1From 5f8c7d6fae3acd2aeb36ff982a83f3f7090596b7 Mon Sep 17 00:00:00 2001
2From: Khem Raj <raj.khem@gmail.com>
3Date: Fri, 19 Mar 2021 20:16:00 -0700
4Subject: [PATCH] Fix tab crashes on musl
5
6Upstream-Status: Inappropriate [musl-specific]
7Signed-off-by: Khem Raj <raj.khem@gmail.com>
8
9---
10 .../syscall_parameters_restrictions.cc        | 22 +++++--------------
11 .../linux/seccomp-bpf-helpers/syscall_sets.cc |  5 +++--
12 .../system_headers/arm64_linux_syscalls.h     |  4 ++++
13 .../linux/system_headers/arm_linux_syscalls.h |  4 ++++
14 sandbox/linux/system_headers/linux_syscalls.h |  1 +
15 .../system_headers/mips64_linux_syscalls.h    |  4 ++++
16 .../system_headers/mips_linux_syscalls.h      |  4 ++++
17 .../system_headers/x86_64_linux_syscalls.h    |  4 ++++
18 8 files changed, 30 insertions(+), 18 deletions(-)
19
20diff --git a/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc b/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc
21index 2500a56acd..a5cf928bde 100644
22--- a/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc
23+++ b/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc
24@@ -133,21 +133,11 @@ namespace sandbox {
25 // present (as in newer versions of posix_spawn).
26 ResultExpr RestrictCloneToThreadsAndEPERMFork() {
27   const Arg<unsigned long> flags(0);
28-
29-  // TODO(mdempsky): Extend DSL to support (flags & ~mask1) == mask2.
30-  const uint64_t kAndroidCloneMask = CLONE_VM | CLONE_FS | CLONE_FILES |
31-                                     CLONE_SIGHAND | CLONE_THREAD |
32-                                     CLONE_SYSVSEM;
33-  const uint64_t kObsoleteAndroidCloneMask = kAndroidCloneMask | CLONE_DETACHED;
34-
35-  const uint64_t kGlibcPthreadFlags =
36-      CLONE_VM | CLONE_FS | CLONE_FILES | CLONE_SIGHAND | CLONE_THREAD |
37-      CLONE_SYSVSEM | CLONE_SETTLS | CLONE_PARENT_SETTID | CLONE_CHILD_CLEARTID;
38-  const BoolExpr glibc_test = flags == kGlibcPthreadFlags;
39-
40-  const BoolExpr android_test =
41-      AnyOf(flags == kAndroidCloneMask, flags == kObsoleteAndroidCloneMask,
42-            flags == kGlibcPthreadFlags);
43+  const int required = CLONE_VM | CLONE_FS | CLONE_FILES | CLONE_SIGHAND |
44+                       CLONE_THREAD | CLONE_SYSVSEM;
45+  const int safe = CLONE_SETTLS | CLONE_PARENT_SETTID | CLONE_CHILD_CLEARTID |
46+                   CLONE_DETACHED;
47+  const BoolExpr thread_clone_ok = (flags&~safe)==required;
48
49   // The following two flags are the two important flags in any vfork-emulating
50   // clone call. EPERM any clone call that contains both of them.
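Review bot: The new `required` and `safe` masks are `int` whereas `flags` is `Arg<unsigned long>` and the constants they replace were `uint64_t`; `~safe` is thus a negative int that gets widened to the argument type, so the test also implicitly demands that every bit above the low 32 be clear (the conservative direction, but an accident of the types rather than a stated rule), and `const uint64_t required = …;` / `const uint64_t safe = …;` would keep the original width and make that explicit. The patch header marks the change musl-specific, yet `(flags&~safe)==required` unconditionally replaces both the glibc exact-match and the Android test, so glibc and Android builds now also accept CLONE_DETACHED plus any subset of the optional flags; the same unconditional widening applies to the syscall_sets.cc hunks below, and gating on the libc (or documenting that the relaxation is intended everywhere) should be decided explicitly. The removed TODO comment was the only explanation of why an exact match was used; a replacement such as `// musl's pthread_create presumably passes CLONE_DETACHED on top of the glibc flag set, so match the required bits with the optional ones masked off.` would preserve that context. RestrictCloneToThreadsAndEPERMFork's body continues in the next hunk.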
51@@ -157,7 +147,7 @@ ResultExpr RestrictCloneToThreadsAndEPERMFork() {
52       AnyOf((flags & (CLONE_VM | CLONE_THREAD)) == 0,
53             (flags & kImportantCloneVforkFlags) == kImportantCloneVforkFlags);
54
55-  return If(IsAndroid() ? android_test : glibc_test, Allow())
56+  return If(thread_clone_ok, Allow())
57       .ElseIf(is_fork_or_clone_vfork, Error(EPERM))
58       .Else(CrashSIGSYSClone());
59 }
60diff --git a/sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc b/sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc
61index 21087322e4..b48ffc1e13 100644
62--- a/sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc
63+++ b/sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc
64@@ -423,6 +423,7 @@ bool SyscallSets::IsAllowedProcessStartOrDeath(int sysno) {
65 #if defined(__i386__)
66     case __NR_waitpid:
67 #endif
68+    case __NR_set_tid_address:
69       return true;
70     case __NR_clone:  // Should be parameter-restricted.
71     case __NR_setns:  // Privileged.
72@@ -435,7 +436,6 @@ bool SyscallSets::IsAllowedProcessStartOrDeath(int sysno) {
73 #if defined(__i386__) || defined(__x86_64__) || defined(__mips__)
74     case __NR_set_thread_area:
75 #endif
76-    case __NR_set_tid_address:
77     case __NR_unshare:
78 #if !defined(__mips__) && !defined(__aarch64__)
79     case __NR_vfork:
80@@ -549,6 +549,8 @@ bool SyscallSets::IsAllowedAddressSpaceAccess(int sysno) {
81     case __NR_mlock:
82     case __NR_munlock:
83     case __NR_munmap:
84+    case __NR_mremap:
85+    case __NR_membarrier:
86       return true;
87     case __NR_madvise:
88     case __NR_mincore:
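Review bot: `case __NR_membarrier:` is used unconditionally in IsAllowedAddressSpaceAccess, but per the diffstat the fallback define is only added to the arm64, arm, mips, mips64 and x86_64 headers, so an i386 build depends on `<sys/syscall.h>` happening to provide `__NR_membarrier`; either add the same guarded define to the x86 header or wrap the case in a `#if defined(__NR_membarrier)` check like the neighbouring arch-conditional cases. Moving `__NR_mremap` into the unconditionally allowed group widens the address-space policy for every libc, not only musl, and no comment says why musl needs it; a note such as `// mremap: needed by musl's allocator — TODO confirm` next to the case would let a later reviewer re-evaluate it. The body of IsAllowedAddressSpaceAccess continues outside the hunk.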
89@@ -566,7 +568,6 @@ bool SyscallSets::IsAllowedAddressSpaceAccess(int sysno) {
90     case __NR_modify_ldt:
91 #endif
92     case __NR_mprotect:
93-    case __NR_mremap:
94     case __NR_msync:
95     case __NR_munlockall:
96     case __NR_readahead:
97diff --git a/sandbox/linux/system_headers/arm64_linux_syscalls.h b/sandbox/linux/system_headers/arm64_linux_syscalls.h
98index 03d28567a3..5715a69bc4 100644
99--- a/sandbox/linux/system_headers/arm64_linux_syscalls.h
100+++ b/sandbox/linux/system_headers/arm64_linux_syscalls.h
101@@ -1215,4 +1215,8 @@
102 #define __NR_landlock_restrict_self 446
103 #endif
104
105+#if !defined(__NR_membarrier)
106+#define __NR_membarrier 283
107+#endif
108+
109 #endif  // SANDBOX_LINUX_SYSTEM_HEADERS_ARM64_LINUX_SYSCALLS_H_
110diff --git a/sandbox/linux/system_headers/arm_linux_syscalls.h b/sandbox/linux/system_headers/arm_linux_syscalls.h
111index bb1335e6d2..7e8150820a 100644
112--- a/sandbox/linux/system_headers/arm_linux_syscalls.h
113+++ b/sandbox/linux/system_headers/arm_linux_syscalls.h
114@@ -1617,6 +1617,10 @@
115 #define __NR_landlock_restrict_self (__NR_SYSCALL_BASE + 446)
116 #endif
117
118+#if !defined(__NR_membarrier)
119+#define __NR_membarrier (__NR_SYSCALL_BASE+389)
120+#endif
121+
122 // ARM private syscalls.
123 #if !defined(__ARM_NR_BASE)
124 #define __ARM_NR_BASE (__NR_SYSCALL_BASE + 0xF0000)
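Review bot: `(__NR_SYSCALL_BASE+389)` departs from the spacing the rest of this header uses (`(__NR_SYSCALL_BASE + 446)` two lines above and `(__NR_SYSCALL_BASE + 0xF0000)` below); write it as `#define __NR_membarrier (__NR_SYSCALL_BASE + 389)` so the definitions stay greppable and uniform.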
125diff --git a/sandbox/linux/system_headers/linux_syscalls.h b/sandbox/linux/system_headers/linux_syscalls.h
126index 438147b401..6b67cbcedc 100644
127--- a/sandbox/linux/system_headers/linux_syscalls.h
128+++ b/sandbox/linux/system_headers/linux_syscalls.h
129@@ -10,6 +10,7 @@
130 #define SANDBOX_LINUX_SYSTEM_HEADERS_LINUX_SYSCALLS_H_
131
132 #include "build/build_config.h"
133+#include <sys/syscall.h>
134
135 #if defined(__x86_64__)
136 #include "sandbox/linux/system_headers/x86_64_linux_syscalls.h"
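Review bot: The system header `<sys/syscall.h>` is placed after the project include `"build/build_config.h"`, which inverts the usual order (own header, C system, C++ stdlib, project). More importantly, the per-arch headers guard every number with `#if !defined(__NR_…)`, so with this include in front of them the libc's `__NR_*` values now take precedence over the sandbox's own tables on every build — that appears to be the intent (it is how `__NR_membarrier` is expected to resolve on musl), but it is worth a one-line comment such as `// Pull in the libc's syscall numbers first; the per-arch headers below only fill gaps.` so the dependency on libc headers is deliberate rather than incidental.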
137diff --git a/sandbox/linux/system_headers/mips64_linux_syscalls.h b/sandbox/linux/system_headers/mips64_linux_syscalls.h
138index 0f9ab41b6e..448351699f 100644
139--- a/sandbox/linux/system_headers/mips64_linux_syscalls.h
140+++ b/sandbox/linux/system_headers/mips64_linux_syscalls.h
141@@ -1415,4 +1415,8 @@
142 #define __NR_landlock_restrict_self (__NR_Linux + 446)
143 #endif
144
145+#if !defined(__NR_membarrier)
146+#define __NR_membarrier (__NR_Linux  318)
147+#endif
148+
149 #endif  // SANDBOX_LINUX_SYSTEM_HEADERS_MIPS64_LINUX_SYSCALLS_H_
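Review bot: `(__NR_Linux  318)` is missing the `+` between the base and the offset, so the macro expands to two adjacent integer tokens and will not compile where it is used as a case label in syscall_sets.cc; it should read `#define __NR_membarrier (__NR_Linux + 318)`, matching `(__NR_Linux + 446)` just above. The mips hunk has the identical typo in `(__NR_Linux  358)`. Since the same file now includes `<sys/syscall.h>` first, the `#if !defined` guard likely hides this on a libc that already defines the number, which is why it may have gone unnoticed.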
150diff --git a/sandbox/linux/system_headers/mips_linux_syscalls.h b/sandbox/linux/system_headers/mips_linux_syscalls.h
151index 9664858a93..259751f93c 100644
152--- a/sandbox/linux/system_headers/mips_linux_syscalls.h
153+++ b/sandbox/linux/system_headers/mips_linux_syscalls.h
154@@ -1697,4 +1697,8 @@
155 #define __NR_landlock_restrict_self (__NR_Linux + 446)
156 #endif
157
158+#if !defined(__NR_membarrier)
159+#define __NR_membarrier (__NR_Linux  358)
160+#endif
161+
162 #endif  // SANDBOX_LINUX_SYSTEM_HEADERS_MIPS_LINUX_SYSCALLS_H_
163diff --git a/sandbox/linux/system_headers/x86_64_linux_syscalls.h b/sandbox/linux/system_headers/x86_64_linux_syscalls.h
164index fe59d1ae35..37e677f7e9 100644
165--- a/sandbox/linux/system_headers/x86_64_linux_syscalls.h
166+++ b/sandbox/linux/system_headers/x86_64_linux_syscalls.h
167@@ -1438,5 +1438,9 @@
168 #define __NR_landlock_restrict_self 446
169 #endif
170
171+#if !defined(__NR_membarrier)
172+#define __NR_membarrier 324
173+#endif
174+
175 #endif  // SANDBOX_LINUX_SYSTEM_HEADERS_X86_64_LINUX_SYSCALLS_H_
176
177