extra/chromium to 92.0.4515.107-3

extra/chromium/0001-widevine-support-for-arm.patch

@@ -1,7 +1,7 @@
 From 91ec5e7245f7ab302cd8fe22bfbbd2f0738ae286 Mon Sep 17 00:00:00 2001
 From: Kevin Mihelich <kevin@archlinuxarm.org>
 Date: Thu, 18 Feb 2021 19:35:58 -0700
-Subject: [PATCH] widevine support for arm
+Subject: [PATCH 1/2] widevine support for arm
 
 ---
  third_party/widevine/cdm/widevine.gni | 2 +-

extra/chromium/0002-Run-blink-bindings-generation-single-threaded.patch

@@ -0,0 +1,25 @@
+From b6540b7ab88e5c47ee0978de312cf0a997d9b981 Mon Sep 17 00:00:00 2001
+From: Kevin Mihelich <kevin@archlinuxarm.org>
+Date: Tue, 2 Feb 2021 13:58:59 -0700
+Subject: [PATCH 2/2] Run blink bindings generation single threaded
+
+When not single threaded this process will eat all the RAM.
+---
+ third_party/blink/renderer/bindings/BUILD.gn | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/third_party/blink/renderer/bindings/BUILD.gn b/third_party/blink/renderer/bindings/BUILD.gn
+index 385c9d0c45de..6b814e5cf741 100644
+--- a/third_party/blink/renderer/bindings/BUILD.gn
++++ b/third_party/blink/renderer/bindings/BUILD.gn
+@@ -187,6 +187,7 @@ template("generate_bindings") {
+     outputs = invoker.outputs
+ 
+     args = [
++             "--single_process",
+              "--web_idl_database",
+              rebase_path(web_idl_database, root_build_dir),
+              "--root_src_dir",
+-- 
+2.32.0
+

extra/chromium/PKGBUILD

@@ -16,7 +16,7 @@ highmem=1
 
 pkgname=chromium
 pkgver=92.0.4515.107
-pkgrel=2
+pkgrel=3
 _launcher_ver=7
 _gcc_patchset=7
 pkgdesc="A web browser built for speed, simplicity, and security"
@@ -36,18 +36,24 @@ source=(https://commondatastorage.googleapis.com/chromium-browser-official/$pkgn
         https://github.com/foutrelis/chromium-launcher/archive/v$_launcher_ver/chromium-launcher-$_launcher_ver.tar.gz
         https://github.com/stha09/chromium-patches/releases/download/chromium-${pkgver%%.*}-patchset-$_gcc_patchset/chromium-${pkgver%%.*}-patchset-$_gcc_patchset.tar.xz
         extend-enable-accelerated-video-decode-flag.patch
+        linux-sandbox-syscall-broker-use-struct-kernel_stat.patch
+        linux-sandbox-fix-fstatat-crash.patch
+        make-GetUsableSize-handle-nullptr-gracefully.patch
         sql-make-VirtualCursor-standard-layout-type.patch
-        chromium-glibc-2.33.patch
         use-oauth2-client-switches-as-default.patch
-        0001-widevine-support-for-arm.patch)
+        0001-widevine-support-for-arm.patch
+        0002-Run-blink-bindings-generation-single-threaded.patch)
 sha256sums=('6e51ac6512a4e95018eefc9fef1d2e7597f28a1c45c763b3a8eb7dde5f557012'
             '86859c11cfc8ba106a3826479c0bc759324a62150b271dd35d1a0f96e890f52f'
             '53a2cbb1b58d652d5424ff9040b6a51b9dc6348ce3edc68344cd0d25f1f4beb2'
             '66db9132d6f5e06aa26e5de0924f814224a76a9bdf4b61afce161fb1d7643b22'
+            '268e18ad56e5970157b51ec9fc8eb58ba93e313ea1e49c842a1ed0820d9c1fa3'
+            '253348550d54b8ae317fd250f772f506d2bae49fb5dc75fe15d872ea3d0e04a5'
+            '4489e5e7854a7dcd9464133eb4664250ce7149ac1714a0bf10ca0d82d8806568'
             'dd317f85e5abfdcfc89c6f23f4c8edbcdebdd5e083dcec770e5da49ee647d150'
-            '2fccecdcd4509d4c36af873988ca9dbcba7fdb95122894a9fdf502c33a1d7a4b'
             'e393174d7695d0bafed69e868c5fbfecf07aa6969f3b64596d0bae8b067e1711'
-            'd0b08de4b48b28525dd337800c51a1e02df260f5deafd3264f1a0df1987fe482')
+            '0014f33d92c514ff9160f1a82e9aa65f8b92d77574433ff5535ab078a6b23b4e'
+            'c6c586a0098ef22334081e7e1a36dc8efa866e32587fed79df9d3c9afb7b237f')
 
