diff options
author | Andreas Baumann <mail@andreasbaumann.cc> | 2020-08-16 10:07:04 +0200 |
---|---|---|
committer | Andreas Baumann <mail@andreasbaumann.cc> | 2020-08-16 10:07:04 +0200 |
commit | 59469e0e1394a098b76a1198c0eaa3de62a3b20f (patch) | |
tree | 948943fa269d3e098e1968ef132ec8e81a2b2735 /extra | |
parent | 224871404b2fcf34b0282a40beb374ee3b5e02fa (diff) | |
download | packages-59469e0e1394a098b76a1198c0eaa3de62a3b20f.tar.xz |
extra/qt5-webengine: added patch for seccomp BFP filtering failures in Chromium
Diffstat (limited to 'extra')
-rw-r--r-- | extra/qt5-webengine/PKGBUILD | 13 | ||||
-rw-r--r-- | extra/qt5-webengine/qtwebengine-everywhere-src-5.15.0-sandbox-Aw-snap-for-syscalls-403-and-407.patch | 85 |
2 files changed, 98 insertions, 0 deletions
diff --git a/extra/qt5-webengine/PKGBUILD b/extra/qt5-webengine/PKGBUILD index 7af5e50c..3a6bd03e 100644 --- a/extra/qt5-webengine/PKGBUILD +++ b/extra/qt5-webengine/PKGBUILD @@ -37,3 +37,16 @@ eval "$( $ i cd "$srcdir/${_pkgfqn}"; patch -Np1 -i "${srcdir}"/qtwebengine-everywhere-src-5.15.0-gcc10-patches.patch ' )" + +# backport seccomp time function jail fix from chromium +# for for 64-bit time functions in seccomp sanbox (thanks to schnitzeltony) +# https://github.com/schnitzeltony/meta-browser/blob/master/recipes-browser/chromium/files/0003-Fix-sandbox-Aw-snap-for-syscalls-403-and-407.patch +source+=('qtwebengine-everywhere-src-5.15.0-sandbox-Aw-snap-for-syscalls-403-and-407.patch') +sha256sums+=('606adb05a5bc903ac371e8040a4c2b06847d32de72be8b15949a161946aa826c') + +eval "$( + declare -f prepare | \ + sed ' + $ i cd "$srcdir/${_pkgfqn}"; patch -Np1 -i "${srcdir}"/qtwebengine-everywhere-src-5.15.0-sandbox-Aw-snap-for-syscalls-403-and-407.patch + ' +)" diff --git a/extra/qt5-webengine/qtwebengine-everywhere-src-5.15.0-sandbox-Aw-snap-for-syscalls-403-and-407.patch b/extra/qt5-webengine/qtwebengine-everywhere-src-5.15.0-sandbox-Aw-snap-for-syscalls-403-and-407.patch new file mode 100644 index 00000000..f9211305 --- /dev/null +++ b/extra/qt5-webengine/qtwebengine-everywhere-src-5.15.0-sandbox-Aw-snap-for-syscalls-403-and-407.patch @@ -0,0 +1,85 @@ +diff -rauN qtwebengine-everywhere-src-5.15.0/src/3rdparty/chromium/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc qtwebengine-everywhere-src-5.15.0-sandbox-Aw-snap-for-syscalls-403-and-407-patch/src/3rdparty/chromium/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc +--- qtwebengine-everywhere-src-5.15.0/src/3rdparty/chromium/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc 2020-05-06 16:21:29.000000000 +0200 ++++ qtwebengine-everywhere-src-5.15.0-sandbox-Aw-snap-for-syscalls-403-and-407-patch/src/3rdparty/chromium/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc 2020-08-16 08:55:45.992315648 +0200 +@@ -148,7 +148,14 @@ + return Allow(); + #endif + +- if (sysno == __NR_clock_gettime || sysno == __NR_clock_nanosleep) { ++ if (sysno == __NR_clock_gettime || sysno == __NR_clock_nanosleep ++#if defined(__NR_clock_gettime64) ++ || sysno == __NR_clock_gettime64 ++#endif ++#if defined(__NR_clock_nanosleep_time64) ++ || sysno == __NR_clock_nanosleep_time64 ++#endif ++ ) { + return RestrictClockID(); + } + +diff -rauN qtwebengine-everywhere-src-5.15.0/src/3rdparty/chromium/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions_unittests.cc qtwebengine-everywhere-src-5.15.0-sandbox-Aw-snap-for-syscalls-403-and-407-patch/src/3rdparty/chromium/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions_unittests.cc +--- qtwebengine-everywhere-src-5.15.0/src/3rdparty/chromium/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions_unittests.cc 2020-05-06 16:21:29.000000000 +0200 ++++ qtwebengine-everywhere-src-5.15.0-sandbox-Aw-snap-for-syscalls-403-and-407-patch/src/3rdparty/chromium/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions_unittests.cc 2020-08-16 08:56:28.085606998 +0200 +@@ -60,6 +60,12 @@ + case __NR_clock_gettime: + case __NR_clock_getres: + case __NR_clock_nanosleep: ++#if defined(__NR_clock_nanosleep_time64) ++ case __NR_clock_nanosleep_time64: ++#endif ++#if defined(__NR_clock_gettime64) ++ case __NR_clock_gettime64: ++#endif + return RestrictClockID(); + default: + return Allow(); +diff -rauN qtwebengine-everywhere-src-5.15.0/src/3rdparty/chromium/sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc qtwebengine-everywhere-src-5.15.0-sandbox-Aw-snap-for-syscalls-403-and-407-patch/src/3rdparty/chromium/sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc +--- qtwebengine-everywhere-src-5.15.0/src/3rdparty/chromium/sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc 2020-05-06 16:21:29.000000000 +0200 ++++ qtwebengine-everywhere-src-5.15.0-sandbox-Aw-snap-for-syscalls-403-and-407-patch/src/3rdparty/chromium/sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc 2020-08-16 08:57:06.615551750 +0200 +@@ -39,6 +39,12 @@ + // filtered by RestrictClokID(). + case __NR_clock_gettime: // Parameters filtered by RestrictClockID(). + case __NR_clock_nanosleep: // Parameters filtered by RestrictClockID(). ++#if defined(__NR_clock_gettime64) ++ case __NR_clock_gettime64: // Parameters filtered by RestrictClockID(). ++#endif ++#if defined(__NR_clock_nanosleep_time64) ++ case __NR_clock_nanosleep_time64: // Parameters filtered by RestrictClockID(). ++#endif + case __NR_clock_settime: // Privileged. + #if defined(__i386__) || \ + (defined(ARCH_CPU_MIPS_FAMILY) && defined(ARCH_CPU_32_BITS)) +diff -rauN qtwebengine-everywhere-src-5.15.0/src/3rdparty/chromium/sandbox/linux/system_headers/arm_linux_syscalls.h qtwebengine-everywhere-src-5.15.0-sandbox-Aw-snap-for-syscalls-403-and-407-patch/src/3rdparty/chromium/sandbox/linux/system_headers/arm_linux_syscalls.h +--- qtwebengine-everywhere-src-5.15.0/src/3rdparty/chromium/sandbox/linux/system_headers/arm_linux_syscalls.h 2020-05-06 16:21:29.000000000 +0200 ++++ qtwebengine-everywhere-src-5.15.0-sandbox-Aw-snap-for-syscalls-403-and-407-patch/src/3rdparty/chromium/sandbox/linux/system_headers/arm_linux_syscalls.h 2020-08-16 08:57:56.025481868 +0200 +@@ -1385,6 +1385,14 @@ + #define __NR_memfd_create (__NR_SYSCALL_BASE+385) + #endif + ++#if !defined(__NR_clock_gettime64) ++#define __NR_clock_gettime64 (__NR_SYSCALL_BASE+403) ++#endif ++ ++#if !defined(__NR_clock_nanosleep_time64) ++#define __NR_clock_nanosleep_time64 (__NR_SYSCALL_BASE+407) ++#endif ++ + // ARM private syscalls. + #if !defined(__ARM_NR_BASE) + #define __ARM_NR_BASE (__NR_SYSCALL_BASE + 0xF0000) +diff -rauN qtwebengine-everywhere-src-5.15.0/src/3rdparty/chromium/sandbox/linux/system_headers/mips_linux_syscalls.h qtwebengine-everywhere-src-5.15.0-sandbox-Aw-snap-for-syscalls-403-and-407-patch/src/3rdparty/chromium/sandbox/linux/system_headers/mips_linux_syscalls.h +--- qtwebengine-everywhere-src-5.15.0/src/3rdparty/chromium/sandbox/linux/system_headers/mips_linux_syscalls.h 2020-05-06 16:21:29.000000000 +0200 ++++ qtwebengine-everywhere-src-5.15.0-sandbox-Aw-snap-for-syscalls-403-and-407-patch/src/3rdparty/chromium/sandbox/linux/system_headers/mips_linux_syscalls.h 2020-08-16 08:58:27.458771331 +0200 +@@ -1433,4 +1433,12 @@ + #define __NR_memfd_create (__NR_Linux + 354) + #endif + ++#if !defined(__NR_clock_gettime64) ++#define __NR_clock_gettime64 (__NR_Linux + 403) ++#endif ++ ++#if !defined(__NR_clock_nanosleep_time64) ++#define __NR_clock_nanosleep_time64 (__NR_Linux + 407) ++#endif ++ + #endif // SANDBOX_LINUX_SYSTEM_HEADERS_MIPS_LINUX_SYSCALLS_H_ |