improved seccomp glibc 2.29 patch

chromium-73.0.3683.103-glibc-2.29-clone-vfork.patch

@@ -0,0 +1,29 @@
+diff -up chromium-73.0.3683.103/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc.glibc229 chromium-73.0.3683.103/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc
+--- chromium-73.0.3683.103/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc.glibc229	2019-04-16 11:49:35.353081246 -0400
++++ chromium-73.0.3683.103/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc	2019-04-16 11:51:22.105794620 -0400
+@@ -134,7 +134,8 @@ namespace sandbox {
+ #if !defined(OS_NACL_NONSFI)
+ // Allow Glibc's and Android pthread creation flags, crash on any other
+ // thread creation attempts and EPERM attempts to use neither
+-// CLONE_VM, nor CLONE_THREAD, which includes all fork() implementations.
++// CLONE_VM nor CLONE_THREAD (all fork implementations), unless CLONE_VFORK is
++// present (as in posix_spawn).
+ ResultExpr RestrictCloneToThreadsAndEPERMFork() {
+   const Arg<unsigned long> flags(0);
+ 
+@@ -153,8 +154,14 @@ ResultExpr RestrictCloneToThreadsAndEPER
+       AnyOf(flags == kAndroidCloneMask, flags == kObsoleteAndroidCloneMask,
+             flags == kGlibcPthreadFlags);
+ 
++  const uint64_t kImportantSpawnFlags = CLONE_VFORK | CLONE_VM;
++
++  const BoolExpr isForkOrSpawn =
++      AnyOf((flags & (CLONE_VM | CLONE_THREAD)) == 0,
++            (flags & kImportantSpawnFlags) == kImportantSpawnFlags);
++
+   return If(IsAndroid() ? android_test : glibc_test, Allow())
+-      .ElseIf((flags & (CLONE_VM | CLONE_THREAD)) == 0, Error(EPERM))
++      .ElseIf(isForkOrSpawn, Error(EPERM))
+       .Else(CrashSIGSYSClone());
+ }
+ 

chromium-73.0.3683.86-glibc-2.29-clone-vfork.patch

@@ -1,13 +0,0 @@
-diff -up chromium-73.0.3683.86/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc.clonevfork chromium-73.0.3683.86/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc
---- chromium-73.0.3683.86/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc.clonevfork	2019-04-11 10:22:21.250929060 -0400
-+++ chromium-73.0.3683.86/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc	2019-04-11 10:23:58.832770803 -0400
-@@ -146,7 +146,8 @@ ResultExpr RestrictCloneToThreadsAndEPER
- 
-   const uint64_t kGlibcPthreadFlags =
-       CLONE_VM | CLONE_FS | CLONE_FILES | CLONE_SIGHAND | CLONE_THREAD |
--      CLONE_SYSVSEM | CLONE_SETTLS | CLONE_PARENT_SETTID | CLONE_CHILD_CLEARTID;
-+      CLONE_SYSVSEM | CLONE_SETTLS | CLONE_PARENT_SETTID |
-+      CLONE_CHILD_CLEARTID | CLONE_VFORK;
-   const BoolExpr glibc_test = flags == kGlibcPthreadFlags;
- 
-   const BoolExpr android_test =

chromium.spec

@@ -329,7 +329,7 @@ Patch138:	chromium-73.0.3683.75-aarch64-crashpad-limits.patch
 # el7 only patch
 Patch139:	chromium-73.0.3683.75-el7-fix-noexcept.patch
 # https://bugs.chromium.org/p/chromium/issues/detail?id=949312
-Patch140:	chromium-73.0.3683.86-glibc-2.29-clone-vfork.patch
+Patch140:	chromium-73.0.3683.103-glibc-2.29-clone-vfork.patch
 
 # Use chromium-latest.py to generate clean tarball from released build tarballs, found here:
 # http://build.chromium.org/buildbot/official/
@@ -912,7 +912,7 @@ udev.
 %if 0%{?rhel} == 7
 %patch139 -p1 -b .el7-noexcept
 %endif
-%patch140 -p1 -b .clonevfork
+%patch140 -p1 -b .glibc229
 
 # Change shebang in all relevant files in this directory and all subdirectories
 # See `man find` for how the `-exec command {} +` syntax works
@@ -1903,7 +1903,7 @@ getent group chrome-remote-desktop >/dev/null || groupadd -r chrome-remote-deskt
 %changelog
 * Thu Apr 11 2019 Tom Callaway <spot@fedoraproject.org> - 73.0.3683.103-1
 - update to 73.0.3683.103
-- add CLONE_VFORK to seccomp filter for linux to handle glibc 2.29 change
+- add CLONE_VFORK logic to seccomp filter for linux to handle glibc 2.29 change
 
 * Wed Mar 27 2019 Tom Callaway <spot@fedoraproject.org> - 73.0.3683.86-2
 - remove lang macro from en-US.pak* because Chromium crashes if it is not present