 # Possible replacements are listed in build/linux/unbundle/replace_gn_files.py
 # Keys are the names in the above script; values are the dependencies in Arch
@@ -93,6 +99,7 @@ prepare() {
 
   # Arch Linux ARM fixes
   patch -p1 -i ../0001-widevine-support-for-arm.patch
+  patch -p1 -i ../0002-Run-blink-bindings-generation-single-threaded.patch
 
   # Build ARMv7 with NEON
   [[ $CARCH == "armv7h" ]] && MAKEFLAGS="-j4" && CFLAGS=`echo $CFLAGS | sed -e 's/vfpv3-d16/neon/'` && CXXFLAGS="$CFLAGS"
@@ -111,11 +118,11 @@ prepare() {
   # runtime -- this allows signing into Chromium without baked-in values
   patch -Np1 -i ../use-oauth2-client-switches-as-default.patch
 
-  # https://crbug.com/1164975
-  patch -Np1 -i ../chromium-glibc-2.33.patch
-
   # Upstream fixes
   patch -Np1 -i ../extend-enable-accelerated-video-decode-flag.patch
+  patch -Np1 -i ../linux-sandbox-syscall-broker-use-struct-kernel_stat.patch
+  patch -Np1 -i ../linux-sandbox-fix-fstatat-crash.patch
+  patch -Np1 -i ../make-GetUsableSize-handle-nullptr-gracefully.patch
 
   # https://chromium-review.googlesource.com/c/chromium/src/+/2862724
   patch -Np1 -i ../sql-make-VirtualCursor-standard-layout-type.patch

