diff options
| author | Carlo Landmeter <clandmeter@gmail.com> | 2015-07-09 16:49:42 +0200 |
|---|---|---|
| committer | Carlo Landmeter <clandmeter@gmail.com> | 2015-07-09 16:52:32 +0200 |
| commit | cc6c17a85095cd71cd581de3195b65bd264726ae (patch) | |
| tree | ab601a313068d71c4be6d424964e23c3e009f0e9 /testing/chromium | |
| parent | 39a731b6e965237ea12617bf41e4610d8b0eddf1 (diff) | |
| download | aports-cc6c17a85095cd71cd581de3195b65bd264726ae.tar.bz2 aports-cc6c17a85095cd71cd581de3195b65bd264726ae.tar.xz | |
testing/chromium: fix sandbox mode
Diffstat (limited to 'testing/chromium')
| -rw-r--r-- | testing/chromium/APKBUILD | 6 | ||||
| -rw-r--r-- | testing/chromium/musl-sandbox.patch | 48 |
2 files changed, 53 insertions, 1 deletions
diff --git a/testing/chromium/APKBUILD b/testing/chromium/APKBUILD index 1f0a0dfb49..9d1e454d49 100644 --- a/testing/chromium/APKBUILD +++ b/testing/chromium/APKBUILD @@ -2,7 +2,7 @@ # Maintainer: pkgname=chromium pkgver=43.0.2357.132 -pkgrel=0 +pkgrel=1 pkgdesc="chromium web browser" url="http://www.chromium.org/" arch="x86_64" @@ -33,6 +33,7 @@ source="https://commondatastorage.googleapis.com/chromium-browser-official/$pkgn resolver.patch no-mallinfo.patch no-getcontext.patch + musl-sandbox.patch chromium-hotwording-2403.patch chromium-system-libvpx-r0.patch @@ -222,6 +223,7 @@ c8be238104e757beafaae31e6804421a chromium.default af047840f31e99aa36be04edc3482afd resolver.patch a11a60155a9faf6ca648aaa06c81f29e no-mallinfo.patch 2c8de771a7c0e5e0e9fc68fa978785f7 no-getcontext.patch +f99bb2ee8947418720a270ffa027c189 musl-sandbox.patch 2b7291195c467f8135473e543c1c7dad chromium-hotwording-2403.patch 9a73cf075dc321dfe781f5bed4920d6c chromium-system-libvpx-r0.patch 97b1578585ab600ed9adef4f341ccd80 chromium-system-jinja-r7.patch @@ -236,6 +238,7 @@ ac38e2d1238b7062ee8c99ff7772477fa2d5328a750eab47553687e3782dc7a9 musl-fixes.pat f16c63d4188fe56732dc6760307795ba4059452c4cf3de1460cbcb2616011511 resolver.patch 3e732ba5bbe324932a06a782bae655003089f5dc52a7bb2b790aa4837e20be8e no-mallinfo.patch ea79f9a46116c8b56bbc69d226abd9252e4ae4d946ca695203f2298279cc2211 no-getcontext.patch +8ed74cce08d0825e46eb21500a787d38ff2ac536b2ac1dff0bffc08d1257d278 musl-sandbox.patch 7d20f05bbd2b9ba363b28ed591cd0c770b4d7365a7ca9d20b5f6a268f6af2122 chromium-hotwording-2403.patch 06b26f3459e2f60866eb28803f129c59e064b082eae76126de60463706739f8c chromium-system-libvpx-r0.patch 872f5a38d8263b14308bb117828496a4093d0e6ad755d39d2c5e6857314fe071 chromium-system-jinja-r7.patch @@ -250,6 +253,7 @@ febb6a204bcffda8dc3d80e75563710745e383cb30e460db5d8c5ded3d40f8a872461719283260f5 987f18d37824676e5d874a6fde1099bcc558920e7781de5f34e612411013e4fac9ca421a3cce1ed5f82401c4d54212b6f47a0a856892a78543b8e400a4bb0489 resolver.patch 511a3852d6172c14c651c316f1f874cfd23be0fde1c4285565dfead02e5865a1b240c40e270c940a23c55e2d3f2cfecbf3b5477bf9e6d3cf920d7c60331dc3c3 