.org,rsesek@chromium.org
TEST=Start chrome on arm64 with seccomp enabled kernel

Review URL: https://codereview.chromium.org/1613883002

Cr-Commit-Position: refs/heads/master@{#378440}
---
 mojo/shell/runner/host/linux_sandbox.cc | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/mojo/shell/runner/host/linux_sandbox.cc b/mojo/shell/runner/host/linux_sandbox.cc
index 9e9dbc7..0d9082c 100644
--- a/mojo/shell/runner/host/linux_sandbox.cc
+++ b/mojo/shell/runner/host/linux_sandbox.cc
@@ -39,12 +39,14 @@ intptr_t SandboxSIGSYSHandler(const struct sandbox::arch_seccomp_data& args,
   const sandbox::syscall_broker::BrokerProcess* broker_process =
       static_cast<const sandbox::syscall_broker::BrokerProcess*>(aux);
   switch (args.nr) {
+#if !defined(__aarch64__)
     case __NR_access:
       return broker_process->Access(reinterpret_cast<const char*>(args.args[0]),
                                     static_cast<int>(args.args[1]));
     case __NR_open:
       return broker_process->Open(reinterpret_cast<const char*>(args.args[0]),
                                   static_cast<int>(args.args[1]));
+#endif
     case __NR_faccessat:
       if (static_cast<int>(args.args[0]) == AT_FDCWD) {
         return broker_process->Access(
-- 
2.7.2
extra/chromium: v8 fix 2016-05-28 00:56:32 +00:00			`From 25d42d8e806a4a38fe5e3fec7d52a896f7b7de42 Mon Sep 17 00:00:00 2001`
			`From: "riku.voipio" <riku.voipio@linaro.org>`
			`Date: Tue, 1 Mar 2016 08:02:43 -0800`
			`Subject: [PATCH 2/2] Linux Sandbox: whitelist arm64 syscalls`

			`On debian/arm64, two syscalls needed whitelisting for chromium to work with seccomp:`

			`epoll_pwait, replacing epoll_wait which is a legacy syscall not available on arm64. epoll_wait implmentation in glibc calls epoll_pwait behind scenes, so this needs to be enabled.`

			`getrlimit, missing #ifdef for arm64 in several policy definitions. test for arm64 added for each case.`

			`BUG=581018`
			`R=keescook@chromium.org,jln@chromium.org,rsesek@chromium.org`
			`TEST=Start chrome on arm64 with seccomp enabled kernel`

			`Review URL: https://codereview.chromium.org/1613883002`

			`Cr-Commit-Position: refs/heads/master@{#378440}`
			`---`
			`mojo/shell/runner/host/linux_sandbox.cc \| 2 ++`
			`1 file changed, 2 insertions(+)`

			`diff --git a/mojo/shell/runner/host/linux_sandbox.cc b/mojo/shell/runner/host/linux_sandbox.cc`
			`index 9e9dbc7..0d9082c 100644`
			`--- a/mojo/shell/runner/host/linux_sandbox.cc`
			`+++ b/mojo/shell/runner/host/linux_sandbox.cc`
			`@@ -39,12 +39,14 @@ intptr_t SandboxSIGSYSHandler(const struct sandbox::arch_seccomp_data& args,`
			`const sandbox::syscall_broker::BrokerProcess* broker_process =`
			`static_cast<const sandbox::syscall_broker::BrokerProcess*>(aux);`
			`switch (args.nr) {`
			`+#if !defined(__aarch64__)`
			`case __NR_access:`
			`return broker_process->Access(reinterpret_cast<const char*>(args.args[0]),`
			`static_cast<int>(args.args[1]));`
			`case __NR_open:`
			`return broker_process->Open(reinterpret_cast<const char*>(args.args[0]),`
			`static_cast<int>(args.args[1]));`
			`+#endif`
			`case __NR_faccessat:`
			`if (static_cast<int>(args.args[0]) == AT_FDCWD) {`
			`return broker_process->Access(`
			`--`
			`2.7.2`