diff -ur ../qtwebengine-everywhere-src-5.13.2.orig/src/3rdparty/chromium/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc ./src/3rdparty/chromium/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc
--- ../qtwebengine-everywhere-src-5.13.2.orig/src/3rdparty/chromium/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc 2020-03-25 12:57:05.214021490 +0000
+++ ./src/3rdparty/chromium/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc 2020-03-25 12:58:35.813396054 +0000
@@ -137,7 +137,7 @@
     return Allow();
 #endif
-  if (sysno == __NR_clock_gettime) {
+  if (sysno == __NR_clock_gettime || sysno == __NR_clock_nanosleep) {
     return RestrictClockID();
   }
diff -ur ../qtwebengine-everywhere-src-5.13.2.orig/src/3rdparty/chromium/sandbox/linux/seccomp-bpf-helpers/baseline_policy_unittest.cc ./src/3rdparty/chromium/sandbox/linux/seccomp-bpf-helpers/baseline_policy_unittest.cc
--- ../qtwebengine-everywhere-src-5.13.2.orig/src/3rdparty/chromium/sandbox/linux/seccomp-bpf-helpers/baseline_policy_unittest.cc 2020-03-25 12:57:05.214021490 +0000
+++ ./src/3rdparty/chromium/sandbox/linux/seccomp-bpf-helpers/baseline_policy_unittest.cc 2020-03-25 13:01:05.971702078 +0000
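Review bot: The widened condition sends clock_nanosleep through the same clk_id filter as clock_gettime but carries no comment explaining why the two are grouped, and RestrictClockID() is not in the hunk, so a reader cannot tell from this line which arguments the filter inspects. A short why-comment above the `if` would help, e.g. `// clock_nanosleep() takes a clk_id as its first argument, like clock_gettime(); both go through RestrictClockID() so the clk_id allow-list applies.` Presumably only the first argument is matched, which is sufficient because the flags and timespec pointer arguments of clock_nanosleep do not select a clock, but confirm that against RestrictClockID()'s body. The enclosing function starts and ends outside the hunk.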
@@ -393,6 +393,18 @@
   syscall(SYS_clock_gettime, CLOCK_MONOTONIC_RAW, &ts);
 }
+BPF_DEATH_TEST_C(BaselinePolicy,
+                 ClockNanosleepWithDisallowedClockCrashes,
+                 DEATH_SEGV_MESSAGE(GetErrorMessageContentForTests()),
+                 BaselinePolicy) {
+  struct timespec ts;
+  struct timespec out_ts;
+  ts.tv_sec = 0;
+  ts.tv_nsec = 0;
+  syscall(SYS_clock_nanosleep, (~0) | CLOCKFD, 0, &ts, &out_ts);
+}
+
+
 #if !defined(GRND_RANDOM)
 #define GRND_RANDOM 2
 #endif
diff -ur ../qtwebengine-everywhere-src-5.13.2.orig/src/3rdparty/chromium/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.h ./src/3rdparty/chromium/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.h
--- ../qtwebengine-everywhere-src-5.13.2.orig/src/3rdparty/chromium/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.h 2020-03-25 12:57:05.213021508 +0000
+++ ./src/3rdparty/chromium/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.h 2020-03-25 13:03:32.058081155 +0000
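Review bot: The new BaselinePolicy test only covers the rejected path (`(~0) | CLOCKFD`); there is no companion non-death test showing that clock_nanosleep with an allowed clock such as CLOCK_MONOTONIC passes under BaselinePolicy, so a regression that blocked the syscall outright would leave this death test green. The `clock_nanosleep_allowed` test added to syscall_parameters_restrictions_unittests.cc exercises RestrictClockIdPolicy, not BaselinePolicy, so it does not close that gap. As a point of style, the zeroed timespec can be written as `struct timespec ts = {};` and `struct timespec out_ts = {};` instead of two field assignments; the same applies to the new helper and both new tests in syscall_parameters_restrictions_unittests.cc. The hunk also appends two blank lines before `#if !defined(GRND_RANDOM)` where the surrounding file uses one.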
@@ -86,12 +86,13 @@
 // process).
 SANDBOX_EXPORT bpf_dsl::ResultExpr RestrictGetrusage();
-// Restrict |clk_id| for clock_getres(), clock_gettime() and clock_settime().
-// We allow accessing only CLOCK_MONOTONIC, CLOCK_PROCESS_CPUTIME_ID,
-// CLOCK_REALTIME, and CLOCK_THREAD_CPUTIME_ID. In particular, this disallows
-// access to arbitrary per-{process,thread} CPU-time clock IDs (such as those
-// returned by {clock,pthread}_getcpuclockid), which can leak information
-// about the state of the host OS.
+// Restrict |clk_id| for clock_getres(), clock_gettime(), clock_settime(), and
+// clock_nanosleep(). We allow accessing only CLOCK_BOOTTIME,
+// CLOCK_MONOTONIC{,_RAW,_COARSE}, CLOCK_PROCESS_CPUTIME_ID,
+// CLOCK_REALTIME{,_COARSE}, and CLOCK_THREAD_CPUTIME_ID. In particular, on
+// non-Android platforms this disallows access to arbitrary per-{process,thread}
+// CPU-time clock IDs (such as those returned by {clock,pthread}_getcpuclockid),
+// which can leak information about the state of the host OS.
 SANDBOX_EXPORT bpf_dsl::ResultExpr RestrictClockID();
 // Restrict the flags argument to getrandom() to allow only no flags, or
diff -ur ../qtwebengine-everywhere-src-5.13.2.orig/src/3rdparty/chromium/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions_unittests.cc ./src/3rdparty/chromium/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions_unittests.cc
--- ../qtwebengine-everywhere-src-5.13.2.orig/src/3rdparty/chromium/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions_unittests.cc 2020-03-25 12:57:05.213021508 +0000
+++ ./src/3rdparty/chromium/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions_unittests.cc 2020-03-25 13:06:05.643325692 +0000
@@ -59,6 +59,7 @@
   switch (sysno) {
     case __NR_clock_gettime:
     case __NR_clock_getres:
+    case __NR_clock_nanosleep:
       return RestrictClockID();
     default:
       return Allow();
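Review bot: The rewritten comment states that CLOCK_MONOTONIC_RAW and CLOCK_BOOTTIME are allowed, but nothing in this patch touches RestrictClockID() itself, and the tests kept as context still treat CLOCK_MONOTONIC_RAW as a crash (`clock_gettime_crash_monotonic_raw` in syscall_parameters_restrictions_unittests.cc, and the `syscall(SYS_clock_gettime, CLOCK_MONOTONIC_RAW, &ts);` body immediately above the new death test in baseline_policy_unittest.cc, which looks like the tail of a death test). If this tree's RestrictClockID() has not been updated to accept those clocks, the header now documents a broader allow-list than the filter implements, and the new `clock_nanosleep_allowed` test in the @@ -99 hunk, which calls `CheckClockNanosleep(CLOCK_MONOTONIC_RAW)` and `CheckClockNanosleep(CLOCK_BOOTTIME)` unconditionally, would die under RestrictClockIdPolicy. Either carry the matching RestrictClockID() change in the same patch or trim the comment and the allowed-clock list to what this tree's filter accepts. RestrictClockID()'s body is not visible here, so confirm against it before landing.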
@@ -99,6 +100,25 @@
 #endif
 }
+void CheckClockNanosleep(clockid_t clockid) {
+  struct timespec ts;
+  struct timespec out_ts;
+  ts.tv_sec = 0;
+  ts.tv_nsec = 0;
+  clock_nanosleep(clockid, 0, &ts, &out_ts);
+}
+
+BPF_TEST_C(ParameterRestrictions,
+           clock_nanosleep_allowed,
+           RestrictClockIdPolicy) {
+  CheckClockNanosleep(CLOCK_MONOTONIC);
+  CheckClockNanosleep(CLOCK_MONOTONIC_COARSE);
+  CheckClockNanosleep(CLOCK_MONOTONIC_RAW);
+  CheckClockNanosleep(CLOCK_BOOTTIME);
+  CheckClockNanosleep(CLOCK_REALTIME);
+  CheckClockNanosleep(CLOCK_REALTIME_COARSE);
+}
+
 BPF_DEATH_TEST_C(ParameterRestrictions,
                  clock_gettime_crash_monotonic_raw,
                  DEATH_SEGV_MESSAGE(sandbox::GetErrorMessageContentForTests()),
@@ -107,6 +127,17 @@
   syscall(SYS_clock_gettime, CLOCK_MONOTONIC_RAW, &ts);
 }
+BPF_DEATH_TEST_C(ParameterRestrictions,
+                 clock_nanosleep_crash_clock_fd,
+                 DEATH_SEGV_MESSAGE(sandbox::GetErrorMessageContentForTests()),
+                 RestrictClockIdPolicy) {
+  struct timespec ts;
+  struct timespec out_ts;
+  ts.tv_sec = 0;
+  ts.tv_nsec = 0;
+  syscall(SYS_clock_nanosleep, (~0) | CLOCKFD, 0, &ts, &out_ts);
+}
+
 #if !defined(OS_ANDROID)
 BPF_DEATH_TEST_C(ParameterRestrictions,
                  clock_gettime_crash_cpu_clock,
diff -ur ../qtwebengine-everywhere-src-5.13.2.orig/src/3rdparty/chromium/sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc ./src/3rdparty/chromium/sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc
--- ../qtwebengine-everywhere-src-5.13.2.orig/src/3rdparty/chromium/sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc 2020-03-25 12:57:05.213021508 +0000
+++ ./src/3rdparty/chromium/sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc 2020-03-25 13:06:50.881514077 +0000
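Review bot: `CheckClockNanosleep` goes through the libc `clock_nanosleep()` wrapper while the death test in the @@ -107 hunk issues `syscall(SYS_clock_nanosleep, ...)` directly, so the positive test only reaches the filter if the wrapper emits exactly `__NR_clock_nanosleep`; on a 32-bit target whose libc prefers the time64 variant, the call would land in RestrictClockIdPolicy's `default: return Allow();` (visible in the @@ -59 hunk) and the test would pass without exercising RestrictClockID() at all. Changing the helper body to `syscall(SYS_clock_nanosleep, clockid, 0, &ts, &out_ts);` keeps both the allowed and the crash test on the same syscall number. The helper also discards the return value, which is intentional for a seccomp test (a rejected call is killed with SIGSYS rather than returning), but that deserves a one-line comment such as `// Return value is irrelevant: a filtered clockid kills the process.` Whether the existing CheckClock helper uses the raw syscall is not visible here; if it does, mirroring it is the consistent choice.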
@@ -35,9 +35,10 @@
       return true;
     case __NR_adjtimex:  // Privileged.
     case __NR_clock_adjtime:  // Privileged.
-    case __NR_clock_getres:  // Could be allowed.
-    case __NR_clock_gettime:
-    case __NR_clock_nanosleep:  // Could be allowed.
+    case __NR_clock_getres:  // Allowed only on Android with parameters
+                             // filtered by RestrictClokID().
+    case __NR_clock_gettime:  // Parameters filtered by RestrictClockID().
+    case __NR_clock_nanosleep:  // Parameters filtered by RestrictClockID().
     case __NR_clock_settime:  // Privileged.
 #if defined(__i386__) || \
     (defined(ARCH_CPU_MIPS_FAMILY) && defined(ARCH_CPU_32_BITS))
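Review bot: The new comment on the `__NR_clock_getres` case misspells the helper as `RestrictClokID()`; it should read `// filtered by RestrictClockID().` so a grep for the function finds this reference along with the two below it. The same comment asserts that clock_getres is allowed only on Android, but the only routing change in this patch (baseline_policy.cc) sends clock_gettime and clock_nanosleep to RestrictClockID(), so where clock_getres is handled is not visible here; confirm the Android-only claim against this tree's baseline policy before encoding it in a comment. The enclosing switch starts and ends outside the hunk.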