commit 41b87b039adf11906a2fceaaa66bf1651bb595ef
Author: Tom Callaway <spot(a)fedoraproject.org>
Date: Tue Apr 16 11:54:46 2019 -0400
improved seccomp glibc 2.29 patch
...mium-73.0.3683.103-glibc-2.29-clone-vfork.patch | 29 ++++++++++++++++++++++
chromium-73.0.3683.86-glibc-2.29-clone-vfork.patch | 13 ----------
chromium.spec | 6 ++---
3 files changed, 32 insertions(+), 16 deletions(-)
---
diff --git a/chromium-73.0.3683.103-glibc-2.29-clone-vfork.patch
b/chromium-73.0.3683.103-glibc-2.29-clone-vfork.patch
new file mode 100644
index 0000000..8ff952b
--- /dev/null
+++ b/chromium-73.0.3683.103-glibc-2.29-clone-vfork.patch
@@ -0,0 +1,29 @@
+diff -up
chromium-73.0.3683.103/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc.glibc229
chromium-73.0.3683.103/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc
+---
chromium-73.0.3683.103/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc.glibc229 2019-04-16
11:49:35.353081246 -0400
++++
chromium-73.0.3683.103/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc 2019-04-16
11:51:22.105794620 -0400
+@@ -134,7 +134,8 @@ namespace sandbox {
+ #if !defined(OS_NACL_NONSFI)
+ // Allow Glibc's and Android pthread creation flags, crash on any other
+ // thread creation attempts and EPERM attempts to use neither
+-// CLONE_VM, nor CLONE_THREAD, which includes all fork() implementations.
++// CLONE_VM nor CLONE_THREAD (all fork implementations), unless CLONE_VFORK is
++// present (as in posix_spawn).
+ ResultExpr RestrictCloneToThreadsAndEPERMFork() {
+ const Arg<unsigned long> flags(0);
+
+@@ -153,8 +154,14 @@ ResultExpr RestrictCloneToThreadsAndEPER
+ AnyOf(flags == kAndroidCloneMask, flags == kObsoleteAndroidCloneMask,
+ flags == kGlibcPthreadFlags);
+
++ const uint64_t kImportantSpawnFlags = CLONE_VFORK | CLONE_VM;
++
++ const BoolExpr isForkOrSpawn =
++ AnyOf((flags & (CLONE_VM | CLONE_THREAD)) == 0,
++ (flags & kImportantSpawnFlags) == kImportantSpawnFlags);
++
+ return If(IsAndroid() ? android_test : glibc_test, Allow())
+- .ElseIf((flags & (CLONE_VM | CLONE_THREAD)) == 0, Error(EPERM))
++ .ElseIf(isForkOrSpawn, Error(EPERM))
+ .Else(CrashSIGSYSClone());
+ }
+
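Review bot: The second operand of `isForkOrSpawn`, `(flags & kImportantSpawnFlags) == kImportantSpawnFlags`, is a mask test rather than an exact match, so every clone() whose flags contain both CLONE_VFORK and CLONE_VM now returns EPERM, including combinations with other bits that previously fell through to `.Else(CrashSIGSYSClone())`. The call is denied either way, but the crash path is what makes an unexpected clone attempt visible, so this widens the set of attempts that fail quietly. If only the posix_spawn case named in the updated comment is intended, I would say so next to the constant, e.g. `// vfork-style clone (posix_spawn): both bits set; deny with EPERM instead of crashing`, or compare against the exact flag set glibc passes (presumably `CLONE_VM | CLONE_VFORK | SIGCHLD`, to be confirmed against the glibc source), the way `glibc_test` does with `flags == kGlibcPthreadFlags`. As a style point, `isForkOrSpawn` is camelCase next to `glibc_test` and `android_test`; `is_fork_or_spawn` would match. The mask definitions that sit between the two inner hunks of RestrictCloneToThreadsAndEPERMFork are outside this view.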
diff --git a/chromium.spec b/chromium.spec
index dbc5a56..aa1e24a 100644
--- a/chromium.spec
+++ b/chromium.spec
@@ -329,7 +329,7 @@ Patch138: chromium-73.0.3683.75-aarch64-crashpad-limits.patch
# el7 only patch
Patch139: chromium-73.0.3683.75-el7-fix-noexcept.patch
#
https://bugs.chromium.org/p/chromium/issues/detail?id=949312
-Patch140: chromium-73.0.3683.86-glibc-2.29-clone-vfork.patch
+Patch140: chromium-73.0.3683.103-glibc-2.29-clone-vfork.patch
# Use chromium-latest.py to generate clean tarball from released build tarballs, found
here:
#
http://build.chromium.org/buildbot/official/
@@ -912,7 +912,7 @@ udev.
%if 0%{?rhel} == 7
%patch139 -p1 -b .el7-noexcept
%endif
-%patch140 -p1 -b .clonevfork
+%patch140 -p1 -b .glibc229
# Change shebang in all relevant files in this directory and all subdirectories
# See `man find` for how the `-exec command {} +` syntax works
@@ -1903,7 +1903,7 @@ getent group chrome-remote-desktop >/dev/null || groupadd -r
chrome-remote-deskt
%changelog
* Thu Apr 11 2019 Tom Callaway <spot(a)fedoraproject.org> - 73.0.3683.103-1
- update to 73.0.3683.103
-- add CLONE_VFORK to seccomp filter for linux to handle glibc 2.29 change
+- add CLONE_VFORK logic to seccomp filter for linux to handle glibc 2.29 change
* Wed Mar 27 2019 Tom Callaway <spot(a)fedoraproject.org> - 73.0.3683.86-2
- remove lang macro from en-US.pak* because Chromium crashes if it is not present