extra/chromium/chromium-glibc-2.33.patch

@@ -1,144 +0,0 @@
-# Patch made by Kevin Kofler <Kevin@tigcc.ticalc.org>
-# https://bugzilla.redhat.com/show_bug.cgi?id=1904652
-
-diff -up chromium-88.0.4324.96/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc.fstatfix chromium-88.0.4324.96/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc
---- chromium-88.0.4324.96/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc.fstatfix	2021-01-25 10:11:45.427436398 -0500
-+++ chromium-88.0.4324.96/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc	2021-01-25 10:12:51.337699003 -0500
-@@ -257,6 +257,18 @@ ResultExpr EvaluateSyscallImpl(int fs_de
-     return RestrictKillTarget(current_pid, sysno);
-   }
- 
-+#if defined(__NR_newfstatat)
-+  if (sysno == __NR_newfstatat) {
-+    return RewriteFstatatSIGSYS();
-+  }
-+#endif
-+
-+#if defined(__NR_fstatat64)
-+  if (sysno == __NR_fstatat64) {
-+    return RewriteFstatatSIGSYS();
-+  }
-+#endif
-+
-   if (SyscallSets::IsFileSystem(sysno) ||
-       SyscallSets::IsCurrentDirectory(sysno)) {
-     return Error(fs_denied_errno);
-diff -up chromium-88.0.4324.96/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.cc.fstatfix chromium-88.0.4324.96/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.cc
---- chromium-88.0.4324.96/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.cc.fstatfix	2021-01-25 10:13:10.179774081 -0500
-+++ chromium-88.0.4324.96/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.cc	2021-01-25 10:16:18.790525746 -0500
-@@ -6,6 +6,8 @@
- 
- #include "sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h"
- 
-+#include <errno.h>
-+#include <fcntl.h>
- #include <stddef.h>
- #include <stdint.h>
- #include <string.h>
-@@ -355,6 +357,35 @@ intptr_t SIGSYSSchedHandler(const struct
-   return -ENOSYS;
- }
- 
-+intptr_t SIGSYSFstatatHandler(const struct arch_seccomp_data& args,
-+                              void* aux) {
-+  switch (args.nr) {
-+#if defined(__NR_newfstatat)
-+    case __NR_newfstatat:
-+#endif
-+#if defined(__NR_fstatat64)
-+    case __NR_fstatat64:
-+#endif
-+#if defined(__NR_newfstatat) || defined(__NR_fstatat64)
-+      if (*reinterpret_cast<const char *>(args.args[1]) == '\0'
-+          && args.args[3] == static_cast<uint64_t>(AT_EMPTY_PATH)) {
-+        return sandbox::sys_fstat64(static_cast<int>(args.args[0]),
-+                                    reinterpret_cast<struct stat64 *>(args.args[2]));
-+      } else {
-+        errno = EACCES;
-+        return -1;
-+      }
-+      break;
-+#endif
-+  }
-+
-+  CrashSIGSYS_Handler(args, aux);
-+
-+  // Should never be reached.
-+  RAW_CHECK(false);
-+  return -ENOSYS;
-+}
-+
- bpf_dsl::ResultExpr CrashSIGSYS() {
-   return bpf_dsl::Trap(CrashSIGSYS_Handler, NULL);
- }
-@@ -387,6 +418,10 @@ bpf_dsl::ResultExpr RewriteSchedSIGSYS()
-   return bpf_dsl::Trap(SIGSYSSchedHandler, NULL);
- }
- 
-+bpf_dsl::ResultExpr RewriteFstatatSIGSYS() {
-+  return bpf_dsl::Trap(SIGSYSFstatatHandler, NULL);
-+}
-+
- void AllocateCrashKeys() {
- #if !defined(OS_NACL_NONSFI)
-   if (seccomp_crash_key)
-diff -up chromium-88.0.4324.96/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h.fstatfix chromium-88.0.4324.96/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h
---- chromium-88.0.4324.96/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h.fstatfix	2021-01-25 10:16:36.982598236 -0500
-+++ chromium-88.0.4324.96/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h	2021-01-25 10:18:45.705111027 -0500
-@@ -62,6 +62,10 @@ SANDBOX_EXPORT intptr_t SIGSYSPtraceFail
- // sched_setparam(), sched_setscheduler()
- SANDBOX_EXPORT intptr_t SIGSYSSchedHandler(const arch_seccomp_data& args,
-                                            void* aux);
-+// If the fstatat syscall is actually a disguised fstat, calls the regular fstat
-+// syscall, otherwise, crashes in the same way as CrashSIGSYS_Handler.
-+SANDBOX_EXPORT intptr_t SIGSYSFstatatHandler(const struct arch_seccomp_data& args, 
-+                                             void* aux);
- 
- // Variants of the above functions for use with bpf_dsl.
- SANDBOX_EXPORT bpf_dsl::ResultExpr CrashSIGSYS();
-@@ -72,6 +76,7 @@ SANDBOX_EXPORT bpf_dsl::ResultExpr Crash
- SANDBOX_EXPORT bpf_dsl::ResultExpr CrashSIGSYSFutex();
- SANDBOX_EXPORT bpf_dsl::ResultExpr CrashSIGSYSPtrace();
- SANDBOX_EXPORT bpf_dsl::ResultExpr RewriteSchedSIGSYS();
-+SANDBOX_EXPORT bpf_dsl::ResultExpr RewriteFstatatSIGSYS();
- 
- // Allocates a crash key so that Seccomp information can be recorded.
- void AllocateCrashKeys();
-diff -up chromium-88.0.4324.96/sandbox/linux/services/syscall_wrappers.cc.fstatfix chromium-88.0.4324.96/sandbox/linux/services/syscall_wrappers.cc
---- chromium-88.0.4324.96/sandbox/linux/services/syscall_wrappers.cc.fstatfix	2021-01-25 10:18:53.307141311 -0500
-+++ chromium-88.0.4324.96/sandbox/linux/services/syscall_wrappers.cc	2021-01-25 10:19:46.982355293 -0500
-@@ -261,4 +261,13 @@ int sys_sigaction(int signum,
- 
- #endif  // defined(MEMORY_SANITIZER)
- 
-+SANDBOX_EXPORT int sys_fstat64(int fd, struct stat64 *buf)
-+{
-+#if defined(__NR_fstat64)
-+    return syscall(__NR_fstat64, fd, buf);
-+#else
-+    return syscall(__NR_fstat, fd, buf);
-+#endif
-+}
-+
- }  // namespace sandbox
-diff -up chromium-88.0.4324.96/sandbox/linux/services/syscall_wrappers.h.fstatfix chromium-88.0.4324.96/sandbox/linux/services/syscall_wrappers.h
---- chromium-88.0.4324.96/sandbox/linux/services/syscall_wrappers.h.fstatfix	2021-01-25 10:19:53.115379741 -0500
-+++ chromium-88.0.4324.96/sandbox/linux/services/syscall_wrappers.h	2021-01-25 10:20:45.485588421 -0500
-@@ -17,6 +17,7 @@ struct sock_fprog;
- struct rlimit64;
- struct cap_hdr;
- struct cap_data;
-+struct stat64;
- 
- namespace sandbox {
- 
-@@ -84,6 +85,9 @@ SANDBOX_EXPORT int sys_sigaction(int sig
-                                  const struct sigaction* act,
-                                  struct sigaction* oldact);
- 
-+// Recent glibc rewrites fstat to fstatat.
-+SANDBOX_EXPORT int sys_fstat64(int fd, struct stat64 *buf);
-+
- }  // namespace sandbox
- 
- #endif  // SANDBOX_LINUX_SERVICES_SYSCALL_WRAPPERS_H_

