1 files changed, 113 insertions, 0 deletions
diff --git a/chromium/patches/016-musl-sandbox.patch b/chromium/patches/016-musl-sandbox.patch
new file mode 100644
index 0000000..41abc50
--- /dev/null
+++ b/chromium/patches/016-musl-sandbox.patch
@@ -0,0 +1,113 @@
+musl uses different syscalls from glibc for some functions, so the sandbox has
+to account for that
+--
+diff --git a/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc ./sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc
+index ff5a1c0..da56b9b 100644
+--- a/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc
+++ ./sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc
+@@ -139,21 +139,11 @@ namespace sandbox {
+ // present (as in newer versions of posix_spawn).
+ ResultExpr RestrictCloneToThreadsAndEPERMFork() {
+   const Arg<unsigned long> flags(0);
+-
+-  // TODO(mdempsky): Extend DSL to support (flags & ~mask1) == mask2.
+-  const uint64_t kAndroidCloneMask = CLONE_VM | CLONE_FS | CLONE_FILES |
+-                                     CLONE_SIGHAND | CLONE_THREAD |
+-                                     CLONE_SYSVSEM;
+-  const uint64_t kObsoleteAndroidCloneMask = kAndroidCloneMask | CLONE_DETACHED;
+-
+-  const uint64_t kGlibcPthreadFlags =
+-      CLONE_VM | CLONE_FS | CLONE_FILES | CLONE_SIGHAND | CLONE_THREAD |
+-      CLONE_SYSVSEM | CLONE_SETTLS | CLONE_PARENT_SETTID | CLONE_CHILD_CLEARTID;
+-  const BoolExpr glibc_test = flags == kGlibcPthreadFlags;
+-
+-  const BoolExpr android_test =
+-      AnyOf(flags == kAndroidCloneMask, flags == kObsoleteAndroidCloneMask,
+-            flags == kGlibcPthreadFlags);
+  const int required = CLONE_VM | CLONE_FS | CLONE_FILES | CLONE_SIGHAND |
+                       CLONE_THREAD | CLONE_SYSVSEM;
+  const int safe = CLONE_SETTLS | CLONE_PARENT_SETTID | CLONE_CHILD_CLEARTID |
+                   CLONE_DETACHED;
+  const BoolExpr thread_clone_ok = (flags&~safe)==required;
+ 
+   // The following two flags are the two important flags in any vfork-emulating
+   // clone call. EPERM any clone call that contains both of them.
+@@ -163,7 +153,7 @@ ResultExpr RestrictCloneToThreadsAndEPERMFork() {
+       AnyOf((flags & (CLONE_VM | CLONE_THREAD)) == 0,
+             (flags & kImportantCloneVforkFlags) == kImportantCloneVforkFlags);
+ 
+-  return If(IsAndroid() ? android_test : glibc_test, Allow())
+  return If(thread_clone_ok, Allow())
+       .ElseIf(is_fork_or_clone_vfork, Error(EPERM))
+       .Else(CrashSIGSYSClone());
+ }
+diff --git a/sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc ./sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc
+index d9d1882..0567557 100644
+--- a/sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc
+++ ./sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc
+@@ -392,6 +392,7 @@ bool SyscallSets::IsAllowedProcessStartOrDeath(int sysno) {
+ #if defined(__i386__)
+     case __NR_waitpid:
+ #endif
+    case __NR_set_tid_address:
+       return true;
+     case __NR_clone:  // Should be parameter-restricted.
+     case __NR_setns:  // Privileged.
