ayaports/backports/electron/musl-sandbox.patch

125 lines
5.2 KiB
Diff
Raw Permalink Normal View History

2023-05-05 05:10:04 +00:00
musl uses different syscalls from glibc for some functions, so the sandbox has
to account for that
--
2023-01-11 00:40:45 +00:00
diff --git a/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc ./sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc
index ff5a1c0..da56b9b 100644
--- a/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc
2023-05-05 05:10:04 +00:00
+++ ./sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc
2023-01-11 00:40:45 +00:00
@@ -139,21 +139,11 @@ namespace sandbox {
// present (as in newer versions of posix_spawn).
ResultExpr RestrictCloneToThreadsAndEPERMFork() {
const Arg<unsigned long> flags(0);
-
- // TODO(mdempsky): Extend DSL to support (flags & ~mask1) == mask2.
- const uint64_t kAndroidCloneMask = CLONE_VM | CLONE_FS | CLONE_FILES |
- CLONE_SIGHAND | CLONE_THREAD |
- CLONE_SYSVSEM;
- const uint64_t kObsoleteAndroidCloneMask = kAndroidCloneMask | CLONE_DETACHED;
-
- const uint64_t kGlibcPthreadFlags =
- CLONE_VM | CLONE_FS | CLONE_FILES | CLONE_SIGHAND | CLONE_THREAD |
- CLONE_SYSVSEM | CLONE_SETTLS | CLONE_PARENT_SETTID | CLONE_CHILD_CLEARTID;
- const BoolExpr glibc_test = flags == kGlibcPthreadFlags;
-
- const BoolExpr android_test =
- AnyOf(flags == kAndroidCloneMask, flags == kObsoleteAndroidCloneMask,
- flags == kGlibcPthreadFlags);
+ const int required = CLONE_VM | CLONE_FS | CLONE_FILES | CLONE_SIGHAND |
+ CLONE_THREAD | CLONE_SYSVSEM;
+ const int safe = CLONE_SETTLS | CLONE_PARENT_SETTID | CLONE_CHILD_CLEARTID |
+ CLONE_DETACHED;
+ const BoolExpr thread_clone_ok = (flags&~safe)==required;
// The following two flags are the two important flags in any vfork-emulating
// clone call. EPERM any clone call that contains both of them.
@@ -163,7 +153,7 @@ ResultExpr RestrictCloneToThreadsAndEPERMFork() {
AnyOf((flags & (CLONE_VM | CLONE_THREAD)) == 0,
(flags & kImportantCloneVforkFlags) == kImportantCloneVforkFlags);
- return If(IsAndroid() ? android_test : glibc_test, Allow())
+ return If(thread_clone_ok, Allow())
.ElseIf(is_fork_or_clone_vfork, Error(EPERM))
.Else(CrashSIGSYSClone());
}
diff --git a/sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc ./sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc
index d9d1882..0567557 100644
--- a/sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc
2023-05-05 05:10:04 +00:00
+++ ./sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc
2023-01-11 00:40:45 +00:00
@@ -392,6 +392,7 @@ bool SyscallSets::IsAllowedProcessStartOrDeath(int sysno) {
#if defined(__i386__)
case __NR_waitpid:
#endif
+ case __NR_set_tid_address:
return true;
case __NR_clone: // Should be parameter-restricted.
case __NR_setns: // Privileged.
@@ -404,7 +405,6 @@ bool SyscallSets::IsAllowedProcessStartOrDeath(int sysno) {
#if defined(__i386__) || defined(__x86_64__) || defined(__mips__)
case __NR_set_thread_area:
#endif
- case __NR_set_tid_address:
case __NR_unshare:
#if !defined(__mips__) && !defined(__aarch64__)
case __NR_vfork:
@@ -514,6 +514,8 @@ bool SyscallSets::IsAllowedAddressSpaceAccess(int sysno) {
case __NR_mlock:
case __NR_munlock:
case __NR_munmap:
+ case __NR_mremap:
+ case __NR_membarrier:
return true;
case __NR_madvise:
case __NR_mincore:
@@ -531,7 +533,6 @@ bool SyscallSets::IsAllowedAddressSpaceAccess(int sysno) {
case __NR_modify_ldt:
#endif
case __NR_mprotect:
- case __NR_mremap:
case __NR_msync:
case __NR_munlockall:
case __NR_readahead:
diff --git a/sandbox/linux/system_headers/linux_syscalls.h ./sandbox/linux/system_headers/linux_syscalls.h
index 2b78a0c..b6fedb5 100644
--- a/sandbox/linux/system_headers/linux_syscalls.h
+++ b/sandbox/linux/system_headers/linux_syscalls.h
@@ -10,6 +10,7 @@
#define SANDBOX_LINUX_SYSTEM_HEADERS_LINUX_SYSCALLS_H_
#include "build/build_config.h"
+#include <sys/syscall.h>
#if defined(__x86_64__)
#include "sandbox/linux/system_headers/x86_64_linux_syscalls.h"
--- a/sandbox/policy/linux/bpf_renderer_policy_linux.cc
+++ b/sandbox/policy/linux/bpf_renderer_policy_linux.cc
2023-05-05 05:10:04 +00:00
@@ -94,6 +94,9 @@
case __NR_pwrite64:
case __NR_sched_get_priority_max:
case __NR_sched_get_priority_min:
+ case __NR_sched_getparam:
+ case __NR_sched_getscheduler:
+ case __NR_sched_setscheduler:
case __NR_sysinfo:
case __NR_times:
case __NR_uname:
--- a/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc
+++ b/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc
@@ -225,10 +225,15 @@
if (sysno == __NR_getpriority || sysno ==__NR_setpriority)
return RestrictGetSetpriority(current_pid);
+ // XXX: hacks for musl sandbox, calls needed?
+ if (sysno == __NR_sched_getparam || sysno == __NR_sched_getscheduler ||
+ sysno == __NR_sched_setscheduler) {
+ return Allow();
+ }
+
// The scheduling syscalls are used in threading libraries and also heavily in
// abseil. See for example https://crbug.com/1370394.
- if (sysno == __NR_sched_getaffinity || sysno == __NR_sched_getparam ||
- sysno == __NR_sched_getscheduler || sysno == __NR_sched_setscheduler) {
+ if (sysno == __NR_sched_getaffinity) {
return RestrictSchedTarget(current_pid, sysno);
}