extra/chromium/linux-sandbox-fix-fstatat-crash.patch

@@ -0,0 +1,348 @@
+From 60d5e803ef2a4874d29799b638754152285e0ed9 Mon Sep 17 00:00:00 2001
+From: Matthew Denton <mpdenton@chromium.org>
+Date: Wed, 21 Jul 2021 12:55:11 +0000
+Subject: [PATCH] Linux sandbox: fix fstatat() crash
+
+This is a reland of https://crrev.com/c/2801873.
+
+Glibc has started rewriting fstat(fd, stat_buf) to
+fstatat(fd, "", stat_buf, AT_EMPTY_PATH). This works because when
+AT_EMPTY_PATH is specified, and the second argument is an empty string,
+then fstatat just performs an fstat on fd like normal.
+
+Unfortunately, fstatat() also allows stat-ing arbitrary pathnames like
+with fstatat(AT_FDCWD, "/i/am/a/file", stat_buf, 0);
+The baseline policy needs to prevent this usage of fstatat() since it
+doesn't allow access to arbitrary pathnames.
+
+Sadly, if the second argument is not an empty string, AT_EMPTY_PATH is
+simply ignored by current kernels.
+
+This means fstatat() is completely unsandboxable with seccomp, since
+we *need* to verify that the second argument is the empty string, but
+we can't dereference pointers in seccomp (due to limitations of BPF,
+and the difficulty of addressing these limitations due to TOCTOU
+issues).
+
+So, this CL Traps (raises a SIGSYS via seccomp) on any fstatat syscall.
+The signal handler, which runs in the sandboxed process, checks for
+AT_EMPTY_PATH and the empty string, and then rewrites any applicable
+fstatat() back into the old-style fstat().
+
+Bug: 1164975
+Change-Id: I3df6c04c0d781eb1f181d707ccaaead779337291
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3042179
+Reviewed-by: Robert Sesek <rsesek@chromium.org>
+Commit-Queue: Matthew Denton <mpdenton@chromium.org>
+Cr-Commit-Position: refs/heads/master@{#903873}
+---
+ .../seccomp-bpf-helpers/baseline_policy.cc    |  8 ++++++
+ .../baseline_policy_unittest.cc               | 17 ++++++++++++-
+ .../seccomp-bpf-helpers/sigsys_handlers.cc    | 25 +++++++++++++++++++
+ .../seccomp-bpf-helpers/sigsys_handlers.h     | 14 +++++++++++
+ .../linux/syscall_broker/broker_process.cc    | 21 ++++++++++------
+ .../syscall_broker/broker_process_unittest.cc | 18 ++++++-------
+ sandbox/linux/system_headers/linux_stat.h     |  4 +++
+ 7 files changed, 89 insertions(+), 18 deletions(-)
+
+diff --git a/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc b/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc
+index f2a60bb4d7..9df0d2dbd3 100644
+--- a/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc
++++ b/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc
+@@ -20,6 +20,7 @@
+ #include "sandbox/linux/seccomp-bpf-helpers/syscall_sets.h"
+ #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h"
+ #include "sandbox/linux/services/syscall_wrappers.h"
++#include "sandbox/linux/system_headers/linux_stat.h"
+ #include "sandbox/linux/system_headers/linux_syscalls.h"
+ 
+ #if !defined(SO_PEEK_OFF)
+@@ -304,6 +305,13 @@ ResultExpr EvaluateSyscallImpl(int fs_denied_errno,
+     return Allow();
+   }
+ 
++  // The fstatat syscalls are file system syscalls, which will be denied below
++  // with fs_denied_errno. However some allowed fstat syscalls are rewritten by
++  // libc implementations to fstatat syscalls, and we need to rewrite them back.
++  if (sysno == __NR_fstatat_default) {
++    return RewriteFstatatSIGSYS(fs_denied_errno);
++  }
++
+   if (SyscallSets::IsFileSystem(sysno) ||
+       SyscallSets::IsCurrentDirectory(sysno)) {
+     return Error(fs_denied_errno);
