extra/chromium to 92.0.4515.107-3
This commit is contained in:
parent
4a2a9969b5
commit
369c0aef99
7 changed files with 1822 additions and 153 deletions
|
@ -1,7 +1,7 @@
|
|||
From 91ec5e7245f7ab302cd8fe22bfbbd2f0738ae286 Mon Sep 17 00:00:00 2001
|
||||
From: Kevin Mihelich <kevin@archlinuxarm.org>
|
||||
Date: Thu, 18 Feb 2021 19:35:58 -0700
|
||||
Subject: [PATCH] widevine support for arm
|
||||
Subject: [PATCH 1/2] widevine support for arm
|
||||
|
||||
---
|
||||
third_party/widevine/cdm/widevine.gni | 2 +-
|
||||
|
|
|
@ -0,0 +1,25 @@
|
|||
From b6540b7ab88e5c47ee0978de312cf0a997d9b981 Mon Sep 17 00:00:00 2001
|
||||
From: Kevin Mihelich <kevin@archlinuxarm.org>
|
||||
Date: Tue, 2 Feb 2021 13:58:59 -0700
|
||||
Subject: [PATCH 2/2] Run blink bindings generation single threaded
|
||||
|
||||
When not single threaded this process will eat all the RAM.
|
||||
---
|
||||
third_party/blink/renderer/bindings/BUILD.gn | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/third_party/blink/renderer/bindings/BUILD.gn b/third_party/blink/renderer/bindings/BUILD.gn
|
||||
index 385c9d0c45de..6b814e5cf741 100644
|
||||
--- a/third_party/blink/renderer/bindings/BUILD.gn
|
||||
+++ b/third_party/blink/renderer/bindings/BUILD.gn
|
||||
@@ -187,6 +187,7 @@ template("generate_bindings") {
|
||||
outputs = invoker.outputs
|
||||
|
||||
args = [
|
||||
+ "--single_process",
|
||||
"--web_idl_database",
|
||||
rebase_path(web_idl_database, root_build_dir),
|
||||
"--root_src_dir",
|
||||
--
|
||||
2.32.0
|
||||
|
|
@ -16,7 +16,7 @@ highmem=1
|
|||
|
||||
pkgname=chromium
|
||||
pkgver=92.0.4515.107
|
||||
pkgrel=2
|
||||
pkgrel=3
|
||||
_launcher_ver=7
|
||||
_gcc_patchset=7
|
||||
pkgdesc="A web browser built for speed, simplicity, and security"
|
||||
|
@ -36,18 +36,24 @@ source=(https://commondatastorage.googleapis.com/chromium-browser-official/$pkgn
|
|||
https://github.com/foutrelis/chromium-launcher/archive/v$_launcher_ver/chromium-launcher-$_launcher_ver.tar.gz
|
||||
https://github.com/stha09/chromium-patches/releases/download/chromium-${pkgver%%.*}-patchset-$_gcc_patchset/chromium-${pkgver%%.*}-patchset-$_gcc_patchset.tar.xz
|
||||
extend-enable-accelerated-video-decode-flag.patch
|
||||
linux-sandbox-syscall-broker-use-struct-kernel_stat.patch
|
||||
linux-sandbox-fix-fstatat-crash.patch
|
||||
make-GetUsableSize-handle-nullptr-gracefully.patch
|
||||
sql-make-VirtualCursor-standard-layout-type.patch
|
||||
chromium-glibc-2.33.patch
|
||||
use-oauth2-client-switches-as-default.patch
|
||||
0001-widevine-support-for-arm.patch)
|
||||
0001-widevine-support-for-arm.patch
|
||||
0002-Run-blink-bindings-generation-single-threaded.patch)
|
||||
sha256sums=('6e51ac6512a4e95018eefc9fef1d2e7597f28a1c45c763b3a8eb7dde5f557012'
|
||||
'86859c11cfc8ba106a3826479c0bc759324a62150b271dd35d1a0f96e890f52f'
|
||||
'53a2cbb1b58d652d5424ff9040b6a51b9dc6348ce3edc68344cd0d25f1f4beb2'
|
||||
'66db9132d6f5e06aa26e5de0924f814224a76a9bdf4b61afce161fb1d7643b22'
|
||||
'268e18ad56e5970157b51ec9fc8eb58ba93e313ea1e49c842a1ed0820d9c1fa3'
|
||||
'253348550d54b8ae317fd250f772f506d2bae49fb5dc75fe15d872ea3d0e04a5'
|
||||
'4489e5e7854a7dcd9464133eb4664250ce7149ac1714a0bf10ca0d82d8806568'
|
||||
'dd317f85e5abfdcfc89c6f23f4c8edbcdebdd5e083dcec770e5da49ee647d150'
|
||||
'2fccecdcd4509d4c36af873988ca9dbcba7fdb95122894a9fdf502c33a1d7a4b'
|
||||
'e393174d7695d0bafed69e868c5fbfecf07aa6969f3b64596d0bae8b067e1711'
|
||||
'd0b08de4b48b28525dd337800c51a1e02df260f5deafd3264f1a0df1987fe482')
|
||||
'0014f33d92c514ff9160f1a82e9aa65f8b92d77574433ff5535ab078a6b23b4e'
|
||||
'c6c586a0098ef22334081e7e1a36dc8efa866e32587fed79df9d3c9afb7b237f')
|
||||
|
||||
# Possible replacements are listed in build/linux/unbundle/replace_gn_files.py
|
||||
# Keys are the names in the above script; values are the dependencies in Arch
|
||||
|
@ -93,6 +99,7 @@ prepare() {
|
|||
|
||||
# Arch Linux ARM fixes
|
||||
patch -p1 -i ../0001-widevine-support-for-arm.patch
|
||||
patch -p1 -i ../0002-Run-blink-bindings-generation-single-threaded.patch
|
||||
|
||||
# Build ARMv7 with NEON
|
||||
[[ $CARCH == "armv7h" ]] && MAKEFLAGS="-j4" && CFLAGS=`echo $CFLAGS | sed -e 's/vfpv3-d16/neon/'` && CXXFLAGS="$CFLAGS"
|
||||
|
@ -111,11 +118,11 @@ prepare() {
|
|||
# runtime -- this allows signing into Chromium without baked-in values
|
||||
patch -Np1 -i ../use-oauth2-client-switches-as-default.patch
|
||||
|
||||
# https://crbug.com/1164975
|
||||
patch -Np1 -i ../chromium-glibc-2.33.patch
|
||||
|
||||
# Upstream fixes
|
||||
patch -Np1 -i ../extend-enable-accelerated-video-decode-flag.patch
|
||||
patch -Np1 -i ../linux-sandbox-syscall-broker-use-struct-kernel_stat.patch
|
||||
patch -Np1 -i ../linux-sandbox-fix-fstatat-crash.patch
|
||||
patch -Np1 -i ../make-GetUsableSize-handle-nullptr-gracefully.patch
|
||||
|
||||
# https://chromium-review.googlesource.com/c/chromium/src/+/2862724
|
||||
patch -Np1 -i ../sql-make-VirtualCursor-standard-layout-type.patch
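Review bot: The added `patch -p1 -i ../0002-Run-blink-bindings-generation-single-threaded.patch` in the first prepare() hunk applies the single-process bindings generator to every architecture this PKGBUILD builds, whereas the `-j4`/NEON adjustment two lines below it is gated on `[[ $CARCH == "armv7h" ]]`. The patch's own description says only that the multi-process generator exhausts RAM; if that is specific to the 32-bit builders, gating it the same way, `[[ $CARCH == "armv7h" ]] && patch -p1 -i ../0002-Run-blink-bindings-generation-single-threaded.patch`, would avoid slowing aarch64 builds, and a short comment stating why the patch exists would help either way. The new line also omits the `-N` that every upstream patch line in the second hunk uses, so a repeated prepare() can prompt about a reversed patch instead of failing outright; `patch -Np1` would match the rest of the function. prepare() begins and ends outside both hunks.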
|
||||
|
|
|
@ -1,144 +0,0 @@
|
|||
# Patch made by Kevin Kofler <Kevin@tigcc.ticalc.org>
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1904652
|
||||
|
||||
diff -up chromium-88.0.4324.96/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc.fstatfix chromium-88.0.4324.96/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc
|
||||
--- chromium-88.0.4324.96/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc.fstatfix 2021-01-25 10:11:45.427436398 -0500
|
||||
+++ chromium-88.0.4324.96/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc 2021-01-25 10:12:51.337699003 -0500
|
||||
@@ -257,6 +257,18 @@ ResultExpr EvaluateSyscallImpl(int fs_de
|
||||
return RestrictKillTarget(current_pid, sysno);
|
||||
}
|
||||
|
||||
+#if defined(__NR_newfstatat)
|
||||
+ if (sysno == __NR_newfstatat) {
|
||||
+ return RewriteFstatatSIGSYS();
|
||||
+ }
|
||||
+#endif
|
||||
+
|
||||
+#if defined(__NR_fstatat64)
|
||||
+ if (sysno == __NR_fstatat64) {
|
||||
+ return RewriteFstatatSIGSYS();
|
||||
+ }
|
||||
+#endif
|
||||
+
|
||||
if (SyscallSets::IsFileSystem(sysno) ||
|
||||
SyscallSets::IsCurrentDirectory(sysno)) {
|
||||
return Error(fs_denied_errno);
|
||||
diff -up chromium-88.0.4324.96/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.cc.fstatfix chromium-88.0.4324.96/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.cc
|
||||
--- chromium-88.0.4324.96/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.cc.fstatfix 2021-01-25 10:13:10.179774081 -0500
|
||||
+++ chromium-88.0.4324.96/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.cc 2021-01-25 10:16:18.790525746 -0500
|
||||
@@ -6,6 +6,8 @@
|
||||
|
||||
#include "sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h"
|
||||
|
||||
+#include <errno.h>
|
||||
+#include <fcntl.h>
|
||||
#include <stddef.h>
|
||||
#include <stdint.h>
|
||||
#include <string.h>
|
||||
@@ -355,6 +357,35 @@ intptr_t SIGSYSSchedHandler(const struct
|
||||
return -ENOSYS;
|
||||
}
|
||||
|
||||
+intptr_t SIGSYSFstatatHandler(const struct arch_seccomp_data& args,
|
||||
+ void* aux) {
|
||||
+ switch (args.nr) {
|
||||
+#if defined(__NR_newfstatat)
|
||||
+ case __NR_newfstatat:
|
||||
+#endif
|
||||
+#if defined(__NR_fstatat64)
|
||||
+ case __NR_fstatat64:
|
||||
+#endif
|
||||
+#if defined(__NR_newfstatat) || defined(__NR_fstatat64)
|
||||
+ if (*reinterpret_cast<const char *>(args.args[1]) == '\0'
|
||||
+ && args.args[3] == static_cast<uint64_t>(AT_EMPTY_PATH)) {
|
||||
+ return sandbox::sys_fstat64(static_cast<int>(args.args[0]),
|
||||
+ reinterpret_cast<struct stat64 *>(args.args[2]));
|
||||
+ } else {
|
||||
+ errno = EACCES;
|
||||
+ return -1;
|
||||
+ }
|
||||
+ break;
|
||||
+#endif
|
||||
+ }
|
||||
+
|
||||
+ CrashSIGSYS_Handler(args, aux);
|
||||
+
|
||||
+ // Should never be reached.
|
||||
+ RAW_CHECK(false);
|
||||
+ return -ENOSYS;
|
||||
+}
|
||||
+
|
||||
bpf_dsl::ResultExpr CrashSIGSYS() {
|
||||
return bpf_dsl::Trap(CrashSIGSYS_Handler, NULL);
|
||||
}
|
||||
@@ -387,6 +418,10 @@ bpf_dsl::ResultExpr RewriteSchedSIGSYS()
|
||||
return bpf_dsl::Trap(SIGSYSSchedHandler, NULL);
|
||||
}
|
||||
|
||||
+bpf_dsl::ResultExpr RewriteFstatatSIGSYS() {
|
||||
+ return bpf_dsl::Trap(SIGSYSFstatatHandler, NULL);
|
||||
+}
|
||||
+
|
||||
void AllocateCrashKeys() {
|
||||
#if !defined(OS_NACL_NONSFI)
|
||||
if (seccomp_crash_key)
|
||||
diff -up chromium-88.0.4324.96/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h.fstatfix chromium-88.0.4324.96/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h
|
||||
--- chromium-88.0.4324.96/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h.fstatfix 2021-01-25 10:16:36.982598236 -0500
|
||||
+++ chromium-88.0.4324.96/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h 2021-01-25 10:18:45.705111027 -0500
|
||||
@@ -62,6 +62,10 @@ SANDBOX_EXPORT intptr_t SIGSYSPtraceFail
|
||||
// sched_setparam(), sched_setscheduler()
|
||||
SANDBOX_EXPORT intptr_t SIGSYSSchedHandler(const arch_seccomp_data& args,
|
||||
void* aux);
|
||||
+// If the fstatat syscall is actually a disguised fstat, calls the regular fstat
|
||||
+// syscall, otherwise, crashes in the same way as CrashSIGSYS_Handler.
|
||||
+SANDBOX_EXPORT intptr_t SIGSYSFstatatHandler(const struct arch_seccomp_data& args,
|
||||
+ void* aux);
|
||||
|
||||
// Variants of the above functions for use with bpf_dsl.
|
||||
SANDBOX_EXPORT bpf_dsl::ResultExpr CrashSIGSYS();
|
||||
@@ -72,6 +76,7 @@ SANDBOX_EXPORT bpf_dsl::ResultExpr Crash
|
||||
SANDBOX_EXPORT bpf_dsl::ResultExpr CrashSIGSYSFutex();
|
||||
SANDBOX_EXPORT bpf_dsl::ResultExpr CrashSIGSYSPtrace();
|
||||
SANDBOX_EXPORT bpf_dsl::ResultExpr RewriteSchedSIGSYS();
|
||||
+SANDBOX_EXPORT bpf_dsl::ResultExpr RewriteFstatatSIGSYS();
|
||||
|
||||
// Allocates a crash key so that Seccomp information can be recorded.
|
||||
void AllocateCrashKeys();
|
||||
diff -up chromium-88.0.4324.96/sandbox/linux/services/syscall_wrappers.cc.fstatfix chromium-88.0.4324.96/sandbox/linux/services/syscall_wrappers.cc
|
||||
--- chromium-88.0.4324.96/sandbox/linux/services/syscall_wrappers.cc.fstatfix 2021-01-25 10:18:53.307141311 -0500
|
||||
+++ chromium-88.0.4324.96/sandbox/linux/services/syscall_wrappers.cc 2021-01-25 10:19:46.982355293 -0500
|
||||
@@ -261,4 +261,13 @@ int sys_sigaction(int signum,
|
||||
|
||||
#endif // defined(MEMORY_SANITIZER)
|
||||
|
||||
+SANDBOX_EXPORT int sys_fstat64(int fd, struct stat64 *buf)
|
||||
+{
|
||||
+#if defined(__NR_fstat64)
|
||||
+ return syscall(__NR_fstat64, fd, buf);
|
||||
+#else
|
||||
+ return syscall(__NR_fstat, fd, buf);
|
||||
+#endif
|
||||
+}
|
||||
+
|
||||
} // namespace sandbox
|
||||
diff -up chromium-88.0.4324.96/sandbox/linux/services/syscall_wrappers.h.fstatfix chromium-88.0.4324.96/sandbox/linux/services/syscall_wrappers.h
|
||||
--- chromium-88.0.4324.96/sandbox/linux/services/syscall_wrappers.h.fstatfix 2021-01-25 10:19:53.115379741 -0500
|
||||
+++ chromium-88.0.4324.96/sandbox/linux/services/syscall_wrappers.h 2021-01-25 10:20:45.485588421 -0500
|
||||
@@ -17,6 +17,7 @@ struct sock_fprog;
|
||||
struct rlimit64;
|
||||
struct cap_hdr;
|
||||
struct cap_data;
|
||||
+struct stat64;
|
||||
|
||||
namespace sandbox {
|
||||
|
||||
@@ -84,6 +85,9 @@ SANDBOX_EXPORT int sys_sigaction(int sig
|
||||
const struct sigaction* act,
|
||||
struct sigaction* oldact);
|
||||
|
||||
+// Recent glibc rewrites fstat to fstatat.
|
||||
+SANDBOX_EXPORT int sys_fstat64(int fd, struct stat64 *buf);
|
||||
+
|
||||
} // namespace sandbox
|
||||
|
||||
#endif // SANDBOX_LINUX_SERVICES_SYSCALL_WRAPPERS_H_
|
348
extra/chromium/linux-sandbox-fix-fstatat-crash.patch
|
@ -0,0 +1,348 @@
|
|||
From 60d5e803ef2a4874d29799b638754152285e0ed9 Mon Sep 17 00:00:00 2001
|
||||
From: Matthew Denton <mpdenton@chromium.org>
|
||||
Date: Wed, 21 Jul 2021 12:55:11 +0000
|
||||
Subject: [PATCH] Linux sandbox: fix fstatat() crash
|
||||
|
||||
This is a reland of https://crrev.com/c/2801873.
|
||||
|
||||
Glibc has started rewriting fstat(fd, stat_buf) to
|
||||
fstatat(fd, "", stat_buf, AT_EMPTY_PATH). This works because when
|
||||
AT_EMPTY_PATH is specified, and the second argument is an empty string,
|
||||
then fstatat just performs an fstat on fd like normal.
|
||||
|
||||
Unfortunately, fstatat() also allows stat-ing arbitrary pathnames like
|
||||
with fstatat(AT_FDCWD, "/i/am/a/file", stat_buf, 0);
|
||||
The baseline policy needs to prevent this usage of fstatat() since it
|
||||
doesn't allow access to arbitrary pathnames.
|
||||
|
||||
Sadly, if the second argument is not an empty string, AT_EMPTY_PATH is
|
||||
simply ignored by current kernels.
|
||||
|
||||
This means fstatat() is completely unsandboxable with seccomp, since
|
||||
we *need* to verify that the second argument is the empty string, but
|
||||
we can't dereference pointers in seccomp (due to limitations of BPF,
|
||||
and the difficulty of addressing these limitations due to TOCTOU
|
||||
issues).
|
||||
|
||||
So, this CL Traps (raises a SIGSYS via seccomp) on any fstatat syscall.
|
||||
The signal handler, which runs in the sandboxed process, checks for
|
||||
AT_EMPTY_PATH and the empty string, and then rewrites any applicable
|
||||
fstatat() back into the old-style fstat().
|
||||
|
||||
Bug: 1164975
|
||||
Change-Id: I3df6c04c0d781eb1f181d707ccaaead779337291
|
||||
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3042179
|
||||
Reviewed-by: Robert Sesek <rsesek@chromium.org>
|
||||
Commit-Queue: Matthew Denton <mpdenton@chromium.org>
|
||||
Cr-Commit-Position: refs/heads/master@{#903873}
|
||||
---
|
||||
.../seccomp-bpf-helpers/baseline_policy.cc | 8 ++++++
|
||||
.../baseline_policy_unittest.cc | 17 ++++++++++++-
|
||||
.../seccomp-bpf-helpers/sigsys_handlers.cc | 25 +++++++++++++++++++
|
||||
.../seccomp-bpf-helpers/sigsys_handlers.h | 14 +++++++++++
|
||||
.../linux/syscall_broker/broker_process.cc | 21 ++++++++++------
|
||||
.../syscall_broker/broker_process_unittest.cc | 18 ++++++-------
|
||||
sandbox/linux/system_headers/linux_stat.h | 4 +++
|
||||
7 files changed, 89 insertions(+), 18 deletions(-)
|
||||
|
||||
diff --git a/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc b/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc
|
||||
index f2a60bb4d7..9df0d2dbd3 100644
|
||||
--- a/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc
|
||||
+++ b/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc
|
||||
@@ -20,6 +20,7 @@
|
||||
#include "sandbox/linux/seccomp-bpf-helpers/syscall_sets.h"
|
||||
#include "sandbox/linux/seccomp-bpf/sandbox_bpf.h"
|
||||
#include "sandbox/linux/services/syscall_wrappers.h"
|
||||
+#include "sandbox/linux/system_headers/linux_stat.h"
|
||||
#include "sandbox/linux/system_headers/linux_syscalls.h"
|
||||
|
||||
#if !defined(SO_PEEK_OFF)
|
||||
@@ -304,6 +305,13 @@ ResultExpr EvaluateSyscallImpl(int fs_denied_errno,
|
||||
return Allow();
|
||||
}
|
||||
|
||||
+ // The fstatat syscalls are file system syscalls, which will be denied below
|
||||
+ // with fs_denied_errno. However some allowed fstat syscalls are rewritten by
|
||||
+ // libc implementations to fstatat syscalls, and we need to rewrite them back.
|
||||
+ if (sysno == __NR_fstatat_default) {
|
||||
+ return RewriteFstatatSIGSYS(fs_denied_errno);
|
||||
+ }
|
||||
+
|
||||
if (SyscallSets::IsFileSystem(sysno) ||
|
||||
SyscallSets::IsCurrentDirectory(sysno)) {
|
||||
return Error(fs_denied_errno);
|
||||
diff --git a/sandbox/linux/seccomp-bpf-helpers/baseline_policy_unittest.cc b/sandbox/linux/seccomp-bpf-helpers/baseline_policy_unittest.cc
|
||||
index 68c29b564b..57d307e09d 100644
|
||||
--- a/sandbox/linux/seccomp-bpf-helpers/baseline_policy_unittest.cc
|
||||
+++ b/sandbox/linux/seccomp-bpf-helpers/baseline_policy_unittest.cc
|
||||
@@ -51,7 +51,8 @@ namespace sandbox {
|
||||
|
||||
namespace {
|
||||
|
||||
-// This also tests that read(), write() and fstat() are allowed.
|
||||
+// This also tests that read(), write(), fstat(), and fstatat(.., "", ..,
|
||||
+// AT_EMPTY_PATH) are allowed.
|
||||
void TestPipeOrSocketPair(base::ScopedFD read_end, base::ScopedFD write_end) {
|
||||
BPF_ASSERT_LE(0, read_end.get());
|
||||
BPF_ASSERT_LE(0, write_end.get());
|
||||
@@ -60,6 +61,20 @@ void TestPipeOrSocketPair(base::ScopedFD read_end, base::ScopedFD write_end) {
|
||||
BPF_ASSERT_EQ(0, sys_ret);
|
||||
BPF_ASSERT(S_ISFIFO(stat_buf.st_mode) || S_ISSOCK(stat_buf.st_mode));
|
||||
|
||||
+ sys_ret = fstatat(read_end.get(), "", &stat_buf, AT_EMPTY_PATH);
|
||||
+ BPF_ASSERT_EQ(0, sys_ret);
|
||||
+ BPF_ASSERT(S_ISFIFO(stat_buf.st_mode) || S_ISSOCK(stat_buf.st_mode));
|
||||
+
|
||||
+ // Make sure fstatat with anything other than an empty string is denied.
|
||||
+ sys_ret = fstatat(read_end.get(), "/", &stat_buf, AT_EMPTY_PATH);
|
||||
+ BPF_ASSERT_EQ(sys_ret, -1);
|
||||
+ BPF_ASSERT_EQ(EPERM, errno);
|
||||
+
|
||||
+ // Make sure fstatat without AT_EMPTY_PATH is denied.
|
||||
+ sys_ret = fstatat(read_end.get(), "", &stat_buf, 0);
|
||||
+ BPF_ASSERT_EQ(sys_ret, -1);
|
||||
+ BPF_ASSERT_EQ(EPERM, errno);
|
||||
+
|
||||
const ssize_t kTestTransferSize = 4;
|
||||
static const char kTestString[kTestTransferSize] = {'T', 'E', 'S', 'T'};
|
||||
ssize_t transfered = 0;
|
||||
diff --git a/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.cc b/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.cc
|
||||
index 64edbd68bd..71068a0452 100644
|
||||
--- a/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.cc
|
||||
+++ b/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.cc
|
||||
@@ -6,6 +6,7 @@
|
||||
|
||||
#include "sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h"
|
||||
|
||||
+#include <fcntl.h>
|
||||
#include <stddef.h>
|
||||
#include <stdint.h>
|
||||
#include <string.h>
|
||||
@@ -22,6 +23,7 @@
|
||||
#include "sandbox/linux/seccomp-bpf/syscall.h"
|
||||
#include "sandbox/linux/services/syscall_wrappers.h"
|
||||
#include "sandbox/linux/system_headers/linux_seccomp.h"
|
||||
+#include "sandbox/linux/system_headers/linux_stat.h"
|
||||
#include "sandbox/linux/system_headers/linux_syscalls.h"
|
||||
|
||||
#if defined(__mips__)
|
||||
@@ -355,6 +357,24 @@ intptr_t SIGSYSSchedHandler(const struct arch_seccomp_data& args,
|
||||
return -ENOSYS;
|
||||
}
|
||||
|
||||
+intptr_t SIGSYSFstatatHandler(const struct arch_seccomp_data& args,
|
||||
+ void* fs_denied_errno) {
|
||||
+ if (args.nr == __NR_fstatat_default) {
|
||||
+ if (*reinterpret_cast<const char*>(args.args[1]) == '\0' &&
|
||||
+ args.args[3] == static_cast<uint64_t>(AT_EMPTY_PATH)) {
|
||||
+ return syscall(__NR_fstat_default, static_cast<int>(args.args[0]),
|
||||
+ reinterpret_cast<default_stat_struct*>(args.args[2]));
|
||||
+ }
|
||||
+ return -reinterpret_cast<intptr_t>(fs_denied_errno);
|
||||
+ }
|
||||
+
|
||||
+ CrashSIGSYS_Handler(args, fs_denied_errno);
|
||||
+
|
||||
+ // Should never be reached.
|
||||
+ RAW_CHECK(false);
|
||||
+ return -ENOSYS;
|
||||
+}
|
||||
+
|
||||
bpf_dsl::ResultExpr CrashSIGSYS() {
|
||||
return bpf_dsl::Trap(CrashSIGSYS_Handler, NULL);
|
||||
}
|
||||
@@ -387,6 +407,11 @@ bpf_dsl::ResultExpr RewriteSchedSIGSYS() {
|
||||
return bpf_dsl::Trap(SIGSYSSchedHandler, NULL);
|
||||
}
|
||||
|
||||
+bpf_dsl::ResultExpr RewriteFstatatSIGSYS(int fs_denied_errno) {
|
||||
+ return bpf_dsl::Trap(SIGSYSFstatatHandler,
|
||||
+ reinterpret_cast<void*>(fs_denied_errno));
|
||||
+}
|
||||
+
|
||||
void AllocateCrashKeys() {
|
||||
#if !defined(OS_NACL_NONSFI)
|
||||
if (seccomp_crash_key)
|
||||
diff --git a/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h b/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h
|
||||
index 7a958b93b2..8cd735ce15 100644
|
||||
--- a/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h
|
||||
+++ b/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h
|
||||
@@ -62,6 +62,19 @@ SANDBOX_EXPORT intptr_t SIGSYSPtraceFailure(const arch_seccomp_data& args,
|
||||
// sched_setparam(), sched_setscheduler()
|
||||
SANDBOX_EXPORT intptr_t SIGSYSSchedHandler(const arch_seccomp_data& args,
|
||||
void* aux);
|
||||
+// If the fstatat() syscall is functionally equivalent to an fstat() syscall,
|
||||
+// then rewrite the syscall to the equivalent fstat() syscall which can be
|
||||
+// adequately sandboxed.
|
||||
+// If the fstatat() is not functionally equivalent to an fstat() syscall, we
|
||||
+// fail with -fs_denied_errno.
|
||||
+// If the syscall is not an fstatat() at all, crash in the same way as
|
||||
+// CrashSIGSYS_Handler.
|
||||
+// This is necessary because glibc and musl have started rewriting fstat(fd,
|
||||
+// stat_buf) as fstatat(fd, "", stat_buf, AT_EMPTY_PATH). We rewrite the latter
|
||||
+// back to the former, which is actually sandboxable.
|
||||
+SANDBOX_EXPORT intptr_t
|
||||
+SIGSYSFstatatHandler(const struct arch_seccomp_data& args,
|
||||
+ void* fs_denied_errno);
|
||||
|
||||
// Variants of the above functions for use with bpf_dsl.
|
||||
SANDBOX_EXPORT bpf_dsl::ResultExpr CrashSIGSYS();
|
||||
@@ -72,6 +85,7 @@ SANDBOX_EXPORT bpf_dsl::ResultExpr CrashSIGSYSKill();
|
||||
SANDBOX_EXPORT bpf_dsl::ResultExpr CrashSIGSYSFutex();
|
||||
SANDBOX_EXPORT bpf_dsl::ResultExpr CrashSIGSYSPtrace();
|
||||
SANDBOX_EXPORT bpf_dsl::ResultExpr RewriteSchedSIGSYS();
|
||||
+SANDBOX_EXPORT bpf_dsl::ResultExpr RewriteFstatatSIGSYS(int fs_denied_errno);
|
||||
|
||||
// Allocates a crash key so that Seccomp information can be recorded.
|
||||
void AllocateCrashKeys();
|
||||
diff --git a/sandbox/linux/syscall_broker/broker_process.cc b/sandbox/linux/syscall_broker/broker_process.cc
|
||||
index c2176eb785..e9dad37485 100644
|
||||
--- a/sandbox/linux/syscall_broker/broker_process.cc
|
||||
+++ b/sandbox/linux/syscall_broker/broker_process.cc
|
||||
@@ -113,44 +113,49 @@ bool BrokerProcess::IsSyscallAllowed(int sysno) const {
|
||||
}
|
||||
|
||||
bool BrokerProcess::IsSyscallBrokerable(int sysno, bool fast_check) const {
|
||||
+ // The syscalls unavailable on aarch64 are all blocked by Android's default
|
||||
+ // seccomp policy, even on non-aarch64 architectures. I.e., the syscalls XX()
|
||||
+ // with a corresponding XXat() versions are typically unavailable in aarch64
|
||||
+ // and are default disabled in Android. So, we should refuse to broker them
|
||||
+ // to be consistent with the platform's restrictions.
|
||||
switch (sysno) {
|
||||
-#if !defined(__aarch64__)
|
||||
+#if !defined(__aarch64__) && !defined(OS_ANDROID)
|
||||
case __NR_access:
|
||||
#endif
|
||||
case __NR_faccessat:
|
||||
return !fast_check || allowed_command_set_.test(COMMAND_ACCESS);
|
||||
|
||||
-#if !defined(__aarch64__)
|
||||
+#if !defined(__aarch64__) && !defined(OS_ANDROID)
|
||||
case __NR_mkdir:
|
||||
#endif
|
||||
case __NR_mkdirat:
|
||||
return !fast_check || allowed_command_set_.test(COMMAND_MKDIR);
|
||||
|
||||
-#if !defined(__aarch64__)
|
||||
+#if !defined(__aarch64__) && !defined(OS_ANDROID)
|
||||
case __NR_open:
|
||||
#endif
|
||||
case __NR_openat:
|
||||
return !fast_check || allowed_command_set_.test(COMMAND_OPEN);
|
||||
|
||||
-#if !defined(__aarch64__)
|
||||
+#if !defined(__aarch64__) && !defined(OS_ANDROID)
|
||||
case __NR_readlink:
|
||||
#endif
|
||||
case __NR_readlinkat:
|
||||
return !fast_check || allowed_command_set_.test(COMMAND_READLINK);
|
||||
|
||||
-#if !defined(__aarch64__)
|
||||
+#if !defined(__aarch64__) && !defined(OS_ANDROID)
|
||||
case __NR_rename:
|
||||
#endif
|
||||
case __NR_renameat:
|
||||
case __NR_renameat2:
|
||||
return !fast_check || allowed_command_set_.test(COMMAND_RENAME);
|
||||
|
||||
-#if !defined(__aarch64__)
|
||||
+#if !defined(__aarch64__) && !defined(OS_ANDROID)
|
||||
case __NR_rmdir:
|
||||
return !fast_check || allowed_command_set_.test(COMMAND_RMDIR);
|
||||
#endif
|
||||
|
||||
-#if !defined(__aarch64__)
|
||||
+#if !defined(__aarch64__) && !defined(OS_ANDROID)
|
||||
case __NR_stat:
|
||||
case __NR_lstat:
|
||||
#endif
|
||||
@@ -175,7 +180,7 @@ bool BrokerProcess::IsSyscallBrokerable(int sysno, bool fast_check) const {
|
||||
return !fast_check || allowed_command_set_.test(COMMAND_STAT);
|
||||
#endif
|
||||
|
||||
-#if !defined(__aarch64__)
|
||||
+#if !defined(__aarch64__) && !defined(OS_ANDROID)
|
||||
case __NR_unlink:
|
||||
return !fast_check || allowed_command_set_.test(COMMAND_UNLINK);
|
||||
#endif
|
||||
diff --git a/sandbox/linux/syscall_broker/broker_process_unittest.cc b/sandbox/linux/syscall_broker/broker_process_unittest.cc
|
||||
index c65f25a78a..f0db08d84e 100644
|
||||
--- a/sandbox/linux/syscall_broker/broker_process_unittest.cc
|
||||
+++ b/sandbox/linux/syscall_broker/broker_process_unittest.cc
|
||||
@@ -1596,52 +1596,52 @@ TEST(BrokerProcess, IsSyscallAllowed) {
|
||||
const base::flat_map<BrokerCommand, base::flat_set<int>> kSysnosForCommand = {
|
||||
{COMMAND_ACCESS,
|
||||
{__NR_faccessat,
|
||||
-#if defined(__NR_access)
|
||||
+#if defined(__NR_access) && !defined(OS_ANDROID)
|
||||
__NR_access
|
||||
#endif
|
||||
}},
|
||||
{COMMAND_MKDIR,
|
||||
{__NR_mkdirat,
|
||||
-#if defined(__NR_mkdir)
|
||||
+#if defined(__NR_mkdir) && !defined(OS_ANDROID)
|
||||
__NR_mkdir
|
||||
#endif
|
||||
}},
|
||||
{COMMAND_OPEN,
|
||||
{__NR_openat,
|
||||
-#if defined(__NR_open)
|
||||
+#if defined(__NR_open) && !defined(OS_ANDROID)
|
||||
__NR_open
|
||||
#endif
|
||||
}},
|
||||
{COMMAND_READLINK,
|
||||
{__NR_readlinkat,
|
||||
-#if defined(__NR_readlink)
|
||||
+#if defined(__NR_readlink) && !defined(OS_ANDROID)
|
||||
__NR_readlink
|
||||
#endif
|
||||
}},
|
||||
{COMMAND_RENAME,
|
||||
{__NR_renameat,
|
||||
-#if defined(__NR_rename)
|
||||
+#if defined(__NR_rename) && !defined(OS_ANDROID)
|
||||
__NR_rename
|
||||
#endif
|
||||
}},
|
||||
{COMMAND_UNLINK,
|
||||
{__NR_unlinkat,
|
||||
-#if defined(__NR_unlink)
|
||||
+#if defined(__NR_unlink) && !defined(OS_ANDROID)
|
||||
__NR_unlink
|
||||
#endif
|
||||
}},
|
||||
{COMMAND_RMDIR,
|
||||
{__NR_unlinkat,
|
||||
-#if defined(__NR_rmdir)
|
||||
+#if defined(__NR_rmdir) && !defined(OS_ANDROID)
|
||||
__NR_rmdir
|
||||
#endif
|
||||
}},
|
||||
{COMMAND_STAT,
|
||||
{
|
||||
-#if defined(__NR_stat)
|
||||
+#if defined(__NR_stat) && !defined(OS_ANDROID)
|
||||
__NR_stat,
|
||||
#endif
|
||||
-#if defined(__NR_lstat)
|
||||
+#if defined(__NR_lstat) && !defined(OS_ANDROID)
|
||||
__NR_lstat,
|
||||
#endif
|
||||
#if defined(__NR_fstatat)
|
||||
diff --git a/sandbox/linux/system_headers/linux_stat.h b/sandbox/linux/system_headers/linux_stat.h
|
||||
index 35788eb22a..83b89efc75 100644
|
||||
--- a/sandbox/linux/system_headers/linux_stat.h
|
||||
+++ b/sandbox/linux/system_headers/linux_stat.h
|
||||
@@ -157,6 +157,10 @@ struct kernel_stat {
|
||||
};
|
||||
#endif
|
||||
|
||||
+#if !defined(AT_EMPTY_PATH)
|
||||
+#define AT_EMPTY_PATH 0x1000
|
||||
+#endif
|
||||
+
|
||||
// On 32-bit systems, we default to the 64-bit stat struct like libc
|
||||
// implementations do. Otherwise we default to the normal stat struct which is
|
||||
// already 64-bit.
|
|
@ -0,0 +1,49 @@
|
|||
From 61e16c92ff24bb71b9b7309a9d6d470ee91738bc Mon Sep 17 00:00:00 2001
|
||||
From: Bartek Nowierski <bartekn@chromium.org>
|
||||
Date: Wed, 21 Jul 2021 15:01:38 +0000
|
||||
Subject: [PATCH] [PA] Make GetUsableSize() handle nullptr gracefully
|
||||
|
||||
malloc_usable_size() is expected to not crush on NULL and return 0.
|
||||
|
||||
Bug: 1221442
|
||||
Change-Id: I6a3b90dcf3a8ad18114c206d87b98f60d5f50eb1
|
||||
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3042177
|
||||
Commit-Queue: Bartek Nowierski <bartekn@chromium.org>
|
||||
Commit-Queue: Kentaro Hara <haraken@chromium.org>
|
||||
Auto-Submit: Bartek Nowierski <bartekn@chromium.org>
|
||||
Reviewed-by: Kentaro Hara <haraken@chromium.org>
|
||||
Cr-Commit-Position: refs/heads/master@{#903900}
|
||||
---
|
||||
.../allocator/partition_allocator/partition_alloc_unittest.cc | 4 ++++
|
||||
base/allocator/partition_allocator/partition_root.h | 3 +++
|
||||
2 files changed, 7 insertions(+)
|
||||
|
||||
diff --git a/base/allocator/partition_allocator/partition_alloc_unittest.cc b/base/allocator/partition_allocator/partition_alloc_unittest.cc
|
||||
index c12120114aa7..8863984cd805 100644
|
||||
--- a/base/allocator/partition_allocator/partition_alloc_unittest.cc
|
||||
+++ b/base/allocator/partition_allocator/partition_alloc_unittest.cc
|
||||
@@ -2838,6 +2838,10 @@ TEST_F(PartitionAllocTest, OptimizedGetSlotNumber) {
|
||||
}
|
||||
}
|
||||
|
||||
+TEST_F(PartitionAllocTest, GetUsableSizeNull) {
|
||||
+ EXPECT_EQ(0ULL, PartitionRoot<ThreadSafe>::GetUsableSize(nullptr));
|
||||
+}
|
||||
+
|
||||
TEST_F(PartitionAllocTest, GetUsableSize) {
|
||||
size_t delta = SystemPageSize() + 1;
|
||||
for (size_t size = 1; size <= kMinDirectMappedDownsize; size += delta) {
|
||||
diff --git a/base/allocator/partition_allocator/partition_root.h b/base/allocator/partition_allocator/partition_root.h
|
||||
index b72a1d94a4e4..baac952597d1 100644
|
||||
--- a/base/allocator/partition_allocator/partition_root.h
|
||||
+++ b/base/allocator/partition_allocator/partition_root.h
|
||||
@@ -1220,6 +1220,9 @@ ALWAYS_INLINE bool PartitionRoot<thread_safe>::TryRecommitSystemPagesForData(
|
||||
// PartitionAlloc's internal data. Used as malloc_usable_size.
|
||||
template <bool thread_safe>
|
||||
ALWAYS_INLINE size_t PartitionRoot<thread_safe>::GetUsableSize(void* ptr) {
|
||||
+ // malloc_usable_size() is expected to handle NULL gracefully and return 0.
|
||||
+ if (!ptr)
|
||||
+ return 0;
|
||||
auto* slot_span = SlotSpan::FromSlotInnerPtr(ptr);
|
||||
auto* root = FromSlotSpan(slot_span);
|
||||
return slot_span->GetUsableSize(root);
|