authorAndreas Baumann <mail@andreasbaumann.cc>2020-08-16 10:07:04 +0200
committerAndreas Baumann <mail@andreasbaumann.cc>2020-08-16 10:07:04 +0200
commit59469e0e1394a098b76a1198c0eaa3de62a3b20f (patch)
tree948943fa269d3e098e1968ef132ec8e81a2b2735 /extra
parent224871404b2fcf34b0282a40beb374ee3b5e02fa (diff)
downloadpackages-59469e0e1394a098b76a1198c0eaa3de62a3b20f.tar.xz
extra/qt5-webengine: added patch for seccomp BPF filtering failures in Chromium
Diffstat (limited to 'extra')
-rw-r--r--extra/qt5-webengine/PKGBUILD13
-rw-r--r--extra/qt5-webengine/qtwebengine-everywhere-src-5.15.0-sandbox-Aw-snap-for-syscalls-403-and-407.patch85
2 files changed, 98 insertions, 0 deletions
diff --git a/extra/qt5-webengine/PKGBUILD b/extra/qt5-webengine/PKGBUILD
index 7af5e50c..3a6bd03e 100644
--- a/extra/qt5-webengine/PKGBUILD
+++ b/extra/qt5-webengine/PKGBUILD
@@ -37,3 +37,16 @@ eval "$(
$ i cd "$srcdir/${_pkgfqn}"; patch -Np1 -i "${srcdir}"/qtwebengine-everywhere-src-5.15.0-gcc10-patches.patch
'
)"
+
+# backport seccomp time function jail fix from chromium
+# for for 64-bit time functions in seccomp sanbox (thanks to schnitzeltony)
+# https://github.com/schnitzeltony/meta-browser/blob/master/recipes-browser/chromium/files/0003-Fix-sandbox-Aw-snap-for-syscalls-403-and-407.patch
+source+=('qtwebengine-everywhere-src-5.15.0-sandbox-Aw-snap-for-syscalls-403-and-407.patch')
+sha256sums+=('606adb05a5bc903ac371e8040a4c2b06847d32de72be8b15949a161946aa826c')
+
+eval "$(
+ declare -f prepare | \
+ sed '
+ $ i cd "$srcdir/${_pkgfqn}"; patch -Np1 -i "${srcdir}"/qtwebengine-everywhere-src-5.15.0-sandbox-Aw-snap-for-syscalls-403-and-407.patch
+ '
+)"
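Review bot: The comment on the new source line calls this a "backport ... from chromium" but the only reference given is a downstream meta-browser recipe, so nobody can check the sha256-pinned patch against what upstream actually merged; cite the upstream Chromium review or commit next to that link. The comment also has two typos that should be fixed while at it: `# for 64-bit time functions in the seccomp sandbox (thanks to schnitzeltony)`. The `$ i` sed trick inserts the patch before the closing line of prepare(), so it is applied after the gcc10 patch, which looks intended; a one-line comment stating that ordering would save the next packager from guessing.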
diff --git a/extra/qt5-webengine/qtwebengine-everywhere-src-5.15.0-sandbox-Aw-snap-for-syscalls-403-and-407.patch b/extra/qt5-webengine/qtwebengine-everywhere-src-5.15.0-sandbox-Aw-snap-for-syscalls-403-and-407.patch
new file mode 100644
index 00000000..f9211305
--- /dev/null
+++ b/extra/qt5-webengine/qtwebengine-everywhere-src-5.15.0-sandbox-Aw-snap-for-syscalls-403-and-407.patch
@@ -0,0 +1,85 @@
+diff -rauN qtwebengine-everywhere-src-5.15.0/src/3rdparty/chromium/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc qtwebengine-everywhere-src-5.15.0-sandbox-Aw-snap-for-syscalls-403-and-407-patch/src/3rdparty/chromium/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc
+--- qtwebengine-everywhere-src-5.15.0/src/3rdparty/chromium/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc 2020-05-06 16:21:29.000000000 +0200
++++ qtwebengine-everywhere-src-5.15.0-sandbox-Aw-snap-for-syscalls-403-and-407-patch/src/3rdparty/chromium/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc 2020-08-16 08:55:45.992315648 +0200
+@@ -148,7 +148,14 @@
+ return Allow();
+ #endif
+
+- if (sysno == __NR_clock_gettime || sysno == __NR_clock_nanosleep) {
++ if (sysno == __NR_clock_gettime || sysno == __NR_clock_nanosleep
++#if defined(__NR_clock_gettime64)
++ || sysno == __NR_clock_gettime64
++#endif
++#if defined(__NR_clock_nanosleep_time64)
++ || sysno == __NR_clock_nanosleep_time64
++#endif
++ ) {
+ return RestrictClockID();
+ }
+
+diff -rauN qtwebengine-everywhere-src-5.15.0/src/3rdparty/chromium/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions_unittests.cc qtwebengine-everywhere-src-5.15.0-sandbox-Aw-snap-for-syscalls-403-and-407-patch/src/3rdparty/chromium/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions_unittests.cc
+--- qtwebengine-everywhere-src-5.15.0/src/3rdparty/chromium/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions_unittests.cc 2020-05-06 16:21:29.000000000 +0200
++++ qtwebengine-everywhere-src-5.15.0-sandbox-Aw-snap-for-syscalls-403-and-407-patch/src/3rdparty/chromium/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions_unittests.cc 2020-08-16 08:56:28.085606998 +0200
+@@ -60,6 +60,12 @@
+ case __NR_clock_gettime:
+ case __NR_clock_getres:
+ case __NR_clock_nanosleep:
++#if defined(__NR_clock_nanosleep_time64)
++ case __NR_clock_nanosleep_time64:
++#endif
++#if defined(__NR_clock_gettime64)
++ case __NR_clock_gettime64:
++#endif
+ return RestrictClockID();
+ default:
+ return Allow();
+diff -rauN qtwebengine-everywhere-src-5.15.0/src/3rdparty/chromium/sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc qtwebengine-everywhere-src-5.15.0-sandbox-Aw-snap-for-syscalls-403-and-407-patch/src/3rdparty/chromium/sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc
+--- qtwebengine-everywhere-src-5.15.0/src/3rdparty/chromium/sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc 2020-05-06 16:21:29.000000000 +0200
++++ qtwebengine-everywhere-src-5.15.0-sandbox-Aw-snap-for-syscalls-403-and-407-patch/src/3rdparty/chromium/sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc 2020-08-16 08:57:06.615551750 +0200
+@@ -39,6 +39,12 @@
+ // filtered by RestrictClokID().
+ case __NR_clock_gettime: // Parameters filtered by RestrictClockID().
+ case __NR_clock_nanosleep: // Parameters filtered by RestrictClockID().
++#if defined(__NR_clock_gettime64)
++ case __NR_clock_gettime64: // Parameters filtered by RestrictClockID().
++#endif
++#if defined(__NR_clock_nanosleep_time64)
++ case __NR_clock_nanosleep_time64: // Parameters filtered by RestrictClockID().
++#endif
+ case __NR_clock_settime: // Privileged.
+ #if defined(__i386__) || \
+ (defined(ARCH_CPU_MIPS_FAMILY) && defined(ARCH_CPU_32_BITS))
+diff -rauN qtwebengine-everywhere-src-5.15.0/src/3rdparty/chromium/sandbox/linux/system_headers/arm_linux_syscalls.h qtwebengine-everywhere-src-5.15.0-sandbox-Aw-snap-for-syscalls-403-and-407-patch/src/3rdparty/chromium/sandbox/linux/system_headers/arm_linux_syscalls.h
+--- qtwebengine-everywhere-src-5.15.0/src/3rdparty/chromium/sandbox/linux/system_headers/arm_linux_syscalls.h 2020-05-06 16:21:29.000000000 +0200
++++ qtwebengine-everywhere-src-5.15.0-sandbox-Aw-snap-for-syscalls-403-and-407-patch/src/3rdparty/chromium/sandbox/linux/system_headers/arm_linux_syscalls.h 2020-08-16 08:57:56.025481868 +0200
+@@ -1385,6 +1385,14 @@
+ #define __NR_memfd_create (__NR_SYSCALL_BASE+385)
+ #endif
+
++#if !defined(__NR_clock_gettime64)
++#define __NR_clock_gettime64 (__NR_SYSCALL_BASE+403)
++#endif
++
++#if !defined(__NR_clock_nanosleep_time64)
++#define __NR_clock_nanosleep_time64 (__NR_SYSCALL_BASE+407)
++#endif
++
+ // ARM private syscalls.
+ #if !defined(__ARM_NR_BASE)
+ #define __ARM_NR_BASE (__NR_SYSCALL_BASE + 0xF0000)
+diff -rauN qtwebengine-everywhere-src-5.15.0/src/3rdparty/chromium/sandbox/linux/system_headers/mips_linux_syscalls.h qtwebengine-everywhere-src-5.15.0-sandbox-Aw-snap-for-syscalls-403-and-407-patch/src/3rdparty/chromium/sandbox/linux/system_headers/mips_linux_syscalls.h
+--- qtwebengine-everywhere-src-5.15.0/src/3rdparty/chromium/sandbox/linux/system_headers/mips_linux_syscalls.h 2020-05-06 16:21:29.000000000 +0200
++++ qtwebengine-everywhere-src-5.15.0-sandbox-Aw-snap-for-syscalls-403-and-407-patch/src/3rdparty/chromium/sandbox/linux/system_headers/mips_linux_syscalls.h 2020-08-16 08:58:27.458771331 +0200
+@@ -1433,4 +1433,12 @@
+ #define __NR_memfd_create (__NR_Linux + 354)
+ #endif
+
++#if !defined(__NR_clock_gettime64)
++#define __NR_clock_gettime64 (__NR_Linux + 403)
++#endif
++
++#if !defined(__NR_clock_nanosleep_time64)
++#define __NR_clock_nanosleep_time64 (__NR_Linux + 407)
++#endif
++
+ #endif // SANDBOX_LINUX_SYSTEM_HEADERS_MIPS_LINUX_SYSCALLS_H_
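Review bot: The new `__NR_clock_gettime64`/`__NR_clock_nanosleep_time64` fallbacks are only added to the ARM and MIPS headers, while the `#if defined(...)` guards in baseline_policy.cc and syscall_sets.cc silently compile the new cases out wherever the macro is absent, so any other 32-bit target whose libc starts issuing syscalls 403/407 (i386 with a time64 libc comes to mind, though I cannot confirm from this patch) would keep crashing with SIGSYS rather than failing the build. Consider adding the same guarded defines to the x86_32 system header, or at least a comment on the guards saying which architectures are expected to have them. The hard-coded 403/407 should be cross-checked against the kernel's asm-generic table before trusting them on MIPS o32 (where they become `__NR_Linux + 403/407`); a comment like `// Unified time64 syscall numbers from asm-generic/unistd.h, kernel 5.1+` on the defines would record that. Routing the time64 variants through `RestrictClockID()` presumably keeps the clockid restriction only if that helper inspects the first argument, which is where the clockid sits for both the old and the time64 forms — worth confirming against its definition, which is outside this patch.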