+diff --git a/sandbox/linux/seccomp-bpf-helpers/baseline_policy_unittest.cc b/sandbox/linux/seccomp-bpf-helpers/baseline_policy_unittest.cc
+index 68c29b564b..57d307e09d 100644
+--- a/sandbox/linux/seccomp-bpf-helpers/baseline_policy_unittest.cc
++++ b/sandbox/linux/seccomp-bpf-helpers/baseline_policy_unittest.cc
+@@ -51,7 +51,8 @@ namespace sandbox {
+ 
+ namespace {
+ 
+-// This also tests that read(), write() and fstat() are allowed.
++// This also tests that read(), write(), fstat(), and fstatat(.., "", ..,
++// AT_EMPTY_PATH) are allowed.
+ void TestPipeOrSocketPair(base::ScopedFD read_end, base::ScopedFD write_end) {
+   BPF_ASSERT_LE(0, read_end.get());
+   BPF_ASSERT_LE(0, write_end.get());
+@@ -60,6 +61,20 @@ void TestPipeOrSocketPair(base::ScopedFD read_end, base::ScopedFD write_end) {
+   BPF_ASSERT_EQ(0, sys_ret);
+   BPF_ASSERT(S_ISFIFO(stat_buf.st_mode) || S_ISSOCK(stat_buf.st_mode));
+ 
++  sys_ret = fstatat(read_end.get(), "", &stat_buf, AT_EMPTY_PATH);
++  BPF_ASSERT_EQ(0, sys_ret);
++  BPF_ASSERT(S_ISFIFO(stat_buf.st_mode) || S_ISSOCK(stat_buf.st_mode));
++
++  // Make sure fstatat with anything other than an empty string is denied.
++  sys_ret = fstatat(read_end.get(), "/", &stat_buf, AT_EMPTY_PATH);
++  BPF_ASSERT_EQ(sys_ret, -1);
++  BPF_ASSERT_EQ(EPERM, errno);
++
++  // Make sure fstatat without AT_EMPTY_PATH is denied.
++  sys_ret = fstatat(read_end.get(), "", &stat_buf, 0);
++  BPF_ASSERT_EQ(sys_ret, -1);
++  BPF_ASSERT_EQ(EPERM, errno);
++
+   const ssize_t kTestTransferSize = 4;
+   static const char kTestString[kTestTransferSize] = {'T', 'E', 'S', 'T'};
+   ssize_t transfered = 0;
+diff --git a/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.cc b/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.cc
+index 64edbd68bd..71068a0452 100644
+--- a/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.cc
++++ b/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.cc
+@@ -6,6 +6,7 @@
+ 
+ #include "sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h"
+ 
++#include <fcntl.h>
+ #include <stddef.h>
+ #include <stdint.h>
+ #include <string.h>
+@@ -22,6 +23,7 @@
+ #include "sandbox/linux/seccomp-bpf/syscall.h"
+ #include "sandbox/linux/services/syscall_wrappers.h"
+ #include "sandbox/linux/system_headers/linux_seccomp.h"
++#include "sandbox/linux/system_headers/linux_stat.h"
+ #include "sandbox/linux/system_headers/linux_syscalls.h"
+ 
+ #if defined(__mips__)
+@@ -355,6 +357,24 @@ intptr_t SIGSYSSchedHandler(const struct arch_seccomp_data& args,
+   return -ENOSYS;
+ }
+ 
++intptr_t SIGSYSFstatatHandler(const struct arch_seccomp_data& args,
++                              void* fs_denied_errno) {
++  if (args.nr == __NR_fstatat_default) {
++    if (*reinterpret_cast<const char*>(args.args[1]) == '\0' &&
++        args.args[3] == static_cast<uint64_t>(AT_EMPTY_PATH)) {
++      return syscall(__NR_fstat_default, static_cast<int>(args.args[0]),
++                     reinterpret_cast<default_stat_struct*>(args.args[2]));
++    }
++    return -reinterpret_cast<intptr_t>(fs_denied_errno);
++  }
++
++  CrashSIGSYS_Handler(args, fs_denied_errno);
++
++  // Should never be reached.
++  RAW_CHECK(false);
++  return -ENOSYS;
++}
++
+ bpf_dsl::ResultExpr CrashSIGSYS() {
+   return bpf_dsl::Trap(CrashSIGSYS_Handler, NULL);
+ }
+@@ -387,6 +407,11 @@ bpf_dsl::ResultExpr RewriteSchedSIGSYS() {
+   return bpf_dsl::Trap(SIGSYSSchedHandler, NULL);
+ }
+ 
++bpf_dsl::ResultExpr RewriteFstatatSIGSYS(int fs_denied_errno) {
++  return bpf_dsl::Trap(SIGSYSFstatatHandler,