+@@ -404,7 +405,6 @@ bool SyscallSets::IsAllowedProcessStartOrDeath(int sysno) {
+ #if defined(__i386__) || defined(__x86_64__) || defined(__mips__)
+     case __NR_set_thread_area:
+ #endif
+-    case __NR_set_tid_address:
+     case __NR_unshare:
+ #if !defined(__mips__) && !defined(__aarch64__)
+     case __NR_vfork:
+@@ -514,6 +514,8 @@ bool SyscallSets::IsAllowedAddressSpaceAccess(int sysno) {
+     case __NR_munlock:
+     case __NR_munmap:
+     case __NR_mseal:
+    case __NR_mremap:
+    case __NR_membarrier:
+       return true;
+     case __NR_madvise:
+     case __NR_mincore:
+@@ -531,7 +533,6 @@ bool SyscallSets::IsAllowedAddressSpaceAccess(int sysno) {
+     case __NR_modify_ldt:
+ #endif
+     case __NR_mprotect:
+-    case __NR_mremap:
+     case __NR_msync:
+     case __NR_munlockall:
+     case __NR_readahead:
+--- a/sandbox/policy/linux/bpf_renderer_policy_linux.cc
+++ b/sandbox/policy/linux/bpf_renderer_policy_linux.cc
+@@ -94,6 +94,10 @@
+     case __NR_pwrite64:
+    case __NR_pwritev2:
+     case __NR_sched_get_priority_max:
+     case __NR_sched_get_priority_min:
+    case __NR_sched_getparam:
+    case __NR_sched_getscheduler:
+    case __NR_sched_setscheduler:
+     case __NR_sysinfo:
+     case __NR_times:
+     case __NR_uname:
+--- a/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc
+++ b/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc
+@@ -225,10 +225,15 @@
+   if (sysno == __NR_getpriority || sysno ==__NR_setpriority)
+     return RestrictGetSetpriority(current_pid);
+ 
+  // XXX: hacks for musl sandbox, calls needed?
+  if (sysno == __NR_sched_getparam || sysno == __NR_sched_getscheduler ||
+      sysno == __NR_sched_setscheduler) {
+    return Allow();
+  }
+
+   // The scheduling syscalls are used in threading libraries and also heavily in
+   // abseil. See for example https://crbug.com/1370394.
+-  if (sysno == __NR_sched_getaffinity || sysno == __NR_sched_getparam ||
+-      sysno == __NR_sched_getscheduler || sysno == __NR_sched_setscheduler) {
+  if (sysno == __NR_sched_getaffinity) {
+     return RestrictSchedTarget(current_pid, sysno);
+   }
+

diff --git a/chromium/patches/016-musl-sandbox.patch b/chromium/patches/016-musl-sandbox.patch new file mode 100644 index 0000000..41abc50 --- /dev/null +++ b/chromium/patches/016-musl-sandbox.patch
@@ -0,0 +1,113 @@
	1	musl uses different syscalls from glibc for some functions, so the sandbox has
	2	to account for that
	3	--
	4	diff --git a/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc ./sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc
	5	index ff5a1c0..da56b9b 100644
	6	--- a/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc
	7	+++ ./sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc
	8	@@ -139,21 +139,11 @@ namespace sandbox {
	9	// present (as in newer versions of posix_spawn).
	10	ResultExpr RestrictCloneToThreadsAndEPERMFork() {
	11	const Arg<unsigned long> flags(0);
	12	-
	13	- // TODO(mdempsky): Extend DSL to support (flags & ~mask1) == mask2.
	14	- const uint64_t kAndroidCloneMask = CLONE_VM \| CLONE_FS \| CLONE_FILES \|
	15	- CLONE_SIGHAND \| CLONE_THREAD \|
	16	- CLONE_SYSVSEM;
	17	- const uint64_t kObsoleteAndroidCloneMask = kAndroidCloneMask \| CLONE_DETACHED;
	18	-
	19	- const uint64_t kGlibcPthreadFlags =
	20	- CLONE_VM \| CLONE_FS \| CLONE_FILES \| CLONE_SIGHAND \| CLONE_THREAD \|
	21	- CLONE_SYSVSEM \| CLONE_SETTLS \| CLONE_PARENT_SETTID \| CLONE_CHILD_CLEARTID;
	22	- const BoolExpr glibc_test = flags == kGlibcPthreadFlags;
	23	-
	24	- const BoolExpr android_test =
	25	- AnyOf(flags == kAndroidCloneMask, flags == kObsoleteAndroidCloneMask,
	26	- flags == kGlibcPthreadFlags);
	27	+ const int required = CLONE_VM \| CLONE_FS \| CLONE_FILES \| CLONE_SIGHAND \|
	28	+ CLONE_THREAD \| CLONE_SYSVSEM;
	29	+ const int safe = CLONE_SETTLS \| CLONE_PARENT_SETTID \| CLONE_CHILD_CLEARTID \|
	30	+ CLONE_DETACHED;
	31	+ const BoolExpr thread_clone_ok = (flags&~safe)==required;
	32
	33	// The following two flags are the two important flags in any vfork-emulating
	34	// clone call. EPERM any clone call that contains both of them.
