1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
|
From 4e8083b4ab953ba298aedfc4e79d464be15e4012 Mon Sep 17 00:00:00 2001
From: "riku.voipio" <riku.voipio@linaro.org>
Date: Tue, 1 Mar 2016 08:02:43 -0800
Subject: [PATCH] Linux Sandbox: whitelist arm64 syscalls
On debian/arm64, two syscalls needed whitelisting for chromium to work with seccomp:
epoll_pwait, replacing epoll_wait which is a legacy syscall not available on arm64. epoll_wait implmentation in glibc calls epoll_pwait behind scenes, so this needs to be enabled.
getrlimit, missing #ifdef for arm64 in several policy definitions. test for arm64 added for each case.
BUG=581018
R=keescook@chromium.org,jln@chromium.org,rsesek@chromium.org
TEST=Start chrome on arm64 with seccomp enabled kernel
Review URL: https://codereview.chromium.org/1613883002
Cr-Commit-Position: refs/heads/master@{#378440}
---
components/nacl/loader/sandbox_linux/nacl_bpf_sandbox_linux.cc | 3 ++-
content/common/sandbox_linux/bpf_renderer_policy_linux.cc | 3 ++-
content/common/sandbox_linux/bpf_utility_policy_linux.cc | 3 ++-
mojo/shell/runner/host/linux_sandbox.cc | 5 ++++-
sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc | 2 +-
5 files changed, 11 insertions(+), 5 deletions(-)
diff --git a/components/nacl/loader/sandbox_linux/nacl_bpf_sandbox_linux.cc b/components/nacl/loader/sandbox_linux/nacl_bpf_sandbox_linux.cc
index 66a606a..3e88304 100644
--- a/components/nacl/loader/sandbox_linux/nacl_bpf_sandbox_linux.cc
+++ b/components/nacl/loader/sandbox_linux/nacl_bpf_sandbox_linux.cc
@@ -106,7 +106,8 @@ ResultExpr NaClBPFSandboxPolicy::EvaluateSyscall(int sysno) const {
// NaCl uses custom signal stacks.
case __NR_sigaltstack:
// Below is fairly similar to the policy for a Chromium renderer.
-#if defined(__i386__) || defined(__x86_64__) || defined(__mips__)
+#if defined(__i386__) || defined(__x86_64__) || defined(__mips__) || \
+ defined(__aarch64__)
case __NR_getrlimit:
#endif
#if defined(__i386__) || defined(__arm__)
diff --git a/content/common/sandbox_linux/bpf_renderer_policy_linux.cc b/content/common/sandbox_linux/bpf_renderer_policy_linux.cc
index e799273..993e2a5 100644
--- a/content/common/sandbox_linux/bpf_renderer_policy_linux.cc
+++ b/content/common/sandbox_linux/bpf_renderer_policy_linux.cc
@@ -60,7 +60,8 @@ ResultExpr RendererProcessPolicy::EvaluateSyscall(int sysno) const {
// Allow the system calls below.
case __NR_fdatasync:
case __NR_fsync:
-#if defined(__i386__) || defined(__x86_64__) || defined(__mips__)
+#if defined(__i386__) || defined(__x86_64__) || defined(__mips__) || \
+ defined(__aarch64__)
case __NR_getrlimit:
#endif
#if defined(__i386__) || defined(__arm__)
diff --git a/content/common/sandbox_linux/bpf_utility_policy_linux.cc b/content/common/sandbox_linux/bpf_utility_policy_linux.cc
index 3ead1c8..1336796 100644
--- a/content/common/sandbox_linux/bpf_utility_policy_linux.cc
+++ b/content/common/sandbox_linux/bpf_utility_policy_linux.cc
@@ -32,7 +32,8 @@ ResultExpr UtilityProcessPolicy::EvaluateSyscall(int sysno) const {
// Allow the system calls below.
case __NR_fdatasync:
case __NR_fsync:
-#if defined(__i386__) || defined(__x86_64__)
+#if defined(__i386__) || defined(__x86_64__) || defined(__mips__) || \
+ defined(__aarch64__)
case __NR_getrlimit:
#endif
#if defined(__i386__) || defined(__arm__)
diff --git a/sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc b/sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc
index 10278dc..b30b3e6 100644
--- a/sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc
+++ b/sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc
@@ -414,6 +414,7 @@ bool SyscallSets::IsAllowedEpoll(int sysno) {
case __NR_epoll_create:
case __NR_epoll_wait:
#endif
+ case __NR_epoll_pwait:
case __NR_epoll_create1:
case __NR_epoll_ctl:
return true;
@@ -421,7 +422,6 @@ bool SyscallSets::IsAllowedEpoll(int sysno) {
#if defined(__x86_64__)
case __NR_epoll_ctl_old:
#endif
- case __NR_epoll_pwait:
#if defined(__x86_64__)
case __NR_epoll_wait_old:
#endif
--
2.7.2
|
GitWeb