++                       reinterpret_cast<void*>(fs_denied_errno));
++}
++
+ void AllocateCrashKeys() {
+ #if !defined(OS_NACL_NONSFI)
+   if (seccomp_crash_key)
+diff --git a/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h b/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h
+index 7a958b93b2..8cd735ce15 100644
+--- a/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h
++++ b/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h
+@@ -62,6 +62,19 @@ SANDBOX_EXPORT intptr_t SIGSYSPtraceFailure(const arch_seccomp_data& args,
+ // sched_setparam(), sched_setscheduler()
+ SANDBOX_EXPORT intptr_t SIGSYSSchedHandler(const arch_seccomp_data& args,
+                                            void* aux);
++// If the fstatat() syscall is functionally equivalent to an fstat() syscall,
++// then rewrite the syscall to the equivalent fstat() syscall which can be
++// adequately sandboxed.
++// If the fstatat() is not functionally equivalent to an fstat() syscall, we
++// fail with -fs_denied_errno.
++// If the syscall is not an fstatat() at all, crash in the same way as
++// CrashSIGSYS_Handler.
++// This is necessary because glibc and musl have started rewriting fstat(fd,
++// stat_buf) as fstatat(fd, "", stat_buf, AT_EMPTY_PATH). We rewrite the latter
++// back to the former, which is actually sandboxable.
++SANDBOX_EXPORT intptr_t
++SIGSYSFstatatHandler(const struct arch_seccomp_data& args,
++                     void* fs_denied_errno);
+ 
+ // Variants of the above functions for use with bpf_dsl.
+ SANDBOX_EXPORT bpf_dsl::ResultExpr CrashSIGSYS();
+@@ -72,6 +85,7 @@ SANDBOX_EXPORT bpf_dsl::ResultExpr CrashSIGSYSKill();
+ SANDBOX_EXPORT bpf_dsl::ResultExpr CrashSIGSYSFutex();
+ SANDBOX_EXPORT bpf_dsl::ResultExpr CrashSIGSYSPtrace();
+ SANDBOX_EXPORT bpf_dsl::ResultExpr RewriteSchedSIGSYS();
++SANDBOX_EXPORT bpf_dsl::ResultExpr RewriteFstatatSIGSYS(int fs_denied_errno);
+ 
+ // Allocates a crash key so that Seccomp information can be recorded.
+ void AllocateCrashKeys();
+diff --git a/sandbox/linux/syscall_broker/broker_process.cc b/sandbox/linux/syscall_broker/broker_process.cc
+index c2176eb785..e9dad37485 100644
+--- a/sandbox/linux/syscall_broker/broker_process.cc
++++ b/sandbox/linux/syscall_broker/broker_process.cc
+@@ -113,44 +113,49 @@ bool BrokerProcess::IsSyscallAllowed(int sysno) const {
+ }
+ 
+ bool BrokerProcess::IsSyscallBrokerable(int sysno, bool fast_check) const {
++  // The syscalls unavailable on aarch64 are all blocked by Android's default
++  // seccomp policy, even on non-aarch64 architectures. I.e., the syscalls XX()
++  // with a corresponding XXat() versions are typically unavailable in aarch64
++  // and are default disabled in Android. So, we should refuse to broker them
++  // to be consistent with the platform's restrictions.
+   switch (sysno) {
+-#if !defined(__aarch64__)
++#if !defined(__aarch64__) && !defined(OS_ANDROID)
+     case __NR_access:
+ #endif
+     case __NR_faccessat:
+       return !fast_check || allowed_command_set_.test(COMMAND_ACCESS);
+ 
+-#if !defined(__aarch64__)
++#if !defined(__aarch64__) && !defined(OS_ANDROID)
+     case __NR_mkdir:
+ #endif
+     case __NR_mkdirat:
+       return !fast_check || allowed_command_set_.test(COMMAND_MKDIR);
+ 
+-#if !defined(__aarch64__)
++#if !defined(__aarch64__) && !defined(OS_ANDROID)
+     case __NR_open:
+ #endif
+     case __NR_openat:
+       return !fast_check || allowed_command_set_.test(COMMAND_OPEN);
+ 
+-#if !defined(__aarch64__)
++#if !defined(__aarch64__) && !defined(OS_ANDROID)
