author | Natanael Copa <ncopa@alpinelinux.org> | 2019-05-06 06:00:51 +0000 |
---|---|---|
committer | Natanael Copa <ncopa@alpinelinux.org> | 2019-08-07 14:40:55 +0000 |
commit | 5f276606f194b9b107043dda8d8479a9842f13cb (patch) | |
tree | 74189c769c729326ddd8578aee0890aa377422da /community/chromium/musl-sandbox.patch | |
parent | ec982866ada0790335f5550608772b72f71e69a8 (diff) | |
download | aports-5f276606f194b9b107043dda8d8479a9842f13cb.tar.bz2 aports-5f276606f194b9b107043dda8d8479a9842f13cb.tar.xz |
community/chromium: upgrade to 76
disable armhf and armv7 until we have sorted out the clang++ problem
Diffstat (limited to 'community/chromium/musl-sandbox.patch')
-rw-r--r-- | community/chromium/musl-sandbox.patch | 34 |
1 files changed, 20 insertions, 14 deletions
diff --git a/community/chromium/musl-sandbox.patch b/community/chromium/musl-sandbox.patch
index 34717ec82c..5a7239fd9e 100644
--- a/community/chromium/musl-sandbox.patch
+++ b/community/chromium/musl-sandbox.patch
@@ -1,17 +1,12 @@
-diff --git sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc
-index 68ce32a..bb779c2 100644
---- sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc
-+++ sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc
-@@ -137,23 +137,13 @@ namespace sandbox {
- // CLONE_VM, nor CLONE_THREAD, which includes all fork() implementations.
+diff --git a/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc b/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc
+index 348ab6e..4550f9e 100644
+--- ./sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc
++++ ./sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc
+@@ -139,21 +139,11 @@ namespace sandbox {
+ // present (as in newer versions of posix_spawn).
 ResultExpr RestrictCloneToThreadsAndEPERMFork() {
 const Arg<unsigned long> flags(0);
-+ const int required = CLONE_VM | CLONE_FS | CLONE_FILES | CLONE_SIGHAND |
-+ CLONE_THREAD | CLONE_SYSVSEM;
-+ const int safe = CLONE_SETTLS | CLONE_PARENT_SETTID | CLONE_CHILD_CLEARTID |
-+ CLONE_DETACHED;
-+ const BoolExpr thread_clone_ok = (flags&~safe)==required;
- 
+-
 - // TODO(mdempsky): Extend DSL to support (flags & ~mask1) == mask2.
 - const uint64_t kAndroidCloneMask = CLONE_VM | CLONE_FS | CLONE_FILES |
 - CLONE_SIGHAND | CLONE_THREAD | 
@@ -26,10 +21,21 @@ index 68ce32a..bb779c2 100644
 - const BoolExpr android_test =
 - AnyOf(flags == kAndroidCloneMask, flags == kObsoleteAndroidCloneMask,
 - flags == kGlibcPthreadFlags);
--
++ const int required = CLONE_VM | CLONE_FS | CLONE_FILES | CLONE_SIGHAND |
++ CLONE_THREAD | CLONE_SYSVSEM;
++ const int safe = CLONE_SETTLS | CLONE_PARENT_SETTID | CLONE_CHILD_CLEARTID |
++ CLONE_DETACHED;
++ const BoolExpr thread_clone_ok = (flags&~safe)==required;
+ 
+ // The following two flags are the two important flags in any vfork-emulating
+ // clone call. EPERM any clone call that contains both of them.
+@@ -163,7 +153,7 @@ ResultExpr RestrictCloneToThreadsAndEPERMFork() {
+ AnyOf((flags & (CLONE_VM | CLONE_THREAD)) == 0,
+ (flags & kImportantCloneVforkFlags) == kImportantCloneVforkFlags);
+ 
 - return If(IsAndroid() ? android_test : glibc_test, Allow())
 + return If(thread_clone_ok, Allow())
- .ElseIf((flags & (CLONE_VM | CLONE_THREAD)) == 0, Error(EPERM))
+ .ElseIf(is_fork_or_clone_vfork, Error(EPERM))
 .Else(CrashSIGSYSClone());
 }
 diff --git sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc |
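Review bot: The `required` and `safe` masks on the added `++` lines are declared `const int`, so in `(flags&~safe)==required` the negative value `~safe` has to convert at the DSL's `&` operator, and whether the upper 32 bits of the clone flags end up checked depends on that conversion. The removed upstream constants were `const uint64_t`; declaring `const uint64_t required = ...;` and `const uint64_t safe = ...;` would state the intended mask width explicitly. The rule also replaces three exact flag sets and the `IsAndroid()` split with any combination of the four `safe` bits on top of the thread set, which widens the seccomp allow-list while still requiring `CLONE_VM | CLONE_THREAD`. A comment above `thread_clone_ok` such as `// Accept the pthread flag set plus any of the optional TLS/TID/DETACHED bits; anything else falls through to EPERM or SIGSYS.` would record that intent; the musl motivation is inferred from the patch file name and should be confirmed. The definitions of `is_fork_or_clone_vfork` and `kImportantCloneVforkFlags` begin outside this hunk.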