allow clock_nanosleep through seccomp (bz #1773289)

5 years ago · 0dd9dad819
parent 978a69928b
commit 0dd9dad819
2 changed files with 25 additions and 1 deletions
--- a/chromium-78.0.3904.97-glibc-clock-nanosleep.patch
+++ b/chromium-78.0.3904.97-glibc-clock-nanosleep.patch
@ -0,0 +1,17 @@
+diff -up chromium-78.0.3904.97/sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc.glibc-clock-nanosleep chromium-78.0.3904.97/sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc
+--- chromium-78.0.3904.97/sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc.glibc-clock-nanosleep	2019-11-17 16:48:03.463997928 -0500
+++ chromium-78.0.3904.97/sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc	2019-11-17 16:48:37.057222139 -0500
+@@ -32,12 +32,12 @@ bool SyscallSets::IsAllowedGettime(int s
+     (defined(ARCH_CPU_MIPS_FAMILY) && defined(ARCH_CPU_32_BITS))
+     case __NR_time:
+ #endif
+    case __NR_clock_nanosleep:
+       return true;
+     case __NR_adjtimex:         // Privileged.
+     case __NR_clock_adjtime:    // Privileged.
+     case __NR_clock_getres:     // Could be allowed.
+     case __NR_clock_gettime:
+-    case __NR_clock_nanosleep:  // Could be allowed.
+     case __NR_clock_settime:    // Privileged.
+ #if defined(__i386__) || \
+     (defined(ARCH_CPU_MIPS_FAMILY) && defined(ARCH_CPU_32_BITS))
--- a/chromium.spec
+++ b/chromium.spec
@ -168,7 +168,7 @@ Name:		chromium%{chromium_channel}%{nsuffix}
 Name:		chromium%{chromium_channel}
 %endif
 Version:	%{majorversion}.0.3904.97
-Release:	1%{?dist}
+Release:	2%{?dist}
 %if %{?freeworld}
 %if %{?shared}
 # chromium-libs-media-freeworld
@ -255,6 +255,9 @@ Patch67:	chromium-78.0.3904.70-v8-tracedreference-fix.patch
 Patch68:	v8-implement-tracedreference.patch
 # https://gitweb.gentoo.org/repo/gentoo.git/plain/www-client/chromium/files/chromium-77-clang.patch
 Patch69:	chromium-77-clang.patch
+# Needs upstreaming
+Patch70:	chromium-78.0.3904.97-glibc-clock-nanosleep.patch
+

 # Use lstdc++ on EPEL7 only
 Patch101:	chromium-75.0.3770.100-epel7-stdc++.patch
@ -806,6 +809,7 @@ udev.
 %patch67 -p1 -b .implement-TraceWrapperV8Reference-without-destructor
 %patch68 -p1 -b .v8-implement-tracedreference
 %patch69 -p1 -b .clang-supports-location-builtins
+%patch70 -p1 -b .glibc-clock-nanosleep

 # Fedora branded user agent
 %if 0%{?fedora}
@ -1726,6 +1730,9 @@ getent group chrome-remote-desktop >/dev/null || groupadd -r chrome-remote-deskt


 %changelog
+* Sun Nov 17 2019 Tom Callaway <spot@fedoraproject.org> - 78.0.3904.97-2
+- allow clock_nanosleep through seccomp (bz #1773289)
+
 * Thu Nov  7 2019 Tom Callaway <spot@fedoraproject.org> - 78.0.3904.97-1
 - update to 78.0.3904.97