no-mallinfo.patch 42d9a6ebea2d95cdc169b921cc1a1b846cf500997059fd3084de09e21f00b63b76e60c6124f4af247d402ff5ca3f4bf8867a6f2c78198c05b4273ca01fb29241 no-getcontext.patch +4075743c74a58e207eea77c2d1e25c7b7b4e5351d3bb2ed47cf9ac620dbe3b55e0f847c955d9d96d49db536fdd36b9f220aded337813d4ccfbd80c4ae7737f11 musl-sandbox.patch 38dcbae0d9bc63c044d50bd395692007642af705e1bbb9b704f3f349a48e45ca2b7f8495dbafbb4333b8bdb84ac53e5611eba4fe3d4fc7e841b319b4d744c324 chromium-hotwording-2403.patch fe5801b63e7cb58c4653e6f4542de070cb5bf88e0d99fdd0bb7b45ba928be065ebda41fb1f5fa32f4a55d321b8765df53a977bf2d1418b030846a9e2b2fd1c1d chromium-system-libvpx-r0.patch 10bcc6a467b6766d13b5e41e7b7dcdbd62de7c04daad16c83037e88043032a0c118627029f91ef8a2a57faaaebc8b6f4ee16e8d1fecb5921d0d49efd60a27863 chromium-system-jinja-r7.patch diff --git a/testing/chromium/musl-sandbox.patch b/testing/chromium/musl-sandbox.patch new file mode 100644 index 0000000000..ef69e550dc --- /dev/null +++ b/testing/chromium/musl-sandbox.patch @@ -0,0 +1,48 @@ +--- ./sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc.cld ++++ ./sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc +@@ -111,23 +111,13 @@ + // CLONE_VM, nor CLONE_THREAD, which includes all fork() implementations. + ResultExpr RestrictCloneToThreadsAndEPERMFork() { + const Arg<unsigned long> flags(0); ++ const int required = CLONE_VM | CLONE_FS | CLONE_FILES | CLONE_SIGHAND | ++ CLONE_THREAD | CLONE_SYSVSEM; ++ const int safe = CLONE_SETTLS | CLONE_PARENT_SETTID | CLONE_CHILD_CLEARTID | ++ CLONE_DETACHED; ++ const BoolExpr thread_clone_ok = (flags&~safe)==required; + +- // TODO(mdempsky): Extend DSL to support (flags & ~mask1) == mask2. +- const uint64_t kAndroidCloneMask = CLONE_VM | CLONE_FS | CLONE_FILES | +- CLONE_SIGHAND | CLONE_THREAD | +- CLONE_SYSVSEM; +- const uint64_t kObsoleteAndroidCloneMask = kAndroidCloneMask | CLONE_DETACHED; +- +- const uint64_t kGlibcPthreadFlags = +- CLONE_VM | CLONE_FS | CLONE_FILES | CLONE_SIGHAND | CLONE_THREAD | +- CLONE_SYSVSEM | CLONE_SETTLS | CLONE_PARENT_SETTID | CLONE_CHILD_CLEARTID; +- const BoolExpr glibc_test = flags == kGlibcPthreadFlags; +- +- const BoolExpr android_test = flags == kAndroidCloneMask || +- flags == kObsoleteAndroidCloneMask || +- flags == kGlibcPthreadFlags; +- +- return If(IsAndroid() ? android_test : glibc_test, Allow()) ++ return If(thread_clone_ok, Allow()) + .ElseIf((flags & (CLONE_VM | CLONE_THREAD)) == 0, Error(EPERM)) + .Else(CrashSIGSYSClone()); + } +--- ./sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc.orig ++++ ./sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc +@@ -416,12 +416,12 @@ + #endif + case __NR_epoll_create1: + case __NR_epoll_ctl: ++ case __NR_epoll_pwait: + return true; + default: + #if defined(__x86_64__) + case __NR_epoll_ctl_old: + #endif +- case __NR_epoll_pwait: + #if defined(__x86_64__) + case __NR_epoll_wait_old: + #endif |