archlinuxarm/PKGBUILDs
1
0
Fork 0
mirror of https://github.com/archlinuxarm/PKGBUILDs.git synced 2024-11-28 22:57:37 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

extra/qt5-webengine to 5.12.3-2

Browse source
This commit is contained in:
Kevin Mihelich 2019-05-05 22:49:54 +00:00
parent 9e117e609b
commit 02e33be6c4
2 changed files with 112 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

10
extra/qt5-webengine/PKGBUILD
View file

@ -10,7 +10,7 @@ highmem=1
pkgname=qt5-webengine
_qtver=5.12.3
pkgver=${_qtver/-/}
pkgrel=1
pkgrel=2
arch=('x86_64')
url='https://www.qt.io'
license=('LGPL3' 'LGPL2.1' 'BSD')
@ -21,10 +21,11 @@ makedepends=('python2' 'git' 'gperf' 'jsoncpp' 'ninja' 'qt5-tools' 'poppler')
groups=('qt' 'qt5')
_pkgfqn="${pkgname/5-/}-everywhere-src-${_qtver}"
source=("https://download.qt.io/official_releases/qt/${pkgver%.*}/${_qtver}/submodules/${_pkgfqn}.tar.xz"
qtwebengine-harmony.patch
qtwebengine-harmony.patch qtwebengine-glibc-2.29.patch
0001-ARM-toolchain-fixes.patch)
sha256sums=('3ff3bac12d75aa0f3fd993bb7077fe411f7b0e6a3993af6f8b039d48e3dc4317'
'feca54ab09ac0fc9d0626770a6b899a6ac5a12173c7d0c1005bc3964ec83e7b3'
'dd791f154b48e69cd47fd94753c45448655b529590995fd71ac1591c53a3d60c'
'8202b09a1caa82538a2eacd79b62b61d8661c65cdfb275560d231aa31a362b12')
prepare() {
@ -39,7 +40,10 @@ prepare() {
# FreeType 2.8.1
patch -Np1 -i ../qtwebengine-harmony.patch
cd src/3rdparty
cd src/3rdparty/chromium
patch -p1 -i "$srcdir"/qtwebengine-glibc-2.29.patch # Fix PPAPI plugins with glibc 2.29
cd ..
patch -p1 -i ${srcdir}/0001-ARM-toolchain-fixes.patch
}

