diff --git a/.abf.yml b/.abf.yml index ba087fe..a528a4d 100644 --- a/.abf.yml +++ b/.abf.yml @@ -1,8 +1,8 @@ sources: - chromium-91.0.4472.114.tar.xz: d3ea56e54f3ac872febbe7399af3fbf9fb2bcb31 - chromium-gost-efa8e0fdd004f162c8f8f537a137f124c814e0bf.tar.gz: db666b2e5b0163bb7616096f601231a92f541061 + chromium-93.0.4577.63.tar.xz: 92b63a237f1366a82e28f7afcde59f2a2eb4967c + chromium-gost-3181acb959fcb8de4aa3aca4c51d8a89b90d367d.tar.gz: 3f81e4ac5204d61384480c59f45a3ef5b8feb3b0 depot_tools.tar.xz: 082b7f9a4dfa7eb03900755b4866aef2d73543a5 icons.tar.bz2: a835954af164bf38f8ea4ea80608839bed7800a3 - msspi-32779bace9dd0ab644e016afe13af3f2ee1a54bd.tar.gz: d0ac1b243a4ecdc4f1c1f86b7dc95b5e8b1caa5e + msspi-676e76df03782fa965d8f985f4bd2e4c3ee81386.tar.gz: 5c82ce5a5780b06a481812986e3da8b1131ca1a8 new-system-icons.tar.xz: 89339b8b3b05359a8745ed7968fe148902a2fa28 xcb-proto-1.14.1.tar.xz: 836d5b2dd00ff21bd038e92764fda9a256a1b022 diff --git a/4b438323d68840453b5ef826c3997568e2e0e8c7.patch b/4b438323d68840453b5ef826c3997568e2e0e8c7.patch new file mode 100644 index 0000000..4a99f1d --- /dev/null +++ b/4b438323d68840453b5ef826c3997568e2e0e8c7.patch @@ -0,0 +1,1384 @@ +From 4b438323d68840453b5ef826c3997568e2e0e8c7 Mon Sep 17 00:00:00 2001 +From: Matthew Denton +Date: Mon, 19 Jul 2021 14:03:13 +0000 +Subject: [PATCH] Reland "Reland "Linux sandbox syscall broker: use struct + kernel_stat"" + +This reverts commit ff277a52ece0b216617d770f201ed66955fe70b9. + +Reason for revert: reland + +The fix included in the reland is that fstatat64() needs to be +allowed in the broker process's seccomp policy. + +This CL also includes some extra tests that the kernel_stat structures +match the layout the kernel expects. + +Bug: 1164975, 1199431 +Test: trogdor Chromebook successfully boots and allows login. + +Original change's description: +> Revert "Reland "Linux sandbox syscall broker: use struct kernel_stat"" +> +> This reverts commit cffbc4432af79f720ae3c75dff380b853701bd64. +> +> Reason for revert: https://bugs.chromium.org/p/chromium/issues/detail?id=1199431 +> +> Original change's description: +> > Reland "Linux sandbox syscall broker: use struct kernel_stat" +> > +> > This reverts commit 23030dc650cdfa22631f25bef937905f27f06a2c. +> > +> > Original change's description: +> > > Revert "Linux sandbox syscall broker: use struct kernel_stat" +> > > +> > > This reverts commit 784b0fcd8a3ca6bcd3acb9cfd624ec9cbbac2789. +> > > +> > > Reason for revert: Causing failure in +> > > Step "sandbox_linux_unittests" failing on builder "Linux ChromiumOS MSan Tests" +> > > See crbug.com/1198480 +> > > +> > > Original change's description: +> > > > Linux sandbox syscall broker: use struct kernel_stat +> > > > +> > > > The struct stat used in libc is different (in size and field ordering) +> > > > from the structure assumed by the Linux kernel. So, when emulating +> > > > system calls, we need to use the struct definition the kernel expects. +> > > > +> > > > This CL adds linux_stat.h that includes definitions of the different +> > > > kernel structs. +> > > > +> > > > Change-Id: I53cad35c2251dff0f6b7ea77528cfa58ef3cab4a +> > > > Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2780876 +> > > > Commit-Queue: Matthew Denton +> > > > Reviewed-by: Robert Sesek +> > > > Cr-Commit-Position: refs/heads/master@{#871767} +> > > +> > > Change-Id: Icbec38f2103c8424dec79ab1870b97c3e83f9361 +> > > No-Presubmit: true +> > > No-Tree-Checks: true +> > > No-Try: true +> > > Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2821812 +> > > Auto-Submit: Victor Vianna +> > > Owners-Override: Victor Vianna +> > > Commit-Queue: Rubber Stamper +> > > Bot-Commit: Rubber Stamper +> > > Cr-Commit-Position: refs/heads/master@{#871882} +> > +> > Change-Id: I1f39bb5242961474def594ff7dbea52009f2cee4 +> > Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2824115 +> > Auto-Submit: Matthew Denton +> > Commit-Queue: Matthew Denton +> > Reviewed-by: Robert Sesek +> > Cr-Commit-Position: refs/heads/master@{#872812} +> +> Fixed: 1199431 +> Change-Id: Iebfc0c48201bf22ff9c54d8d5c8a43d26a880098 +> No-Presubmit: true +> No-Tree-Checks: true +> No-Try: true +> Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2830459 +> Auto-Submit: Kyle Horimoto +> Commit-Queue: Matthew Denton +> Commit-Queue: Kinuko Yasuda +> Reviewed-by: Matthew Denton +> Reviewed-by: Kinuko Yasuda +> Owners-Override: Kinuko Yasuda +> Cr-Commit-Position: refs/heads/master@{#873173} + +Change-Id: Ibe6a485070f33489aaa157b51b908c2d23d174d7 +Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2848936 +Reviewed-by: Robert Sesek +Commit-Queue: Matthew Denton +Cr-Commit-Position: refs/heads/master@{#902981} +--- + sandbox/linux/BUILD.gn | 1 + + .../seccomp_broker_process_unittest.cc | 40 +++- + sandbox/linux/seccomp-bpf-helpers/DEPS | 1 - + ...scall_parameters_restrictions_unittests.cc | 4 - + sandbox/linux/services/syscall_wrappers.cc | 50 ++++- + sandbox/linux/services/syscall_wrappers.h | 15 ++ + .../services/syscall_wrappers_unittest.cc | 129 +++++++++++- + sandbox/linux/syscall_broker/DEPS | 3 +- + sandbox/linux/syscall_broker/broker_client.cc | 4 +- + sandbox/linux/syscall_broker/broker_client.h | 4 +- + sandbox/linux/syscall_broker/broker_host.cc | 23 ++- + .../syscall_broker/broker_process_unittest.cc | 74 +++---- + .../remote_syscall_arg_handler_unittest.cc | 36 ++-- + .../syscall_broker/syscall_dispatcher.cc | 67 ++++--- + .../linux/syscall_broker/syscall_dispatcher.h | 27 ++- + sandbox/linux/system_headers/linux_stat.h | 188 ++++++++++++++++++ + sandbox/linux/system_headers/linux_time.h | 26 +++ + sandbox/linux/tests/test_utils.cc | 15 ++ + sandbox/linux/tests/test_utils.h | 2 + + .../policy/linux/bpf_broker_policy_linux.cc | 4 +- + 20 files changed, 595 insertions(+), 118 deletions(-) + create mode 100644 sandbox/linux/system_headers/linux_stat.h + +diff --git a/sandbox/linux/BUILD.gn b/sandbox/linux/BUILD.gn +index 2f778dd0bcab2..ccbbc91716e71 100644 +--- a/sandbox/linux/BUILD.gn ++++ b/sandbox/linux/BUILD.gn +@@ -443,6 +443,7 @@ source_set("sandbox_services_headers") { + "system_headers/linux_ptrace.h", + "system_headers/linux_seccomp.h", + "system_headers/linux_signal.h", ++ "system_headers/linux_stat.h", + "system_headers/linux_syscalls.h", + "system_headers/linux_time.h", + "system_headers/linux_ucontext.h", +diff --git a/sandbox/linux/integration_tests/seccomp_broker_process_unittest.cc b/sandbox/linux/integration_tests/seccomp_broker_process_unittest.cc +index 9da9c68911428..8a941983b198d 100644 +--- a/sandbox/linux/integration_tests/seccomp_broker_process_unittest.cc ++++ b/sandbox/linux/integration_tests/seccomp_broker_process_unittest.cc +@@ -34,6 +34,7 @@ + #include "sandbox/linux/syscall_broker/broker_file_permission.h" + #include "sandbox/linux/syscall_broker/broker_process.h" + #include "sandbox/linux/system_headers/linux_seccomp.h" ++#include "sandbox/linux/system_headers/linux_stat.h" + #include "sandbox/linux/system_headers/linux_syscalls.h" + #include "sandbox/linux/tests/scoped_temporary_file.h" + #include "sandbox/linux/tests/test_utils.h" +@@ -202,6 +203,26 @@ namespace { + // not accept this as a valid error number. E.g. bionic accepts up to 255, glibc + // and musl up to 4096. + const int kFakeErrnoSentinel = 254; ++ ++void ConvertKernelStatToLibcStat(default_stat_struct& in_stat, ++ struct stat& out_stat) { ++ out_stat.st_dev = in_stat.st_dev; ++ out_stat.st_ino = in_stat.st_ino; ++ out_stat.st_mode = in_stat.st_mode; ++ out_stat.st_nlink = in_stat.st_nlink; ++ out_stat.st_uid = in_stat.st_uid; ++ out_stat.st_gid = in_stat.st_gid; ++ out_stat.st_rdev = in_stat.st_rdev; ++ out_stat.st_size = in_stat.st_size; ++ out_stat.st_blksize = in_stat.st_blksize; ++ out_stat.st_blocks = in_stat.st_blocks; ++ out_stat.st_atim.tv_sec = in_stat.st_atime_; ++ out_stat.st_atim.tv_nsec = in_stat.st_atime_nsec_; ++ out_stat.st_mtim.tv_sec = in_stat.st_mtime_; ++ out_stat.st_mtim.tv_nsec = in_stat.st_mtime_nsec_; ++ out_stat.st_ctim.tv_sec = in_stat.st_ctime_; ++ out_stat.st_ctim.tv_nsec = in_stat.st_ctime_nsec_; ++} + } // namespace + + // There are a variety of ways to make syscalls in a sandboxed process. One is +@@ -217,6 +238,10 @@ class Syscaller { + + virtual int Open(const char* filepath, int flags) = 0; + virtual int Access(const char* filepath, int mode) = 0; ++ // NOTE: we use struct stat instead of default_stat_struct, to make the libc ++ // syscaller simpler. Copying from default_stat_struct (the structure returned ++ // from a stat sycall) to struct stat (the structure exposed by a libc to its ++ // users) is simpler than going in the opposite direction. + virtual int Stat(const char* filepath, + bool follow_links, + struct stat* statbuf) = 0; +@@ -243,8 +268,12 @@ class IPCSyscaller : public Syscaller { + int Stat(const char* filepath, + bool follow_links, + struct stat* statbuf) override { +- return broker_->GetBrokerClientSignalBased()->Stat(filepath, follow_links, +- statbuf); ++ default_stat_struct buf; ++ int ret = broker_->GetBrokerClientSignalBased()->DefaultStatForTesting( ++ filepath, follow_links, &buf); ++ if (ret >= 0) ++ ConvertKernelStatToLibcStat(buf, *statbuf); ++ return ret; + } + + int Rename(const char* oldpath, const char* newpath) override { +@@ -300,10 +329,13 @@ class DirectSyscaller : public Syscaller { + int Stat(const char* filepath, + bool follow_links, + struct stat* statbuf) override { +- int ret = follow_links ? syscall(__NR_stat, filepath, statbuf) +- : syscall(__NR_lstat, filepath, statbuf); ++ struct kernel_stat buf; ++ int ret = syscall(__NR_newfstatat, AT_FDCWD, filepath, &buf, ++ follow_links ? 0 : AT_SYMLINK_NOFOLLOW); + if (ret < 0) + return -errno; ++ ++ ConvertKernelStatToLibcStat(buf, *statbuf); + return ret; + } + +diff --git a/sandbox/linux/seccomp-bpf-helpers/DEPS b/sandbox/linux/seccomp-bpf-helpers/DEPS +index 4419fd1da34e8..95d1bb6cbbabf 100644 +--- a/sandbox/linux/seccomp-bpf-helpers/DEPS ++++ b/sandbox/linux/seccomp-bpf-helpers/DEPS +@@ -3,5 +3,4 @@ include_rules = [ + "+sandbox/linux/seccomp-bpf", + "+sandbox/linux/services", + "+sandbox/linux/system_headers", +- "+third_party/lss/linux_syscall_support.h", + ] +diff --git a/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions_unittests.cc b/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions_unittests.cc +index 903e702eab14b..76c393032c1fe 100644 +--- a/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions_unittests.cc ++++ b/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions_unittests.cc +@@ -37,10 +37,6 @@ + #include "sandbox/linux/system_headers/linux_time.h" + #include "sandbox/linux/tests/unit_tests.h" + +-#if !defined(OS_ANDROID) +-#include "third_party/lss/linux_syscall_support.h" // for MAKE_PROCESS_CPUCLOCK +-#endif +- + namespace sandbox { + + namespace { +diff --git a/sandbox/linux/services/syscall_wrappers.cc b/sandbox/linux/services/syscall_wrappers.cc +index fcfd2aa129d4b..3bec18a14e91e 100644 +--- a/sandbox/linux/services/syscall_wrappers.cc ++++ b/sandbox/linux/services/syscall_wrappers.cc +@@ -4,6 +4,7 @@ + + #include "sandbox/linux/services/syscall_wrappers.h" + ++#include + #include + #include + #include +@@ -14,11 +15,13 @@ + #include + #include + ++#include "base/check.h" + #include "base/compiler_specific.h" + #include "base/logging.h" + #include "build/build_config.h" + #include "sandbox/linux/system_headers/capability.h" + #include "sandbox/linux/system_headers/linux_signal.h" ++#include "sandbox/linux/system_headers/linux_stat.h" + #include "sandbox/linux/system_headers/linux_syscalls.h" + + namespace sandbox { +@@ -217,7 +220,7 @@ asm( + #undef STR + #undef XSTR + +-#endif ++#endif // defined(ARCH_CPU_X86_FAMILY) + + int sys_sigaction(int signum, + const struct sigaction* act, +@@ -241,7 +244,7 @@ int sys_sigaction(int signum, + #error "Unsupported architecture." + #endif + } +-#endif ++#endif // defined(ARCH_CPU_X86_FAMILY) + } + + LinuxSigAction linux_oldact = {}; +@@ -259,6 +262,47 @@ int sys_sigaction(int signum, + return result; + } + +-#endif // defined(MEMORY_SANITIZER) ++#endif // !defined(OS_NACL_NONSFI) ++ ++int sys_stat(const char* path, struct kernel_stat* stat_buf) { ++ int res; ++#if !defined(__NR_stat) ++ res = syscall(__NR_newfstatat, AT_FDCWD, path, stat_buf, 0); ++#else ++ res = syscall(__NR_stat, path, stat_buf); ++#endif ++ if (res == 0) ++ MSAN_UNPOISON(stat_buf, sizeof(*stat_buf)); ++ return res; ++} ++ ++int sys_lstat(const char* path, struct kernel_stat* stat_buf) { ++ int res; ++#if !defined(__NR_lstat) ++ res = syscall(__NR_newfstatat, AT_FDCWD, path, stat_buf, AT_SYMLINK_NOFOLLOW); ++#else ++ res = syscall(__NR_lstat, path, stat_buf); ++#endif ++ if (res == 0) ++ MSAN_UNPOISON(stat_buf, sizeof(*stat_buf)); ++ return res; ++} ++ ++int sys_fstatat64(int dirfd, ++ const char* pathname, ++ struct kernel_stat64* stat_buf, ++ int flags) { ++#if defined(__NR_fstatat64) ++ int res = syscall(__NR_fstatat64, dirfd, pathname, stat_buf, flags); ++ if (res == 0) ++ MSAN_UNPOISON(stat_buf, sizeof(*stat_buf)); ++ return res; ++#else // defined(__NR_fstatat64) ++ // We should not reach here on 64-bit systems, as the *stat*64() are only ++ // necessary on 32-bit. ++ RAW_CHECK(false); ++ return -ENOSYS; ++#endif ++} + + } // namespace sandbox +diff --git a/sandbox/linux/services/syscall_wrappers.h b/sandbox/linux/services/syscall_wrappers.h +index 1975bfbd88a6d..b55340e4a26b7 100644 +--- a/sandbox/linux/services/syscall_wrappers.h ++++ b/sandbox/linux/services/syscall_wrappers.h +@@ -17,6 +17,8 @@ struct sock_fprog; + struct rlimit64; + struct cap_hdr; + struct cap_data; ++struct kernel_stat; ++struct kernel_stat64; + + namespace sandbox { + +@@ -84,6 +86,19 @@ SANDBOX_EXPORT int sys_sigaction(int signum, + const struct sigaction* act, + struct sigaction* oldact); + ++// Some architectures do not