From 25d42d8e806a4a38fe5e3fec7d52a896f7b7de42 Mon Sep 17 00:00:00 2001 From: "riku.voipio" Date: Tue, 1 Mar 2016 08:02:43 -0800 Subject: [PATCH 2/2] Linux Sandbox: whitelist arm64 syscalls On debian/arm64, two syscalls needed whitelisting for chromium to work with seccomp: epoll_pwait, replacing epoll_wait which is a legacy syscall not available on arm64. epoll_wait implmentation in glibc calls epoll_pwait behind scenes, so this needs to be enabled. getrlimit, missing #ifdef for arm64 in several policy definitions. test for arm64 added for each case. BUG=581018 R=keescook@chromium.org,jln@chromium.org,rsesek@chromium.org TEST=Start chrome on arm64 with seccomp enabled kernel Review URL: https://codereview.chromium.org/1613883002 Cr-Commit-Position: refs/heads/master@{#378440} --- mojo/shell/runner/host/linux_sandbox.cc | 2 ++ 1 file changed, 2 insertions(+) diff --git a/mojo/shell/runner/host/linux_sandbox.cc b/mojo/shell/runner/host/linux_sandbox.cc index 9e9dbc7..0d9082c 100644 --- a/mojo/shell/runner/host/linux_sandbox.cc +++ b/mojo/shell/runner/host/linux_sandbox.cc @@ -39,12 +39,14 @@ intptr_t SandboxSIGSYSHandler(const struct sandbox::arch_seccomp_data& args, const sandbox::syscall_broker::BrokerProcess* broker_process = static_cast(aux); switch (args.nr) { +#if !defined(__aarch64__) case __NR_access: return broker_process->Access(reinterpret_cast(args.args[0]), static_cast(args.args[1])); case __NR_open: return broker_process->Open(reinterpret_cast(args.args[0]), static_cast(args.args[1])); +#endif case __NR_faccessat: if (static_cast(args.args[0]) == AT_FDCWD) { return broker_process->Access( -- 2.7.2