105
extra/qt5-webengine/qtwebengine-glibc-2.29.patch Normal file
View file

@ -0,0 +1,105 @@
From 65046b8f90d0336cbe5f2f15cc7da5cb798360ad Mon Sep 17 00:00:00 2001
From: Matthew Denton <mpdenton@chromium.org>
Date: Wed, 24 Apr 2019 15:44:40 +0000
Subject: [PATCH] Update Linux Seccomp syscall restrictions to EPERM
posix_spawn/vfork
Glibc's system() function switched to using posix_spawn, which uses
CLONE_VFORK. Pepperflash includes a sandbox debugging check which
relies on us EPERM-ing process creation like this, rather than crashing
the process with SIGSYS.
So whitelist clone() calls, like posix_spawn, that include the flags
CLONE_VFORK and CLONE_VM.
Bug: 949312
Change-Id: I3f4b90114b2fc1d9929e3c0a85bbe8f10def3c20
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1568086
Commit-Queue: Robert Sesek <rsesek@chromium.org>
Reviewed-by: Robert Sesek <rsesek@chromium.org>
Cr-Commit-Position: refs/heads/master@{#653590}
---
.../baseline_policy_unittest.cc | 29 +++++++++++++++++++
.../syscall_parameters_restrictions.cc | 13 +++++++--
2 files changed, 40 insertions(+), 2 deletions(-)
diff --git a/sandbox/linux/seccomp-bpf-helpers/baseline_policy_unittest.cc b/sandbox/linux/seccomp-bpf-helpers/baseline_policy_unittest.cc
index cdeb210ccb..40fcebf933 100644
--- a/sandbox/linux/seccomp-bpf-helpers/baseline_policy_unittest.cc
+++ b/sandbox/linux/seccomp-bpf-helpers/baseline_policy_unittest.cc
@@ -10,7 +10,9 @@
#include <sched.h>
#include <signal.h>
#include <stddef.h>
+#include <stdlib.h>
#include <string.h>
+#include <sys/mman.h>
#include <sys/prctl.h>
#include <sys/resource.h>
#include <sys/socket.h>
@@ -130,6 +132,33 @@ BPF_TEST_C(BaselinePolicy, ForkArmEperm, BaselinePolicy) {
BPF_ASSERT_EQ(EPERM, fork_errno);
}
+BPF_TEST_C(BaselinePolicy, SystemEperm, BaselinePolicy) {
+ errno = 0;
+ int ret_val = system("echo SHOULD NEVER RUN");
+ BPF_ASSERT_EQ(-1, ret_val);
+ BPF_ASSERT_EQ(EPERM, errno);
+}
+
+BPF_TEST_C(BaselinePolicy, CloneVforkEperm, BaselinePolicy) {
+ errno = 0;
+ // Allocate a couple pages for the child's stack even though the child should
+ // never start.
+ constexpr size_t kStackSize = 4096 * 4;
+ void* child_stack = mmap(nullptr, kStackSize, PROT_READ | PROT_WRITE,
+ MAP_PRIVATE | MAP_ANONYMOUS | MAP_STACK, -1, 0);
+ BPF_ASSERT_NE(child_stack, nullptr);
+ pid_t pid = syscall(__NR_clone, CLONE_VM | CLONE_VFORK | SIGCHLD,
+ static_cast<char*>(child_stack) + kStackSize, nullptr,
+ nullptr, nullptr);
+ const int clone_errno = errno;
+ TestUtils::HandlePostForkReturn(pid);
+
+ munmap(child_stack, kStackSize);
+
+ BPF_ASSERT_EQ(-1, pid);
+ BPF_ASSERT_EQ(EPERM, clone_errno);
+}
+
BPF_TEST_C(BaselinePolicy, CreateThread, BaselinePolicy) {
base::Thread thread("sandbox_tests");
BPF_ASSERT(thread.Start());
diff --git a/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc b/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc
index 100afe50e3..348ab6e8c5 100644
--- a/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc
+++ b/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc
@@ -135,7 +135,8 @@ namespace sandbox {
#if !defined(OS_NACL_NONSFI)
// Allow Glibc's and Android pthread creation flags, crash on any other
// thread creation attempts and EPERM attempts to use neither
-// CLONE_VM, nor CLONE_THREAD, which includes all fork() implementations.
+// CLONE_VM nor CLONE_THREAD (all fork implementations), unless CLONE_VFORK is
+// present (as in newer versions of posix_spawn).
ResultExpr RestrictCloneToThreadsAndEPERMFork() {
const Arg<unsigned long> flags(0);
@@ -154,8 +155,16 @@ ResultExpr RestrictCloneToThreadsAndEPERMFork() {
AnyOf(flags == kAndroidCloneMask, flags == kObsoleteAndroidCloneMask,
flags == kGlibcPthreadFlags);
+ // The following two flags are the two important flags in any vfork-emulating
+ // clone call. EPERM any clone call that contains both of them.
+ const uint64_t kImportantCloneVforkFlags = CLONE_VFORK | CLONE_VM;
+
+ const BoolExpr is_fork_or_clone_vfork =
+ AnyOf((flags & (CLONE_VM | CLONE_THREAD)) == 0,
+ (flags & kImportantCloneVforkFlags) == kImportantCloneVforkFlags);
+
return If(IsAndroid() ? android_test : glibc_test, Allow())
- .ElseIf((flags & (CLONE_VM | CLONE_THREAD)) == 0, Error(EPERM))
+ .ElseIf(is_fork_or_clone_vfork, Error(EPERM))
.Else(CrashSIGSYSClone());
}