+     case __NR_readlink:
+ #endif
+     case __NR_readlinkat:
+       return !fast_check || allowed_command_set_.test(COMMAND_READLINK);
+ 
+-#if !defined(__aarch64__)
++#if !defined(__aarch64__) && !defined(OS_ANDROID)
+     case __NR_rename:
+ #endif
+     case __NR_renameat:
+     case __NR_renameat2:
+       return !fast_check || allowed_command_set_.test(COMMAND_RENAME);
+ 
+-#if !defined(__aarch64__)
++#if !defined(__aarch64__) && !defined(OS_ANDROID)
+     case __NR_rmdir:
+       return !fast_check || allowed_command_set_.test(COMMAND_RMDIR);
+ #endif
+ 
+-#if !defined(__aarch64__)
++#if !defined(__aarch64__) && !defined(OS_ANDROID)
+     case __NR_stat:
+     case __NR_lstat:
+ #endif
+@@ -175,7 +180,7 @@ bool BrokerProcess::IsSyscallBrokerable(int sysno, bool fast_check) const {
+       return !fast_check || allowed_command_set_.test(COMMAND_STAT);
+ #endif
+ 
+-#if !defined(__aarch64__)
++#if !defined(__aarch64__) && !defined(OS_ANDROID)
+     case __NR_unlink:
+       return !fast_check || allowed_command_set_.test(COMMAND_UNLINK);
+ #endif
+diff --git a/sandbox/linux/syscall_broker/broker_process_unittest.cc b/sandbox/linux/syscall_broker/broker_process_unittest.cc
+index c65f25a78a..f0db08d84e 100644
+--- a/sandbox/linux/syscall_broker/broker_process_unittest.cc
++++ b/sandbox/linux/syscall_broker/broker_process_unittest.cc
+@@ -1596,52 +1596,52 @@ TEST(BrokerProcess, IsSyscallAllowed) {
+   const base::flat_map<BrokerCommand, base::flat_set<int>> kSysnosForCommand = {
+       {COMMAND_ACCESS,
+        {__NR_faccessat,
+-#if defined(__NR_access)
++#if defined(__NR_access) && !defined(OS_ANDROID)
+         __NR_access
+ #endif
+        }},
+       {COMMAND_MKDIR,
+        {__NR_mkdirat,
+-#if defined(__NR_mkdir)
++#if defined(__NR_mkdir) && !defined(OS_ANDROID)
+         __NR_mkdir
+ #endif
+        }},
+       {COMMAND_OPEN,
+        {__NR_openat,
+-#if defined(__NR_open)
++#if defined(__NR_open) && !defined(OS_ANDROID)
+         __NR_open
+ #endif
+        }},
+       {COMMAND_READLINK,
+        {__NR_readlinkat,
+-#if defined(__NR_readlink)
++#if defined(__NR_readlink) && !defined(OS_ANDROID)
+         __NR_readlink
+ #endif
+        }},
+       {COMMAND_RENAME,
+        {__NR_renameat,
+-#if defined(__NR_rename)
++#if defined(__NR_rename) && !defined(OS_ANDROID)
+         __NR_rename
+ #endif
+        }},
+       {COMMAND_UNLINK,
+        {__NR_unlinkat,
+-#if defined(__NR_unlink)
++#if defined(__NR_unlink) && !defined(OS_ANDROID)
+         __NR_unlink
+ #endif
+        }},
+       {COMMAND_RMDIR,
+        {__NR_unlinkat,
+-#if defined(__NR_rmdir)
++#if defined(__NR_rmdir) && !defined(OS_ANDROID)
+         __NR_rmdir
+ #endif
+        }},
+       {COMMAND_STAT,
+        {
+-#if defined(__NR_stat)
++#if defined(__NR_stat) && !defined(OS_ANDROID)
+            __NR_stat,
+ #endif
+-#if defined(__NR_lstat)
++#if defined(__NR_lstat) && !defined(OS_ANDROID)
+            __NR_lstat,
+ #endif
+ #if defined(__NR_fstatat)
+diff --git a/sandbox/linux/system_headers/linux_stat.h b/sandbox/linux/system_headers/linux_stat.h
+index 35788eb22a..83b89efc75 100644
+--- a/sandbox/linux/system_headers/linux_stat.h
++++ b/sandbox/linux/system_headers/linux_stat.h
+@@ -157,6 +157,10 @@ struct kernel_stat {
+ };
+ #endif
+ 
++#if !defined(AT_EMPTY_PATH)
++#define AT_EMPTY_PATH 0x1000
++#endif
++
+ // On 32-bit systems, we default to the 64-bit stat struct like libc
+ // implementations do. Otherwise we default to the normal stat struct which is
+ // already 64-bit.

