51 lines
2.6 KiB
Diff
51 lines
2.6 KiB
Diff
diff -up chromium-74.0.3729.169/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc.glibc229 chromium-74.0.3729.169/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc
|
|
--- chromium-74.0.3729.169/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc.glibc229 2019-05-31 13:45:04.165403187 -0400
|
|
+++ chromium-74.0.3729.169/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc 2019-05-31 13:45:38.200830150 -0400
|
|
@@ -162,6 +162,15 @@ ResultExpr EvaluateSyscallImpl(int fs_de
|
|
}
|
|
#endif
|
|
|
|
+#if defined(__NR_vfork)
|
|
+ // vfork() is almost never used as a system call, but some libc versions (e.g.
|
|
+ // older versions of bionic) might use it in a posix_spawn() implementation,
|
|
+ // which is used by system();
|
|
+ if (sysno == __NR_vfork) {
|
|
+ return Error(EPERM);
|
|
+ }
|
|
+#endif
|
|
+
|
|
if (sysno == __NR_futex)
|
|
return RestrictFutex();
|
|
|
|
diff -up chromium-74.0.3729.169/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc.glibc229 chromium-74.0.3729.169/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc
|
|
--- chromium-74.0.3729.169/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc.glibc229 2019-05-31 13:45:54.653553140 -0400
|
|
+++ chromium-74.0.3729.169/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc 2019-05-31 13:47:19.357675791 -0400
|
|
@@ -134,7 +134,8 @@ namespace sandbox {
|
|
#if !defined(OS_NACL_NONSFI)
|
|
// Allow Glibc's and Android pthread creation flags, crash on any other
|
|
// thread creation attempts and EPERM attempts to use neither
|
|
-// CLONE_VM, nor CLONE_THREAD, which includes all fork() implementations.
|
|
+// CLONE_VM nor CLONE_THREAD (all fork implementations), unless CLONE_VFORK is
|
|
+// present (as in newer versions of posix_spawn).
|
|
ResultExpr RestrictCloneToThreadsAndEPERMFork() {
|
|
const Arg<unsigned long> flags(0);
|
|
|
|
@@ -153,8 +154,16 @@ ResultExpr RestrictCloneToThreadsAndEPER
|
|
AnyOf(flags == kAndroidCloneMask, flags == kObsoleteAndroidCloneMask,
|
|
flags == kGlibcPthreadFlags);
|
|
|
|
+ // The following two flags are the two important flags in any vfork-emulating
|
|
+ // clone call. EPERM any clone call that contains both of them.
|
|
+ const uint64_t kImportantCloneVforkFlags = CLONE_VFORK | CLONE_VM;
|
|
+
|
|
+ const BoolExpr is_fork_or_clone_vfork =
|
|
+ AnyOf((flags & (CLONE_VM | CLONE_THREAD)) == 0,
|
|
+ (flags & kImportantCloneVforkFlags) == kImportantCloneVforkFlags);
|
|
+
|
|
return If(IsAndroid() ? android_test : glibc_test, Allow())
|
|
- .ElseIf((flags & (CLONE_VM | CLONE_THREAD)) == 0, Error(EPERM))
|
|
+ .ElseIf(is_fork_or_clone_vfork, Error(EPERM))
|
|
.Else(CrashSIGSYSClone());
|
|
}
|
|
|