1 | From 5e08782516d24de536e75d6bf4ff2bc87be55124 Mon Sep 17 00:00:00 2001 |
2 | From: Matthew Denton <mpdenton@chromium.org> | |
3 | Date: Thu, 03 Jun 2021 19:02:10 +0000 | |
4 | Subject: [PATCH] Linux sandbox: update syscall numbers for all platforms. | |
5 | ||
6 | This includes clone3 and the landlock system calls. | |
7 | ||
8 | Bug: 1213452 | |
9 | Change-Id: Iaf14a7c9d455c7a22ad179b13541a60dcabaac09 | |
10 | Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2934620 | |
11 | Auto-Submit: Matthew Denton <mpdenton@chromium.org> | |
12 | Commit-Queue: Robert Sesek <rsesek@chromium.org> | |
13 | Reviewed-by: Robert Sesek <rsesek@chromium.org> | |
14 | Cr-Commit-Position: refs/heads/master@{#888958} | |
15 | --- | |
16 | ||
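--- a/sandbox/linux/system_headers/arm64_linux_syscalls.h
+++ b/sandbox/linux/system_headers/arm64_linux_syscalls.h
@@ -1119,4 +1119,100 @@
 #define __NR_rseq 293
 #endif
 
+#if !defined(__NR_kexec_file_load)
+#define __NR_kexec_file_load 294
+#endif
+
+#if !defined(__NR_pidfd_send_signal)
+#define __NR_pidfd_send_signal 424
+#endif
+
+#if !defined(__NR_io_uring_setup)
+#define __NR_io_uring_setup 425
+#endif
+
+#if !defined(__NR_io_uring_enter)
+#define __NR_io_uring_enter 426
+#endif
+
+#if !defined(__NR_io_uring_register)
+#define __NR_io_uring_register 427
+#endif
+
+#if !defined(__NR_open_tree)
+#define __NR_open_tree 428
+#endif
+
+#if !defined(__NR_move_mount)
+#define __NR_move_mount 429
+#endif
+
+#if !defined(__NR_fsopen)
+#define __NR_fsopen 430
+#endif
+
+#if !defined(__NR_fsconfig)
+#define __NR_fsconfig 431
+#endif
+
+#if !defined(__NR_fsmount)
+#define __NR_fsmount 432
+#endif
+
+#if !defined(__NR_fspick)
+#define __NR_fspick 433
+#endif
+
+#if !defined(__NR_pidfd_open)
+#define __NR_pidfd_open 434
+#endif
+
+#if !defined(__NR_clone3)
+#define __NR_clone3 435
+#endif
+
+#if !defined(__NR_close_range)
+#define __NR_close_range 436
+#endif
+
+#if !defined(__NR_openat2)
+#define __NR_openat2 437
+#endif
+
+#if !defined(__NR_pidfd_getfd)
+#define __NR_pidfd_getfd 438
+#endif
+
+#if !defined(__NR_faccessat2)
+#define __NR_faccessat2 439
+#endif
+
+#if !defined(__NR_process_madvise)
+#define __NR_process_madvise 440
+#endif
+
+#if !defined(__NR_epoll_pwait2)
+#define __NR_epoll_pwait2 441
+#endif
+
+#if !defined(__NR_mount_setattr)
+#define __NR_mount_setattr 442
+#endif
+
+#if !defined(__NR_quotactl_path)
+#define __NR_quotactl_path 443
+#endif
+
+#if !defined(__NR_landlock_create_ruleset)
+#define __NR_landlock_create_ruleset 444
+#endif
+
+#if !defined(__NR_landlock_add_rule)
+#define __NR_landlock_add_rule 445
+#endif
+
+#if !defined(__NR_landlock_restrict_self)
+#define __NR_landlock_restrict_self 446
+#endif
+
 #endif // SANDBOX_LINUX_SYSTEM_HEADERS_ARM64_LINUX_SYSCALLS_H_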
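Review bot: `__NR_quotactl_path 443` is defined only in this arm64 hunk; the mips64 and x86_64 hunks of the same commit jump from 442 straight to 444, so the three headers disagree on whether 443 exists. These constants are what the seccomp-bpf policies match on, so a number that is defined on one architecture and absent on another makes any policy rule naming it silently platform-dependent, and a wrong number would make the rule apply to a different syscall. As far as I recall, quotactl_path was withdrawn before the kernel release that reserved it and 443 was later reassigned, so the safest change is to drop the `#if !defined(__NR_quotactl_path)` / `#define __NR_quotactl_path 443` / `#endif` group here to match the other two headers, or add a comment stating why arm64 alone carries it.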
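--- a/sandbox/linux/system_headers/mips64_linux_syscalls.h
+++ b/sandbox/linux/system_headers/mips64_linux_syscalls.h
@@ -1271,4 +1271,148 @@
 #define __NR_memfd_create (__NR_Linux + 314)
 #endif
 
+#if !defined(__NR_bpf)
+#define __NR_bpf (__NR_Linux + 315)
+#endif
+
+#if !defined(__NR_execveat)
+#define __NR_execveat (__NR_Linux + 316)
+#endif
+
+#if !defined(__NR_userfaultfd)
+#define __NR_userfaultfd (__NR_Linux + 317)
+#endif
+
+#if !defined(__NR_membarrier)
+#define __NR_membarrier (__NR_Linux + 318)
+#endif
+
+#if !defined(__NR_mlock2)
+#define __NR_mlock2 (__NR_Linux + 319)
+#endif
+
+#if !defined(__NR_copy_file_range)
+#define __NR_copy_file_range (__NR_Linux + 320)
+#endif
+
+#if !defined(__NR_preadv2)
+#define __NR_preadv2 (__NR_Linux + 321)
+#endif
+
+#if !defined(__NR_pwritev2)
+#define __NR_pwritev2 (__NR_Linux + 322)
+#endif
+
+#if !defined(__NR_pkey_mprotect)
+#define __NR_pkey_mprotect (__NR_Linux + 323)
+#endif
+
+#if !defined(__NR_pkey_alloc)
+#define __NR_pkey_alloc (__NR_Linux + 324)
+#endif
+
+#if !defined(__NR_pkey_free)
+#define __NR_pkey_free (__NR_Linux + 325)
+#endif
+
+#if !defined(__NR_statx)
+#define __NR_statx (__NR_Linux + 326)
+#endif
+
+#if !defined(__NR_rseq)
+#define __NR_rseq (__NR_Linux + 327)
+#endif
+
+#if !defined(__NR_io_pgetevents)
+#define __NR_io_pgetevents (__NR_Linux + 328)
+#endif
+
+#if !defined(__NR_pidfd_send_signal)
+#define __NR_pidfd_send_signal (__NR_Linux + 424)
+#endif
+
+#if !defined(__NR_io_uring_setup)
+#define __NR_io_uring_setup (__NR_Linux + 425)
+#endif
+
+#if !defined(__NR_io_uring_enter)
+#define __NR_io_uring_enter (__NR_Linux + 426)
+#endif
+
+#if !defined(__NR_io_uring_register)
+#define __NR_io_uring_register (__NR_Linux + 427)
+#endif
+
+#if !defined(__NR_open_tree)
+#define __NR_open_tree (__NR_Linux + 428)
+#endif
+
+#if !defined(__NR_move_mount)
+#define __NR_move_mount (__NR_Linux + 429)
+#endif
+
+#if !defined(__NR_fsopen)
+#define __NR_fsopen (__NR_Linux + 430)
+#endif
+
+#if !defined(__NR_fsconfig)
+#define __NR_fsconfig (__NR_Linux + 431)
+#endif
+
+#if !defined(__NR_fsmount)
+#define __NR_fsmount (__NR_Linux + 432)
+#endif
+
+#if !defined(__NR_fspick)
+#define __NR_fspick (__NR_Linux + 433)
+#endif
+
+#if !defined(__NR_pidfd_open)
+#define __NR_pidfd_open (__NR_Linux + 434)
+#endif
+
+#if !defined(__NR_clone3)
+#define __NR_clone3 (__NR_Linux + 435)
+#endif
+
+#if !defined(__NR_close_range)
+#define __NR_close_range (__NR_Linux + 436)
+#endif
+
+#if !defined(__NR_openat2)
+#define __NR_openat2 (__NR_Linux + 437)
+#endif
+
+#if !defined(__NR_pidfd_getfd)
+#define __NR_pidfd_getfd (__NR_Linux + 438)
+#endif
+
+#if !defined(__NR_faccessat2)
+#define __NR_faccessat2 (__NR_Linux + 439)
+#endif
+
+#if !defined(__NR_process_madvise)
+#define __NR_process_madvise (__NR_Linux + 440)
+#endif
+
+#if !defined(__NR_epoll_pwait2)
+#define __NR_epoll_pwait2 (__NR_Linux + 441)
+#endif
+
+#if !defined(__NR_mount_setattr)
+#define __NR_mount_setattr (__NR_Linux + 442)
+#endif
+
+#if !defined(__NR_landlock_create_ruleset)
+#define __NR_landlock_create_ruleset (__NR_Linux + 444)
+#endif
+
+#if !defined(__NR_landlock_add_rule)
+#define __NR_landlock_add_rule (__NR_Linux + 445)
+#endif
+
+#if !defined(__NR_landlock_restrict_self)
+#define __NR_landlock_restrict_self (__NR_Linux + 446)
+#endif
+
 #endif // SANDBOX_LINUX_SYSTEM_HEADERS_MIPS64_LINUX_SYSCALLS_H_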
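--- a/sandbox/linux/system_headers/x86_64_linux_syscalls.h
+++ b/sandbox/linux/system_headers/x86_64_linux_syscalls.h
@@ -1350,5 +1350,93 @@
 #define __NR_rseq 334
 #endif
 
+#if !defined(__NR_pidfd_send_signal)
+#define __NR_pidfd_send_signal 424
+#endif
+
+#if !defined(__NR_io_uring_setup)
+#define __NR_io_uring_setup 425
+#endif
+
+#if !defined(__NR_io_uring_enter)
+#define __NR_io_uring_enter 426
+#endif
+
+#if !defined(__NR_io_uring_register)
+#define __NR_io_uring_register 427
+#endif
+
+#if !defined(__NR_open_tree)
+#define __NR_open_tree 428
+#endif
+
+#if !defined(__NR_move_mount)
+#define __NR_move_mount 429
+#endif
+
+#if !defined(__NR_fsopen)
+#define __NR_fsopen 430
+#endif
+
+#if !defined(__NR_fsconfig)
+#define __NR_fsconfig 431
+#endif
+
+#if !defined(__NR_fsmount)
+#define __NR_fsmount 432
+#endif
+
+#if !defined(__NR_fspick)
+#define __NR_fspick 433
+#endif
+
+#if !defined(__NR_pidfd_open)
+#define __NR_pidfd_open 434
+#endif
+
+#if !defined(__NR_clone3)
+#define __NR_clone3 435
+#endif
+
+#if !defined(__NR_close_range)
+#define __NR_close_range 436
+#endif
+
+#if !defined(__NR_openat2)
+#define __NR_openat2 437
+#endif
+
+#if !defined(__NR_pidfd_getfd)
+#define __NR_pidfd_getfd 438
+#endif
+
+#if !defined(__NR_faccessat2)
+#define __NR_faccessat2 439
+#endif
+
+#if !defined(__NR_process_madvise)
+#define __NR_process_madvise 440
+#endif
+
+#if !defined(__NR_epoll_pwait2)
+#define __NR_epoll_pwait2 441
+#endif
+
+#if !defined(__NR_mount_setattr)
+#define __NR_mount_setattr 442
+#endif
+
+#if !defined(__NR_landlock_create_ruleset)
+#define __NR_landlock_create_ruleset 444
+#endif
+
+#if !defined(__NR_landlock_add_rule)
+#define __NR_landlock_add_rule 445
+#endif
+
+#if !defined(__NR_landlock_restrict_self)
+#define __NR_landlock_restrict_self 446
+#endif
+
 #endif // SANDBOX_LINUX_SYSTEM_HEADERS_X86_64_LINUX_SYSCALLS_H_
 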
373 | From 218438259dd795456f0a48f67cbe5b4e520db88b Mon Sep 17 00:00:00 2001 | |
374 | From: Matthew Denton <mpdenton@chromium.org> | |
375 | Date: Thu, 03 Jun 2021 20:06:13 +0000 | |
376 | Subject: [PATCH] Linux sandbox: return ENOSYS for clone3 | |
377 | ||
378 | Because clone3 uses a pointer argument rather than a flags argument, we | |
379 | cannot examine the contents with seccomp, which is essential to | |
380 | preventing sandboxed processes from starting other processes. So, we | |
381 | won't be able to support clone3 in Chromium. This CL modifies the | |
382 | BPF policy to return ENOSYS for clone3 so glibc always uses the fallback | |
383 | to clone. | |
384 | ||
385 | Bug: 1213452 | |
386 | Change-Id: I7c7c585a319e0264eac5b1ebee1a45be2d782303 | |
387 | Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2936184 | |
388 | Reviewed-by: Robert Sesek <rsesek@chromium.org> | |
389 | Commit-Queue: Matthew Denton <mpdenton@chromium.org> | |
390 | Cr-Commit-Position: refs/heads/master@{#888980} | |
391 | --- | |
392 | ||
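--- a/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc
+++ b/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc
@@ -178,6 +178,12 @@
 return RestrictCloneToThreadsAndEPERMFork();
 }
 
+// clone3 takes a pointer argument which we cannot examine, so return ENOSYS
+// to force the libc to use clone. See https://crbug.com/1213452.
+if (sysno == __NR_clone3) {
+return Error(ENOSYS);
+}
+
 if (sysno == __NR_fcntl)
 return RestrictFcntlCommands();
 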
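Review bot: The new comment says why clone3 cannot be filtered but not why the error code has to be ENOSYS rather than the EPERM the policy hands out for fork just above, and that choice is what the change rests on; suggest extending it with `// ENOSYS specifically: glibc only falls back to clone() when clone3 fails with ENOSYS; EPERM (or a SIGSYS crash) would surface as a failed clone3 to the caller instead.` This branch also assumes `__NR_clone3` is defined for every architecture the policy is built for; the companion commit on this page adds it to the arm64, mips64 and x86_64 headers, and any other per-architecture header would need the same define or this file no longer compiles there. The enclosing function starts and ends outside the hunk.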
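--- chromium/third_party/abseil-cpp/absl/debugging/failure_signal_handler.cc.orig 2021-08-13 12:36:58.000000000 +0200
+++ chromium/third_party/abseil-cpp/absl/debugging/failure_signal_handler.cc 2021-08-18 22:04:02.165382504 +0200
@@ -135,7 +135,7 @@
 #else
 const size_t page_mask = sysconf(_SC_PAGESIZE) - 1;
 #endif
-size_t stack_size = (std::max(SIGSTKSZ, 65536) + page_mask) & ~page_mask;
+size_t stack_size = (std::max<size_t>(SIGSTKSZ, 65536) + page_mask) & ~page_mask;
 #if defined(ABSL_HAVE_ADDRESS_SANITIZER) || \
 defined(ABSL_HAVE_MEMORY_SANITIZER) || defined(ABSL_HAVE_THREAD_SANITIZER)
 // Account for sanitizer instrumentation requiring additional stack space.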
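Review bot: `std::max<size_t>(SIGSTKSZ, 65536)` resolves the deduction failure when SIGSTKSZ is no longer an integer constant (on recent glibc it expands to a `sysconf()` call returning `long`, which is presumably what motivated this patch), but it does so by converting a signed value to `size_t`, so in principle a negative result from that call would become SIZE_MAX and the following `& ~page_mask` would hand an enormous stack_size to the allocation below. A small guard keeps the intent explicit: `const long min_stack = SIGSTKSZ;  // may be a sysconf() call, evaluate once` followed by `size_t stack_size = (std::max<size_t>(min_stack > 0 ? min_stack : 0, 65536) + page_mask) & ~page_mask;`. The same signed-to-unsigned conversion of SIGSTKSZ appears in the breakpad hunk below. The function this sits in starts and ends outside the hunk.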
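--- chromium/third_party/breakpad/breakpad/src/client/linux/handler/exception_handler.cc.orig 2021-08-18 22:05:45.366849996 +0200
+++ chromium/third_party/breakpad/breakpad/src/client/linux/handler/exception_handler.cc 2021-08-18 22:05:57.647024518 +0200
@@ -138,7 +138,7 @@
 // SIGSTKSZ may be too small to prevent the signal handlers from overrunning
 // the alternative stack. Ensure that the size of the alternative stack is
 // large enough.
-static const unsigned kSigStackSize = std::max(16384, SIGSTKSZ);
+static const unsigned kSigStackSize = std::max<size_t>(16384, SIGSTKSZ);
 
 // Only set an alternative stack if there isn't already one, or if the current
 // one is too small.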
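Review bot: The new initializer is a `size_t` expression stored in an `unsigned` variable, so on 64-bit targets the conversion narrows; it is harmless for any realistic stack size, but it trades the old deduction error for a silent truncation and may trip `-Wshorten-64-to-32`-style warnings in a warnings-as-errors build. Either make the template argument match the variable, `static const unsigned kSigStackSize = std::max<unsigned>(16384, SIGSTKSZ);`, or widen the variable to `static const size_t kSigStackSize` if its later uses accept that. The function holding this static starts and ends outside the hunk, so those uses are not visible from here.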