From 4e8083b4ab953ba298aedfc4e79d464be15e4012 Mon Sep 17 00:00:00 2001 From: "riku.voipio" Date: Tue, 1 Mar 2016 08:02:43 -0800 Subject: [PATCH] Linux Sandbox: whitelist arm64 syscalls On debian/arm64, two syscalls needed whitelisting for chromium to work with seccomp: epoll_pwait, replacing epoll_wait which is a legacy syscall not available on arm64. epoll_wait implmentation in glibc calls epoll_pwait behind scenes, so this needs to be enabled. getrlimit, missing #ifdef for arm64 in several policy definitions. test for arm64 added for each case. BUG=581018 R=keescook@chromium.org,jln@chromium.org,rsesek@chromium.org TEST=Start chrome on arm64 with seccomp enabled kernel Review URL: https://codereview.chromium.org/1613883002 Cr-Commit-Position: refs/heads/master@{#378440} --- components/nacl/loader/sandbox_linux/nacl_bpf_sandbox_linux.cc | 3 ++- content/common/sandbox_linux/bpf_renderer_policy_linux.cc | 3 ++- content/common/sandbox_linux/bpf_utility_policy_linux.cc | 3 ++- mojo/shell/runner/host/linux_sandbox.cc | 5 ++++- sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc | 2 +- 5 files changed, 11 insertions(+), 5 deletions(-) diff --git a/components/nacl/loader/sandbox_linux/nacl_bpf_sandbox_linux.cc b/components/nacl/loader/sandbox_linux/nacl_bpf_sandbox_linux.cc index 66a606a..3e88304 100644 --- a/components/nacl/loader/sandbox_linux/nacl_bpf_sandbox_linux.cc +++ b/components/nacl/loader/sandbox_linux/nacl_bpf_sandbox_linux.cc @@ -106,7 +106,8 @@ ResultExpr NaClBPFSandboxPolicy::EvaluateSyscall(int sysno) const { // NaCl uses custom signal stacks. case __NR_sigaltstack: // Below is fairly similar to the policy for a Chromium renderer. -#if defined(__i386__) || defined(__x86_64__) || defined(__mips__) +#if defined(__i386__) || defined(__x86_64__) || defined(__mips__) || \ + defined(__aarch64__) case __NR_getrlimit: #endif #if defined(__i386__) || defined(__arm__) diff --git a/content/common/sandbox_linux/bpf_renderer_policy_linux.cc b/content/common/sandbox_linux/bpf_renderer_policy_linux.cc index e799273..993e2a5 100644 --- a/content/common/sandbox_linux/bpf_renderer_policy_linux.cc +++ b/content/common/sandbox_linux/bpf_renderer_policy_linux.cc @@ -60,7 +60,8 @@ ResultExpr RendererProcessPolicy::EvaluateSyscall(int sysno) const { // Allow the system calls below. case __NR_fdatasync: case __NR_fsync: -#if defined(__i386__) || defined(__x86_64__) || defined(__mips__) +#if defined(__i386__) || defined(__x86_64__) || defined(__mips__) || \ + defined(__aarch64__) case __NR_getrlimit: #endif #if defined(__i386__) || defined(__arm__) diff --git a/content/common/sandbox_linux/bpf_utility_policy_linux.cc b/content/common/sandbox_linux/bpf_utility_policy_linux.cc index 3ead1c8..1336796 100644 --- a/content/common/sandbox_linux/bpf_utility_policy_linux.cc +++ b/content/common/sandbox_linux/bpf_utility_policy_linux.cc @@ -32,7 +32,8 @@ ResultExpr UtilityProcessPolicy::EvaluateSyscall(int sysno) const { // Allow the system calls below. case __NR_fdatasync: case __NR_fsync: -#if defined(__i386__) || defined(__x86_64__) +#if defined(__i386__) || defined(__x86_64__) || defined(__mips__) || \ + defined(__aarch64__) case __NR_getrlimit: #endif #if defined(__i386__) || defined(__arm__) diff --git a/sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc b/sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc index 10278dc..b30b3e6 100644 --- a/sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc +++ b/sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc @@ -414,6 +414,7 @@ bool SyscallSets::IsAllowedEpoll(int sysno) { case __NR_epoll_create: case __NR_epoll_wait: #endif + case __NR_epoll_pwait: case __NR_epoll_create1: case __NR_epoll_ctl: return true; @@ -421,7 +422,6 @@ bool SyscallSets::IsAllowedEpoll(int sysno) { #if defined(__x86_64__) case __NR_epoll_ctl_old: #endif - case __NR_epoll_pwait: #if defined(__x86_64__) case __NR_epoll_wait_old: #endif -- 2.7.2