PKGBUILDs/extra/chromium/0002-Linux-Sandbox-whitelist-arm64-syscalls.patch

From 3dafa17489a30f5e2a9d274f842a8caa9f881698 Mon Sep 17 00:00:00 2001
From: "riku.voipio" <riku.voipio@linaro.org>
Date: Tue, 1 Mar 2016 08:02:43 -0800
Subject: [PATCH 2/2] Linux Sandbox: whitelist arm64 syscalls

On debian/arm64, two syscalls needed whitelisting for chromium to work with seccomp:

epoll_pwait, replacing epoll_wait which is a legacy syscall not available on arm64. epoll_wait implmentation in glibc calls epoll_pwait behind scenes, so this needs to be enabled.

getrlimit, missing #ifdef for arm64 in several policy definitions. test for arm64 added for each case.

BUG=581018
R=keescook@chromium.org,jln@chromium.org,rsesek@chromium.org
TEST=Start chrome on arm64 with seccomp enabled kernel

Review URL: https://codereview.chromium.org/1613883002

Cr-Commit-Position: refs/heads/master@{#378440}
---
 components/nacl/loader/sandbox_linux/nacl_bpf_sandbox_linux.cc | 3 ++-
 content/common/sandbox_linux/bpf_renderer_policy_linux.cc      | 3 ++-
 content/common/sandbox_linux/bpf_utility_policy_linux.cc       | 3 ++-
 mojo/shell/runner/host/linux_sandbox.cc                        | 7 ++++++-
 sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc              | 2 +-
 5 files changed, 13 insertions(+), 5 deletions(-)

diff --git a/components/nacl/loader/sandbox_linux/nacl_bpf_sandbox_linux.cc b/components/nacl/loader/sandbox_linux/nacl_bpf_sandbox_linux.cc
index 66a606a..3e88304 100644
--- a/components/nacl/loader/sandbox_linux/nacl_bpf_sandbox_linux.cc
+++ b/components/nacl/loader/sandbox_linux/nacl_bpf_sandbox_linux.cc
@@ -106,7 +106,8 @@ ResultExpr NaClBPFSandboxPolicy::EvaluateSyscall(int sysno) const {
     // NaCl uses custom signal stacks.
     case __NR_sigaltstack:
     // Below is fairly similar to the policy for a Chromium renderer.
-#if defined(__i386__) || defined(__x86_64__) || defined(__mips__)
+#if defined(__i386__) || defined(__x86_64__) || defined(__mips__) || \
+    defined(__aarch64__)
     case __NR_getrlimit:
 #endif
 #if defined(__i386__) || defined(__arm__)
diff --git a/content/common/sandbox_linux/bpf_renderer_policy_linux.cc b/content/common/sandbox_linux/bpf_renderer_policy_linux.cc
index e799273..993e2a5 100644
--- a/content/common/sandbox_linux/bpf_renderer_policy_linux.cc
+++ b/content/common/sandbox_linux/bpf_renderer_policy_linux.cc
@@ -60,7 +60,8 @@ ResultExpr RendererProcessPolicy::EvaluateSyscall(int sysno) const {
     // Allow the system calls below.
     case __NR_fdatasync:
     case __NR_fsync:
-#if defined(__i386__) || defined(__x86_64__) || defined(__mips__)
+#if defined(__i386__) || defined(__x86_64__) || defined(__mips__) || \
+    defined(__aarch64__)
     case __NR_getrlimit:
 #endif
 #if defined(__i386__) || defined(__arm__)
diff --git a/content/common/sandbox_linux/bpf_utility_policy_linux.cc b/content/common/sandbox_linux/bpf_utility_policy_linux.cc
index 3ead1c8..1336796 100644
--- a/content/common/sandbox_linux/bpf_utility_policy_linux.cc
+++ b/content/common/sandbox_linux/bpf_utility_policy_linux.cc
@@ -32,7 +32,8 @@ ResultExpr UtilityProcessPolicy::EvaluateSyscall(int sysno) const {
     // Allow the system calls below.
     case __NR_fdatasync:
     case __NR_fsync:
-#if defined(__i386__) || defined(__x86_64__)
+#if defined(__i386__) || defined(__x86_64__) || defined(__mips__) || \
+    defined(__aarch64__)
     case __NR_getrlimit:
 #endif
 #if defined(__i386__) || defined(__arm__)
diff --git a/mojo/shell/runner/host/linux_sandbox.cc b/mojo/shell/runner/host/linux_sandbox.cc
index 6cd3750..0d9082c 100644
--- a/mojo/shell/runner/host/linux_sandbox.cc
+++ b/mojo/shell/runner/host/linux_sandbox.cc
@@ -39,12 +39,14 @@ intptr_t SandboxSIGSYSHandler(const struct sandbox::arch_seccomp_data& args,
   const sandbox::syscall_broker::BrokerProcess* broker_process =
       static_cast<const sandbox::syscall_broker::BrokerProcess*>(aux);
   switch (args.nr) {
+#if !defined(__aarch64__)
     case __NR_access:
       return broker_process->Access(reinterpret_cast<const char*>(args.args[0]),
                                     static_cast<int>(args.args[1]));
     case __NR_open:
       return broker_process->Open(reinterpret_cast<const char*>(args.args[0]),
                                   static_cast<int>(args.args[1]));
+#endif
     case __NR_faccessat:
       if (static_cast<int>(args.args[0]) == AT_FDCWD) {
         return broker_process->Access(
@@ -77,15 +79,18 @@ class SandboxPolicy : public sandbox::BaselinePolicy {
   sandbox::bpf_dsl::ResultExpr EvaluateSyscall(int sysno) const override {
     // This policy is only advisory/for noticing FS access for the moment.
     switch (sysno) {
+#if !defined(__aarch64__)
       case __NR_access:
       case __NR_open:
+#endif
       case __NR_faccessat:
       case __NR_openat:
         return sandbox::bpf_dsl::Trap(SandboxSIGSYSHandler, broker_process_);
       case __NR_sched_getaffinity:
         return sandbox::RestrictSchedTarget(policy_pid(), sysno);
       case __NR_ftruncate:
-#if defined(__i386__) || defined(__x86_64__) || defined(__mips__)
+#if defined(__i386__) || defined(__x86_64__) || defined(__mips__) || \
+    defined(__aarch64__)
       // Per #ifdefs in
       // content/common/sandbox_linux/bpf_renderer_policy_linux.cc
       case __NR_getrlimit:
diff --git a/sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc b/sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc
index 10278dc..b30b3e6 100644
--- a/sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc
+++ b/sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc
@@ -414,6 +414,7 @@ bool SyscallSets::IsAllowedEpoll(int sysno) {
     case __NR_epoll_create:
     case __NR_epoll_wait:
 #endif
+    case __NR_epoll_pwait:
     case __NR_epoll_create1:
     case __NR_epoll_ctl:
       return true;
@@ -421,7 +422,6 @@ bool SyscallSets::IsAllowedEpoll(int sysno) {
 #if defined(__x86_64__)
     case __NR_epoll_ctl_old:
 #endif
-    case __NR_epoll_pwait:
 #if defined(__x86_64__)
     case __NR_epoll_wait_old:
 #endif
-- 
2.8.0