1 From 5e08782516d24de536e75d6bf4ff2bc87be55124 Mon Sep 17 00:00:00 2001
2 From: Matthew Denton <mpdenton@chromium.org>
3 Date: Thu, 03 Jun 2021 19:02:10 +0000
4 Subject: [PATCH] Linux sandbox: update syscall numbers for all platforms.
6 This includes clone3 and the landlock system calls.
9 Change-Id: Iaf14a7c9d455c7a22ad179b13541a60dcabaac09
10 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2934620
11 Auto-Submit: Matthew Denton <mpdenton@chromium.org>
12 Commit-Queue: Robert Sesek <rsesek@chromium.org>
13 Reviewed-by: Robert Sesek <rsesek@chromium.org>
14 Cr-Commit-Position: refs/heads/master@{#888958}
17 diff --git a/sandbox/linux/system_headers/arm64_linux_syscalls.h b/sandbox/linux/system_headers/arm64_linux_syscalls.h
18 index a242c18c..ab86b36 100644
19 --- a/sandbox/linux/system_headers/arm64_linux_syscalls.h
20 +++ b/sandbox/linux/system_headers/arm64_linux_syscalls.h
21 @@ -1119,4 +1119,100 @@
25 +#if !defined(__NR_kexec_file_load)
26 +#define __NR_kexec_file_load 294
29 +#if !defined(__NR_pidfd_send_signal)
30 +#define __NR_pidfd_send_signal 424
33 +#if !defined(__NR_io_uring_setup)
34 +#define __NR_io_uring_setup 425
37 +#if !defined(__NR_io_uring_enter)
38 +#define __NR_io_uring_enter 426
41 +#if !defined(__NR_io_uring_register)
42 +#define __NR_io_uring_register 427
45 +#if !defined(__NR_open_tree)
46 +#define __NR_open_tree 428
49 +#if !defined(__NR_move_mount)
50 +#define __NR_move_mount 429
53 +#if !defined(__NR_fsopen)
54 +#define __NR_fsopen 430
57 +#if !defined(__NR_fsconfig)
58 +#define __NR_fsconfig 431
61 +#if !defined(__NR_fsmount)
62 +#define __NR_fsmount 432
65 +#if !defined(__NR_fspick)
66 +#define __NR_fspick 433
69 +#if !defined(__NR_pidfd_open)
70 +#define __NR_pidfd_open 434
73 +#if !defined(__NR_clone3)
74 +#define __NR_clone3 435
77 +#if !defined(__NR_close_range)
78 +#define __NR_close_range 436
81 +#if !defined(__NR_openat2)
82 +#define __NR_openat2 437
85 +#if !defined(__NR_pidfd_getfd)
86 +#define __NR_pidfd_getfd 438
89 +#if !defined(__NR_faccessat2)
90 +#define __NR_faccessat2 439
93 +#if !defined(__NR_process_madvise)
94 +#define __NR_process_madvise 440
97 +#if !defined(__NR_epoll_pwait2)
98 +#define __NR_epoll_pwait2 441
101 +#if !defined(__NR_mount_setattr)
102 +#define __NR_mount_setattr 442
105 +#if !defined(__NR_quotactl_path)
106 +#define __NR_quotactl_path 443
109 +#if !defined(__NR_landlock_create_ruleset)
110 +#define __NR_landlock_create_ruleset 444
113 +#if !defined(__NR_landlock_add_rule)
114 +#define __NR_landlock_add_rule 445
117 +#if !defined(__NR_landlock_restrict_self)
118 +#define __NR_landlock_restrict_self 446
121 #endif // SANDBOX_LINUX_SYSTEM_HEADERS_ARM64_LINUX_SYSCALLS_H_
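Review bot: `__NR_quotactl_path 443` is defined only in this arm64 table; the mips64 hunk (L71–L144) and the x86_64 hunk (L150–L195) in the same commit go straight from 442 (`mount_setattr`) to 444 (`landlock_create_ruleset`), so the three platforms disagree on whether slot 443 has a name. Any seccomp policy that references `__NR_quotactl_path` will compile on arm64 and fail to compile on the other two, which defeats the "all platforms" intent of the change; either add the definition to all three headers or drop it here. If I recall correctly the quotactl_path entry was still being reworked upstream around the 5.13 cycle and the 443 slot was later reused under a different name, so if it is kept a short note such as `// 443: quotactl_path as of the 5.13-rc uapi header; re-check against the released kernel before relying on it.` would help whoever next bumps these tables. The `#endif` lines closing each guard are not visible in this rendering, so I could not confirm every `#if !defined` block is closed.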
122 diff --git a/sandbox/linux/system_headers/mips64_linux_syscalls.h b/sandbox/linux/system_headers/mips64_linux_syscalls.h
123 index ec75815a..ae7cb48 100644
124 --- a/sandbox/linux/system_headers/mips64_linux_syscalls.h
125 +++ b/sandbox/linux/system_headers/mips64_linux_syscalls.h
126 @@ -1271,4 +1271,148 @@
127 #define __NR_memfd_create (__NR_Linux + 314)
130 +#if !defined(__NR_bpf)
131 +#define __NR_bpf (__NR_Linux + 315)
134 +#if !defined(__NR_execveat)
135 +#define __NR_execveat (__NR_Linux + 316)
138 +#if !defined(__NR_userfaultfd)
139 +#define __NR_userfaultfd (__NR_Linux + 317)
142 +#if !defined(__NR_membarrier)
143 +#define __NR_membarrier (__NR_Linux + 318)
146 +#if !defined(__NR_mlock2)
147 +#define __NR_mlock2 (__NR_Linux + 319)
150 +#if !defined(__NR_copy_file_range)
151 +#define __NR_copy_file_range (__NR_Linux + 320)
154 +#if !defined(__NR_preadv2)
155 +#define __NR_preadv2 (__NR_Linux + 321)
158 +#if !defined(__NR_pwritev2)
159 +#define __NR_pwritev2 (__NR_Linux + 322)
162 +#if !defined(__NR_pkey_mprotect)
163 +#define __NR_pkey_mprotect (__NR_Linux + 323)
166 +#if !defined(__NR_pkey_alloc)
167 +#define __NR_pkey_alloc (__NR_Linux + 324)
170 +#if !defined(__NR_pkey_free)
171 +#define __NR_pkey_free (__NR_Linux + 325)
174 +#if !defined(__NR_statx)
175 +#define __NR_statx (__NR_Linux + 326)
178 +#if !defined(__NR_rseq)
179 +#define __NR_rseq (__NR_Linux + 327)
182 +#if !defined(__NR_io_pgetevents)
183 +#define __NR_io_pgetevents (__NR_Linux + 328)
186 +#if !defined(__NR_pidfd_send_signal)
187 +#define __NR_pidfd_send_signal (__NR_Linux + 424)
190 +#if !defined(__NR_io_uring_setup)
191 +#define __NR_io_uring_setup (__NR_Linux + 425)
194 +#if !defined(__NR_io_uring_enter)
195 +#define __NR_io_uring_enter (__NR_Linux + 426)
198 +#if !defined(__NR_io_uring_register)
199 +#define __NR_io_uring_register (__NR_Linux + 427)
202 +#if !defined(__NR_open_tree)
203 +#define __NR_open_tree (__NR_Linux + 428)
206 +#if !defined(__NR_move_mount)
207 +#define __NR_move_mount (__NR_Linux + 429)
210 +#if !defined(__NR_fsopen)
211 +#define __NR_fsopen (__NR_Linux + 430)
214 +#if !defined(__NR_fsconfig)
215 +#define __NR_fsconfig (__NR_Linux + 431)
218 +#if !defined(__NR_fsmount)
219 +#define __NR_fsmount (__NR_Linux + 432)
222 +#if !defined(__NR_fspick)
223 +#define __NR_fspick (__NR_Linux + 433)
226 +#if !defined(__NR_pidfd_open)
227 +#define __NR_pidfd_open (__NR_Linux + 434)
230 +#if !defined(__NR_clone3)
231 +#define __NR_clone3 (__NR_Linux + 435)
234 +#if !defined(__NR_close_range)
235 +#define __NR_close_range (__NR_Linux + 436)
238 +#if !defined(__NR_openat2)
239 +#define __NR_openat2 (__NR_Linux + 437)
242 +#if !defined(__NR_pidfd_getfd)
243 +#define __NR_pidfd_getfd (__NR_Linux + 438)
246 +#if !defined(__NR_faccessat2)
247 +#define __NR_faccessat2 (__NR_Linux + 439)
250 +#if !defined(__NR_process_madvise)
251 +#define __NR_process_madvise (__NR_Linux + 440)
254 +#if !defined(__NR_epoll_pwait2)
255 +#define __NR_epoll_pwait2 (__NR_Linux + 441)
258 +#if !defined(__NR_mount_setattr)
259 +#define __NR_mount_setattr (__NR_Linux + 442)
262 +#if !defined(__NR_landlock_create_ruleset)
263 +#define __NR_landlock_create_ruleset (__NR_Linux + 444)
266 +#if !defined(__NR_landlock_add_rule)
267 +#define __NR_landlock_add_rule (__NR_Linux + 445)
270 +#if !defined(__NR_landlock_restrict_self)
271 +#define __NR_landlock_restrict_self (__NR_Linux + 446)
274 #endif // SANDBOX_LINUX_SYSTEM_HEADERS_MIPS64_LINUX_SYSCALLS_H_
275 diff --git a/sandbox/linux/system_headers/x86_64_linux_syscalls.h b/sandbox/linux/system_headers/x86_64_linux_syscalls.h
276 index b0ae0a2..e618c62 100644
277 --- a/sandbox/linux/system_headers/x86_64_linux_syscalls.h
278 +++ b/sandbox/linux/system_headers/x86_64_linux_syscalls.h
279 @@ -1350,5 +1350,93 @@
280 #define __NR_rseq 334
283 +#if !defined(__NR_pidfd_send_signal)
284 +#define __NR_pidfd_send_signal 424
287 +#if !defined(__NR_io_uring_setup)
288 +#define __NR_io_uring_setup 425
291 +#if !defined(__NR_io_uring_enter)
292 +#define __NR_io_uring_enter 426
295 +#if !defined(__NR_io_uring_register)
296 +#define __NR_io_uring_register 427
299 +#if !defined(__NR_open_tree)
300 +#define __NR_open_tree 428
303 +#if !defined(__NR_move_mount)
304 +#define __NR_move_mount 429
307 +#if !defined(__NR_fsopen)
308 +#define __NR_fsopen 430
311 +#if !defined(__NR_fsconfig)
312 +#define __NR_fsconfig 431
315 +#if !defined(__NR_fsmount)
316 +#define __NR_fsmount 432
319 +#if !defined(__NR_fspick)
320 +#define __NR_fspick 433
323 +#if !defined(__NR_pidfd_open)
324 +#define __NR_pidfd_open 434
327 +#if !defined(__NR_clone3)
328 +#define __NR_clone3 435
331 +#if !defined(__NR_close_range)
332 +#define __NR_close_range 436
335 +#if !defined(__NR_openat2)
336 +#define __NR_openat2 437
339 +#if !defined(__NR_pidfd_getfd)
340 +#define __NR_pidfd_getfd 438
343 +#if !defined(__NR_faccessat2)
344 +#define __NR_faccessat2 439
347 +#if !defined(__NR_process_madvise)
348 +#define __NR_process_madvise 440
351 +#if !defined(__NR_epoll_pwait2)
352 +#define __NR_epoll_pwait2 441
355 +#if !defined(__NR_mount_setattr)
356 +#define __NR_mount_setattr 442
359 +#if !defined(__NR_landlock_create_ruleset)
360 +#define __NR_landlock_create_ruleset 444
363 +#if !defined(__NR_landlock_add_rule)
364 +#define __NR_landlock_add_rule 445
367 +#if !defined(__NR_landlock_restrict_self)
368 +#define __NR_landlock_restrict_self 446
371 #endif // SANDBOX_LINUX_SYSTEM_HEADERS_X86_64_LINUX_SYSCALLS_H_
373 From 218438259dd795456f0a48f67cbe5b4e520db88b Mon Sep 17 00:00:00 2001
374 From: Matthew Denton <mpdenton@chromium.org>
375 Date: Thu, 03 Jun 2021 20:06:13 +0000
376 Subject: [PATCH] Linux sandbox: return ENOSYS for clone3
378 Because clone3 uses a pointer argument rather than a flags argument, we
379 cannot examine the contents with seccomp, which is essential to
380 preventing sandboxed processes from starting other processes. So, we
381 won't be able to support clone3 in Chromium. This CL modifies the
382 BPF policy to return ENOSYS for clone3 so glibc always uses the fallback
386 Change-Id: I7c7c585a319e0264eac5b1ebee1a45be2d782303
387 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2936184
388 Reviewed-by: Robert Sesek <rsesek@chromium.org>
389 Commit-Queue: Matthew Denton <mpdenton@chromium.org>
390 Cr-Commit-Position: refs/heads/master@{#888980}
393 diff --git a/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc b/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc
394 index 05c39f0..086c56a2 100644
395 --- a/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc
396 +++ b/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc
398 return RestrictCloneToThreadsAndEPERMFork();
401 + // clone3 takes a pointer argument which we cannot examine, so return ENOSYS
402 + // to force the libc to use clone. See https://crbug.com/1213452.
403 + if (sysno == __NR_clone3) {
404 + return Error(ENOSYS);
407 if (sysno == __NR_fcntl)
408 return RestrictFcntlCommands();
410 --- chromium/third_party/abseil-cpp/absl/debugging/failure_signal_handler.cc.orig 2021-08-13 12:36:58.000000000 +0200
411 +++ chromium/third_party/abseil-cpp/absl/debugging/failure_signal_handler.cc 2021-08-18 22:04:02.165382504 +0200
414 const size_t page_mask = sysconf(_SC_PAGESIZE) - 1;
416 - size_t stack_size = (std::max(SIGSTKSZ, 65536) + page_mask) & ~page_mask;
417 + size_t stack_size = (std::max<size_t>(SIGSTKSZ, 65536) + page_mask) & ~page_mask;
418 #if defined(ABSL_HAVE_ADDRESS_SANITIZER) || \
419 defined(ABSL_HAVE_MEMORY_SANITIZER) || defined(ABSL_HAVE_THREAD_SANITIZER)
420 // Account for sanitizer instrumentation requiring additional stack space.
421 --- chromium/third_party/breakpad/breakpad/src/client/linux/handler/exception_handler.cc.orig 2021-08-18 22:05:45.366849996 +0200
422 +++ chromium/third_party/breakpad/breakpad/src/client/linux/handler/exception_handler.cc 2021-08-18 22:05:57.647024518 +0200
424 // SIGSTKSZ may be too small to prevent the signal handlers from overrunning
425 // the alternative stack. Ensure that the size of the alternative stack is
427 - static const unsigned kSigStackSize = std::max(16384, SIGSTKSZ);
428 + static const unsigned kSigStackSize = std::max<size_t>(16384, SIGSTKSZ);
430 // Only set an alternative stack if there isn't already one, or if the current