improved seccomp glibc 2.29 patch

epel8
Tom Callaway 6 years ago
parent ae0be165a7
commit 41b87b039a

@ -0,0 +1,29 @@
diff -up chromium-73.0.3683.103/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc.glibc229 chromium-73.0.3683.103/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc
--- chromium-73.0.3683.103/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc.glibc229 2019-04-16 11:49:35.353081246 -0400
+++ chromium-73.0.3683.103/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc 2019-04-16 11:51:22.105794620 -0400
@@ -134,7 +134,8 @@ namespace sandbox {
#if !defined(OS_NACL_NONSFI)
// Allow Glibc's and Android pthread creation flags, crash on any other
// thread creation attempts and EPERM attempts to use neither
-// CLONE_VM, nor CLONE_THREAD, which includes all fork() implementations.
+// CLONE_VM nor CLONE_THREAD (all fork implementations), unless CLONE_VFORK is
+// present (as in posix_spawn).
ResultExpr RestrictCloneToThreadsAndEPERMFork() {
const Arg<unsigned long> flags(0);
@@ -153,8 +154,14 @@ ResultExpr RestrictCloneToThreadsAndEPER
AnyOf(flags == kAndroidCloneMask, flags == kObsoleteAndroidCloneMask,
flags == kGlibcPthreadFlags);
+ const uint64_t kImportantSpawnFlags = CLONE_VFORK | CLONE_VM;
+
+ const BoolExpr isForkOrSpawn =
+ AnyOf((flags & (CLONE_VM | CLONE_THREAD)) == 0,
+ (flags & kImportantSpawnFlags) == kImportantSpawnFlags);
+
return If(IsAndroid() ? android_test : glibc_test, Allow())
- .ElseIf((flags & (CLONE_VM | CLONE_THREAD)) == 0, Error(EPERM))
+ .ElseIf(isForkOrSpawn, Error(EPERM))
.Else(CrashSIGSYSClone());
}

@ -1,13 +0,0 @@
diff -up chromium-73.0.3683.86/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc.clonevfork chromium-73.0.3683.86/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc
--- chromium-73.0.3683.86/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc.clonevfork 2019-04-11 10:22:21.250929060 -0400
+++ chromium-73.0.3683.86/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc 2019-04-11 10:23:58.832770803 -0400
@@ -146,7 +146,8 @@ ResultExpr RestrictCloneToThreadsAndEPER
const uint64_t kGlibcPthreadFlags =
CLONE_VM | CLONE_FS | CLONE_FILES | CLONE_SIGHAND | CLONE_THREAD |
- CLONE_SYSVSEM | CLONE_SETTLS | CLONE_PARENT_SETTID | CLONE_CHILD_CLEARTID;
+ CLONE_SYSVSEM | CLONE_SETTLS | CLONE_PARENT_SETTID |
+ CLONE_CHILD_CLEARTID | CLONE_VFORK;
const BoolExpr glibc_test = flags == kGlibcPthreadFlags;
const BoolExpr android_test =

@ -329,7 +329,7 @@ Patch138: chromium-73.0.3683.75-aarch64-crashpad-limits.patch
# el7 only patch
Patch139: chromium-73.0.3683.75-el7-fix-noexcept.patch
# https://bugs.chromium.org/p/chromium/issues/detail?id=949312
Patch140: chromium-73.0.3683.86-glibc-2.29-clone-vfork.patch
Patch140: chromium-73.0.3683.103-glibc-2.29-clone-vfork.patch
# Use chromium-latest.py to generate clean tarball from released build tarballs, found here:
# http://build.chromium.org/buildbot/official/
@ -912,7 +912,7 @@ udev.
%if 0%{?rhel} == 7
%patch139 -p1 -b .el7-noexcept
%endif
%patch140 -p1 -b .clonevfork
%patch140 -p1 -b .glibc229
# Change shebang in all relevant files in this directory and all subdirectories
# See `man find` for how the `-exec command {} +` syntax works
@ -1903,7 +1903,7 @@ getent group chrome-remote-desktop >/dev/null || groupadd -r chrome-remote-deskt
%changelog
* Thu Apr 11 2019 Tom Callaway <spot@fedoraproject.org> - 73.0.3683.103-1
- update to 73.0.3683.103
- add CLONE_VFORK to seccomp filter for linux to handle glibc 2.29 change
- add CLONE_VFORK logic to seccomp filter for linux to handle glibc 2.29 change
* Wed Mar 27 2019 Tom Callaway <spot@fedoraproject.org> - 73.0.3683.86-2
- remove lang macro from en-US.pak* because Chromium crashes if it is not present

Loading…
Cancel
Save