have stat() and lstat() syscalls. In that case, ++// these wrappers will use newfstatat(), which is available on all other ++// architectures, with the same capabilities as stat() and lstat(). ++SANDBOX_EXPORT int sys_stat(const char* path, struct kernel_stat* stat_buf); ++SANDBOX_EXPORT int sys_lstat(const char* path, struct kernel_stat* stat_buf); ++ ++// Takes care of unpoisoning |stat_buf| for MSAN. Check-fails if fstatat64() is ++// not a supported syscall on the current platform. ++SANDBOX_EXPORT int sys_fstatat64(int dirfd, ++ const char* pathname, ++ struct kernel_stat64* stat_buf, ++ int flags); ++ + } // namespace sandbox + + #endif // SANDBOX_LINUX_SERVICES_SYSCALL_WRAPPERS_H_ +diff --git a/sandbox/linux/services/syscall_wrappers_unittest.cc b/sandbox/linux/services/syscall_wrappers_unittest.cc +index 32820f60a8cee..64b9cea80f319 100644 +--- a/sandbox/linux/services/syscall_wrappers_unittest.cc ++++ b/sandbox/linux/services/syscall_wrappers_unittest.cc +@@ -5,15 +5,19 @@ + #include "sandbox/linux/services/syscall_wrappers.h" + + #include ++#include + #include + #include + #include + #include +-#include + ++#include "base/logging.h" ++#include "base/memory/page_size.h" + #include "base/posix/eintr_wrapper.h" + #include "build/build_config.h" + #include "sandbox/linux/system_headers/linux_signal.h" ++#include "sandbox/linux/system_headers/linux_stat.h" ++#include "sandbox/linux/tests/scoped_temporary_file.h" + #include "sandbox/linux/tests/test_utils.h" + #include "sandbox/linux/tests/unit_tests.h" + #include "testing/gtest/include/gtest/gtest.h" +@@ -93,6 +97,129 @@ TEST(SyscallWrappers, LinuxSigSet) { + linux_sigset); + } + ++TEST(SyscallWrappers, Stat) { ++ // Create a file to stat, with 12 bytes of data. ++ ScopedTemporaryFile tmp_file; ++ EXPECT_EQ(12, write(tmp_file.fd(), "blahblahblah", 12)); ++ ++ // To test we have the correct stat structures for each kernel/platform, we ++ // will right-align them on a page, with a guard page after. ++ char* two_pages = static_cast(TestUtils::MapPagesOrDie(2)); ++ TestUtils::MprotectLastPageOrDie(two_pages, 2); ++ char* page1_end = two_pages + base::GetPageSize(); ++ ++ // First, check that calling stat with |stat_buf| pointing to the last byte on ++ // a page causes EFAULT. ++ int res = sys_stat(tmp_file.full_file_name(), ++ reinterpret_cast(page1_end - 1)); ++ ASSERT_EQ(res, -1); ++ ASSERT_EQ(errno, EFAULT); ++ ++ // Now, check that we have the correctly sized stat structure. ++ struct kernel_stat* sb = reinterpret_cast( ++ page1_end - sizeof(struct kernel_stat)); ++ // Memset to c's so we can check the kernel zero'd the padding... ++ memset(sb, 'c', sizeof(struct kernel_stat)); ++ res = sys_stat(tmp_file.full_file_name(), sb); ++ ASSERT_EQ(res, 0); ++ ++ // Following fields may never be consistent but should be non-zero. ++ // Don't trust the platform to define fields with any particular sign. ++ EXPECT_NE(0u, static_cast(sb->st_dev)); ++ EXPECT_NE(0u, static_cast(sb->st_ino)); ++ EXPECT_NE(0u, static_cast(sb->st_mode)); ++ EXPECT_NE(0u, static_cast(sb->st_blksize)); ++ EXPECT_NE(0u, static_cast(sb->st_blocks)); ++ ++// We are the ones that made the file. ++// Note: normally gid and uid overflow on backwards-compatible 32-bit systems ++// and we end up with dummy uids and gids in place here. ++#if defined(ARCH_CPU_64_BITS) ++ EXPECT_EQ(geteuid(), sb->st_uid); ++ EXPECT_EQ(getegid(), sb->st_gid); ++#endif ++ ++ // Wrote 12 bytes above which should fit in one block. ++ EXPECT_EQ(12u, sb->st_size); ++ ++ // Can't go backwards in time, 1500000000 was some time ago. ++ EXPECT_LT(1500000000u, static_cast(sb->st_atime_)); ++ EXPECT_LT(1500000000u, static_cast(sb->st_mtime_)); ++ EXPECT_LT(1500000000u, static_cast(sb->st_ctime_)); ++ ++ // Checking the padding for good measure. ++#if defined(__x86_64__) ++ EXPECT_EQ(0u, sb->__pad0); ++ EXPECT_EQ(0u, sb->__unused4[0]); ++ EXPECT_EQ(0u, sb->__unused4[1]); ++ EXPECT_EQ(0u, sb->__unused4[2]); ++#elif defined(__aarch64__) ++ EXPECT_EQ(0u, sb->__pad1); ++ EXPECT_EQ(0, sb->__pad2); ++ EXPECT_EQ(0u, sb->__unused4); ++ EXPECT_EQ(0u, sb->__unused5); ++#endif ++} ++ ++TEST(SyscallWrappers, LStat) { ++ // Create a file to stat, with 12 bytes of data. ++ ScopedTemporaryFile tmp_file; ++ EXPECT_EQ(12, write(tmp_file.fd(), "blahblahblah", 12)); ++ ++ // Also create a symlink. ++ std::string symlink_name; ++ { ++ ScopedTemporaryFile tmp_file2; ++ symlink_name = tmp_file2.full_file_name(); ++ } ++ int rc = symlink(tmp_file.full_file_name(), symlink_name.c_str()); ++ if (rc != 0) { ++ PLOG(ERROR) << "Couldn't symlink " << symlink_name << " to target " ++ << tmp_file.full_file_name(); ++ GTEST_FAIL(); ++ } ++ ++ struct kernel_stat lstat_info; ++ rc = sys_lstat(symlink_name.c_str(), &lstat_info); ++ if (rc < 0 && errno == EOVERFLOW) { ++ GTEST_SKIP(); ++ } ++ if (rc != 0) { ++ PLOG(ERROR) << "Couldn't sys_lstat " << symlink_name; ++ GTEST_FAIL(); ++ } ++ ++ struct kernel_stat stat_info; ++ rc = sys_stat(symlink_name.c_str(), &stat_info); ++ if (rc < 0 && errno == EOVERFLOW) { ++ GTEST_SKIP(); ++ } ++ if (rc != 0) { ++ PLOG(ERROR) << "Couldn't sys_stat " << symlink_name; ++ GTEST_FAIL(); ++ } ++ ++ struct kernel_stat tmp_file_stat_info; ++ rc = sys_stat(tmp_file.full_file_name(), &tmp_file_stat_info); ++ if (rc < 0 && errno == EOVERFLOW) { ++ GTEST_SKIP(); ++ } ++ if (rc != 0) { ++ PLOG(ERROR) << "Couldn't sys_stat " << tmp_file.full_file_name(); ++ GTEST_FAIL(); ++ } ++ ++ // lstat should produce information about a symlink. ++ ASSERT_TRUE(S_ISLNK(lstat_info.st_mode)); ++ ++ // stat-ing symlink_name and tmp_file should produce the same inode. ++ ASSERT_EQ(stat_info.st_ino, tmp_file_stat_info.st_ino); ++ ++ // lstat-ing symlink_name should give a different inode than stat-ing ++ // symlink_name. ++ ASSERT_NE(stat_info.st_ino, lstat_info.st_ino); ++} ++ + } // namespace + + } // namespace sandbox +diff --git a/sandbox/linux/syscall_broker/DEPS b/sandbox/linux/syscall_broker/DEPS +index c477f7d36394b..149c463b06839 100644 +--- a/sandbox/linux/syscall_broker/DEPS ++++ b/sandbox/linux/syscall_broker/DEPS +@@ -1,4 +1,5 @@ + include_rules = [ +- "+sandbox/linux/system_headers", + "+sandbox/linux/bpf_dsl", ++ "+sandbox/linux/services", ++ "+sandbox/linux/system_headers", + ] +diff --git a/sandbox/linux/syscall_broker/broker_client.cc b/sandbox/linux/syscall_broker/broker_client.cc +index 6b1b5be433899..e24f659fcf872 100644 +--- a/sandbox/linux/syscall_broker/broker_client.cc ++++ b/sandbox/linux/syscall_broker/broker_client.cc +@@ -166,7 +166,7 @@ int BrokerClient::Rmdir(const char* path) const { + + int BrokerClient::Stat(const char* pathname, + bool follow_links, +- struct stat* sb) const { ++ struct kernel_stat* sb) const { + if (!pathname || !sb) + return -EFAULT; + +@@ -181,7 +181,7 @@ int BrokerClient::Stat(const char* pathname, + + int BrokerClient::Stat64(const char* pathname, + bool follow_links, +- struct stat64* sb) const { ++ struct kernel_stat64* sb) const { + if (!pathname || !sb) + return -EFAULT; + +diff --git a/sandbox/linux/syscall_broker/broker_client.h b/sandbox/linux/syscall_broker/broker_client.h +index 05e14c83f2010..26ca78101c71c 100644 +--- a/sandbox/linux/syscall_broker/broker_client.h ++++ b/sandbox/linux/syscall_broker/broker_client.h +@@ -61,10 +61,10 @@ class SANDBOX_EXPORT BrokerClient : public SyscallDispatcher { + int Rmdir(const char* path) const override; + int Stat(const char* pathname, + bool follow_links, +- struct stat* sb) const override; ++ struct kernel_stat* sb) const override; + int Stat64(const char* pathname, + bool follow_links, +- struct stat64* sb) const override; ++ struct kernel_stat64* sb) const override; + int Unlink(const char* unlink) const override; + + private: +diff --git a/sandbox/linux/syscall_broker/broker_host.cc b/sandbox/linux/syscall_broker/broker_host.cc +index 1cd03a18df809..1cdc01a888f41 100644 +--- a/sandbox/linux/syscall_broker/broker_host.cc ++++ b/sandbox/linux/syscall_broker/broker_host.cc +@@ -20,9 +20,11 @@ + #include "base/files/scoped_file.h" + #include "base/logging.h" + #include "base/posix/eintr_wrapper.h" ++#include "sandbox/linux/services/syscall_wrappers.h" + #include "sandbox/linux/syscall_broker/broker_command.h" + #include "sandbox/linux/syscall_broker/broker_permission_list.h" + #include "sandbox/linux/syscall_broker/broker_simple_message.h" ++#include "sandbox/linux/system_headers/linux_stat.h" + #include "sandbox/linux/system_headers/linux_syscalls.h" + + namespace sandbox { +@@ -193,10 +195,12 @@ void StatFileForIPC(const BrokerCommandSet& allowed_command_set, + RAW_CHECK(reply->AddIntToMessage(-permission_list.denied_errno())); + return; + } ++ + if (command_type == COMMAND_STAT) { +- struct stat sb; +- int sts = +- follow_links ? stat(file_to_access, &sb) : lstat(file_to_access, &sb); ++ struct kernel_stat sb; ++ ++ int sts = follow_links ? sandbox::sys_stat(file_to_access, &sb) ++ : sandbox::sys_lstat(file_to_access, &sb); + if (sts < 0) { + RAW_CHECK(reply->AddIntToMessage(-errno)); + return; +@@ -205,10 +209,12 @@ void StatFileForIPC(const BrokerCommandSet& allowed_command_set, + RAW_CHECK( + reply->AddDataToMessage(reinterpret_cast(&sb), sizeof(sb))); + } else { ++#if defined(__NR_fstatat64) + DCHECK(command_type == COMMAND_STAT64); +- struct stat64 sb; +- int sts = follow_links ? stat64(file_to_access, &sb) +- : lstat64(file_to_access, &sb); ++ struct kernel_stat64 sb; ++ ++ int sts = sandbox::sys_fstatat64(AT_FDCWD, file_to_access, &sb, ++ follow_links ? 0 : AT_SYMLINK_NOFOLLOW); + if (sts < 0) { + RAW_CHECK(reply->AddIntToMessage(-errno)); + return; +@@ -216,6 +222,11 @@ void StatFileForIPC(const BrokerCommandSet& allowed_command_set, + RAW_CHECK(reply->AddIntToMessage(0)); + RAW_CHECK( + reply->AddDataToMessage(reinterpret_cast(&sb), sizeof(sb))); ++#else // defined(__NR_fstatat64) ++ // We should not reach here on 64-bit systems, as the *stat*64() are only ++ // necessary on 32-bit. ++ RAW_CHECK(false); ++#endif + } + } + +diff --git a/sandbox/linux/syscall_broker/broker_process_unittest.cc b/sandbox/linux/syscall_broker/broker_process_unittest.cc +index 55ba6bccb29ec..c65f25a78a999 100644 +--- a/sandbox/linux/syscall_broker/broker_process_unittest.cc ++++ b/sandbox/linux/syscall_broker/broker_process_unittest.cc +@@ -811,7 +811,7 @@ void TestStatHelper(bool fast_check_in_client, bool follow_links) { + const char* bad_leading_path5 = "/mbogo/fictitioux"; + const char* bad_leading_path6 = "/mbogo/fictitiousa"; + +- struct stat sb; ++ default_stat_struct sb; + + { + // Actual file with permissions to see file but command not allowed. +@@ -824,7 +824,7 @@ void TestStatHelper(bool fast_check_in_client, bool follow_links) { + + memset(&sb, 0, sizeof(sb)); + EXPECT_EQ(-kFakeErrnoSentinel, +- open_broker.GetBrokerClientSignalBased()->Stat( ++ open_broker.GetBrokerClientSignalBased()->DefaultStatForTesting( + tempfile_name, follow_links, &sb)); + } + +@@ -840,7 +840,7 @@ void TestStatHelper(bool fast_check_in_client, bool follow_links) { + + memset(&sb, 0, sizeof(sb)); + EXPECT_EQ(-kFakeErrnoSentinel, +- open_broker.GetBrokerClientSignalBased()->Stat( ++ open_broker.GetBrokerClientSignalBased()->DefaultStatForTesting( + nonesuch_name, follow_links, &sb)); + } + { +@@ -852,7 +852,7 @@ void TestStatHelper(bool fast_check_in_client, bool follow_links) { + + memset(&sb, 0, sizeof(sb)); + EXPECT_EQ(-kFakeErrnoSentinel, +- open_broker.GetBrokerClientSignalBased()->Stat( ++ open_broker.GetBrokerClientSignalBased()->DefaultStatForTesting( + tempfile_name, follow_links, &sb)); + } + { +@@ -864,38 +864,39 @@ void TestStatHelper(bool fast_check_in_client, bool follow_links) { + ASSERT_TRUE(open_broker.Init(base::BindOnce(&NoOpCallback))); + + memset(&sb, 0, sizeof(sb)); +- EXPECT_EQ(-ENOENT, open_broker.GetBrokerClientSignalBased()->Stat( +- nonesuch_name, follow_links, &sb)); ++ EXPECT_EQ(-ENOENT, ++ open_broker.GetBrokerClientSignalBased()->DefaultStatForTesting( ++ nonesuch_name, follow_links, &sb)); + + // Gets denied all the way back to root since no create permission. + EXPECT_EQ(-kFakeErrnoSentinel, +- open_broker.GetBrokerClientSignalBased()->Stat( ++ open_broker.GetBrokerClientSignalBased()->DefaultStatForTesting( + leading_path1, follow_links, &sb)); + EXPECT_EQ(-kFakeErrnoSentinel, +- open_broker.GetBrokerClientSignalBased()->Stat( ++ open_broker.GetBrokerClientSignalBased()->DefaultStatForTesting( + leading_path2, follow_links, &sb)); + EXPECT_EQ(-kFakeErrnoSentinel, +- open_broker.GetBrokerClientSignalBased()->Stat( ++ open_broker.GetBrokerClientSignalBased()->DefaultStatForTesting( + leading_path3, follow_links, &sb)); + + // Not fooled by substrings. + EXPECT_EQ(-kFakeErrnoSentinel, +- open_broker.GetBrokerClientSignalBased()->Stat( ++ open_broker.GetBrokerClientSignalBased()->DefaultStatForTesting( + bad_leading_path1, follow_links, &sb)); + EXPECT_EQ(-kFakeErrnoSentinel, +- open_broker.GetBrokerClientSignalBased()->Stat( ++ open_broker.GetBrokerClientSignalBased()->DefaultStatForTesting( + bad_leading_path2, follow_links, &sb)); + EXPECT_EQ(-kFakeErrnoSentinel, +- open_broker.GetBrokerClientSignalBased()->Stat( ++ open_broker.GetBrokerClientSignalBased()->DefaultStatForTesting( + bad_leading_path3, follow_links, &sb)); + EXPECT_EQ(-kFakeErrnoSentinel, +- open_broker.GetBrokerClientSignalBased()->Stat( ++ open_broker.GetBrokerClientSignalBased()->DefaultStatForTesting( + bad_leading_path4, follow_links, &sb)); + EXPECT_EQ(-kFakeErrnoSentinel, +- open_broker.GetBrokerClientSignalBased()->Stat( ++ open_broker.GetBrokerClientSignalBased()->DefaultStatForTesting( + bad_leading_path5, follow_links, &sb)); + EXPECT_EQ(-kFakeErrnoSentinel, +- open_broker.GetBrokerClientSignalBased()->Stat( ++ open_broker.GetBrokerClientSignalBased()->DefaultStatForTesting( + bad_leading_path6, follow_links, &sb)); + } + { +@@ -907,37 +908,41 @@ void TestStatHelper(bool fast_check_in_client, bool follow_links) { + ASSERT_TRUE(open_broker.Init(base::BindOnce(&NoOpCallback))); + + memset(&sb, 0, sizeof(sb)); +- EXPECT_EQ(-ENOENT, open_broker.GetBrokerClientSignalBased()->Stat( +- nonesuch_name, follow_links, &sb)); ++ EXPECT_EQ(-ENOENT, ++ open_broker.GetBrokerClientSignalBased()->DefaultStatForTesting( ++ nonesuch_name, follow_links, &sb)); + + // Gets ENOENT all the way back to root since it has create permission. +- EXPECT_EQ(-ENOENT, open_broker.GetBrokerClientSignalBased()->Stat( +- leading_path1, follow_links, &sb)); +- EXPECT_EQ(-ENOENT, open_broker.GetBrokerClientSignalBased()->Stat( +- leading_path2, follow_links, &sb)); ++ EXPECT_EQ(-ENOENT, ++ open_broker.GetBrokerClientSignalBased()->DefaultStatForTesting( ++ leading_path1, follow_links, &sb)); ++ EXPECT_EQ(-ENOENT, ++ open_broker.GetBrokerClientSignalBased()->DefaultStatForTesting( ++ leading_path2, follow_links, &sb)); + + // But can always get the root. +- EXPECT_EQ(0, open_broker.GetBrokerClientSignalBased()->Stat( +- leading_path3, follow_links, &sb)); ++ EXPECT_EQ(0, ++ open_broker.GetBrokerClientSignalBased()->DefaultStatForTesting( ++ leading_path3, follow_links, &sb)); + + // Not fooled by substrings. + EXPECT_EQ(-kFakeErrnoSentinel, +- open_broker.GetBrokerClientSignalBased()->Stat( ++ open_broker.GetBrokerClientSignalBased()->DefaultStatForTesting( + bad_leading_path1, follow_links, &sb)); + EXPECT_EQ(-kFakeErrnoSentinel, +- open_broker.GetBrokerClientSignalBased()->Stat( ++ open_broker.GetBrokerClientSignalBased()->DefaultStatForTesting( + bad_leading_path2, follow_links, &sb)); + EXPECT_EQ(-kFakeErrnoSentinel, +- open_broker.GetBrokerClientSignalBased()->Stat( ++ open_broker.GetBrokerClientSignalBased()->DefaultStatForTesting( + bad_leading_path3, follow_links, &sb)); + EXPECT_EQ(-kFakeErrnoSentinel, +- open_broker.GetBrokerClientSignalBased()->Stat( ++ open_broker.GetBrokerClientSignalBased()->DefaultStatForTesting( + bad_leading_path4, follow_links, &sb)); + EXPECT_EQ(-kFakeErrnoSentinel, +- open_broker.GetBrokerClientSignalBased()->Stat( ++ open_broker.GetBrokerClientSignalBased()->DefaultStatForTesting( + bad_leading_path5, follow_links, &sb)); + EXPECT_EQ(-kFakeErrnoSentinel, +- open_broker.GetBrokerClientSignalBased()->Stat( ++ open_broker.GetBrokerClientSignalBased()->DefaultStatForTesting( + bad_leading_path6, follow_links, &sb)); + } + { +@@ -949,8 +954,9 @@ void TestStatHelper(bool fast_check_in_client, bool follow_links) { + ASSERT_TRUE(open_broker.Init(base::BindOnce(&NoOpCallback))); + + memset(&sb, 0, sizeof(sb)); +- EXPECT_EQ(0, open_broker.GetBrokerClientSignalBased()->Stat( +- tempfile_name, follow_links, &sb)); ++ EXPECT_EQ(0, ++ open_broker.GetBrokerClientSignalBased()->DefaultStatForTesting( ++ tempfile_name, follow_links, &sb)); + + // Following fields may never be consistent but should be non-zero. + // Don't trust the platform to define fields with any particular sign. +@@ -968,9 +974,9 @@ void TestStatHelper(bool fast_check_in_client, bool follow_links) { + EXPECT_EQ(12, sb.st_size); + + // Can't go backwards in time, 1500000000 was some time ago. +- EXPECT_LT(1500000000u, static_cast(sb.st_atime)); +- EXPECT_LT(1500000000u, static_cast(sb.st_mtime)); +- EXPECT_LT(1500000000u, static_cast(sb.st_ctime)); ++ EXPECT_LT(1500000000u, static_cast(sb.st_atime_)); ++ EXPECT_LT(1500000000u, static_cast(sb.st_mtime_)); ++ EXPECT_LT(1500000000u, static_cast(sb.st_ctime_)); + } + } + +diff --git a/sandbox/linux/syscall_broker/remote_syscall_arg_handler_unittest.cc b/sandbox/linux/syscall_broker/remote_syscall_arg_handler_unittest.cc +index fffa9bb7082ce..f517a9867c5de 100644 +--- a/sandbox/linux/syscall_broker/remote_syscall_arg_handler_unittest.cc ++++ b/sandbox/linux/syscall_broker/remote_syscall_arg_handler_unittest.cc +@@ -16,6 +16,7 @@ + #include "base/memory/page_size.h" + #include "base/posix/unix_domain_socket.h" + #include "base/test/bind.h" ++#include "sandbox/linux/tests/test_utils.h" + #include "sandbox/linux/tests/unit_tests.h" + #include "testing/gtest/include/gtest/gtest.h" + +@@ -52,19 +53,6 @@ void VerifyCorrectString(std::string str, size_t size) { + } + } + +-void* MapPagesOrDie(size_t num_pages) { +- void* addr = mmap(nullptr, num_pages * base::GetPageSize(), +- PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); +- PCHECK(addr); +- return addr; +-} +- +-void MprotectLastPageOrDie(char* addr, size_t num_pages) { +- size_t last_page_offset = (num_pages - 1) * base::GetPageSize(); +- PCHECK(mprotect(addr + last_page_offset, base::GetPageSize(), PROT_NONE) >= +- 0); +-} +- + pid_t ForkWaitingChild(base::OnceCallback + after_parent_signals_callback = base::DoNothing(), + base::ScopedFD* parent_sync_fd = nullptr) { +@@ -105,13 +93,13 @@ void ReadTest(const ReadTestConfig& test_config) { + size_t total_pages = (test_config.start_at + test_config.total_size + + base::GetPageSize() - 1) / + base::GetPageSize(); +- char* mmap_addr = static_cast(MapPagesOrDie(total_pages)); ++ char* mmap_addr = static_cast(TestUtils::MapPagesOrDie(total_pages)); + char* addr = mmap_addr + test_config.start_at; + FillBufferWithPath(addr, test_config.total_size, + test_config.include_null_byte); + + if (test_config.last_page_inaccessible) +- MprotectLastPageOrDie(mmap_addr, total_pages); ++ TestUtils::MprotectLastPageOrDie(mmap_addr, total_pages); + + pid_t pid = ForkWaitingChild(); + munmap(mmap_addr, base::GetPageSize() * total_pages); +@@ -212,7 +200,7 @@ SANDBOX_TEST(BrokerRemoteSyscallArgHandler, ReadChunkPlus1EndingOnePastPage) { + } + + SANDBOX_TEST(BrokerRemoteSyscallArgHandler, ReadChildExited) { +- void* addr = MapPagesOrDie(1); ++ void* addr = TestUtils::MapPagesOrDie(1); + FillBufferWithPath(static_cast(addr), strlen(kPathPart) + 1, true); + + base::ScopedFD parent_sync, child_sync; +@@ -240,10 +228,10 @@ SANDBOX_TEST(BrokerRemoteSyscallArgHandler, ReadChildExited) { + } + + SANDBOX_TEST(BrokerRemoteSyscallArgHandler, BasicWrite) { +- void* read_from = MapPagesOrDie(1); ++ void* read_from = TestUtils::MapPagesOrDie(1); + const size_t write_size = base::GetPageSize(); + FillBufferWithPath(static_cast(read_from), write_size, false); +- char* write_to = static_cast(MapPagesOrDie(1)); ++ char* write_to = static_cast(TestUtils::MapPagesOrDie(1)); + base::ScopedFD parent_signal_fd; + const std::vector empty_fd_vec; + +@@ -278,8 +266,8 @@ SANDBOX_TEST(BrokerRemoteSyscallArgHandler, BasicWrite) { + } + + SANDBOX_TEST(BrokerRemoteSyscallArgHandler, WriteToInvalidAddress) { +- char* write_to = static_cast(MapPagesOrDie(1)); +- MprotectLastPageOrDie(write_to, 1); ++ char* write_to = static_cast(TestUtils::MapPagesOrDie(1)); ++ TestUtils::MprotectLastPageOrDie(write_to, 1); + base::ScopedFD parent_signal_fd; + const std::vector empty_fd_vec; + +@@ -295,11 +283,11 @@ SANDBOX_TEST(BrokerRemoteSyscallArgHandler, WriteToInvalidAddress) { + } + + SANDBOX_TEST(BrokerRemoteSyscallArgHandler, WritePartiallyToInvalidAddress) { +- char* read_from = static_cast(MapPagesOrDie(2)); ++ char* read_from = static_cast(TestUtils::MapPagesOrDie(2)); + const size_t write_size = base::GetPageSize(); + FillBufferWithPath(static_cast(read_from), write_size, false); +- char* write_to = static_cast(MapPagesOrDie(2)); +- MprotectLastPageOrDie(write_to, 2); ++ char* write_to = static_cast(TestUtils::MapPagesOrDie(2)); ++ TestUtils::MprotectLastPageOrDie(write_to, 2); + write_to += base::GetPageSize() / 2; + base::ScopedFD parent_signal_fd; + const std::vector empty_fd_vec; +@@ -314,7 +302,7 @@ SANDBOX_TEST(BrokerRemoteSyscallArgHandler, WritePartiallyToInvalidAddress) { + } + + SANDBOX_TEST(BrokerRemoteSyscallArgHandler, WriteChildExited) { +- char* addr = static_cast(MapPagesOrDie(1)); ++ char* addr = static_cast(TestUtils::MapPagesOrDie(1)); + FillBufferWithPath(static_cast(addr), strlen(kPathPart) + 1, true); + + base::ScopedFD parent_sync, child_sync; +diff --git a/sandbox/linux/syscall_broker/syscall_dispatcher.cc b/sandbox/linux/syscall_broker/syscall_dispatcher.cc +index b9ee93c14ac59..8a42397ef872e 100644 +--- a/sandbox/linux/syscall_broker/syscall_dispatcher.cc ++++ b/sandbox/linux/syscall_broker/syscall_dispatcher.cc +@@ -19,8 +19,18 @@ namespace syscall_broker { + #define BROKER_UNPOISON_STRING(x) + #endif + ++int SyscallDispatcher::DefaultStatForTesting(const char* pathname, ++ bool follow_links, ++ default_stat_struct* sb) { ++#if defined(__NR_fstatat64) ++ return Stat64(pathname, follow_links, sb); ++#elif defined(__NR_newfstatat) ++ return Stat(pathname, follow_links, sb); ++#endif ++} ++ + int SyscallDispatcher::PerformStatat(const arch_seccomp_data& args, +- bool arch64) { ++ bool stat64) { + if (static_cast(args.args[0]) != AT_FDCWD) + return -EPERM; + // Only allow the AT_SYMLINK_NOFOLLOW flag which is used by some libc +@@ -30,13 +40,29 @@ int SyscallDispatcher::PerformStatat(const arch_seccomp_data& args, + + const bool follow_links = + !(static_cast(args.args[3]) & AT_SYMLINK_NOFOLLOW); +- if (arch64) { ++ if (stat64) { + return Stat64(reinterpret_cast(args.args[1]), follow_links, +- reinterpret_cast(args.args[2])); ++ reinterpret_cast(args.args[2])); + } + + return Stat(reinterpret_cast(args.args[1]), follow_links, +- reinterpret_cast(args.args[2])); ++ reinterpret_cast(args.args[2])); ++} ++ ++int SyscallDispatcher::PerformUnlinkat(const arch_seccomp_data& args) { ++ if (static_cast(args.args[0]) != AT_FDCWD) ++ return -EPERM; ++ ++ int flags = static_cast(args.args[2]); ++ ++ if (flags == AT_REMOVEDIR) { ++ return Rmdir(reinterpret_cast(args.args[1])); ++ } ++ ++ if (flags != 0) ++ return -EPERM; ++ ++ return Unlink(reinterpret_cast(args.args[1])); + } + + int SyscallDispatcher::DispatchSyscall(const arch_seccomp_data& args) { +@@ -127,59 +153,42 @@ int SyscallDispatcher::DispatchSyscall(const arch_seccomp_data& args) { + #if defined(__NR_stat) + case __NR_stat: + return Stat(reinterpret_cast(args.args[0]), true, +- reinterpret_cast(args.args[1])); ++ reinterpret_cast(args.args[1])); + #endif + #if defined(__NR_stat64) + case __NR_stat64: + return Stat64(reinterpret_cast(args.args[0]), true, +- reinterpret_cast(args.args[1])); ++ reinterpret_cast(args.args[1])); + #endif + #if defined(__NR_lstat) + case __NR_lstat: + // See https://crbug.com/847096 + BROKER_UNPOISON_STRING(reinterpret_cast(args.args[0])); + return Stat(reinterpret_cast(args.args[0]), false, +- reinterpret_cast(args.args[1])); ++ reinterpret_cast(args.args[1])); + #endif + #if defined(__NR_lstat64) + case __NR_lstat64: + // See https://crbug.com/847096 + BROKER_UNPOISON_STRING(reinterpret_cast(args.args[0])); + return Stat64(reinterpret_cast(args.args[0]), false, +- reinterpret_cast(args.args[1])); +-#endif +-#if defined(__NR_fstatat) +- case __NR_fstatat: +- return PerformStatat(args, /*arch64=*/false); ++ reinterpret_cast(args.args[1])); + #endif + #if defined(__NR_fstatat64) + case __NR_fstatat64: +- return PerformStatat(args, /*arch64=*/true); ++ return PerformStatat(args, /*stat64=*/true); + #endif + #if defined(__NR_newfstatat) + case __NR_newfstatat: +- return PerformStatat(args, /*arch64=*/false); ++ return PerformStatat(args, /*stat64=*/false); + #endif + #if defined(__NR_unlink) + case __NR_unlink: + return Unlink(reinterpret_cast(args.args[0])); + #endif + #if defined(__NR_unlinkat) +- case __NR_unlinkat: { +- if (static_cast(args.args[0]) != AT_FDCWD) +- return -EPERM; +- +- int flags = static_cast(args.args[2]); +- +- if (flags == AT_REMOVEDIR) { +- return Rmdir(reinterpret_cast(args.args[1])); +- } +- +- if (flags != 0) +- return -EPERM; +- +- return Unlink(reinterpret_cast(args.args[1])); +- } ++ case __NR_unlinkat: ++ return PerformUnlinkat(args); + #endif // defined(__NR_unlinkat) + default: + RAW_CHECK(false); +diff --git a/sandbox/linux/syscall_broker/syscall_dispatcher.h b/sandbox/linux/syscall_broker/syscall_dispatcher.h +index d8b8874ad9ce4..1d6653caf3bd2 100644 +--- a/sandbox/linux/syscall_broker/syscall_dispatcher.h ++++ b/sandbox/linux/syscall_broker/syscall_dispatcher.h +@@ -9,13 +9,15 @@ + #include + + #include "sandbox/linux/system_headers/linux_seccomp.h" ++#include "sandbox/linux/system_headers/linux_stat.h" ++#include "sandbox/sandbox_export.h" + + namespace sandbox { + namespace syscall_broker { + + // An abstract class that defines all the system calls we perform for the + // sandboxed process. +-class SyscallDispatcher { ++class SANDBOX_EXPORT SyscallDispatcher { + public: + // Emulates access()/faccessat(). + // X_OK will always return an error in practice since the broker process +@@ -40,19 +42,34 @@ class SyscallDispatcher { + virtual int Rmdir(const char* path) const = 0; + + // Emulates stat()/stat64()/lstat()/lstat64()/fstatat()/newfstatat(). ++ // Stat64 is only available on 32-bit systems. + virtual int Stat(const char* pathname, + bool follow_links, +- struct stat* sb) const = 0; ++ struct kernel_stat* sb) const = 0; + virtual int Stat64(const char* pathname, + bool follow_links, +- struct stat64* sb) const = 0; ++ struct kernel_stat64* sb) const = 0; + + // Emulates unlink()/unlinkat(). + virtual int Unlink(const char* unlink) const = 0; + ++ // Different architectures use a different syscall from the stat family by ++ // default in glibc. E.g. 32-bit systems use *stat*64() and fill out struct ++ // kernel_stat64, whereas 64-bit systems use *stat*() and fill out struct ++ // kernel_stat. Some tests want to call the SyscallDispatcher directly, and ++ // should be using the default stat in order to test against glibc. ++ int DefaultStatForTesting(const char* pathname, ++ bool follow_links, ++ default_stat_struct* sb); ++ + // Validates the args passed to a *statat*() syscall and performs the syscall +- // using Stat() or Stat64(). +- int PerformStatat(const arch_seccomp_data& args, bool