	35	@@ -163,7 +153,7 @@ ResultExpr RestrictCloneToThreadsAndEPERMFork() {
	36	AnyOf((flags & (CLONE_VM \| CLONE_THREAD)) == 0,
	37	(flags & kImportantCloneVforkFlags) == kImportantCloneVforkFlags);
	38
	39	- return If(IsAndroid() ? android_test : glibc_test, Allow())
	40	+ return If(thread_clone_ok, Allow())
	41	.ElseIf(is_fork_or_clone_vfork, Error(EPERM))
	42	.Else(CrashSIGSYSClone());
	43	}
	44	diff --git a/sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc ./sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc
	45	index d9d1882..0567557 100644
	46	--- a/sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc
	47	+++ ./sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc
	48	@@ -392,6 +392,7 @@ bool SyscallSets::IsAllowedProcessStartOrDeath(int sysno) {
	49	#if defined(__i386__)
	50	case __NR_waitpid:
	51	#endif
	52	+ case __NR_set_tid_address:
	53	return true;
	54	case __NR_clone: // Should be parameter-restricted.
	55	case __NR_setns: // Privileged.
	56	@@ -404,7 +405,6 @@ bool SyscallSets::IsAllowedProcessStartOrDeath(int sysno) {
	57	#if defined(__i386__) \|\| defined(__x86_64__) \|\| defined(__mips__)
	58	case __NR_set_thread_area:
	59	#endif
	60	- case __NR_set_tid_address:
	61	case __NR_unshare:
	62	#if !defined(__mips__) && !defined(__aarch64__)
	63	case __NR_vfork:
	64	@@ -514,6 +514,8 @@ bool SyscallSets::IsAllowedAddressSpaceAccess(int sysno) {
	65	case __NR_munlock:
	66	case __NR_munmap:
	67	case __NR_mseal:
	68	+ case __NR_mremap:
	69	+ case __NR_membarrier:
	70	return true;
	71	case __NR_madvise:
	72	case __NR_mincore:
	73	@@ -531,7 +533,6 @@ bool SyscallSets::IsAllowedAddressSpaceAccess(int sysno) {
	74	case __NR_modify_ldt:
	75	#endif
	76	case __NR_mprotect:
	77	- case __NR_mremap:
	78	case __NR_msync:
	79	case __NR_munlockall:
	80	case __NR_readahead:
	81	--- a/sandbox/policy/linux/bpf_renderer_policy_linux.cc
	82	+++ b/sandbox/policy/linux/bpf_renderer_policy_linux.cc
	83	@@ -94,6 +94,10 @@
	84	case __NR_pwrite64:
	85	+ case __NR_pwritev2:
	86	case __NR_sched_get_priority_max:
	87	case __NR_sched_get_priority_min:
	88	+ case __NR_sched_getparam:
	89	+ case __NR_sched_getscheduler:
	90	+ case __NR_sched_setscheduler:
	91	case __NR_sysinfo:
	92	case __NR_times:
	93	case __NR_uname:
	94	--- a/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc
	95	+++ b/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc
	96	@@ -225,10 +225,15 @@
	97	if (sysno == __NR_getpriority \|\| sysno ==__NR_setpriority)
	98	return RestrictGetSetpriority(current_pid);
	99
	100	+ // XXX: hacks for musl sandbox, calls needed?
	101	+ if (sysno == __NR_sched_getparam \|\| sysno == __NR_sched_getscheduler \|\|
	102	+ sysno == __NR_sched_setscheduler) {
	103	+ return Allow();
	104	+ }
	105	+
	106	// The scheduling syscalls are used in threading libraries and also heavily in
	107	// abseil. See for example https://crbug.com/1370394.
	108	- if (sysno == __NR_sched_getaffinity \|\| sysno == __NR_sched_getparam \|\|
	109	- sysno == __NR_sched_getscheduler \|\| sysno == __NR_sched_setscheduler) {
	110	+ if (sysno == __NR_sched_getaffinity) {
	111	return RestrictSchedTarget(current_pid, sysno);
	112	}
	113