authorCarlo Landmeter <clandmeter@gmail.com>2015-07-09 16:49:42 +0200
committerCarlo Landmeter <clandmeter@gmail.com>2015-07-09 16:52:32 +0200
commitcc6c17a85095cd71cd581de3195b65bd264726ae (patch)
treeab601a313068d71c4be6d424964e23c3e009f0e9 /testing
parent39a731b6e965237ea12617bf41e4610d8b0eddf1 (diff)
testing/chromium: fix sandbox mode
Diffstat (limited to 'testing')
-rw-r--r--testing/chromium/APKBUILD6
-rw-r--r--testing/chromium/musl-sandbox.patch48
2 files changed, 53 insertions, 1 deletions
diff --git a/testing/chromium/APKBUILD b/testing/chromium/APKBUILD
index 1f0a0dfb49..9d1e454d49 100644
--- a/testing/chromium/APKBUILD
+++ b/testing/chromium/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer:
pkgname=chromium
pkgver=43.0.2357.132
-pkgrel=0
+pkgrel=1
pkgdesc="chromium web browser"
url="http://www.chromium.org/"
arch="x86_64"
@@ -33,6 +33,7 @@ source="https://commondatastorage.googleapis.com/chromium-browser-official/$pkgn
resolver.patch
no-mallinfo.patch
no-getcontext.patch
+ musl-sandbox.patch
chromium-hotwording-2403.patch
chromium-system-libvpx-r0.patch
@@ -222,6 +223,7 @@ c8be238104e757beafaae31e6804421a chromium.default
af047840f31e99aa36be04edc3482afd resolver.patch
a11a60155a9faf6ca648aaa06c81f29e no-mallinfo.patch
2c8de771a7c0e5e0e9fc68fa978785f7 no-getcontext.patch
+f99bb2ee8947418720a270ffa027c189 musl-sandbox.patch
2b7291195c467f8135473e543c1c7dad chromium-hotwording-2403.patch
9a73cf075dc321dfe781f5bed4920d6c chromium-system-libvpx-r0.patch
97b1578585ab600ed9adef4f341ccd80 chromium-system-jinja-r7.patch
@@ -236,6 +238,7 @@ ac38e2d1238b7062ee8c99ff7772477fa2d5328a750eab47553687e3782dc7a9 musl-fixes.pat
f16c63d4188fe56732dc6760307795ba4059452c4cf3de1460cbcb2616011511 resolver.patch
3e732ba5bbe324932a06a782bae655003089f5dc52a7bb2b790aa4837e20be8e no-mallinfo.patch
ea79f9a46116c8b56bbc69d226abd9252e4ae4d946ca695203f2298279cc2211 no-getcontext.patch
+8ed74cce08d0825e46eb21500a787d38ff2ac536b2ac1dff0bffc08d1257d278 musl-sandbox.patch
7d20f05bbd2b9ba363b28ed591cd0c770b4d7365a7ca9d20b5f6a268f6af2122 chromium-hotwording-2403.patch
06b26f3459e2f60866eb28803f129c59e064b082eae76126de60463706739f8c chromium-system-libvpx-r0.patch
872f5a38d8263b14308bb117828496a4093d0e6ad755d39d2c5e6857314fe071 chromium-system-jinja-r7.patch
@@ -250,6 +253,7 @@ febb6a204bcffda8dc3d80e75563710745e383cb30e460db5d8c5ded3d40f8a872461719283260f5
987f18d37824676e5d874a6fde1099bcc558920e7781de5f34e612411013e4fac9ca421a3cce1ed5f82401c4d54212b6f47a0a856892a78543b8e400a4bb0489 resolver.patch
511a3852d6172c14c651c316f1f874cfd23be0fde1c4285565dfead02e5865a1b240c40e270c940a23c55e2d3f2cfecbf3b5477bf9e6d3cf920d7c60331dc3c3 no-mallinfo.patch
42d9a6ebea2d95cdc169b921cc1a1b846cf500997059fd3084de09e21f00b63b76e60c6124f4af247d402ff5ca3f4bf8867a6f2c78198c05b4273ca01fb29241 no-getcontext.patch
+4075743c74a58e207eea77c2d1e25c7b7b4e5351d3bb2ed47cf9ac620dbe3b55e0f847c955d9d96d49db536fdd36b9f220aded337813d4ccfbd80c4ae7737f11 musl-sandbox.patch
38dcbae0d9bc63c044d50bd395692007642af705e1bbb9b704f3f349a48e45ca2b7f8495dbafbb4333b8bdb84ac53e5611eba4fe3d4fc7e841b319b4d744c324 chromium-hotwording-2403.patch
fe5801b63e7cb58c4653e6f4542de070cb5bf88e0d99fdd0bb7b45ba928be065ebda41fb1f5fa32f4a55d321b8765df53a977bf2d1418b030846a9e2b2fd1c1d chromium-system-libvpx-r0.patch
10bcc6a467b6766d13b5e41e7b7dcdbd62de7c04daad16c83037e88043032a0c118627029f91ef8a2a57faaaebc8b6f4ee16e8d1fecb5921d0d49efd60a27863 chromium-system-jinja-r7.patch
diff --git a/testing/chromium/musl-sandbox.patch b/testing/chromium/musl-sandbox.patch
new file mode 100644
index 0000000000..ef69e550dc
--- /dev/null
+++ b/testing/chromium/musl-sandbox.patch
@@ -0,0 +1,48 @@
+--- ./sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc.cld
++++ ./sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc
+@@ -111,23 +111,13 @@
+ // CLONE_VM, nor CLONE_THREAD, which includes all fork() implementations.
+ ResultExpr RestrictCloneToThreadsAndEPERMFork() {
+ const Arg<unsigned long> flags(0);
++ const int required = CLONE_VM | CLONE_FS | CLONE_FILES | CLONE_SIGHAND |
++ CLONE_THREAD | CLONE_SYSVSEM;
++ const int safe = CLONE_SETTLS | CLONE_PARENT_SETTID | CLONE_CHILD_CLEARTID |
++ CLONE_DETACHED;
++ const BoolExpr thread_clone_ok = (flags&~safe)==required;
+
+- // TODO(mdempsky): Extend DSL to support (flags & ~mask1) == mask2.
+- const uint64_t kAndroidCloneMask = CLONE_VM | CLONE_FS | CLONE_FILES |
+- CLONE_SIGHAND | CLONE_THREAD |
+- CLONE_SYSVSEM;
+- const uint64_t kObsoleteAndroidCloneMask = kAndroidCloneMask | CLONE_DETACHED;
+-
+- const uint64_t kGlibcPthreadFlags =
+- CLONE_VM | CLONE_FS | CLONE_FILES | CLONE_SIGHAND | CLONE_THREAD |
+- CLONE_SYSVSEM | CLONE_SETTLS | CLONE_PARENT_SETTID | CLONE_CHILD_CLEARTID;
+- const BoolExpr glibc_test = flags == kGlibcPthreadFlags;
+-
+- const BoolExpr android_test = flags == kAndroidCloneMask ||
+- flags == kObsoleteAndroidCloneMask ||
+- flags == kGlibcPthreadFlags;
+-
+- return If(IsAndroid() ? android_test : glibc_test, Allow())
++ return If(thread_clone_ok, Allow())
+ .ElseIf((flags & (CLONE_VM | CLONE_THREAD)) == 0, Error(EPERM))
+ .Else(CrashSIGSYSClone());
+ }
+--- ./sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc.orig
++++ ./sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc
+@@ -416,12 +416,12 @@
+ #endif
+ case __NR_epoll_create1:
+ case __NR_epoll_ctl:
++ case __NR_epoll_pwait:
+ return true;
+ default:
+ #if defined(__x86_64__)
+ case __NR_epoll_ctl_old:
+ #endif
+- case __NR_epoll_pwait:
+ #if defined(__x86_64__)
+ case __NR_epoll_wait_old:
+ #endif
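Review bot: In the embedded syscall_parameters_restrictions.cc hunk, `required` and `safe` are declared `const int`, whereas the masks they replace were `uint64_t` and `flags` is an `Arg<unsigned long>`. `(flags&~safe)` therefore keeps the upper 32 bits of the argument only if the negative int is sign-extended on conversion; declaring both as `const uint64_t` makes the mask width explicit. The new test also widens the accepted clone() calls from exact flag values to `required` plus any subset of the four `safe` bits, and the TODO it fulfils is removed without a replacement comment. Something like `// Thread creation only: libc-specific extras (TLS, tid bookkeeping, CLONE_DETACHED) are masked off before comparing.` would record why those bits are tolerated. The syscall_sets.cc hunk has the same gap: `__NR_epoll_pwait` moves from the `default:` group into the `return true` group with no comment naming the libc behaviour that needs it (presumably musl implementing epoll_wait through epoll_pwait), and the enclosing function starts and ends outside that hunk.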