arch64); ++ // using Stat(), or on 32-bit systems it uses Stat64() for the *statat64() ++ // syscalls. ++ int PerformStatat(const arch_seccomp_data& args, bool stat64); ++ ++ // Validates the args passed to an unlinkat() syscall and performs the syscall ++ // using either Unlink() or Rmdir(). ++ int PerformUnlinkat(const arch_seccomp_data& args); + + // Reads the syscall number and arguments, imposes some policy (e.g. the *at() + // system calls must only allow AT_FDCWD as the first argument), and +diff --git a/sandbox/linux/system_headers/linux_stat.h b/sandbox/linux/system_headers/linux_stat.h +new file mode 100644 +index 0000000000000..35788eb22a4e5 +--- /dev/null ++++ b/sandbox/linux/system_headers/linux_stat.h +@@ -0,0 +1,188 @@ ++// Copyright 2021 The Chromium Authors. All rights reserved. ++// Use of this source code is governed by a BSD-style license that can be ++// found in the LICENSE file. ++ ++#ifndef SANDBOX_LINUX_SYSTEM_HEADERS_LINUX_STAT_H_ ++#define SANDBOX_LINUX_SYSTEM_HEADERS_LINUX_STAT_H_ ++ ++#include ++ ++#include "build/build_config.h" ++#include "sandbox/linux/system_headers/linux_syscalls.h" ++ ++#if defined(ARCH_CPU_MIPS_FAMILY) ++#if defined(ARCH_CPU_64_BITS) ++struct kernel_stat { ++#else ++struct kernel_stat64 { ++#endif ++ unsigned st_dev; ++ unsigned __pad0[3]; ++ unsigned long long st_ino; ++ unsigned st_mode; ++ unsigned st_nlink; ++ unsigned st_uid; ++ unsigned st_gid; ++ unsigned st_rdev; ++ unsigned __pad1[3]; ++ long long st_size; ++ unsigned st_atime_; ++ unsigned st_atime_nsec_; ++ unsigned st_mtime_; ++ unsigned st_mtime_nsec_; ++ unsigned st_ctime_; ++ unsigned st_ctime_nsec_; ++ unsigned st_blksize; ++ unsigned __pad2; ++ unsigned long long st_blocks; ++}; ++#else ++struct kernel_stat64 { ++ unsigned long long st_dev; ++ unsigned char __pad0[4]; ++ unsigned __st_ino; ++ unsigned st_mode; ++ unsigned st_nlink; ++ unsigned st_uid; ++ unsigned st_gid; ++ unsigned long long st_rdev; ++ unsigned char __pad3[4]; ++ long long st_size; ++ unsigned st_blksize; ++ unsigned long long st_blocks; ++ unsigned st_atime_; ++ unsigned st_atime_nsec_; ++ unsigned st_mtime_; ++ unsigned st_mtime_nsec_; ++ unsigned st_ctime_; ++ unsigned st_ctime_nsec_; ++ unsigned long long st_ino; ++}; ++#endif ++ ++#if defined(__i386__) || defined(__ARM_ARCH_3__) || defined(__ARM_EABI__) ++struct kernel_stat { ++ /* The kernel headers suggest that st_dev and st_rdev should be 32bit ++ * quantities encoding 12bit major and 20bit minor numbers in an interleaved ++ * format. In reality, we do not see useful data in the top bits. So, ++ * we'll leave the padding in here, until we find a better solution. ++ */ ++ unsigned short st_dev; ++ short pad1; ++ unsigned st_ino; ++ unsigned short st_mode; ++ unsigned short st_nlink; ++ unsigned short st_uid; ++ unsigned short st_gid; ++ unsigned short st_rdev; ++ short pad2; ++ unsigned st_size; ++ unsigned st_blksize; ++ unsigned st_blocks; ++ unsigned st_atime_; ++ unsigned st_atime_nsec_; ++ unsigned st_mtime_; ++ unsigned st_mtime_nsec_; ++ unsigned st_ctime_; ++ unsigned st_ctime_nsec_; ++ unsigned __unused4; ++ unsigned __unused5; ++}; ++#elif defined(__x86_64__) ++struct kernel_stat { ++ uint64_t st_dev; ++ uint64_t st_ino; ++ uint64_t st_nlink; ++ unsigned st_mode; ++ unsigned st_uid; ++ unsigned st_gid; ++ unsigned __pad0; ++ uint64_t st_rdev; ++ int64_t st_size; ++ int64_t st_blksize; ++ int64_t st_blocks; ++ uint64_t st_atime_; ++ uint64_t st_atime_nsec_; ++ uint64_t st_mtime_; ++ uint64_t st_mtime_nsec_; ++ uint64_t st_ctime_; ++ uint64_t st_ctime_nsec_; ++ int64_t __unused4[3]; ++}; ++#elif (defined(ARCH_CPU_MIPS_FAMILY) && defined(ARCH_CPU_32_BITS)) ++struct kernel_stat { ++ unsigned st_dev; ++ int st_pad1[3]; ++ unsigned st_ino; ++ unsigned st_mode; ++ unsigned st_nlink; ++ unsigned st_uid; ++ unsigned st_gid; ++ unsigned st_rdev; ++ int st_pad2[2]; ++ long st_size; ++ int st_pad3; ++ long st_atime_; ++ long st_atime_nsec_; ++ long st_mtime_; ++ long st_mtime_nsec_; ++ long st_ctime_; ++ long st_ctime_nsec_; ++ int st_blksize; ++ int st_blocks; ++ int st_pad4[14]; ++}; ++#elif defined(__aarch64__) ++struct kernel_stat { ++ unsigned long st_dev; ++ unsigned long st_ino; ++ unsigned int st_mode; ++ unsigned int st_nlink; ++ unsigned int st_uid; ++ unsigned int st_gid; ++ unsigned long st_rdev; ++ unsigned long __pad1; ++ long st_size; ++ int st_blksize; ++ int __pad2; ++ long st_blocks; ++ long st_atime_; ++ unsigned long st_atime_nsec_; ++ long st_mtime_; ++ unsigned long st_mtime_nsec_; ++ long st_ctime_; ++ unsigned long st_ctime_nsec_; ++ unsigned int __unused4; ++ unsigned int __unused5; ++}; ++#endif ++ ++// On 32-bit systems, we default to the 64-bit stat struct like libc ++// implementations do. Otherwise we default to the normal stat struct which is ++// already 64-bit. ++// These defines make it easy to call the right syscall to fill out a 64-bit ++// stat struct, which is the default in libc implementations but requires ++// different syscall names on 32 and 64-bit platforms. ++#if defined(__NR_fstatat64) ++ ++namespace sandbox { ++using default_stat_struct = struct kernel_stat64; ++} // namespace sandbox ++ ++#define __NR_fstatat_default __NR_fstatat64 ++#define __NR_fstat_default __NR_fstat64 ++ ++#elif defined(__NR_newfstatat) ++ ++namespace sandbox { ++using default_stat_struct = struct kernel_stat; ++} // namespace sandbox ++ ++#define __NR_fstatat_default __NR_newfstatat ++#define __NR_fstat_default __NR_fstat ++ ++#else ++#error "one of fstatat64 and newfstatat must be defined" ++#endif ++ ++#endif // SANDBOX_LINUX_SYSTEM_HEADERS_LINUX_STAT_H_ +diff --git a/sandbox/linux/system_headers/linux_time.h b/sandbox/linux/system_headers/linux_time.h +index 780f24dddd9fa..f18c806611f83 100644 +--- a/sandbox/linux/system_headers/linux_time.h ++++ b/sandbox/linux/system_headers/linux_time.h +@@ -11,6 +11,32 @@ + #define CPUCLOCK_CLOCK_MASK 3 + #endif + ++#if !defined(CPUCLOCK_PROF) ++#define CPUCLOCK_PROF 0 ++#endif ++ ++#if !defined(CPUCLOCK_VIRT) ++#define CPUCLOCK_VIRT 1 ++#endif ++ ++#if !defined(CPUCLOCK_SCHED) ++#define CPUCLOCK_SCHED 2 ++#endif ++ ++#if !defined(CPUCLOCK_PERTHREAD_MASK) ++#define CPUCLOCK_PERTHREAD_MASK 4 ++#endif ++ ++#if !defined(MAKE_PROCESS_CPUCLOCK) ++#define MAKE_PROCESS_CPUCLOCK(pid, clock) \ ++ ((int)(~(unsigned)(pid) << 3) | (int)(clock)) ++#endif ++ ++#if !defined(MAKE_THREAD_CPUCLOCK) ++#define MAKE_THREAD_CPUCLOCK(tid, clock) \ ++ ((int)(~(unsigned)(tid) << 3) | (int)((clock) | CPUCLOCK_PERTHREAD_MASK)) ++#endif ++ + #if !defined(CLOCKFD) + #define CLOCKFD 3 + #endif +diff --git a/sandbox/linux/tests/test_utils.cc b/sandbox/linux/tests/test_utils.cc +index 847c20b20c5d2..cf6041a4b476a 100644 +--- a/sandbox/linux/tests/test_utils.cc ++++ b/sandbox/linux/tests/test_utils.cc +@@ -5,12 +5,14 @@ + #include "sandbox/linux/tests/test_utils.h" + + #include ++#include + #include + #include + #include + #include + + #include "base/check_op.h" ++#include "base/memory/page_size.h" + #include "base/posix/eintr_wrapper.h" + + namespace sandbox { +@@ -39,4 +41,17 @@ void TestUtils::HandlePostForkReturn(pid_t pid) { + } + } + ++void* TestUtils::MapPagesOrDie(size_t num_pages) { ++ void* addr = mmap(nullptr, num_pages * base::GetPageSize(), ++ PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); ++ PCHECK(addr); ++ return addr; ++} ++ ++void TestUtils::MprotectLastPageOrDie(char* addr, size_t num_pages) { ++ size_t last_page_offset = (num_pages - 1) * base::GetPageSize(); ++ PCHECK(mprotect(addr + last_page_offset, base::GetPageSize(), PROT_NONE) >= ++ 0); ++} ++ + } // namespace sandbox +diff --git a/sandbox/linux/tests/test_utils.h b/sandbox/linux/tests/test_utils.h +index 7cf9749fe4f1f..43b028b1e34ef 100644 +--- a/sandbox/linux/tests/test_utils.h ++++ b/sandbox/linux/tests/test_utils.h +@@ -19,6 +19,8 @@ class TestUtils { + // makes sure that if fork() succeeded the child exits + // and the parent waits for it. + static void HandlePostForkReturn(pid_t pid); ++ static void* MapPagesOrDie(size_t num_pages); ++ static void MprotectLastPageOrDie(char* addr, size_t num_pages); + + private: + DISALLOW_IMPLICIT_CONSTRUCTORS(TestUtils); +diff --git a/sandbox/policy/linux/bpf_broker_policy_linux.cc b/sandbox/policy/linux/bpf_broker_policy_linux.cc +index 2963bb9ca8612..6dc8c0581b43c 100644 +--- a/sandbox/policy/linux/bpf_broker_policy_linux.cc ++++ b/sandbox/policy/linux/bpf_broker_policy_linux.cc +@@ -93,8 +93,8 @@ ResultExpr BrokerProcessPolicy::EvaluateSyscall(int sysno) const { + return Allow(); + break; + #endif +-#if defined(__NR_fstatat) +- case __NR_fstatat: ++#if defined(__NR_fstatat64) ++ case __NR_fstatat64: + if (allowed_command_set_.test(syscall_broker::COMMAND_STAT)) + return Allow(); + break; diff --git a/60d5e803ef2a4874d29799b638754152285e0ed9.patch b/60d5e803ef2a4874d29799b638754152285e0ed9.patch new file mode 100644 index 0000000..7baf52b --- /dev/null +++ b/60d5e803ef2a4874d29799b638754152285e0ed9.patch @@ -0,0 +1,348 @@ +From 60d5e803ef2a4874d29799b638754152285e0ed9 Mon Sep 17 00:00:00 2001 +From: Matthew Denton +Date: Wed, 21 Jul 2021 12:55:11 +0000 +Subject: [PATCH] Linux sandbox: fix fstatat() crash + +This is a reland of https://crrev.com/c/2801873. + +Glibc has started rewriting fstat(fd, stat_buf) to +fstatat(fd, "", stat_buf, AT_EMPTY_PATH). This works because when +AT_EMPTY_PATH is specified, and the second argument is an empty string, +then fstatat just performs an fstat on fd like normal. + +Unfortunately, fstatat() also allows stat-ing arbitrary pathnames like +with fstatat(AT_FDCWD, "/i/am/a/file", stat_buf, 0); +The baseline policy needs to prevent this usage of fstatat() since it +doesn't allow access to arbitrary pathnames. + +Sadly, if the second argument is not an empty string, AT_EMPTY_PATH is +simply ignored by current kernels. + +This means fstatat() is completely unsandboxable with seccomp, since +we *need* to verify that the second argument is the empty string, but +we can't dereference pointers in seccomp (due to limitations of BPF, +and the difficulty of addressing these limitations due to TOCTOU +issues). + +So, this CL Traps (raises a SIGSYS via seccomp) on any fstatat syscall. +The signal handler, which runs in the sandboxed process, checks for +AT_EMPTY_PATH and the empty string, and then rewrites any applicable +fstatat() back into the old-style fstat(). + +Bug: 1164975 +Change-Id: I3df6c04c0d781eb1f181d707ccaaead779337291 +Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3042179 +Reviewed-by: Robert Sesek +Commit-Queue: Matthew Denton +Cr-Commit-Position: refs/heads/master@{#903873} +--- + .../seccomp-bpf-helpers/baseline_policy.cc | 8 ++++++ + .../baseline_policy_unittest.cc | 17 ++++++++++++- + .../seccomp-bpf-helpers/sigsys_handlers.cc | 25 +++++++++++++++++++ + .../seccomp-bpf-helpers/sigsys_handlers.h | 14 +++++++++++ + .../linux/syscall_broker/broker_process.cc | 21 ++++++++++------ + .../syscall_broker/broker_process_unittest.cc | 18 ++++++------- + sandbox/linux/system_headers/linux_stat.h | 4 +++ + 7 files changed, 89 insertions(+), 18 deletions(-) + +diff --git a/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc b/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc +index f2a60bb4d738d..9df0d2dbd3b5f 100644 +--- a/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc ++++ b/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc +@@ -20,6 +20,7 @@ + #include "sandbox/linux/seccomp-bpf-helpers/syscall_sets.h" + #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h" + #include "sandbox/linux/services/syscall_wrappers.h" ++#include "sandbox/linux/system_headers/linux_stat.h" + #include "sandbox/linux/system_headers/linux_syscalls.h" + + #if !defined(SO_PEEK_OFF) +@@ -304,6 +305,13 @@ ResultExpr EvaluateSyscallImpl(int fs_denied_errno, + return Allow(); + } + ++ // The fstatat syscalls are file system syscalls, which will be denied below ++ // with fs_denied_errno. However some allowed fstat syscalls are rewritten by ++ // libc implementations to fstatat syscalls, and we need to rewrite them back. ++ if (sysno == __NR_fstatat_default) { ++ return RewriteFstatatSIGSYS(fs_denied_errno); ++ } ++ + if (SyscallSets::IsFileSystem(sysno) || + SyscallSets::IsCurrentDirectory(sysno)) { + return Error(fs_denied_errno); +diff --git a/sandbox/linux/seccomp-bpf-helpers/baseline_policy_unittest.cc b/sandbox/linux/seccomp-bpf-helpers/baseline_policy_unittest.cc +index 68c29b564bb8f..57d307e09d36b 100644 +--- a/sandbox/linux/seccomp-bpf-helpers/baseline_policy_unittest.cc ++++ b/sandbox/linux/seccomp-bpf-helpers/baseline_policy_unittest.cc +@@ -51,7 +51,8 @@ namespace sandbox { + + namespace { + +-// This also tests that read(), write() and fstat() are allowed. ++// This also tests that read(), write(), fstat(), and fstatat(.., "", .., ++// AT_EMPTY_PATH) are allowed. + void TestPipeOrSocketPair(base::ScopedFD read_end, base::ScopedFD write_end) { + BPF_ASSERT_LE(0, read_end.get()); + BPF_ASSERT_LE(0, write_end.get()); +@@ -60,6 +61,20 @@ void TestPipeOrSocketPair(base::ScopedFD read_end, base::ScopedFD write_end) { + BPF_ASSERT_EQ(0, sys_ret); + BPF_ASSERT(S_ISFIFO(stat_buf.st_mode) || S_ISSOCK(stat_buf.st_mode)); + ++ sys_ret = fstatat(read_end.get(), "", &stat_buf, AT_EMPTY_PATH); ++ BPF_ASSERT_EQ(0, sys_ret); ++ BPF_ASSERT(S_ISFIFO(stat_buf.st_mode) || S_ISSOCK(stat_buf.st_mode)); ++ ++ // Make sure fstatat with anything other than an empty string is denied. ++ sys_ret = fstatat(read_end.get(), "/", &stat_buf, AT_EMPTY_PATH); ++ BPF_ASSERT_EQ(sys_ret, -1); ++ BPF_ASSERT_EQ(EPERM, errno); ++ ++ // Make sure fstatat without AT_EMPTY_PATH is denied. ++ sys_ret = fstatat(read_end.get(), "", &stat_buf, 0); ++ BPF_ASSERT_EQ(sys_ret, -1); ++ BPF_ASSERT_EQ(EPERM, errno); ++ + const ssize_t kTestTransferSize = 4; + static const