extra/chromium/make-GetUsableSize-handle-nullptr-gracefully.patch

@@ -0,0 +1,49 @@
+From 61e16c92ff24bb71b9b7309a9d6d470ee91738bc Mon Sep 17 00:00:00 2001
+From: Bartek Nowierski <bartekn@chromium.org>
+Date: Wed, 21 Jul 2021 15:01:38 +0000
+Subject: [PATCH] [PA] Make GetUsableSize() handle nullptr gracefully
+
+malloc_usable_size() is expected to not crush on NULL and return 0.
+
+Bug: 1221442
+Change-Id: I6a3b90dcf3a8ad18114c206d87b98f60d5f50eb1
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3042177
+Commit-Queue: Bartek Nowierski <bartekn@chromium.org>
+Commit-Queue: Kentaro Hara <haraken@chromium.org>
+Auto-Submit: Bartek Nowierski <bartekn@chromium.org>
+Reviewed-by: Kentaro Hara <haraken@chromium.org>
+Cr-Commit-Position: refs/heads/master@{#903900}
+---
+ .../allocator/partition_allocator/partition_alloc_unittest.cc | 4 ++++
+ base/allocator/partition_allocator/partition_root.h           | 3 +++
+ 2 files changed, 7 insertions(+)
+
+diff --git a/base/allocator/partition_allocator/partition_alloc_unittest.cc b/base/allocator/partition_allocator/partition_alloc_unittest.cc
+index c12120114aa7..8863984cd805 100644
+--- a/base/allocator/partition_allocator/partition_alloc_unittest.cc
++++ b/base/allocator/partition_allocator/partition_alloc_unittest.cc
+@@ -2838,6 +2838,10 @@ TEST_F(PartitionAllocTest, OptimizedGetSlotNumber) {
+   }
+ }
+ 
++TEST_F(PartitionAllocTest, GetUsableSizeNull) {
++  EXPECT_EQ(0ULL, PartitionRoot<ThreadSafe>::GetUsableSize(nullptr));
++}
++
+ TEST_F(PartitionAllocTest, GetUsableSize) {
+   size_t delta = SystemPageSize() + 1;
+   for (size_t size = 1; size <= kMinDirectMappedDownsize; size += delta) {
+diff --git a/base/allocator/partition_allocator/partition_root.h b/base/allocator/partition_allocator/partition_root.h
+index b72a1d94a4e4..baac952597d1 100644
+--- a/base/allocator/partition_allocator/partition_root.h
++++ b/base/allocator/partition_allocator/partition_root.h
+@@ -1220,6 +1220,9 @@ ALWAYS_INLINE bool PartitionRoot<thread_safe>::TryRecommitSystemPagesForData(
+ // PartitionAlloc's internal data. Used as malloc_usable_size.
+ template <bool thread_safe>
+ ALWAYS_INLINE size_t PartitionRoot<thread_safe>::GetUsableSize(void* ptr) {
++  // malloc_usable_size() is expected to handle NULL gracefully and return 0.
++  if (!ptr)
++    return 0;
+   auto* slot_span = SlotSpan::FromSlotInnerPtr(ptr);
+   auto* root = FromSlotSpan(slot_span);
+   return slot_span->GetUsableSize(root);