From: Jan Palus Date: Wed, 18 Aug 2021 21:55:24 +0000 (+0200) Subject: build and runtime fixes for glibc 2.34; rel 2 X-Git-Tag: auto/th/qt5-qtwebengine-5.15.5-2 X-Git-Url: http://git.pld-linux.org/gitweb.cgi?a=commitdiff_plain;h=7b92ae8bedb15f8f68d89b64dc8305aa78471431;p=packages%2Fqt5-qtwebengine.git build and runtime fixes for glibc 2.34; rel 2 based on: https://bugs.chromium.org/p/chromium/issues/detail?id=1213452 https://github.com/meta-qt5/meta-qt5/commit/2a38fca150f065f869ed530fffe1a07beec80692
---
diff --git a/glibc2.34.patch b/glibc2.34.patch
new file mode 100644
index 0000000..08eac1f
--- /dev/null
+++ b/glibc2.34.patch
@@ -0,0 +1,431 @@
+From 5e08782516d24de536e75d6bf4ff2bc87be55124 Mon Sep 17 00:00:00 2001
+From: Matthew Denton
+Date: Thu, 03 Jun 2021 19:02:10 +0000
+Subject: [PATCH] Linux sandbox: update syscall numbers for all platforms.
+
+This includes clone3 and the landlock system calls.
+
+Bug: 1213452
+Change-Id: Iaf14a7c9d455c7a22ad179b13541a60dcabaac09
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2934620
+Auto-Submit: Matthew Denton
+Commit-Queue: Robert Sesek
+Reviewed-by: Robert Sesek
+Cr-Commit-Position: refs/heads/master@{#888958}
+---
+
+diff --git a/sandbox/linux/system_headers/arm64_linux_syscalls.h b/sandbox/linux/system_headers/arm64_linux_syscalls.h
+index a242c18c..ab86b36 100644
+--- a/sandbox/linux/system_headers/arm64_linux_syscalls.h
++++ b/sandbox/linux/system_headers/arm64_linux_syscalls.h
+@@ -1119,4 +1119,100 @@
+ #define __NR_rseq 293
+ #endif
+
++#if !defined(__NR_kexec_file_load)
++#define __NR_kexec_file_load 294
++#endif
++
++#if !defined(__NR_pidfd_send_signal)
++#define __NR_pidfd_send_signal 424
++#endif
++
++#if !defined(__NR_io_uring_setup)
++#define __NR_io_uring_setup 425
++#endif
++
++#if !defined(__NR_io_uring_enter)
++#define __NR_io_uring_enter 426
++#endif
++
++#if !defined(__NR_io_uring_register)
++#define __NR_io_uring_register 427
++#endif
++
++#if !defined(__NR_open_tree)
++#define __NR_open_tree 428
++#endif
++
++#if !defined(__NR_move_mount)
++#define __NR_move_mount 429
++#endif
++
++#if !defined(__NR_fsopen)
++#define __NR_fsopen 430
++#endif
++
++#if !defined(__NR_fsconfig)
++#define __NR_fsconfig 431
++#endif
++
++#if !defined(__NR_fsmount)
++#define __NR_fsmount 432
++#endif
++
++#if !defined(__NR_fspick)
++#define __NR_fspick 433
++#endif
++
++#if !defined(__NR_pidfd_open)
++#define __NR_pidfd_open 434
++#endif
++
++#if !defined(__NR_clone3)
++#define __NR_clone3 435
++#endif
++
++#if !defined(__NR_close_range)
++#define __NR_close_range 436
++#endif
++
++#if !defined(__NR_openat2)
++#define __NR_openat2 437
++#endif
++
++#if !defined(__NR_pidfd_getfd)
++#define __NR_pidfd_getfd 438
++#endif
++
++#if !defined(__NR_faccessat2)
++#define __NR_faccessat2 439
++#endif
++
++#if !defined(__NR_process_madvise)
++#define __NR_process_madvise 440
++#endif
++
++#if !defined(__NR_epoll_pwait2)
++#define __NR_epoll_pwait2 441
++#endif
++
++#if !defined(__NR_mount_setattr)
++#define __NR_mount_setattr 442
++#endif
++
++#if !defined(__NR_quotactl_path)
++#define __NR_quotactl_path 443
++#endif
++
++#if !defined(__NR_landlock_create_ruleset)
++#define __NR_landlock_create_ruleset 444
++#endif
++
++#if !defined(__NR_landlock_add_rule)
++#define __NR_landlock_add_rule 445
++#endif
++
++#if !defined(__NR_landlock_restrict_self)
++#define __NR_landlock_restrict_self 446
++#endif
++
+ #endif // SANDBOX_LINUX_SYSTEM_HEADERS_ARM64_LINUX_SYSCALLS_H_
+diff --git a/sandbox/linux/system_headers/mips64_linux_syscalls.h b/sandbox/linux/system_headers/mips64_linux_syscalls.h
+index ec75815a..ae7cb48 100644
+--- a/sandbox/linux/system_headers/mips64_linux_syscalls.h
++++ b/sandbox/linux/system_headers/mips64_linux_syscalls.h
+@@ -1271,4 +1271,148 @@
+ #define __NR_memfd_create (__NR_Linux + 314)
+ #endif
+
++#if !defined(__NR_bpf)
++#define __NR_bpf (__NR_Linux + 315)
++#endif
++
++#if !defined(__NR_execveat)
++#define __NR_execveat (__NR_Linux + 316)
++#endif
++
++#if !defined(__NR_userfaultfd)
++#define __NR_userfaultfd (__NR_Linux + 317)
++#endif
++
++#if !defined(__NR_membarrier)
++#define __NR_membarrier (__NR_Linux + 318)
++#endif
++
++#if !defined(__NR_mlock2)
++#define __NR_mlock2 (__NR_Linux + 319)
++#endif
++
++#if !defined(__NR_copy_file_range)
++#define __NR_copy_file_range (__NR_Linux + 320)
++#endif
++
++#if !defined(__NR_preadv2)
++#define __NR_preadv2 (__NR_Linux + 321)
++#endif
++
++#if !defined(__NR_pwritev2)
++#define __NR_pwritev2 (__NR_Linux + 322)
++#endif
++
++#if !defined(__NR_pkey_mprotect)
++#define __NR_pkey_mprotect (__NR_Linux + 323)
++#endif
++
++#if !defined(__NR_pkey_alloc)
++#define __NR_pkey_alloc (__NR_Linux + 324)
++#endif
++
++#if !defined(__NR_pkey_free)
++#define __NR_pkey_free (__NR_Linux + 325)
++#endif
++
++#if !defined(__NR_statx)
++#define __NR_statx (__NR_Linux + 326)
++#endif
++
++#if !defined(__NR_rseq)
++#define __NR_rseq (__NR_Linux + 327)
++#endif
++
++#if !defined(__NR_io_pgetevents)
++#define __NR_io_pgetevents (__NR_Linux + 328)
++#endif
++
++#if !defined(__NR_pidfd_send_signal)
++#define __NR_pidfd_send_signal (__NR_Linux + 424)
++#endif
++
++#if !defined(__NR_io_uring_setup)
++#define __NR_io_uring_setup (__NR_Linux + 425)
++#endif
++
++#if !defined(__NR_io_uring_enter)
++#define __NR_io_uring_enter (__NR_Linux + 426)
++#endif
++
++#if !defined(__NR_io_uring_register)
++#define __NR_io_uring_register (__NR_Linux + 427)
++#endif
++
++#if !defined(__NR_open_tree)
++#define __NR_open_tree (__NR_Linux + 428)
++#endif
++
++#if !defined(__NR_move_mount)
++#define __NR_move_mount (__NR_Linux + 429)
++#endif
++
++#if !defined(__NR_fsopen)
++#define __NR_fsopen (__NR_Linux + 430)
++#endif
++
++#if !defined(__NR_fsconfig)
++#define __NR_fsconfig (__NR_Linux + 431)
++#endif
++
++#if !defined(__NR_fsmount)
++#define __NR_fsmount (__NR_Linux + 432)
++#endif
++
++#if !defined(__NR_fspick)
++#define __NR_fspick (__NR_Linux + 433)
++#endif
++
++#if !defined(__NR_pidfd_open)
++#define __NR_pidfd_open (__NR_Linux + 434)
++#endif
++
++#if !defined(__NR_clone3)
++#define __NR_clone3 (__NR_Linux + 435)
++#endif
++
++#if !defined(__NR_close_range)
++#define __NR_close_range (__NR_Linux + 436)
++#endif
++
++#if !defined(__NR_openat2)
++#define __NR_openat2 (__NR_Linux + 437)
++#endif
++
++#if !defined(__NR_pidfd_getfd)
++#define __NR_pidfd_getfd (__NR_Linux + 438)
++#endif
++
++#if !defined(__NR_faccessat2)
++#define __NR_faccessat2 (__NR_Linux + 439)
++#endif
++
++#if !defined(__NR_process_madvise)
++#define __NR_process_madvise (__NR_Linux + 440)
++#endif
++
++#if !defined(__NR_epoll_pwait2)
++#define __NR_epoll_pwait2 (__NR_Linux + 441)
++#endif
++
++#if !defined(__NR_mount_setattr)
++#define __NR_mount_setattr (__NR_Linux + 442)
++#endif
++
++#if !defined(__NR_landlock_create_ruleset)
++#define __NR_landlock_create_ruleset (__NR_Linux + 444)
++#endif
++
++#if !defined(__NR_landlock_add_rule)
++#define __NR_landlock_add_rule (__NR_Linux + 445)
++#endif
++
++#if !defined(__NR_landlock_restrict_self)
++#define __NR_landlock_restrict_self (__NR_Linux + 446)
++#endif
++
+ #endif // SANDBOX_LINUX_SYSTEM_HEADERS_MIPS64_LINUX_SYSCALLS_H_
+diff --git a/sandbox/linux/system_headers/x86_64_linux_syscalls.h b/sandbox/linux/system_headers/x86_64_linux_syscalls.h
+index b0ae0a2..e618c62 100644
+--- a/sandbox/linux/system_headers/x86_64_linux_syscalls.h
++++ b/sandbox/linux/system_headers/x86_64_linux_syscalls.h
+@@ -1350,5 +1350,93 @@
+ #define __NR_rseq 334
+ #endif
+
++#if !defined(__NR_pidfd_send_signal)
++#define __NR_pidfd_send_signal 424
++#endif
++
++#if !defined(__NR_io_uring_setup)
++#define __NR_io_uring_setup 425
++#endif
++
++#if !defined(__NR_io_uring_enter)
++#define __NR_io_uring_enter 426
++#endif
++
++#if !defined(__NR_io_uring_register)
++#define __NR_io_uring_register 427
++#endif
++
++#if !defined(__NR_open_tree)
++#define __NR_open_tree 428
++#endif
++
++#if !defined(__NR_move_mount)
++#define __NR_move_mount 429
++#endif
++
++#if !defined(__NR_fsopen)
++#define __NR_fsopen 430
++#endif
++
++#if !defined(__NR_fsconfig)
++#define __NR_fsconfig 431
++#endif
++
++#if !defined(__NR_fsmount)
++#define __NR_fsmount 432
++#endif
++
++#if !defined(__NR_fspick)
++#define __NR_fspick 433
++#endif
++
++#if !defined(__NR_pidfd_open)
++#define __NR_pidfd_open 434
++#endif
++
++#if !defined(__NR_clone3)
++#define __NR_clone3 435
++#endif
++
++#if !defined(__NR_close_range)
++#define __NR_close_range 436
++#endif
++
++#if !defined(__NR_openat2)
++#define __NR_openat2 437
++#endif
++
++#if !defined(__NR_pidfd_getfd)
++#define __NR_pidfd_getfd 438
++#endif
++
++#if !defined(__NR_faccessat2)
++#define __NR_faccessat2 439
++#endif
++
++#if !defined(__NR_process_madvise)
++#define __NR_process_madvise 440
++#endif
++
++#if !defined(__NR_epoll_pwait2)
++#define __NR_epoll_pwait2 441
++#endif
++
++#if !defined(__NR_mount_setattr)
++#define __NR_mount_setattr 442
++#endif
++
++#if !defined(__NR_landlock_create_ruleset)
++#define __NR_landlock_create_ruleset 444
++#endif
++
++#if !defined(__NR_landlock_add_rule)
++#define __NR_landlock_add_rule 445
++#endif
++
++#if !defined(__NR_landlock_restrict_self)
++#define __NR_landlock_restrict_self 446
++#endif
++
+ #endif // SANDBOX_LINUX_SYSTEM_HEADERS_X86_64_LINUX_SYSCALLS_H_
+
+From 218438259dd795456f0a48f67cbe5b4e520db88b Mon Sep 17 00:00:00 2001
+From: Matthew Denton
+Date: Thu, 03 Jun 2021 20:06:13 +0000
+Subject: [PATCH] Linux sandbox: return ENOSYS for clone3
+
+Because clone3 uses a pointer argument rather than a flags argument, we
+cannot examine the contents with seccomp, which is essential to
+preventing sandboxed processes from starting other processes. So, we
+won't be able to support clone3 in Chromium. This CL modifies the
+BPF policy to return ENOSYS for clone3 so glibc always uses the fallback
+to clone.
+
+Bug: 1213452
+Change-Id: I7c7c585a319e0264eac5b1ebee1a45be2d782303
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2936184
+Reviewed-by: Robert Sesek
+Commit-Queue: Matthew Denton
+Cr-Commit-Position: refs/heads/master@{#888980}
+---
+
+diff --git a/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc b/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc
+index 05c39f0..086c56a2 100644
+--- a/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc
++++ b/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc
+@@ -178,6 +178,12 @@
+ return RestrictCloneToThreadsAndEPERMFork();
+ }
+
++ // clone3 takes a pointer argument which we cannot examine, so return ENOSYS
++ // to force the libc to use clone. See https://crbug.com/1213452.
++ if (sysno == __NR_clone3) {
++ return Error(ENOSYS);
++ }
++
+ if (sysno == __NR_fcntl)
+ return RestrictFcntlCommands();
+
+--- chromium/third_party/abseil-cpp/absl/debugging/failure_signal_handler.cc.orig 2021-08-13 12:36:58.000000000 +0200
++++ chromium/third_party/abseil-cpp/absl/debugging/failure_signal_handler.cc 2021-08-18 22:04:02.165382504 +0200
+@@ -135,7 +135,7 @@
+ #else
+ const size_t page_mask = sysconf(_SC_PAGESIZE) - 1;
+ #endif
+- size_t stack_size = (std::max(SIGSTKSZ, 65536) + page_mask) & ~page_mask;
++ size_t stack_size = (std::max(SIGSTKSZ, 65536) + page_mask) & ~page_mask;
+ #if defined(ABSL_HAVE_ADDRESS_SANITIZER) || \
+ defined(ABSL_HAVE_MEMORY_SANITIZER) || defined(ABSL_HAVE_THREAD_SANITIZER)
+ // Account for sanitizer instrumentation requiring additional stack space.
+--- chromium/third_party/breakpad/breakpad/src/client/linux/handler/exception_handler.cc.orig 2021-08-18 22:05:45.366849996 +0200
++++ chromium/third_party/breakpad/breakpad/src/client/linux/handler/exception_handler.cc 2021-08-18 22:05:57.647024518 +0200
+@@ -138,7 +138,7 @@
+ // SIGSTKSZ may be too small to prevent the signal handlers from overrunning
+ // the alternative stack. Ensure that the size of the alternative stack is
+ // large enough.
+- static const unsigned kSigStackSize = std::max(16384, SIGSTKSZ);
++ static const unsigned kSigStackSize = std::max(16384, SIGSTKSZ);
+
+ // Only set an alternative stack if there isn't already one, or if the current
+ // one is too small.
diff --git a/qt5-qtwebengine.spec b/qt5-qtwebengine.spec
index ca394d9..ad2bee3 100644
--- a/qt5-qtwebengine.spec
+++ b/qt5-qtwebengine.spec
@@ -14,7 +14,7 @@ Summary: The Qt5 WebEngine library
 Summary(pl.UTF-8): Biblioteka Qt5 WebEngine
 Name: qt5-%{orgname}
 Version: 5.15.5
-Release: 1
+Release: 2
 License: LGPL v3 or GPL v2 or GPL v3 or commercial
 Group: X11/Libraries
 Source0: qtwebengine-%{version}.tar.xz
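Review bot: The added `if (sysno == __NR_clone3)` test in baseline_policy.cc needs `__NR_clone3` to be defined on every architecture the package builds, but the header patch carried here adds the fallback define only to the arm64, mips64 and x86_64 syscall headers, although its subject says all platforms. On 32-bit x86 or ARM builds this compiles only if the installed kernel headers already provide the number, so those targets should be confirmed or the remaining header updates carried as well. The comment could also record why ENOSYS was chosen over EPERM, for example `// ENOSYS, not EPERM: libc only falls back to clone() when clone3 looks unimplemented.` The enclosing function starts and ends outside the hunk.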
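Review bot: In the failure_signal_handler.cc and exception_handler.cc hunks the removed and added lines read identically on this page, so the actual change (presumably an explicit template argument on `std::max`) is not visible and should be checked against the original patch. If SIGSTKSZ is now a runtime `sysconf` result, as the glibc 2.34 context suggests, a failure value of -1 converted to an unsigned type would win the `std::max` and yield an enormous alternate-stack size; treating a non-positive result as the fixed minimum before the comparison would avoid that. For breakpad's `static const unsigned kSigStackSize` the initializer would then no longer be a compile-time constant, which deserves a short comment next to the declaration. Both enclosing functions extend beyond their hunks.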
@@ -23,6 +23,7 @@ Patch0: x32.patch
 Patch1: %{name}-gn-dynamic.patch
 Patch2: icu.patch
 Patch3: glibc-2.33.patch
+Patch4: glibc2.34.patch
 URL: https://www.qt.io/
 BuildRequires: Mesa-khrplatform-devel
 BuildRequires: Qt5Core-devel >= %{qtbase_ver}
@@ -275,6 +276,9 @@ Przykłady do biblioteki Qt5 WebEngine.
 %patch1 -p1
 %patch2 -p1
 %patch3 -p1
+cd src/3rdparty/chromium
+%patch4 -p1
+cd ../../..
 %{qt5bindir}/syncqt.pl -version %{version}
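Review bot: The `cd src/3rdparty/chromium` / `cd ../../..` pair around `%patch4 -p1` in the last hunk makes every later %prep line depend on the relative path being retraced exactly. If the rpm in use supports it, `%patch4 -p1 -d src/3rdparty/chromium` applies the patch in that directory without changing the working directory for what follows. A one-line comment such as `# chromium-side glibc 2.34 fixes, paths relative to src/3rdparty/chromium` would also explain why this patch is applied differently from the preceding ones.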