char kTestString[kTestTransferSize] = {'T', 'E', 'S', 'T'}; + ssize_t transfered = 0; +diff --git a/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.cc b/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.cc +index 64edbd68bde6b..71068a045277b 100644 +--- a/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.cc ++++ b/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.cc +@@ -6,6 +6,7 @@ + + #include "sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h" + ++#include + #include + #include + #include +@@ -22,6 +23,7 @@ + #include "sandbox/linux/seccomp-bpf/syscall.h" + #include "sandbox/linux/services/syscall_wrappers.h" + #include "sandbox/linux/system_headers/linux_seccomp.h" ++#include "sandbox/linux/system_headers/linux_stat.h" + #include "sandbox/linux/system_headers/linux_syscalls.h" + + #if defined(__mips__) +@@ -355,6 +357,24 @@ intptr_t SIGSYSSchedHandler(const struct arch_seccomp_data& args, + return -ENOSYS; + } + ++intptr_t SIGSYSFstatatHandler(const struct arch_seccomp_data& args, ++ void* fs_denied_errno) { ++ if (args.nr == __NR_fstatat_default) { ++ if (*reinterpret_cast(args.args[1]) == '\0' && ++ args.args[3] == static_cast(AT_EMPTY_PATH)) { ++ return syscall(__NR_fstat_default, static_cast(args.args[0]), ++ reinterpret_cast(args.args[2])); ++ } ++ return -reinterpret_cast(fs_denied_errno); ++ } ++ ++ CrashSIGSYS_Handler(args, fs_denied_errno); ++ ++ // Should never be reached. ++ RAW_CHECK(false); ++ return -ENOSYS; ++} ++ + bpf_dsl::ResultExpr CrashSIGSYS() { + return bpf_dsl::Trap(CrashSIGSYS_Handler, NULL); + } +@@ -387,6 +407,11 @@ bpf_dsl::ResultExpr RewriteSchedSIGSYS() { + return bpf_dsl::Trap(SIGSYSSchedHandler, NULL); + } + ++bpf_dsl::ResultExpr RewriteFstatatSIGSYS(int fs_denied_errno) { ++ return bpf_dsl::Trap(SIGSYSFstatatHandler, ++ reinterpret_cast(fs_denied_errno)); ++} ++ + void AllocateCrashKeys() { + #if !defined(OS_NACL_NONSFI) + if (seccomp_crash_key) +diff --git a/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h b/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h +index 7a958b93b27a7..8cd735ce15793 100644 +--- a/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h ++++ b/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h +@@ -62,6 +62,19 @@ SANDBOX_EXPORT intptr_t SIGSYSPtraceFailure(const arch_seccomp_data& args, + // sched_setparam(), sched_setscheduler() + SANDBOX_EXPORT intptr_t SIGSYSSchedHandler(const arch_seccomp_data& args, + void* aux); ++// If the fstatat() syscall is functionally equivalent to an fstat() syscall, ++// then rewrite the syscall to the equivalent fstat() syscall which can be ++// adequately sandboxed. ++// If the fstatat() is not functionally equivalent to an fstat() syscall, we ++// fail with -fs_denied_errno. ++// If the syscall is not an fstatat() at all, crash in the same way as ++// CrashSIGSYS_Handler. ++// This is necessary because glibc and musl have started rewriting fstat(fd, ++// stat_buf) as fstatat(fd, "", stat_buf, AT_EMPTY_PATH). We rewrite the latter ++// back to the former, which is actually sandboxable. ++SANDBOX_EXPORT intptr_t ++SIGSYSFstatatHandler(const struct arch_seccomp_data& args, ++ void* fs_denied_errno); + + // Variants of the above functions for use with bpf_dsl. + SANDBOX_EXPORT bpf_dsl::ResultExpr CrashSIGSYS(); +@@ -72,6 +85,7 @@ SANDBOX_EXPORT bpf_dsl::ResultExpr CrashSIGSYSKill(); + SANDBOX_EXPORT bpf_dsl::ResultExpr CrashSIGSYSFutex(); + SANDBOX_EXPORT bpf_dsl::ResultExpr CrashSIGSYSPtrace(); + SANDBOX_EXPORT bpf_dsl::ResultExpr RewriteSchedSIGSYS(); ++SANDBOX_EXPORT bpf_dsl::ResultExpr RewriteFstatatSIGSYS(int fs_denied_errno); + + // Allocates a crash key so that Seccomp information can be recorded. + void AllocateCrashKeys(); +diff --git a/sandbox/linux/syscall_broker/broker_process.cc b/sandbox/linux/syscall_broker/broker_process.cc +index c2176eb785e78..e9dad37485aef 100644 +--- a/sandbox/linux/syscall_broker/broker_process.cc ++++ b/sandbox/linux/syscall_broker/broker_process.cc +@@ -113,44 +113,49 @@ bool BrokerProcess::IsSyscallAllowed(int sysno) const { + } + + bool BrokerProcess::IsSyscallBrokerable(int sysno, bool fast_check) const { ++ // The syscalls unavailable on aarch64 are all blocked by Android's default ++ // seccomp policy, even on non-aarch64 architectures. I.e., the syscalls XX() ++ // with a corresponding XXat() versions are typically unavailable in aarch64 ++ // and are default disabled in Android. So, we should refuse to broker them ++ // to be consistent with the platform's restrictions. + switch (sysno) { +-#if !defined(__aarch64__) ++#if !defined(__aarch64__) && !defined(OS_ANDROID) + case __NR_access: + #endif + case __NR_faccessat: + return !fast_check || allowed_command_set_.test(COMMAND_ACCESS); + +-#if !defined(__aarch64__) ++#if !defined(__aarch64__) && !defined(OS_ANDROID) + case __NR_mkdir: + #endif + case __NR_mkdirat: + return !fast_check || allowed_command_set_.test(COMMAND_MKDIR); + +-#if !defined(__aarch64__) ++#if !defined(__aarch64__) && !defined(OS_ANDROID) + case __NR_open: + #endif + case __NR_openat: + return !fast_check || allowed_command_set_.test(COMMAND_OPEN); + +-#if !defined(__aarch64__) ++#if !defined(__aarch64__) && !defined(OS_ANDROID) + case __NR_readlink: + #endif + case __NR_readlinkat: + return !fast_check || allowed_command_set_.test(COMMAND_READLINK); + +-#if !defined(__aarch64__) ++#if !defined(__aarch64__) && !defined(OS_ANDROID) + case __NR_rename: + #endif + case __NR_renameat: + case __NR_renameat2: + return !fast_check || allowed_command_set_.test(COMMAND_RENAME); + +-#if !defined(__aarch64__) ++#if !defined(__aarch64__) && !defined(OS_ANDROID) + case __NR_rmdir: + return !fast_check || allowed_command_set_.test(COMMAND_RMDIR); + #endif + +-#if !defined(__aarch64__) ++#if !defined(__aarch64__) && !defined(OS_ANDROID) + case __NR_stat: + case __NR_lstat: + #endif +@@ -175,7 +180,7 @@ bool BrokerProcess::IsSyscallBrokerable(int sysno, bool fast_check) const { + return !fast_check || allowed_command_set_.test(COMMAND_STAT); + #endif + +-#if !defined(__aarch64__) ++#if !defined(__aarch64__) && !defined(OS_ANDROID) + case __NR_unlink: + return !fast_check || allowed_command_set_.test(COMMAND_UNLINK); + #endif +diff --git a/sandbox/linux/syscall_broker/broker_process_unittest.cc b/sandbox/linux/syscall_broker/broker_process_unittest.cc +index c65f25a78a999..f0db08d84e06c 100644 +--- a/sandbox/linux/syscall_broker/broker_process_unittest.cc ++++ b/sandbox/linux/syscall_broker/broker_process_unittest.cc +@@ -1596,52 +1596,52 @@ TEST(BrokerProcess, IsSyscallAllowed) { + const base::flat_map> kSysnosForCommand = { + {COMMAND_ACCESS, + {__NR_faccessat, +-#if defined(__NR_access) ++#if defined(__NR_access) && !defined(OS_ANDROID) + __NR_access + #endif + }}, + {COMMAND_MKDIR, + {__NR_mkdirat, +-#if defined(__NR_mkdir) ++#if defined(__NR_mkdir) && !defined(OS_ANDROID) + __NR_mkdir + #endif + }}, + {COMMAND_OPEN, + {__NR_openat, +-#if defined(__NR_open) ++#if defined(__NR_open) && !defined(OS_ANDROID) + __NR_open + #endif + }}, + {COMMAND_READLINK, + {__NR_readlinkat, +-#if defined(__NR_readlink) ++#if defined(__NR_readlink) && !defined(OS_ANDROID) + __NR_readlink + #endif + }}, + {COMMAND_RENAME, + {__NR_renameat, +-#if defined(__NR_rename) ++#if defined(__NR_rename) && !defined(OS_ANDROID) + __NR_rename + #endif + }}, + {COMMAND_UNLINK, + {__NR_unlinkat, +-#if defined(__NR_unlink) ++#if defined(__NR_unlink) && !defined(OS_ANDROID) + __NR_unlink + #endif + }}, + {COMMAND_RMDIR, + {__NR_unlinkat, +-#if defined(__NR_rmdir) ++#if defined(__NR_rmdir) && !defined(OS_ANDROID) + __NR_rmdir + #endif + }}, + {COMMAND_STAT, + { +-#if defined(__NR_stat) ++#if defined(__NR_stat) && !defined(OS_ANDROID) + __NR_stat, + #endif +-#if defined(__NR_lstat) ++#if defined(__NR_lstat) && !defined(OS_ANDROID) + __NR_lstat, + #endif + #if defined(__NR_fstatat) +diff --git a/sandbox/linux/system_headers/linux_stat.h b/sandbox/linux/system_headers/linux_stat.h +index 35788eb22a4e5..83b89efc75e5e 100644 +--- a/sandbox/linux/system_headers/linux_stat.h ++++ b/sandbox/linux/system_headers/linux_stat.h +@@ -157,6 +157,10 @@ struct kernel_stat { + }; + #endif + ++#if !defined(AT_EMPTY_PATH) ++#define AT_EMPTY_PATH 0x1000 ++#endif ++ + // On 32-bit systems, we default to the 64-bit stat struct like libc + // implementations do. Otherwise we default to the normal stat struct which is + // already 64-bit. diff --git a/b2fbcdbe30cb84cd2f0b63e453f3782c49213264.patch b/b2fbcdbe30cb84cd2f0b63e453f3782c49213264.patch new file mode 100644 index 0000000..78eab1c --- /dev/null +++ b/b2fbcdbe30cb84cd2f0b63e453f3782c49213264.patch @@ -0,0 +1,70 @@ +From b2fbcdbe30cb84cd2f0b63e453f3782c49213264 Mon Sep 17 00:00:00 2001 +From: Matthew Denton +Date: Wed, 21 Jul 2021 17:12:27 +0000 +Subject: [PATCH] Linux sandbox: ENOSYS for some statx syscalls + +On some platforms, glibc will default to statx for normal stat-family +calls. Unfortunately there's no way to rewrite statx to something safe +using a signal handler. Returning ENOSYS will cause glibc to fallback +to old stat paths. + +Change-Id: Ieaddc8020b6555f2dfdc443197d13cb3fccc6bf1 +Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2823150 +Commit-Queue: Matthew Denton +Reviewed-by: Robert Sesek +Cr-Commit-Position: refs/heads/master@{#903952} +--- + sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc | 11 +++++++++++ + sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc | 1 + + sandbox/linux/system_headers/linux_stat.h | 4 ++++ + 3 files changed, 16 insertions(+) + +diff --git a/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc b/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc +index 9df0d2dbd3b5f..049e921694eda 100644 +--- a/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc ++++ b/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc +@@ -312,6 +312,17 @@ ResultExpr EvaluateSyscallImpl(int fs_denied_errno, + return RewriteFstatatSIGSYS(fs_denied_errno); + } + ++ // The statx syscall is a filesystem syscall, which will be denied below with ++ // fs_denied_errno. However, on some platforms, glibc will default to statx ++ // for normal stat-family calls. Unfortunately there's no way to rewrite statx ++ // to something safe using a signal handler. Returning ENOSYS will cause glibc ++ // to fallback to old stat paths. ++ if (sysno == __NR_statx) { ++ const Arg mask(3); ++ return If(mask == STATX_BASIC_STATS, Error(ENOSYS)) ++ .Else(Error(fs_denied_errno)); ++ } ++ + if (SyscallSets::IsFileSystem(sysno) || + SyscallSets::IsCurrentDirectory(sysno)) { + return Error(fs_denied_errno); +diff --git a/sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc b/sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc +index 96c9f490e28cd..8227dc1854643 100644 +--- a/sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc ++++ b/sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc +@@ -171,6 +171,7 @@ bool SyscallSets::IsFileSystem(int sysno) { + (defined(ARCH_CPU_MIPS_FAMILY) && defined(ARCH_CPU_32_BITS)) + case __NR_statfs64: + #endif ++ case __NR_statx: // EPERM not a valid errno. + case __NR_symlinkat: + case __NR_truncate: + #if defined(__i386__) || defined(__arm__) || \ +diff --git a/sandbox/linux/system_headers/linux_stat.h b/sandbox/linux/system_headers/linux_stat.h +index 83b89efc75e5e..e697dd6777ef5 100644 +--- a/sandbox/linux/system_headers/linux_stat.h ++++ b/sandbox/linux/system_headers/linux_stat.h +@@ -161,6 +161,10 @@ struct kernel_stat { + #define AT_EMPTY_PATH 0x1000 + #endif + ++#if !defined(STATX_BASIC_STATS) ++#define STATX_BASIC_STATS 0x000007ffU ++#endif ++ + // On 32-bit systems, we default to the 64-bit stat struct like libc + // implementations do. Otherwise we default to the normal stat struct which is + // already 64-bit. diff --git a/chromium-45.0.2454.101-system-icu-54-does-not-have-detectHostTimeZone.patch b/chromium-45.0.2454.101-system-icu-54-does-not-have-detectHostTimeZone.patch deleted file mode 100644 index f92b534..0000000 --- a/chromium-45.0.2454.101-system-icu-54-does-not-have-detectHostTimeZone.patch +++ /dev/null @@ -1,12 +0,0 @@ -diff -up chromium-45.0.2454.101/content/browser/time_zone_monitor.cc.system-icu chromium-45.0.2454.101/content/browser/time_zone_monitor.cc ---- chromium-45.0.2454.101/content/browser/time_zone_monitor.cc.system-icu 2015-10-13 13:42:42.816642333 -0400 -+++ chromium-45.0.2454.101/content/browser/time_zone_monitor.cc 2015-10-13 13:43:13.750917363 -0400 -@@ -22,7 +22,7 @@ TimeZoneMonitor::~TimeZoneMonitor() { - - void TimeZoneMonitor::NotifyRenderers() { - DCHECK_CURRENTLY_ON(BrowserThread::UI); --#if defined(OS_CHROMEOS) -+#if defined(OS_CHROMEOS) || U_ICU_VERSION_MAJOR_NUM < 55 - // On CrOS, ICU's default tz is already set to a new zone. No - // need to redetect it with detectHostTimeZone(). - scoped_ptr new_zone(icu::TimeZone::createDefault()); diff --git a/chromium-50-system-ffmpeg-3.patch b/chromium-50-system-ffmpeg-3.patch deleted file mode 100644 index d965c70..0000000 --- a/chromium-50-system-ffmpeg-3.patch +++ /dev/null @@ -1,39 +0,0 @@ -diff -up chromium-51.0.2687.0/third_party/webrtc/modules/video_coding/codecs/h264/h264_decoder_impl.cc.system-ffmpeg-3 chromium-51.0.2687.0/third_party/webrtc/modules/video_coding/codecs/h264/h264_decoder_impl.cc ---- chromium-51.0.2687.0/third_party/webrtc/modules/video_coding/codecs/h264/h264_decoder_impl.cc.system-ffmpeg-3 2016-03-22 23:02:39.000000000 +0100 -+++ chromium-51.0.2687.0/third_party/webrtc/modules/video_coding/codecs/h264/h264_decoder_impl.cc 2016-03-23 18:51:16.810699343 +0100 -@@ -15,9 +15,9 @@ - #include - - extern "C" { --#include "third_party/ffmpeg/libavcodec/avcodec.h" --#include "third_party/ffmpeg/libavformat/avformat.h" --#include "third_party/ffmpeg/libavutil/imgutils.h" -+#include -+#include -+#include - } // extern "C" - - #include "api/video/color_space.h" -diff -up chromium-51.0.2687.0/third_party/webrtc/modules/video_coding/codecs/h264/h264_decoder_impl.h.system-ffmpeg-3 chromium-51.0.2687.0/third_party/webrtc/modules/video_coding/codecs/h264/h264_decoder_impl.h ---- chromium-51.0.2687.0/third_party/webrtc/modules/video_coding/codecs/h264/h264_decoder_impl.h.system-ffmpeg-3 2016-03-23 18:55:39.080894319 +0100 -+++ chromium-51.0.2687.0/third_party/webrtc/modules/video_coding/codecs/h264/h264_decoder_impl.h 2016-03-23 18:54:32.178123691 +0100 -@@ -17,7 +17,7 @@ - // passed to ffmpeg. - - extern "C" { --#include "third_party/ffmpeg/libavcodec/avcodec.h" -+#include - } // extern "C" - - #include "common_video/h264/h264_bitstream_parser.h" ---- chromium-86.0.4240.111/third_party/webrtc/modules/video_coding/codecs/h264/h264_color_space.h.orig -+++ chromium-86.0.4240.111/third_party/webrtc/modules/video_coding/codecs/h264/h264_color_space.h -@@ -23,7 +23,7 @@ - #include "api/video/color_space.h" - - extern "C" { --#include "third_party/ffmpeg/libavcodec/avcodec.h" -+#include - } // extern "C" - - namespace webrtc { diff --git a/chromium-54-proprietary-codecs-assert.patch b/chromium-54-proprietary-codecs-assert.patch deleted file mode 100644 index 56318ab..0000000 --- a/chromium-54-proprietary-codecs-assert.patch +++ /dev/null @@ -1,16 +0,0 @@ -diff -up chromium-62.0.3192.0/media/BUILD.gn.proprietary-codecs chromium-62.0.3192.0/media/BUILD.gn ---- chromium-62.0.3192.0/media/BUILD.gn.proprietary-codecs 2017-08-30 16:13:04.296259457 +0200 -+++ chromium-62.0.3192.0/media/BUILD.gn 2017-08-30 16:18:23.778444612 +0200 -@@ -33,12 +33,6 @@ buildflag_header("media_features") { - ] - } - --if (proprietary_codecs && media_use_ffmpeg) { -- assert( -- ffmpeg_branding != "Chromium", -- "proprietary codecs and ffmpeg_branding set to Chromium are incompatible") --} -- - # Common configuration for targets in the media directory; these must not be - # exported since things like USE_NEON and USE_CRAS have different meanings - # elsewhere in the code base. diff --git a/chromium-79.0.3945.88-deleted-chromium-gost-info.patch b/chromium-79.0.3945.88-deleted-chromium-gost-info.patch deleted file mode 100644 index 3492abf..0000000 --- a/chromium-79.0.3945.88-deleted-chromium-gost-info.patch +++ /dev/null @@ -1,34 +0,0 @@ -diff --git a/chrome/installer/linux/common/chromium-browser/chromium-browser.info b/chrome/installer/linux/common/chromium-browser/chromium-browser.info -index 6f67b06166f0..997d45b6af45 100644 ---- a/chrome/installer/linux/common/chromium-browser/chromium-browser.info -+++ b/chrome/installer/linux/common/chromium-browser/chromium-browser.info -@@ -6,7 +6,7 @@ - # chromium-browser packages for various platforms. - - # Base name of the package. --PACKAGE="chromium-browser" -+PACKAGE="chromium-gost" - - # Base name of the snap package - SNAPNAME="chromium" -@@ -15,16 +15,16 @@ SNAPNAME="chromium" - PROGNAME=chrome - - # Base directory for package installation. --INSTALLDIR=/opt/chromium.org/chromium -+INSTALLDIR=/opt/chromium-gost - - # Display string for desktop menu/icon. --MENUNAME="Chromium Web Browser" -+MENUNAME="chromium-gost" - - # Brief package description. --SHORTDESC="The web browser from Chromium.org" -+SHORTDESC="Chromium browser with GOST cryptography support" - - # Detailed package description. --FULLDESC="Chromium is a browser that combines a minimal design with sophisticated technology to make the web faster, safer, and easier." -+FULLDESC="Chromium is a browser that combines a minimal design with sophisticated technology to make the web faster, safer, and easier. This version supports GOST cryptography in TLS-connections." - - # Package maintainer information. - # TODO(mmoss) Setup a mailbox for this address diff --git a/chromium-90.0.4430.72-fstatfix.patch b/chromium-90.0.4430.72-fstatfix.patch deleted file mode 100644 index 6d3f71b..0000000 --- a/chromium-90.0.4430.72-fstatfix.patch +++ /dev/null @@ -1,141 +0,0 @@ -diff -up chromium-90.0.4430.72/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc.fstatfix chromium-90.0.4430.72/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc ---- chromium-90.0.4430.72/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc.fstatfix 2021-04-16 15:35:53.869542483 -0400 -+++ chromium-90.0.4430.72/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc 2021-04-16 15:38:19.754688717 -0400 -@@ -269,6 +269,18 @@ ResultExpr EvaluateSyscallImpl(int fs_de - return Allow(); - } - -+#if defined(__NR_newfstatat) -+ if (sysno == __NR_newfstatat) { -+ return RewriteFstatatSIGSYS(); -+ } -+#endif -+ -+#if defined(__NR_fstatat64) -+ if (sysno == __NR_fstatat64) { -+ return RewriteFstatatSIGSYS(); -+ } -+#endif -+ - if (SyscallSets::IsFileSystem(sysno) || - SyscallSets::IsCurrentDirectory(sysno)) { - return Error(fs_denied_errno); -diff -up chromium-90.0.4430.72/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.cc.fstatfix chromium-90.0.4430.72/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.cc ---- chromium-90.0.4430.72/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.cc.fstatfix 2021-04-14 14:41:08.000000000 -0400 -+++ chromium-90.0.4430.72/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.cc 2021-04-16 15:35:53.869542483 -0400 -@@ -6,6 +6,8 @@ - - #include "sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h" - -+#include -+#include - #include - #include - #include -@@ -355,6 +357,35 @@ intptr_t SIGSYSSchedHandler(const struct - return -ENOSYS; - } - -+intptr_t SIGSYSFstatatHandler(const struct arch_seccomp_data& args, -+ void* aux) { -+ switch (args.nr) { -+#if defined(__NR_newfstatat) -+ case __NR_newfstatat: -+#endif -+#if defined(__NR_fstatat64) -+ case __NR_fstatat64: -+#endif -+#if defined(__NR_newfstatat) || defined(__NR_fstatat64) -+ if (*reinterpret_cast(args.args[1]) == '\0' -+ && args.args[3] == static_cast(AT_EMPTY_PATH)) { -+ return sandbox::sys_fstat64(static_cast(args.args[0]), -+ reinterpret_cast(args.args[2])); -+ } else { -+ errno = EACCES; -+ return -1; -+ } -+ break; -+#endif -+ } -+ -+ CrashSIGSYS_Handler(args, aux); -+ -+ // Should never be reached. -+ RAW_CHECK(false); -+ return -ENOSYS; -+} -+ - bpf_dsl::ResultExpr CrashSIGSYS() { - return bpf_dsl::Trap(CrashSIGSYS_Handler, NULL); - } -@@ -387,6 +418,10 @@ bpf_dsl::ResultExpr RewriteSchedSIGSYS() - return bpf_dsl::Trap(SIGSYSSchedHandler, NULL); - } - -+bpf_dsl::ResultExpr RewriteFstatatSIGSYS() { -+ return bpf_dsl::Trap(SIGSYSFstatatHandler, NULL); -+} -+ - void AllocateCrashKeys() { - #if !defined(OS_NACL_NONSFI) - if (seccomp_crash_key) -diff -up chromium-90.0.4430.72/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h.fstatfix chromium-90.0.4430.72/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h ---- chromium-90.0.4430.72/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h.fstatfix 2021-04-14 14:41:08.000000000 -0400 -+++ chromium-90.0.4430.72/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h 2021-04-16 15:35:53.869542483 -0400 -@@ -62,6 +62,10 @@ SANDBOX_EXPORT intptr_t SIGSYSPtraceFail - // sched_setparam(), sched_setscheduler() - SANDBOX_EXPORT intptr_t SIGSYSSchedHandler(const arch_seccomp_data& args, - void* aux); -+// If the fstatat syscall is actually a disguised fstat, calls the regular fstat -+// syscall, otherwise, crashes in the same way as CrashSIGSYS_Handler. -+SANDBOX_EXPORT intptr_t SIGSYSFstatatHandler(const struct arch_seccomp_data& args, -+ void* aux); - - // Variants of the above functions for use with bpf_dsl. - SANDBOX_EXPORT bpf_dsl::ResultExpr CrashSIGSYS(); -@@ -72,6 +76,7 @@ SANDBOX_EXPORT bpf_dsl::ResultExpr Crash - SANDBOX_EXPORT bpf_dsl::ResultExpr CrashSIGSYSFutex(); - SANDBOX_EXPORT bpf_dsl::ResultExpr CrashSIGSYSPtrace(); - SANDBOX_EXPORT bpf_dsl::ResultExpr RewriteSchedSIGSYS(); -+SANDBOX_EXPORT bpf_dsl::ResultExpr RewriteFstatatSIGSYS(); - - // Allocates a crash key so that Seccomp information can be recorded. - void AllocateCrashKeys(); -diff -up chromium-90.0.4430.72/sandbox/linux/services/syscall_wrappers.cc.fstatfix chromium-90.0.4430.72/sandbox/linux/services/syscall_wrappers.cc ---- chromium-90.0.4430.72/sandbox/linux/services/syscall_wrappers.cc.fstatfix 2021-04-14 14:41:08.000000000 -0400 -+++ chromium-90.0.4430.72/sandbox/linux/services/syscall_wrappers.cc 2021-04-16 15:35:53.869542483 -0400 -@@ -261,4 +261,13 @@ int sys_sigaction(int signum, - - #endif // defined(MEMORY_SANITIZER) - -+SANDBOX_EXPORT int sys_fstat64(int fd, struct stat64 *buf) -+{ -+#if defined(__NR_fstat64) -+ return syscall(__NR_fstat64, fd, buf); -+#else -+ return syscall(__NR_fstat, fd, buf); -+#endif -+} -+ - } // namespace sandbox -diff -up chromium-90.0.4430.72/sandbox/linux/services/syscall_wrappers.h.fstatfix chromium-90.0.4430.72/sandbox/linux/services/syscall_wrappers.h ---- chromium-90.0.4430.72/sandbox/linux/services/syscall_wrappers.h.fstatfix 2021-04-14 14:41:08.000000000 -0400 -+++ chromium-90.0.4430.72/sandbox/linux/services/syscall_wrappers.h 2021-04-16 15:35:53.870542491 -0400 -@@ -17,6 +17,7 @@ struct sock_fprog; - struct rlimit64; - struct cap_hdr; - struct cap_data; -+struct stat64; - - namespace sandbox { - -@@ -84,6 +85,9 @@ SANDBOX_EXPORT int sys_sigaction(int sig - const struct sigaction* act, - struct sigaction* oldact); - -+// Recent glibc rewrites fstat to fstatat. -+SANDBOX_EXPORT int sys_fstat64(int fd, struct stat64 *buf); -+ - } // namespace sandbox - - #endif // SANDBOX_LINUX_SERVICES_SYSCALL_WRAPPERS_H_ diff --git a/chromium-browser-stable.spec b/chromium-browser-stable.spec index 3b1dd64..4d1f827 100644 --- a/chromium-browser-stable.spec +++ b/chromium-browser-stable.spec @@ -6,6 +6,7 @@ # [5] https://gitweb.gentoo.org/repo/gentoo.git/tree/www-client/chromium/ # [6] https://packages.altlinux.org/ru/sisyphus/srpms/chromium # [7] https://packages.altlinux.org/ru/sisyphus/specfiles/chromium-gost +# [8] https://github.com/saiarcot895/chromium-ubuntu-build # Get the version number of latest stable version # $ curl -s 'https://omahaproxy.appspot.com/all?os=linux&channel=stable' | sed 1d | cut -d , -f 3 @@ -35,10 +36,9 @@ %define crname chromium-browser %define _crdir %{_libdir}/%{crname} - -%define ffmpeg 1 -%define icu 0 -%define jsoncpp 0 +# Yandex Browser, Opera and other proprietary forks of Chromium look for libffmpeg.so in /usr/lib/chromium-browser, +# while we use /usr/lib64/chromium-browser on x86_64 +%define _crdir_compat %{_prefix}/lib/%{crname} # Set up Google API keys, see http://www.chromium.org/developers/how-tos/api-keys # Note: these are for Mageia use ONLY. @@ -50,8 +50,8 @@ # GOST patches and sources # Using commit hashes because upstream often puts tags long after making changes # (they wait for builds to finish to make a new "release" with binary packages) -%define chromium_gost_commit efa8e0fdd004f162c8f8f537a137f124c814e0bf -%define msspi_commit 32779bace9dd0ab644e016afe13af3f2ee1a54bd +%define chromium_gost_commit 3181acb959fcb8de4aa3aca4c51d8a89b90d367d +%define msspi_commit 676e76df03782fa965d8f985f4bd2e4c3ee81386 %define _gostsourcedir %{_builddir}/chromium-gost %define xcb_version 1.14.1 @@ -70,8 +70,7 @@ # Do not provide libEGL.so, libGLESv2.so %global __provides_exclude_from ^%{_crdir}/.*\\.so$ -# Chromium build scripts are not compatible with Python 3 yet -%define __python %{__python2} +%define __python %{__python3} # workaround rpmlint bugs (?) %global _build_pkgcheck_set /bin/sh %{_sourcedir}/rpmlint-wrapper.sh %{_build_pkgcheck_set} @@ -80,7 +79,7 @@ Summary: A fast web browser based on the Blink engine Name: chromium-browser-stable -Version: 91.0.4472.114 +Version: 93.0.4577.63 Release: 1 License: BSD, LGPL Group: Networking/WWW @@ -95,7 +94,7 @@ Source20: https://www.x.org/releases/individual/proto/xcb-proto-%{xcb_version}.t # From https://github.com/systemd/systemd/blob/main/src/basic/missing_fcntl.h # to fix building on rosa2016.1 where glibc does not have /usr/include/bits/fcntl-linux.h Source21: missing_fcntl.h -Source30: master_preferences +Source30: master_preferences.json Source31: default_bookmarks.html Source32: chromium.default Source100: icons.tar.bz2 @@ -106,55 +105,29 @@ Source999: new-system-icons.tar.xz Source1101: https://github.com/deemru/chromium-gost/archive/%{chromium_gost_commit}.tar.gz?/chromium-gost-%{chromium_gost_commit}.tar.gz Source1102: https://github.com/deemru/msspi/archive/%{msspi_commit}.tar.gz?