commit 970e263a483e402b55c8cc29497fadadbd4578c8
Author: Leigh Scott <leigh123linux(a)gmail.com>
Date: Wed Aug 25 18:09:00 2021 +0100
Another sandbox fix
chromium-freeworld.spec | 1 +
chromium-sandbox-clone3.patch | 16 ++++++++++++++++
2 files changed, 17 insertions(+)
---
diff --git a/chromium-freeworld.spec b/chromium-freeworld.spec
index 56c662f..14a64b7 100644
--- a/chromium-freeworld.spec
+++ b/chromium-freeworld.spec
@@ -160,6 +160,7 @@ Patch301: chromium-gcc11.patch
Patch302: chromium-py3-fixes.patch
Patch303: chromium-java-only-allowed-in-android-builds.patch
Patch304: chromium-freetype-2.11.patch
+Patch305: chromium-sandbox-clone3.patch
Patch1303: chromium-rawhide-gcc-std-max-fix.patch
# RPM Fusion patches [free/chromium-freeworld]:
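Review bot: Patch305 is only declared here, and the diffstat shows a single added line in chromium-freeworld.spec, so no matching application line such as `%patch305 -p1` was added to %prep. If this spec applies patches with explicit %patch lines rather than %autosetup or %autopatch (the %prep section is not visible in this hunk), the clone3 sandbox fix would ship in the SRPM without being applied to the build. A one-line comment above the entry, for example `# seccomp baseline policy: return ENOSYS for clone3, see https://crbug.com/1213452`, would also record why the patch exists and when it can be dropped on a rebase.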
diff --git a/chromium-sandbox-clone3.patch b/chromium-sandbox-clone3.patch
new file mode 100644
index 0000000..a439935
--- /dev/null
+++ b/chromium-sandbox-clone3.patch
@@ -0,0 +1,16 @@
+diff -up
chromium-92.0.4515.107/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc.clone3
chromium-92.0.4515.107/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc
+---
chromium-92.0.4515.107/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc.clone3 2021-08-16
09:05:35.836277326 -0400
++++
chromium-92.0.4515.107/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc 2021-08-16
09:06:17.420502628 -0400
+@@ -178,6 +178,12 @@ ResultExpr EvaluateSyscallImpl(int fs_de
+ return RestrictCloneToThreadsAndEPERMFork();
+ }
+
++ // clone3 takes a pointer argument which we cannot examine, so return ENOSYS
++ // to force the libc to use clone. See
https://crbug.com/1213452.
++ if (sysno == __NR_clone3) {
++ return Error(ENOSYS);
++ }
++
+ if (sysno == __NR_fcntl)
+ return RestrictFcntlCommands();
+
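Review bot: The new `if (sysno == __NR_clone3)` check uses the syscall constant unguarded, and this patch touches only baseline_policy.cc. The definition therefore has to come from the builder's kernel headers or from Chromium's bundled syscall headers, neither of which is shown here. It is worth confirming that `__NR_clone3` is defined for every architecture and release this package builds for. If it is not, add the missing definition rather than wrapping the check in `#if defined(__NR_clone3)`. Compiling the rule out would silently leave clone3 to whatever the rest of the policy decides, and libc would then presumably not get the ENOSYS it needs to fall back to clone. EvaluateSyscallImpl starts and continues outside this hunk, so the ordering relative to the other rules could not be checked beyond the clone and fcntl branches visible here.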