archlinuxarm/PKGBUILDs
1
0
Fork 0
mirror of https://github.com/archlinuxarm/PKGBUILDs.git synced 2024-11-08 22:45:43 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions
PKGBUILDs/extra/chromium/0002-Linux-Sandbox-whitelist-arm64-syscalls.patch
Kevin Mihelich f512d8801f extra/chromium to 50.0.2661.75-1
2016-04-15 12:16:26 +00:00

130 lines
5.8 KiB
Diff
Raw Blame History

From 3dafa17489a30f5e2a9d274f842a8caa9f881698 Mon Sep 17 00:00:00 2001
From: "riku.voipio" <riku.voipio@linaro.org>
Date: Tue, 1 Mar 2016 08:02:43 -0800
Subject: [PATCH 2/2] Linux Sandbox: whitelist arm64 syscalls
On debian/arm64, two syscalls needed whitelisting for chromium to work with seccomp:
epoll_pwait, replacing epoll_wait which is a legacy syscall not available on arm64. epoll_wait implmentation in glibc calls epoll_pwait behind scenes, so this needs to be enabled.
getrlimit, missing #ifdef for arm64 in several policy definitions. test for arm64 added for each case.
BUG=581018
R=keescook@chromium.org,jln@chromium.org,rsesek@chromium.org
TEST=Start chrome on arm64 with seccomp enabled kernel
Review URL: https://codereview.chromium.org/1613883002
Cr-Commit-Position: refs/heads/master@{#378440}
---
components/nacl/loader/sandbox_linux/nacl_bpf_sandbox_linux.cc | 3 ++-
content/common/sandbox_linux/bpf_renderer_policy_linux.cc | 3 ++-
content/common/sandbox_linux/bpf_utility_policy_linux.cc | 3 ++-
mojo/shell/runner/host/linux_sandbox.cc | 7 ++++++-
sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc | 2 +-
5 files changed, 13 insertions(+), 5 deletions(-)
diff --git a/components/nacl/loader/sandbox_linux/nacl_bpf_sandbox_linux.cc b/components/nacl/loader/sandbox_linux/nacl_bpf_sandbox_linux.cc
index 66a606a..3e88304 100644
--- a/components/nacl/loader/sandbox_linux/nacl_bpf_sandbox_linux.cc
+++ b/components/nacl/loader/sandbox_linux/nacl_bpf_sandbox_linux.cc
@@ -106,7 +106,8 @@ ResultExpr NaClBPFSandboxPolicy::EvaluateSyscall(int sysno) const {
// NaCl uses custom signal stacks.
case __NR_sigaltstack:
// Below is fairly similar to the policy for a Chromium renderer.
-#if defined(__i386__) || defined(__x86_64__) || defined(__mips__)
+#if defined(__i386__) || defined(__x86_64__) || defined(__mips__) || \
+ defined(__aarch64__)
case __NR_getrlimit:
#endif
#if defined(__i386__) || defined(__arm__)
diff --git a/content/common/sandbox_linux/bpf_renderer_policy_linux.cc b/content/common/sandbox_linux/bpf_renderer_policy_linux.cc
index e799273..993e2a5 100644
--- a/content/common/sandbox_linux/bpf_renderer_policy_linux.cc
+++ b/content/common/sandbox_linux/bpf_renderer_policy_linux.cc
@@ -60,7 +60,8 @@ ResultExpr RendererProcessPolicy::EvaluateSyscall(int sysno) const {
// Allow the system calls below.
case __NR_fdatasync:
case __NR_fsync:
-#if defined(__i386__) || defined(__x86_64__) || defined(__mips__)
+#if defined(__i386__) || defined(__x86_64__) || defined(__mips__) || \
+ defined(__aarch64__)
case __NR_getrlimit:
#endif
#if defined(__i386__) || defined(__arm__)
diff --git a/content/common/sandbox_linux/bpf_utility_policy_linux.cc b/content/common/sandbox_linux/bpf_utility_policy_linux.cc
index 3ead1c8..1336796 100644
--- a/content/common/sandbox_linux/bpf_utility_policy_linux.cc
+++ b/content/common/sandbox_linux/bpf_utility_policy_linux.cc
@@ -32,7 +32,8 @@ ResultExpr UtilityProcessPolicy::EvaluateSyscall(int sysno) const {
// Allow the system calls below.
case __NR_fdatasync:
case __NR_fsync:
-#if defined(__i386__) || defined(__x86_64__)
+#if defined(__i386__) || defined(__x86_64__) || defined(__mips__) || \
+ defined(__aarch64__)
case __NR_getrlimit:
#endif
#if defined(__i386__) || defined(__arm__)
diff --git a/mojo/shell/runner/host/linux_sandbox.cc b/mojo/shell/runner/host/linux_sandbox.cc
index 6cd3750..0d9082c 100644
--- a/mojo/shell/runner/host/linux_sandbox.cc
+++ b/mojo/shell/runner/host/linux_sandbox.cc
@@ -39,12 +39,14 @@ intptr_t SandboxSIGSYSHandler(const struct sandbox::arch_seccomp_data& args,
const sandbox::syscall_broker::BrokerProcess* broker_process =
static_cast<const sandbox::syscall_broker::BrokerProcess*>(aux);
switch (args.nr) {
+#if !defined(__aarch64__)
case __NR_access:
return broker_process->Access(reinterpret_cast<const char*>(args.args[0]),
static_cast<int>(args.args[1]));
case __NR_open:
return broker_process->Open(reinterpret_cast<const char*>(args.args[0]),
static_cast<int>(args.args[1]));
+#endif
case __NR_faccessat:
if (static_cast<int>(args.args[0]) == AT_FDCWD) {
return broker_process->Access(
@@ -77,15 +79,18 @@ class SandboxPolicy : public sandbox::BaselinePolicy {
sandbox::bpf_dsl::ResultExpr EvaluateSyscall(int sysno) const override {
// This policy is only advisory/for noticing FS access for the moment.
switch (sysno) {
+#if !defined(__aarch64__)
case __NR_access:
case __NR_open:
+#endif
case __NR_faccessat:
case __NR_openat:
return sandbox::bpf_dsl::Trap(SandboxSIGSYSHandler, broker_process_);
case __NR_sched_getaffinity:
return sandbox::RestrictSchedTarget(policy_pid(), sysno);
case __NR_ftruncate:
-#if defined(__i386__) || defined(__x86_64__) || defined(__mips__)
+#if defined(__i386__) || defined(__x86_64__) || defined(__mips__) || \
+ defined(__aarch64__)
// Per #ifdefs in
// content/common/sandbox_linux/bpf_renderer_policy_linux.cc
case __NR_getrlimit:
diff --git a/sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc b/sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc
index 10278dc..b30b3e6 100644
--- a/sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc
+++ b/sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc
@@ -414,6 +414,7 @@ bool SyscallSets::IsAllowedEpoll(int sysno) {
case __NR_epoll_create:
case __NR_epoll_wait:
#endif
+ case __NR_epoll_pwait:
case __NR_epoll_create1:
case __NR_epoll_ctl:
return true;
@@ -421,7 +422,6 @@ bool SyscallSets::IsAllowedEpoll(int sysno) {
#if defined(__x86_64__)
case __NR_epoll_ctl_old:
#endif
- case __NR_epoll_pwait:
#if defined(__x86_64__)
case __NR_epoll_wait_old:
#endif
--
2.8.0
Reference in a new issue View git blame Copy permalink