chromium/patches/016-musl-sandbox.patch


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113

musl uses different syscalls from glibc for some functions, so the sandbox has
to account for that
--
diff --git a/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc ./sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc
index ff5a1c0..da56b9b 100644
--- a/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc
+++ ./sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc
@@ -139,21 +139,11 @@ namespace sandbox {
 // present (as in newer versions of posix_spawn).
 ResultExpr RestrictCloneToThreadsAndEPERMFork() {
   const Arg<unsigned long> flags(0);
-
-  // TODO(mdempsky): Extend DSL to support (flags & ~mask1) == mask2.
-  const uint64_t kAndroidCloneMask = CLONE_VM | CLONE_FS | CLONE_FILES |
-                                     CLONE_SIGHAND | CLONE_THREAD |
-                                     CLONE_SYSVSEM;
-  const uint64_t kObsoleteAndroidCloneMask = kAndroidCloneMask | CLONE_DETACHED;
-
-  const uint64_t kGlibcPthreadFlags =
-      CLONE_VM | CLONE_FS | CLONE_FILES | CLONE_SIGHAND | CLONE_THREAD |
-      CLONE_SYSVSEM | CLONE_SETTLS | CLONE_PARENT_SETTID | CLONE_CHILD_CLEARTID;
-  const BoolExpr glibc_test = flags == kGlibcPthreadFlags;
-
-  const BoolExpr android_test =
-      AnyOf(flags == kAndroidCloneMask, flags == kObsoleteAndroidCloneMask,
-            flags == kGlibcPthreadFlags);
+  const int required = CLONE_VM | CLONE_FS | CLONE_FILES | CLONE_SIGHAND |
+                       CLONE_THREAD | CLONE_SYSVSEM;
+  const int safe = CLONE_SETTLS | CLONE_PARENT_SETTID | CLONE_CHILD_CLEARTID |
+                   CLONE_DETACHED;
+  const BoolExpr thread_clone_ok = (flags&~safe)==required;
 
   // The following two flags are the two important flags in any vfork-emulating
   // clone call. EPERM any clone call that contains both of them.
@@ -163,7 +153,7 @@ ResultExpr RestrictCloneToThreadsAndEPERMFork() {
       AnyOf((flags & (CLONE_VM | CLONE_THREAD)) == 0,
             (flags & kImportantCloneVforkFlags) == kImportantCloneVforkFlags);
 
-  return If(IsAndroid() ? android_test : glibc_test, Allow())
+  return If(thread_clone_ok, Allow())
       .ElseIf(is_fork_or_clone_vfork, Error(EPERM))
       .Else(CrashSIGSYSClone());
 }
diff --git a/sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc ./sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc
index d9d1882..0567557 100644
--- a/sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc
+++ ./sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc
@@ -392,6 +392,7 @@ bool SyscallSets::IsAllowedProcessStartOrDeath(int sysno) {
 #if defined(__i386__)
     case __NR_waitpid:
 #endif
+    case __NR_set_tid_address:
       return true;
     case __NR_clone:  // Should be parameter-restricted.
     case __NR_setns:  // Privileged.
@@ -404,7 +405,6 @@ bool SyscallSets::IsAllowedProcessStartOrDeath(int sysno) {
 #if defined(__i386__) || defined(__x86_64__) || defined(__mips__)
     case __NR_set_thread_area:
 #endif
-    case __NR_set_tid_address:
     case __NR_unshare:
 #if !defined(__mips__) && !defined(__aarch64__)
     case __NR_vfork:
@@ -514,6 +514,8 @@ bool SyscallSets::IsAllowedAddressSpaceAccess(int sysno) {
     case __NR_munlock:
     case __NR_munmap:
     case __NR_mseal:
+    case __NR_mremap:
+    case __NR_membarrier:
       return true;
     case __NR_madvise:
     case __NR_mincore:
@@ -531,7 +533,6 @@ bool SyscallSets::IsAllowedAddressSpaceAccess(int sysno) {
     case __NR_modify_ldt:
 #endif
     case __NR_mprotect:
-    case __NR_mremap:
     case __NR_msync:
     case __NR_munlockall:
     case __NR_readahead:
--- a/sandbox/policy/linux/bpf_renderer_policy_linux.cc
+++ b/sandbox/policy/linux/bpf_renderer_policy_linux.cc
@@ -94,6 +94,10 @@
     case __NR_pwrite64:
+    case __NR_pwritev2:
     case __NR_sched_get_priority_max:
     case __NR_sched_get_priority_min:
+    case __NR_sched_getparam:
+    case __NR_sched_getscheduler:
+    case __NR_sched_setscheduler:
     case __NR_sysinfo:
     case __NR_times:
     case __NR_uname:
--- a/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc
+++ b/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc
@@ -225,10 +225,15 @@
   if (sysno == __NR_getpriority || sysno ==__NR_setpriority)
     return RestrictGetSetpriority(current_pid);
 
+  // XXX: hacks for musl sandbox, calls needed?
+  if (sysno == __NR_sched_getparam || sysno == __NR_sched_getscheduler ||
+      sysno == __NR_sched_setscheduler) {
+    return Allow();
+  }
+
   // The scheduling syscalls are used in threading libraries and also heavily in
   // abseil. See for example https://crbug.com/1370394.
-  if (sysno == __NR_sched_getaffinity || sysno == __NR_sched_getparam ||
-      sysno == __NR_sched_getscheduler || sysno == __NR_sched_setscheduler) {
+  if (sysno == __NR_sched_getaffinity) {
     return RestrictSchedTarget(current_pid, sysno);
   }