diff options
Diffstat (limited to 'www/qt6-webengine/files/patch-src_3rdparty_chromium_sandbox_policy_openbsd_sandbox__openbsd.cc')
-rw-r--r-- | www/qt6-webengine/files/patch-src_3rdparty_chromium_sandbox_policy_openbsd_sandbox__openbsd.cc | 157 |
1 files changed, 89 insertions, 68 deletions
diff --git a/www/qt6-webengine/files/patch-src_3rdparty_chromium_sandbox_policy_openbsd_sandbox__openbsd.cc b/www/qt6-webengine/files/patch-src_3rdparty_chromium_sandbox_policy_openbsd_sandbox__openbsd.cc index 79833e898578..dbc297b8a2ab 100644 --- a/www/qt6-webengine/files/patch-src_3rdparty_chromium_sandbox_policy_openbsd_sandbox__openbsd.cc +++ b/www/qt6-webengine/files/patch-src_3rdparty_chromium_sandbox_policy_openbsd_sandbox__openbsd.cc @@ -1,6 +1,6 @@ ---- src/3rdparty/chromium/sandbox/policy/openbsd/sandbox_openbsd.cc.orig 2023-03-09 06:31:50 UTC +--- src/3rdparty/chromium/sandbox/policy/openbsd/sandbox_openbsd.cc.orig 2023-04-28 17:01:32 UTC +++ src/3rdparty/chromium/sandbox/policy/openbsd/sandbox_openbsd.cc -@@ -0,0 +1,399 @@ +@@ -0,0 +1,420 @@ +// Copyright (c) 2012 The Chromium Authors. All rights reserved. +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. @@ -37,6 +37,8 @@ +#include "base/threading/thread.h" +#include "base/time/time.h" +#include "build/build_config.h" ++#include "crypto/crypto_buildflags.h" ++#include "ppapi/buildflags/buildflags.h" +#include "sandbox/constants.h" +#include "sandbox/linux/services/credentials.h" +#include "sandbox/linux/services/namespace_sandbox.h" @@ -55,7 +57,7 @@ +#include <sanitizer/common_interface_defs.h> +#endif + -+#if defined(USE_NSS_CERTS) ++#if BUILDFLAG(USE_NSS_CERTS) +#include "crypto/nss_util.h" +#endif + @@ -66,10 +68,7 @@ +#define MAXTOKENS 3 + +#define _UNVEIL_MAIN "/etc/chromium/unveil.main"; -+#define _UNVEIL_RENDERER "/etc/chromium/unveil.renderer"; +#define _UNVEIL_GPU "/etc/chromium/unveil.gpu"; -+#define _UNVEIL_PLUGIN "/etc/chromium/unveil.plugin"; -+#define _UNVEIL_UTILITY "/etc/chromium/unveil.utility"; +#define _UNVEIL_UTILITY_NETWORK "/etc/chromium/unveil.utility_network"; +#define _UNVEIL_UTILITY_AUDIO "/etc/chromium/unveil.utility_audio"; +#define _UNVEIL_UTILITY_VIDEO "/etc/chromium/unveil.utility_video"; @@ -118,40 +117,41 @@ + base::SysInfo::NumberOfProcessors(); + base::SysInfo::CPUModelName(); + -+#if defined(USE_NSS_CERTS) -+ // The main process has to initialize the ~/.pki dir which won't work -+ // after unveil(2). -+ if (process_type.empty()) -+ crypto::EnsureNSSInit(); ++ switch (sandbox_type) { ++ case sandbox::mojom::Sandbox::kNoSandbox: ++ { ++#if BUILDFLAG(USE_NSS_CERTS) ++ // The main process has to initialize the ~/.pki dir which won't work ++ // after unveil(2). ++ crypto::EnsureNSSInit(); +#endif ++ CRYPTO_pre_sandbox_init(); + -+ if (process_type.empty()) -+ CRYPTO_pre_sandbox_init(); ++ base::FilePath cache_directory, local_directory; + -+ if (process_type.empty()) { -+ base::FilePath cache_directory, local_directory; ++ base::PathService::Get(base::DIR_CACHE, &cache_directory); ++ base::PathService::Get(base::DIR_HOME, &local_directory); + -+ base::PathService::Get(base::DIR_CACHE, &cache_directory); -+ base::PathService::Get(base::DIR_HOME, &local_directory); ++ cache_directory = cache_directory.AppendASCII("chromium"); ++ local_directory = local_directory.AppendASCII(".local").AppendASCII("share").AppendASCII("applications"); + -+ cache_directory = cache_directory.AppendASCII("chromium"); -+ local_directory = local_directory.AppendASCII(".local").AppendASCII("share").AppendASCII("applications"); ++ if (!base::CreateDirectory(cache_directory)) { ++ LOG(ERROR) << "Failed to create " << cache_directory.value() << " directory."; ++ } + -+ if (!base::CreateDirectory(cache_directory)) { -+ LOG(ERROR) << "Failed to create " << cache_directory.value() << " directory."; -+ } ++ if (!base::CreateDirectory(local_directory)) { ++ LOG(ERROR) << "Failed to create " << local_directory.value() << " directory."; ++ } + -+ if (!base::CreateDirectory(local_directory)) { -+ LOG(ERROR) << "Failed to create " << local_directory.value() << " directory."; ++ break; + } ++ case sandbox::mojom::Sandbox::kRenderer: ++ gfx::InitializeFonts(); ++ break; ++ default: ++ break; + } + -+ if (process_type == switches::kRendererProcess) -+ gfx::InitializeFonts(); -+ -+ if (!command_line->HasSwitch(switches::kDisableUnveil)) -+ SetUnveil(process_type, sandbox_type); -+ + pre_initialized_ = true; +} + @@ -164,6 +164,7 @@ + if (pstring != NULL) { + if (pledge(pstring, NULL) == -1) + goto err; ++ VLOG(5) << "pledge " << pstring; + } else if (ppath != NULL) { + fp = fopen(ppath, "r"); + if (fp != NULL) { @@ -172,10 +173,11 @@ + s[strlen(s)-1] = '\0'; + if (pledge(s, NULL) == -1) + goto err; ++ VLOG(5) << "pledge " << s; + } + fclose(fp); + } else { -+ LOG(ERROR) << "fopen() failed, errno: " << errno; ++ LOG(ERROR) << "fopen(" << ppath << ") failed, errno: " << errno; + return false; + } + } @@ -192,24 +194,25 @@ + const char *ufile; + size_t len = 0, lineno = 0; + -+ if (process_type.empty()) { -+ ufile = _UNVEIL_MAIN; -+ } else if (process_type == switches::kRendererProcess) { -+ ufile = _UNVEIL_RENDERER; -+ } else if (process_type == switches::kGpuProcess) { -+ ufile = _UNVEIL_GPU; -+ } else if (process_type == switches::kPpapiPluginProcess) { -+ ufile = _UNVEIL_PLUGIN; -+ } else if (process_type == switches::kUtilityProcess) { -+ if (sandbox_type == sandbox::mojom::Sandbox::kNetwork) { ++ switch (sandbox_type) { ++ case sandbox::mojom::Sandbox::kNoSandbox: ++ ufile = _UNVEIL_MAIN; ++ break; ++ case sandbox::mojom::Sandbox::kGpu: ++ ufile = _UNVEIL_GPU; ++ break; ++ case sandbox::mojom::Sandbox::kNetwork: + ufile = _UNVEIL_UTILITY_NETWORK; -+ } else if (sandbox_type == sandbox::mojom::Sandbox::kAudio) { ++ break; ++ case sandbox::mojom::Sandbox::kAudio: + ufile = _UNVEIL_UTILITY_AUDIO; -+ } else if (sandbox_type == sandbox::mojom::Sandbox::kVideoCapture) { ++ break; ++ case sandbox::mojom::Sandbox::kVideoCapture: + ufile = _UNVEIL_UTILITY_VIDEO; -+ } else { -+ ufile = _UNVEIL_UTILITY; -+ } ++ break; ++ default: ++ unveil("/dev/null", "r"); ++ goto done; + } + + fp = fopen(ufile, "r"); @@ -259,7 +262,7 @@ + LOG(ERROR) << "failed unveiling " << path << " with permissions " << tokens[1]; + _exit(1); + } else { -+ VLOG(1) << "unveiling " << path << " with permissions " << tokens[1]; ++ VLOG(5) << "unveiling " << path << " with permissions " << tokens[1]; + } + } + fclose(fp); @@ -268,6 +271,7 @@ + _exit(1); + } + ++done: + unveil_initialized_ = true; + + return true; @@ -307,31 +311,46 @@ + PCHECK(limited_as); + } + -+ if (process_type.empty()) { -+ // XXX use a file for listing pledges of the main process for now -+ // XXX not having the file is not a fatal error -+ SetPledge(NULL, "/etc/chromium/pledge.main"); -+ } else if (process_type == switches::kRendererProcess) { -+ // prot_exec needed by v8 -+ // flock needed by sqlite3 locking -+ SetPledge("stdio rpath flock prot_exec recvfd sendfd ps", NULL); -+ } else if (process_type == switches::kGpuProcess) { -+ SetPledge("stdio rpath flock cpath wpath getpw drm prot_exec recvfd sendfd tmppath", NULL); -+ } else if (process_type == switches::kPpapiPluginProcess) { -+ // prot_exec needed by v8 -+ SetPledge("stdio rpath prot_exec recvfd sendfd", NULL); -+ } else if (process_type == switches::kUtilityProcess) { -+ if (sandbox_type == sandbox::mojom::Sandbox::kAudio) ++ if (hook) ++ CHECK(std::move(hook).Run(options)); ++ ++ if (!command_line->HasSwitch(switches::kDisableUnveil)) ++ SetUnveil(process_type, sandbox_type); ++ ++ switch(sandbox_type) { ++ case sandbox::mojom::Sandbox::kNoSandbox: ++ SetPledge(NULL, "/etc/chromium/pledge.main"); ++ break; ++ case sandbox::mojom::Sandbox::kRenderer: ++ // prot_exec needed by v8 ++ // flock needed by sqlite3 locking ++ SetPledge("stdio rpath flock prot_exec recvfd sendfd ps", NULL); ++ break; ++ case sandbox::mojom::Sandbox::kGpu: ++ SetPledge("stdio drm rpath flock cpath wpath prot_exec recvfd sendfd tmppath", NULL); ++ break; ++#if BUILDFLAG(ENABLE_PPAPI) ++ case sandbox::mojom::Sandbox::kPpapi: ++ // prot_exec needed by v8 ++ SetPledge("stdio rpath prot_exec recvfd sendfd", NULL); ++ break; ++#endif ++ case sandbox::mojom::Sandbox::kAudio: + SetPledge(NULL, "/etc/chromium/pledge.utility_audio"); -+ else if (sandbox_type == sandbox::mojom::Sandbox::kNetwork) ++ break; ++ case sandbox::mojom::Sandbox::kNetwork: + SetPledge(NULL, "/etc/chromium/pledge.utility_network"); -+ else if (sandbox_type == sandbox::mojom::Sandbox::kVideoCapture) ++ break; ++ case sandbox::mojom::Sandbox::kVideoCapture: + SetPledge(NULL, "/etc/chromium/pledge.utility_video"); -+ else ++ break; ++ case sandbox::mojom::Sandbox::kUtility: ++ case sandbox::mojom::Sandbox::kService: + SetPledge("stdio rpath cpath wpath fattr flock sendfd recvfd prot_exec", NULL); -+ } else { -+ LOG(ERROR) << "non-pledge()'d process: " << process_type; -+ return false; ++ break; ++ default: ++ LOG(ERROR) << "non-pledge()'d process: " << GetSandboxTypeInEnglish(sandbox_type); ++ break; + } + + return true; @@ -377,8 +396,10 @@ + return "Utility"; + case sandbox::mojom::Sandbox::kGpu: + return "GPU"; ++#if BUILDFLAG(ENABLE_PPAPI) + case sandbox::mojom::Sandbox::kPpapi: + return "PPAPI"; ++#endif + case sandbox::mojom::Sandbox::kNetwork: + return "Network"; + case sandbox::mojom::Sandbox::kCdm: |