/msspi-%{msspi_commit}.tar.gz -# needs with gost -# https://github.com/deemru/chromium-gost/blob/master/patch/chromium.patch -Patch1: chromium-79.0.3945.88-deleted-chromium-gost-info.patch - Patch4: chromium-30.0.1599.66-master-prefs-path.patch - -Patch22: chromium-54-proprietary-codecs-assert.patch -%if 0%{jsoncpp} -# (cjw) add missing unbundle gn files (1) -Patch28: chromium-53-gn-system-icu-jsoncpp.patch -%endif -# (cjw) fix webrtc build with system ffmpeg -Patch35: chromium-50-system-ffmpeg-3.patch # (cjw) fix gn bootstrapping with gcc Patch190: chromium-69-gn-bootstrap.patch - -# Google patched their bundled copy of icu 54 to include API functionality that wasn't added until 55. -# :P -Patch502: chromium-45.0.2454.101-system-icu-54-does-not-have-detectHostTimeZone.patch -# Patch to fix build with use_system_libvpx -# Chromium bug #541273 -# fix build with icu other than 54 -Patch504: chromium-system-icu-r0.patch - -# ROSA Build -Patch600: chromium-buildname-60.0.3112.90.patch # Patch to fix build Patch601: chromium-62-include-cstdlib.patch - # Add "ROSA" to the user agent string Patch627: chromium-68.0.3440.106-rosa-user-agent.patch # Fix building third_party/wayland on rosa2016.1 Patch639: wayland-strndup.patch -# Fix sandbox code to properly handle the new way that glibc handles fstat in rosa2019.1+ -# Thanks to Kevin Kofler for the fix (from Fedora) -Patch640: chromium-90.0.4430.72-fstatfix.patch # Fix building with current glib2.0 # Hunks from https://build.opensuse.org/package/view_file/openSUSE:Factory/chromium/chromium-gcc11.patch Patch643: glib2.0.patch -# Enable hw mjpeg decoding, Nvidia etc. -# https://github.com/saiarcot895/chromium-ubuntu-build/blob/master/debian/patches/enable-vaapi-on-linux.diff -Patch644: enable-vaapi-on-linux.diff -# Enable VA-API with VDPAU backend on Nvidia GPUs -# https://github.com/saiarcot895/chromium-ubuntu-build/blob/master/debian/patches/vdpau-support.patch -Patch645: vdpau-support.patch -Patch646: ALT-allow-to-override-clang-through-env-variables.patch +# Fix mess of python2 and python3 +# https://github.com/saiarcot895/chromium-ubuntu-build/blob/master/debian/patches/rename-python-to-python2.patch +Patch646: rename-python-to-python2.patch +Patch647: ALT-allow-to-override-clang-through-env-variables.patch # XXX This patch is not enough to fully fix debuginfo and debugsource subpackages -Patch647: fix-debugsource.patch -Patch648: off-java-check.patch +Patch648: fix-debugsource.patch +Patch649: off-java-check.patch +# From Chromium 94+ for new glibc +Patch650: https://github.com/chromium/chromium/commit/4b438323d68840453b5ef826c3997568e2e0e8c7.patch +Patch651: https://github.com/chromium/chromium/commit/60d5e803ef2a4874d29799b638754152285e0ed9.patch +Patch652: https://github.com/chromium/chromium/commit/b2fbcdbe30cb84cd2f0b63e453f3782c49213264.patch BuildRequires: bison BuildRequires: llvm12 @@ -176,15 +149,13 @@ BuildRequires: atomic-devel BuildRequires: bzip2-devel BuildRequires: cap-devel BuildRequires: cups-devel +# %{_bindir}/eu-strip +BuildRequires: elfutils BuildRequires: elfutils-devel BuildRequires: multiarch-utils BuildRequires: java-devel -BuildRequires: jpeg-devel -%if 0%{jsoncpp} -BuildRequires: jsoncpp-devel -%endif BuildRequires: pam-devel -BuildRequires: %{python2} +BuildRequires: python3 BuildRequires: snappy-devel BuildRequires: speech-dispatcher-devel BuildRequires: pkgconfig(alsa) @@ -197,9 +168,6 @@ BuildRequires: pkgconfig(krb5) BuildRequires: pkgconfig(krb5-gssapi) %endif BuildRequires: pkgconfig(expat) -%if 0%{?ffmpeg} -BuildRequires: pkgconfig(libavcodec) >= 4.0.2 -%endif BuildRequires: pkgconfig(flac) BuildRequires: pkgconfig(fontconfig) BuildRequires: pkgconfig(freetype2) @@ -208,32 +176,21 @@ BuildRequires: pkgconfig(gconf-2.0) BuildRequires: pkgconfig(gl) BuildRequires: pkgconfig(glib-2.0) BuildRequires: pkgconfig(glu) -BuildRequires: pkgconfig(gnome-keyring-1) BuildRequires: pkgconfig(gstreamer-plugins-base-1.0) BuildRequires: pkgconfig(gtk+-3.0) BuildRequires: pkgconfig(harfbuzz) -%if 0%{icu} -BuildRequires: pkgconfig(icu-i18n) -%endif -BuildRequires: pkgconfig(libexif) BuildRequires: pkgconfig(libgcrypt) BuildRequires: pkgconfig(libmtp) BuildRequires: pkgconfig(libopenjp2) BuildRequires: pkgconfig(libpci) -%if %{without native_libpng} -BuildRequires: pkgconfig(libpng) -%endif BuildRequires: pkgconfig(libpulse) -BuildRequires: pkgconfig(libtiff-4) BuildRequires: pkgconfig(libusb-1.0) BuildRequires: pkgconfig(libxml-2.0) BuildRequires: pkgconfig(libxslt) BuildRequires: pkgconfig(libva) BuildRequires: pkgconfig(glesv2) -BuildRequires: pkgconfig(minizip) BuildRequires: pkgconfig(nspr) BuildRequires: pkgconfig(nss) -BuildRequires: pkgconfig(opus) %if %{mdvver} >= 201910 # Upstream Chromium is comatible with 0.2, we patch for 0.3 BuildRequires: pkgconfig(libpipewire-0.3) @@ -250,10 +207,11 @@ BuildRequires: pythonegg(setuptools) BuildRequires: chrpath %endif +Requires: chromium-codecs = %{EVRD} + +%if %{mdvver} <= 201610 Conflicts: chromium-widevinecdm-plugin < 54 Obsoletes: chromium-widevinecdm-plugin < 54 -Conflicts: %{crname}-beta -Conflicts: %{crname}-unstable # There was a dummy empty package chromium-browser # which depended from chromium-browser-stable and nothing more. # We decided to remove that package. @@ -261,6 +219,8 @@ Conflicts: %{crname}-unstable Obsoletes: %{crname} < 1:%{version}-%{release} Provides: %{crname} = 1:%{version}-%{release} Obsoletes: chromium-gost-lib < 78.0.3904.70 +%endif + %if %{with gost} Provides: chromium-gost-lib = %{EVRD} %endif @@ -284,6 +244,7 @@ if proprietary CryptoPro is installed. %{_crdir}/chromium-wrapper %{_crdir}/chrome %{_crdir}/chrome-sandbox +%{_crdir}/crashpad_handler %{_crdir}/icudtl.dat %{_crdir}/locales %{_crdir}/*.pak @@ -308,6 +269,25 @@ fi #---------------------------------------------------------------------------- +%package -n chromium-codecs +Summary: FFmpeg library for supporting media codecs in Chromium-based browsers +# alike Ubuntu +Provides: chromium-codecs-ffmpeg-extra = %{EVRD} +Provides: chromium-codecs-ffmpeg = %{EVRD} + +%description -n chromium-codecs +FFmpeg (libffmpeg.so) for Chromium-based browsers. +This packaged is build from Chromium's bundled FFmpeg +with proprietary codecs turned on. + +%files -n chromium-codecs +%{_crdir}/libffmpeg.so +%if "%{_lib}" != "lib" +%{_crdir_compat}/libffmpeg.so +%endif + +#---------------------------------------------------------------------------- + %package -n chromedriver Summary: WebDriver for Google Chrome/Chromium Group: Development/Other @@ -338,10 +318,13 @@ sed -i \ -e "s,^#include <../ssl/internal.h>,#include \"${PWD}/third_party/boringssl/src/ssl/internal.h\",g" \ %{_gostsourcedir}/src/gostssl.cpp tar -C %{_gostsourcedir}/src/msspi --strip 1 -xf %{SOURCE1102} -sed -i 's/ (Chromium GOST)//g' %{_gostsourcedir}/patch/chromium.patch -sed -i 's/Chromium GOST/Chromium/g' %{_gostsourcedir}/patch/chromium.patch +sed -i'' %{_gostsourcedir}/patch/chromium.patch \ + -e 's/ (Chromium GOST)//g' \ + -e 's/Chromium GOST/Chromium/g' \ + -e 's/"chromium-gost"/"chromium-browser"/g' \ + -e 's/"chromium-gost.desktop"/"chromium-browser.desktop"/g' \ + -- patch -p1 < %{_gostsourcedir}/patch/chromium.patch -%patch1 -p1 -R ( cd ./third_party/boringssl/src patch -p1 < %{_gostsourcedir}/patch/boringssl.patch ) @@ -350,32 +333,7 @@ cp -f %{_gostsourcedir}/src/msspi/src/* third_party/boringssl cp -f %{_gostsourcedir}/src/msspi/third_party/cprocsp/include/* third_party/boringssl/src/include %endif -%patch4 -p1 -b .prefs -%patch22 -p1 -%if 0%{jsoncpp} -%patch28 -p1 -%endif -%if 0%{?ffmpeg} -%patch35 -p1 -%endif -%patch190 -p1 - -%if 0%{icu} -%patch502 -p1 -b .system-icu -%patch504 -p0 -b .icu-ver -%endif - -%patch600 -p1 -%patch601 -p1 -%patch627 -p1 -%patch639 -p1 -%patch640 -p1 -%patch643 -p1 -%patch644 -p1 -%patch645 -p1 -%patch646 -p1 -%patch647 -p1 -%patch648 -p1 +%autopatch -p1 # fatal error: 'fuzzer/FuzzedDataProvider.h' file not found # (Available in Clang10) @@ -413,25 +371,15 @@ export PATH="$PWD/local_bin:$PATH" mkdir -p third_party/node/linux/node-linux-x64/bin ln -s /usr/bin/node third_party/node/linux/node-linux-x64/bin/node +# (From Fedora) Get rid of the pre-built eu-strip binary, it is x86_64 and of mysterious origin +rm -rf buildtools/third_party/eu-strip/bin/eu-strip +ln -s %{_bindir}/eu-strip buildtools/third_party/eu-strip/bin/eu-strip + %build # unpack a local copy of the xcb-proto bits tar xf %{SOURCE20} export PYTHONPATH="../../third_party/pyjson5/src:../../xcb-proto-%{xcb_version}" -%if 0%{?ffmpeg} -%define system_gn_list ffmpeg -%endif -# flac libxslt snappy yasm zlib -# opus -# icu -# libevent -# libvpx -# libwebp -# System libxml must be built with icu support to be used in Chromium -# libxml -# handled by upstream regular build scripts? : freetype harfbuzz-ng -# jsoncpp - # widevinecdmadapter # Build error with widevinecdmadapter in 67.0.3396.62 (fixed) %define widevine 1 @@ -491,22 +439,27 @@ export PYTHONPATH="../../third_party/pyjson5/src:../../xcb-proto-%{xcb_version}" symbol_level=%{symbol_level} \ use_thin_lto=%{use_thin_lto} \ strip_debug_info=false \ + is_cfi=false \ system_libdir="%{_lib}" \ icu_use_data_file=true \ enable_nacl=false \ is_nacl_glibc=false \ %{linker_params} \ - ffmpeg_branding="Chromium" \ + ffmpeg_branding="ChromeOS" \ proprietary_codecs=true \ + is_component_ffmpeg=true \ + is_component_build=false \ enable_platform_ac3_eac3_audio = true \ enable_mse_mpeg2ts_stream_parser=true \ enable_platform_hevc=true \ use_system_libjpeg=true \ use_libjpeg_turbo=false \ enable_widevine=%{is_widevine} \ + enable_vulkan=true \ use_pulseaudio=true \ link_pulseaudio=true \ %{pipewire_enablement} \ + use_gnome_keyring=false \ use_allocator="none" \ treat_warnings_as_errors=false \ fatal_linker_warnings=false \ @@ -529,7 +482,10 @@ export PYTHONPATH="../../third_party/pyjson5/src:../../xcb-proto-%{xcb_version}" #clang_base_path="//third_party/llvm-build/Release+Asserts" \ -%{__python} build/linux/unbundle/replace_gn_files.py --system-libraries %{system_gn_list} +%{__python} build/linux/unbundle/replace_gn_files.py --system-libraries \ + freetype \ + fontconfig \ + libdrm %{__python} third_party/libaddressinput/chromium/tools/update-strings.py # (From Fedora) @@ -603,7 +559,7 @@ out/Release/gn gen --script-executable=%{__python} --args='%{gn_config}' out/Rel pushd out/Release # widevinecdmadapter -ninja %{_smp_mflags} %{?_with_verbose:--verbose} chrome chrome_sandbox chromedriver +ninja %{_smp_mflags} %{?_with_verbose:--verbose} chrome chrome_sandbox chromedriver libffmpeg.so popd %install @@ -613,10 +569,17 @@ mkdir -p %{buildroot}%{_crdir}/themes install -m 755 %{SOURCE1} %{buildroot}%{_crdir}/chromium-wrapper install -m 755 out/Release/chrome %{buildroot}%{_crdir}/ install -m 4755 out/Release/chrome_sandbox %{buildroot}%{_crdir}/chrome-sandbox +install -m 755 out/Release/crashpad_handler %{buildroot}%{_crdir}/crashpad_handler cp -a out/Release/chromedriver %{buildroot}%{_crdir}/chromedriver install -m 644 out/Release/*.pak %{buildroot}%{_crdir}/ install -m 644 out/Release/icudtl.dat %{buildroot}%{_crdir}/ +install -m 0755 out/Release/libffmpeg.so %{buildroot}%{_crdir}/ +%if "%{_lib}" != "lib" +mkdir -p %{buildroot}%{_crdir_compat} +ln -sr %{buildroot}%{_crdir}/libffmpeg.so %{buildroot}%{_crdir_compat}/libffmpeg.so +%endif + install -m 644 out/Release/locales/*.pak %{buildroot}%{_crdir}/locales/ install -m 644 out/Release/resources.pak %{buildroot}%{_crdir}/ ln -s %{_crdir}/chromium-wrapper %{buildroot}%{_bindir}/%{crname} diff --git a/chromium-buildname-60.0.3112.90.patch b/chromium-buildname-60.0.3112.90.patch deleted file mode 100644 index aeeb386..0000000 --- a/chromium-buildname-60.0.3112.90.patch +++ /dev/null @@ -1,11 +0,0 @@ ---- chromium-60.0.3112.20.old/components/version_ui_strings.grdp 2017-06-08 16:55:00.495103433 +0200 -+++ chromium-60.0.3112.20/components/version_ui_strings.grdp 2017-06-08 16:55:36.027102220 +0200 -@@ -7,7 +7,7 @@ - Official Build - - -- Developer Build -+ Сборка ROSA - - - (32-bit) diff --git a/chromium-system-icu-r0.patch b/chromium-system-icu-r0.patch deleted file mode 100644 index e1e2135..0000000 --- a/chromium-system-icu-r0.patch +++ /dev/null @@ -1,11 +0,0 @@ ---- components/autofill/core/common/autofill_l10n_util.cc.orig 2015-12-07 11:46:37.738740329 +0000 -+++ components/autofill/core/common/autofill_l10n_util.cc 2015-12-07 11:46:44.574878953 +0000 -@@ -22,7 +22,7 @@ - // library. This could be due to a device-specific issue (has been seen in - // the wild on Android devices). In the failure case, |collator_| will be - // null. See http://crbug.com/558625. -- icu_54::UnicodeString name; -+ icu::UnicodeString name; - std::string locale_name; - locale.getDisplayName(name).toUTF8String(locale_name); - LOG(ERROR) << "Failed to initialize the ICU Collator for " diff --git a/enable-vaapi-on-linux.diff b/enable-vaapi-on-linux.diff deleted file mode 100644 index f2a00c5..0000000 --- a/enable-vaapi-on-linux.diff +++ /dev/null @@ -1,144 +0,0 @@ -From 53b93dfe87fd10cced5d2a2a63072dfc7a2af6e4 Mon Sep 17 00:00:00 2001 -From: Daniel Charles -Date: Fri, 28 Jul 2017 16:31:47 -0700 -Subject: [PATCH] Enable VAVDA, VAVEA and VAJDA on linux with VAAPI only - -This patch contains all the changes necessary to use VA-API along with -vaapi-driver to run all media use cases supported with hardware acceleration. - -It is intended to remain as experimental accessible from chrome://flags on linux. -It requires libva/intel-vaapi-driver to be installed on the system path where -chrome is executed. Other drivers could be tested if available. Flags are -kept independent for linux, where this feature has to be enabled before -actually using it. This should not change how other OSes use the flags -already, the new flags will show at the buttom on the section of unavailable -experiments - -The changes cover a range of compiler pre-processor flags to enable the stack. -It moves the presandbox operations to the vaapi_wrapper class as the hook function -is available there. vaInit will open driver on the correct installed folder. - -chrome flags consolidtation into only two flags for linux. Mjpeg and accelerated -video are used. The other flags are kept for ChromeOS and other OSes. - -Developer testing was made on skylake hardware, ChromeOS and Ubuntu. - -BUG=NONE -TEST="subjective testing with VAVDA,VAVEA and VAJDA, autotest for encoder" -TEST="and decoder hardware accelerated" -TEST="have libva/intel-vaapi-driver installed and not installed in the system" -TEST="repeat on different hardware families" -R=posciak@chromium.org -R=kcwu@chromium.org - -Cq-Include-Trybots: master.tryserver.chromium.android:android_optional_gpu_tests_rel;master.tryserver.chromium.linux:linux_optional_gpu_tests_rel;master.tryserver.chromium.mac:mac_optional_gpu_tests_rel;master.tryserver.chromium.win:win_optional_gpu_tests_rel -Change-Id: Ifbbf5c9e5221a8b5733fc6d4d0cf984a1f103171 -Signed-off-by: Daniel Charles ---- - -Index: dev/content/gpu/BUILD.gn -=================================================================== ---- dev.orig/content/gpu/BUILD.gn -+++ dev/content/gpu/BUILD.gn -@@ -6,6 +6,7 @@ import("//build/config/chromeos/ui_mode. - import("//build/config/ui.gni") - import("//gpu/vulkan/features.gni") - import("//media/media_options.gni") -+import("//media/gpu/args.gni") - - # See //content/BUILD.gn for how this works. - group("gpu") { -@@ -140,4 +141,8 @@ target(link_target_type, "gpu_sources") - (!is_chromecast || is_cast_desktop_build)) { - configs += [ "//build/config/linux/dri" ] - } -+ -+ if (is_linux && use_vaapi) { -+ public_configs = [ "//build/config/linux/libva" ] -+ } - } -Index: dev/media/gpu/gpu_video_decode_accelerator_factory.cc -=================================================================== ---- dev.orig/media/gpu/gpu_video_decode_accelerator_factory.cc -+++ dev/media/gpu/gpu_video_decode_accelerator_factory.cc -@@ -164,6 +164,8 @@ GpuVideoDecodeAcceleratorFactory::Create - vda = (this->*create_vda_function)(workarounds, gpu_preferences, media_log); - if (vda && vda->Initialize(config, client)) - return vda; -+ else -+ LOG(ERROR) << "Initialization of one or more VDAs failed."; - } - - return nullptr; -@@ -222,6 +224,7 @@ GpuVideoDecodeAcceleratorFactory::Create - const gpu::GpuDriverBugWorkarounds& workarounds, - const gpu::GpuPreferences& gpu_preferences, - MediaLog* media_log) const { -+ LOG(WARNING) << "Initializing VAAPI VDA."; - std::unique_ptr decoder; - decoder.reset(new VaapiVideoDecodeAccelerator(gl_client_.make_context_current, - gl_client_.bind_image)); -Index: dev/media/gpu/ipc/service/gpu_video_decode_accelerator.cc -=================================================================== ---- dev.orig/media/gpu/ipc/service/gpu_video_decode_accelerator.cc -+++ dev/media/gpu/ipc/service/gpu_video_decode_accelerator.cc -@@ -384,6 +384,7 @@ bool GpuVideoDecodeAccelerator::Initiali - LOG(ERROR) << "Failed creating the VDA factory"; - return false; - } -+ LOG(WARNING) << "Created the VDA factory"; - - const gpu::GpuDriverBugWorkarounds& gpu_workarounds = - stub_->channel()->gpu_channel_manager()->gpu_driver_bug_workarounds(); -@@ -404,6 +405,7 @@ bool GpuVideoDecodeAccelerator::Initiali - << (config.is_encrypted() ? " with encryption" : ""); - return false; - } -+ LOG(WARNING) << "Created VDA"; - - // Attempt to set up performing decoding tasks on IO thread, if supported by - // the VDA. -Index: dev/media/gpu/vaapi/vaapi_wrapper.cc -=================================================================== ---- dev.orig/media/gpu/vaapi/vaapi_wrapper.cc -+++ dev/media/gpu/vaapi/vaapi_wrapper.cc -@@ -526,6 +526,11 @@ void VADisplayState::PreSandboxInitializ - base::File::FLAG_OPEN | base::File::FLAG_READ | base::File::FLAG_WRITE); - if (drm_file.IsValid()) - VADisplayState::Get()->SetDrmFd(drm_file.GetPlatformFile()); -+ -+ const char kNvidiaPath[] = "/dev/dri/nvidiactl"; -+ base::File nvidia_file = base::File( -+ base::FilePath::FromUTF8Unsafe(kNvidiaPath), -+ base::File::FLAG_OPEN | base::File::FLAG_READ | base::File::FLAG_WRITE); - } - - VADisplayState::VADisplayState() -@@ -632,10 +637,6 @@ bool VADisplayState::InitializeVaDriver_ - } - - bool VADisplayState::InitializeOnce() { -- static_assert( -- VA_MAJOR_VERSION >= 2 || (VA_MAJOR_VERSION == 1 && VA_MINOR_VERSION >= 1), -- "Requires VA-API >= 1.1.0"); -- - // Set VA logging level, unless already set. - constexpr char libva_log_level_env[] = "LIBVA_MESSAGING_LEVEL"; - std::unique_ptr env(base::Environment::Create()); -@@ -656,7 +657,6 @@ bool VADisplayState::InitializeOnce() { - // https://github.com/intel/media-driver/issues/818 - if (!env->HasVar(libva_driver_impl_env)) - env->SetVar(libva_driver_impl_env, "i965"); -- - // Re-initialize with the new driver. - va_display_ = nullptr; - va_initialized_ = false; -@@ -864,7 +864,7 @@ bool AreAttribsSupported(const base::Loc - if (attribs[i].type != required_attribs[i].type || - (attribs[i].value & required_attribs[i].value) != - required_attribs[i].value) { -- DVLOG(1) << "Unsupported value " << required_attribs[i].value << " for " -+ VLOG(1) << "Unsupported value " << required_attribs[i].value << " for " - << vaConfigAttribTypeStr(required_attribs[i].type); - return false; - } diff --git a/master_preferences b/master_preferences.json similarity index 100% rename from master_preferences rename to master_preferences.json diff --git a/rename-python-to-python2.patch b/rename-python-to-python2.patch new file mode 100644 index 0000000..303d54b --- /dev/null +++ b/rename-python-to-python2.patch @@ -0,0 +1,86 @@ +Index: dev/tools/gn/bootstrap/bootstrap.py +=================================================================== +--- dev.orig/tools/gn/bootstrap/bootstrap.py ++++ dev/tools/gn/bootstrap/bootstrap.py +@@ -1,4 +1,4 @@ +-#!/usr/bin/env python ++#!/usr/bin/env python3 + # Copyright 2014 The Chromium Authors. All rights reserved. + # Use of this source code is governed by a BSD-style license that can be + # found in the LICENSE file. +Index: dev/tools/generate_stubs/generate_stubs.py +=================================================================== +--- dev.orig/tools/generate_stubs/generate_stubs.py ++++ dev/tools/generate_stubs/generate_stubs.py +@@ -1,4 +1,4 @@ +-#!/usr/bin/env python ++#!/usr/bin/env python3 + # Copyright (c) 2012 The Chromium Authors. All rights reserved. + # Use of this source code is governed by a BSD-style license that can be + # found in the LICENSE file. +Index: dev/tools/gn/build/gen.py +=================================================================== +--- dev.orig/tools/gn/build/gen.py ++++ dev/tools/gn/build/gen.py +@@ -1,4 +1,4 @@ +-#!/usr/bin/env python ++#!/usr/bin/env python3 + # Copyright 2014 The Chromium Authors. All rights reserved. + # Use of this source code is governed by a BSD-style license that can be + # found in the LICENSE file. +Index: dev/tools/gn/src/gn/setup.cc +=================================================================== +--- dev.orig/tools/gn/src/gn/setup.cc ++++ dev/tools/gn/src/gn/setup.cc +@@ -795,7 +795,7 @@ bool Setup::FillPythonPath(const base::C + } + build_settings_.set_python_path(python_path); + #else +- build_settings_.set_python_path(base::FilePath("python")); ++ build_settings_.set_python_path(base::FilePath("python2")); + #endif + } + return true; +Index: dev/third_party/catapult/common/py_vulcanize/py_vulcanize/generate.py +=================================================================== +--- dev.orig/third_party/catapult/common/py_vulcanize/py_vulcanize/generate.py ++++ dev/third_party/catapult/common/py_vulcanize/py_vulcanize/generate.py +@@ -83,7 +83,7 @@ def _MinifyJS(input_js): + + with tempfile.NamedTemporaryFile() as _: + args = [ +- sys.executable, ++ 'python3', + rjsmin_path + ] + p = subprocess.Popen(args, +Index: dev/ui/gfx/x/gen_xproto.py +=================================================================== +--- dev.orig/ui/gfx/x/gen_xproto.py ++++ dev/ui/gfx/x/gen_xproto.py +@@ -1087,7 +1087,7 @@ class GenXproto(FileWriter): + + self.resolve_element(t.elt, fields) + +- for field in fields.values(): ++ for field in list(fields.values()): + if field.field_name == 'sequence': + field.visible = True + field.parent = (t, name) +@@ -1629,8 +1630,14 @@ def main(): + args = parser.parse_args() + + sys.path.insert(1, args.xcbproto_dir) +- import xcbgen.xtypes +- import xcbgen.state ++ try: ++ import xcbgen.xtypes ++ import xcbgen.state ++ except: ++ if sys.version_info < (3, 0): ++ import subprocess ++ subprocess.check_call(["python3"] + sys.argv) ++ return 0 + + all_types = {} + proto_src_dir = os.path.join(args.xcbproto_dir, 'src') diff --git a/vdpau-support.patch b/vdpau-support.patch deleted file mode 100644 index dd016f8..0000000 --- a/vdpau-support.patch +++ /dev/null @@ -1,152 +0,0 @@ -Taken from https://aur.archlinux.org/cgit/aur.git/tree/vdpau-support.patch?h=chromium-vaapi - -Index: dev/media/gpu/vaapi/vaapi_video_decode_accelerator.cc -=================================================================== ---- dev.orig/media/gpu/vaapi/vaapi_video_decode_accelerator.cc -+++ dev/media/gpu/vaapi/vaapi_video_decode_accelerator.cc -@@ -711,7 +711,8 @@ void VaapiVideoDecodeAccelerator::Assign - // implementation we get from |vaapi_picture_factory_| requires the video - // processing pipeline for downloading the decoded frame from the internal - // surface, we need to create a |vpp_vaapi_wrapper_|. -- if (requires_vpp && buffer_allocation_mode_ != BufferAllocationMode::kNone) { -+ if (requires_vpp && buffer_allocation_mode_ != BufferAllocationMode::kNone && -+ buffer_allocation_mode_ != BufferAllocationMode::kWrapVdpau) { - if (!vpp_vaapi_wrapper_) { - vpp_vaapi_wrapper_ = VaapiWrapper::Create( - VaapiWrapper::kVideoProcess, VAProfileNone, -@@ -1226,6 +1227,12 @@ VaapiVideoDecodeAccelerator::DecideBuffe - return BufferAllocationMode::kReduced; - return BufferAllocationMode::kSuperReduced; - #else -+ // NVIDIA blobs use VDPAU -+ if (VaapiWrapper::GetImplementationType() == VAImplementation::kNVIDIAVDPAU) { -+ LOG(INFO) << "VA-API driver on VDPAU backend"; -+ return BufferAllocationMode::kWrapVdpau; -+ } -+ - // TODO(crbug.com/912295): Enable a better BufferAllocationMode for IMPORT - // |output_mode_| as well. - if (output_mode_ == VideoDecodeAccelerator::Config::OutputMode::IMPORT) -@@ -1236,7 +1243,7 @@ VaapiVideoDecodeAccelerator::DecideBuffe - // associated format reconciliation copy, avoiding all internal buffer - // allocations. - // TODO(crbug.com/911754): Enable for VP9 Profile 2. -- if (IsGeminiLakeOrLater() && -+ if (false && IsGeminiLakeOrLater() && - (profile_ == VP9PROFILE_PROFILE0 || profile_ == VP8PROFILE_ANY || - (profile_ >= H264PROFILE_MIN && profile_ <= H264PROFILE_MAX))) { - // Add one to the reference frames for the one being currently egressed, and -Index: dev/media/gpu/vaapi/vaapi_video_decode_accelerator.h -=================================================================== ---- dev.orig/media/gpu/vaapi/vaapi_video_decode_accelerator.h -+++ dev/media/gpu/vaapi/vaapi_video_decode_accelerator.h -@@ -217,6 +217,7 @@ class MEDIA_GPU_EXPORT VaapiVideoDecodeA - // Using |client_|s provided PictureBuffers and as many internally - // allocated. - kNormal, -+ kWrapVdpau, - }; - - // Decides the concrete buffer allocation mode, depending on the hardware -Index: dev/media/gpu/vaapi/vaapi_wrapper.cc -=================================================================== ---- dev.orig/media/gpu/vaapi/vaapi_wrapper.cc -+++ dev/media/gpu/vaapi/vaapi_wrapper.cc -@@ -240,6 +240,9 @@ media::VAImplementation VendorStringToIm - } else if (base::StartsWith(va_vendor_string, "Intel iHD driver", - base::CompareCase::SENSITIVE)) { - return media::VAImplementation::kIntelIHD; -+ } else if (base::StartsWith(va_vendor_string, "Splitted-Desktop Systems VDPAU", -+ base::CompareCase::SENSITIVE)) { -+ return media::VAImplementation::kNVIDIAVDPAU; - } - return media::VAImplementation::kOther; - } -@@ -1977,6 +1980,11 @@ VaapiWrapper::ExportVASurfaceAsNativePix - return nullptr; - } - -+ if (GetImplementationType() == VAImplementation::kNVIDIAVDPAU) { -+ LOG(ERROR) << "Disabled due to potential breakage."; -+ return nullptr; -+ } -+ - VADRMPRIMESurfaceDescriptor descriptor; - { - base::AutoLock auto_lock(*va_lock_); -@@ -2680,32 +2688,43 @@ bool VaapiWrapper::CreateSurfaces(unsign - DCHECK(va_surfaces->empty()); - - va_surfaces->resize(num_surfaces); -+ - VASurfaceAttrib attribute{}; -- attribute.type = VASurfaceAttribUsageHint; -- attribute.flags = VA_SURFACE_ATTRIB_SETTABLE; -- attribute.value.type = VAGenericValueTypeInteger; -- switch (usage_hint) { -- case SurfaceUsageHint::kVideoDecoder: -- attribute.value.value.i = VA_SURFACE_ATTRIB_USAGE_HINT_DECODER; -- break; -- case SurfaceUsageHint::kVideoEncoder: -- attribute.value.value.i = VA_SURFACE_ATTRIB_USAGE_HINT_ENCODER; -- break; -- case SurfaceUsageHint::kVideoProcessWrite: -- attribute.value.value.i = VA_SURFACE_ATTRIB_USAGE_HINT_VPP_WRITE; -- break; -- case SurfaceUsageHint::kGeneric: -- attribute.value.value.i = VA_SURFACE_ATTRIB_USAGE_HINT_GENERIC; -- break; -+ if (GetImplementationType() != VAImplementation::kNVIDIAVDPAU) { -+ // Nvidia's VAAPI-VDPAU driver doesn't support this attribute -+ attribute.type = VASurfaceAttribUsageHint; -+ attribute.flags = VA_SURFACE_ATTRIB_SETTABLE; -+ attribute.value.type = VAGenericValueTypeInteger; -+ switch (usage_hint) { -+ case SurfaceUsageHint::kVideoDecoder: -+ attribute.value.value.i = VA_SURFACE_ATTRIB_USAGE_HINT_DECODER; -+ break; -+ case SurfaceUsageHint::kVideoEncoder: -+ attribute.value.value.i = VA_SURFACE_ATTRIB_USAGE_HINT_ENCODER; -+ break; -+ case SurfaceUsageHint::kVideoProcessWrite: -+ attribute.value.value.i = VA_SURFACE_ATTRIB_USAGE_HINT_VPP_WRITE; -+ break; -+ case SurfaceUsageHint::kGeneric: -+ attribute.value.value.i = VA_SURFACE_ATTRIB_USAGE_HINT_GENERIC; -+ break; -+ } - } - - VAStatus va_res; - { - base::AutoLock auto_lock(*va_lock_); -- va_res = vaCreateSurfaces( -- va_display_, va_format, base::checked_cast(size.width()), -- base::checked_cast(size.height()), va_surfaces->data(), -- num_surfaces, &attribute, 1u); -+ if (GetImplementationType() == VAImplementation::kNVIDIAVDPAU) { -+ va_res = vaCreateSurfaces( -+ va_display_, va_format, base::checked_cast(size.width()), -+ base::checked_cast(size.height()), va_surfaces->data(), -+ num_surfaces, NULL, 0); -+ } else { -+ va_res = vaCreateSurfaces( -+ va_display_, va_format, base::checked_cast(size.width()), -+ base::checked_cast(size.height()), va_surfaces->data(), -+ num_surfaces, &attribute, 1u); -+ } - } - VA_LOG_ON_ERROR(va_res, VaapiFunctions::kVACreateSurfaces_Allocating); - return va_res == VA_STATUS_SUCCESS; -Index: dev/media/gpu/vaapi/vaapi_wrapper.h -=================================================================== ---- dev.orig/media/gpu/vaapi/vaapi_wrapper.h -+++ dev/media/gpu/vaapi/vaapi_wrapper.h -@@ -92,6 +92,7 @@ enum class VAImplementation { - kIntelIHD, - kOther, - kInvalid, -+ kNVIDIAVDPAU, - }; - - // This class handles VA-API calls and ensures proper locking of VA-API calls