aboutsummaryrefslogtreecommitdiff
path: root/devel/electron35/files/patch-sandbox_policy_freebsd_sandbox__freebsd.h
diff options
context:
space:
mode:
Diffstat (limited to 'devel/electron35/files/patch-sandbox_policy_freebsd_sandbox__freebsd.h')
-rw-r--r--devel/electron35/files/patch-sandbox_policy_freebsd_sandbox__freebsd.h279
1 files changed, 0 insertions, 279 deletions
diff --git a/devel/electron35/files/patch-sandbox_policy_freebsd_sandbox__freebsd.h b/devel/electron35/files/patch-sandbox_policy_freebsd_sandbox__freebsd.h
deleted file mode 100644
index 41877b1a9643..000000000000
--- a/devel/electron35/files/patch-sandbox_policy_freebsd_sandbox__freebsd.h
+++ /dev/null
@@ -1,279 +0,0 @@
---- sandbox/policy/freebsd/sandbox_freebsd.h.orig 2025-02-02 01:39:46 UTC
-+++ sandbox/policy/freebsd/sandbox_freebsd.h
-@@ -0,0 +1,276 @@
-+// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-+// Use of this source code is governed by a BSD-style license that can be
-+// found in the LICENSE file.
-+#ifndef SANDBOX_POLICY_LINUX_SANDBOX_OPENBSD_H_
-+#define SANDBOX_POLICY_LINUX_SANDBOX_OPENBSD_H_
-+
-+#include <memory>
-+#include <string>
-+#include <vector>
-+
-+#include "base/logging.h"
-+#include "base/posix/global_descriptors.h"
-+#include "sandbox/policy/export.h"
-+#include "sandbox/policy/linux/sandbox_seccomp_bpf_linux.h"
-+#include "sandbox/policy/mojom/sandbox.mojom.h"
-+#include "base/sanitizer_buildflags.h"
-+
-+#if BUILDFLAG(USING_SANITIZER)
-+#include <sanitizer/common_interface_defs.h>
-+#endif
-+
-+namespace base {
-+template <typename T>
-+struct DefaultSingletonTraits;
-+class Thread;
-+} // namespace base
-+
-+namespace sandbox {
-+namespace syscall_broker {
-+class BrokerProcess;
-+} // namespace syscall_broker
-+} // namespace sandbox
-+
-+namespace sandbox {
-+namespace policy {
-+
-+// A singleton class to represent and change our sandboxing state for the
-+// three main Linux sandboxes.
-+// The sandboxing model allows using two layers of sandboxing. The first layer
-+// can be implemented either with unprivileged namespaces or with the setuid
-+// sandbox. This class provides a way to engage the namespace sandbox, but does
-+// not deal with the legacy setuid sandbox directly.
-+// The second layer is mainly based on seccomp-bpf and is engaged with
-+// InitializeSandbox(). InitializeSandbox() is also responsible for "sealing"
-+// the first layer of sandboxing. That is, InitializeSandbox must always be
-+// called to have any meaningful sandboxing at all.
-+class SANDBOX_POLICY_EXPORT SandboxLinux {
-+ public:
-+ // This is a list of sandbox IPC methods which the renderer may send to the
-+ // sandbox host. See
-+ // https://chromium.googlesource.com/chromium/src/+/master/docs/linux_sandbox_ipc.md
-+ // This isn't the full list, values < 32 are reserved for methods called from
-+ // Skia, and values < 64 are reserved for libc_interceptor.cc.
-+ enum LinuxSandboxIPCMethods {
-+ DEPRECATED_METHOD_GET_FALLBACK_FONT_FOR_CHAR = 64,
-+ DEPRECATED_METHOD_GET_CHILD_WITH_INODE,
-+ DEPRECATED_METHOD_GET_STYLE_FOR_STRIKE,
-+ METHOD_MAKE_SHARED_MEMORY_SEGMENT,
-+ DEPRECATED_METHOD_MATCH_WITH_FALLBACK,
-+ };
-+
-+ // These form a bitmask which describes the conditions of the Linux sandbox.
-+ // Note: this doesn't strictly give you the current status, it states
-+ // what will be enabled when the relevant processes are initialized.
-+ enum Status {
-+ // SUID sandbox active.
-+ kSUID = 1 << 0,
-+
-+ // Sandbox is using a new PID namespace.
-+ kPIDNS = 1 << 1,
-+
-+ // Sandbox is using a new network namespace.
-+ kNetNS = 1 << 2,
-+
-+ // seccomp-bpf sandbox active.
-+ kSeccompBPF = 1 << 3,
-+
-+ // The Yama LSM module is present and enforcing.
-+ kYama = 1 << 4,
-+
-+ // seccomp-bpf sandbox is active and the kernel supports TSYNC.
-+ kSeccompTSYNC = 1 << 5,
-+
-+ // User namespace sandbox active.
-+ kUserNS = 1 << 6,
-+
-+ // A flag that denotes an invalid sandbox status.
-+ kInvalid = 1 << 31,
-+ };
-+
-+ // SandboxLinux Options are a superset of SandboxSecompBPF Options.
-+ struct Options : public SandboxSeccompBPF::Options {
-+ // When running with a zygote, the namespace sandbox will have already
-+ // been engaged prior to initializing SandboxLinux itself, and need not
-+ // be done so again. Set to true to indicate that there isn't a zygote
-+ // for this process and the step is to be performed here explicitly.
-+ bool engage_namespace_sandbox = false;
-+
-+ // Allow starting the sandbox with multiple threads already running. This
-+ // will enable TSYNC for seccomp-BPF, which syncs the seccomp-BPF policy
-+ // across all running threads.
-+ bool allow_threads_during_sandbox_init = false;
-+
-+ // Enables the CHECK for open directories. The open directory check is only
-+ // useful for the chroot jail (from the semantic layer of the sandbox), and
-+ // can safely be disabled if we are only enabling the seccomp-BPF layer.
-+ bool check_for_open_directories = true;
-+ };
-+
-+ // Callers can provide this hook to run code right before the policy
-+ // is passed to the BPF compiler and the sandbox is engaged. If
-+ // pre_sandbox_hook() returns true, the sandbox will be engaged
-+ // afterwards, otherwise the process is terminated.
-+ using PreSandboxHook = base::OnceCallback<bool(Options)>;
-+
-+ // Get our singleton instance.
-+ static SandboxLinux* GetInstance();
-+
-+ SandboxLinux(const SandboxLinux&) = delete;
-+ SandboxLinux& operator=(const SandboxLinux&) = delete;
-+
-+ bool SetPledge(const char *pstring, const char *ppath);
-+ bool SetUnveil(const std::string process_type, sandbox::mojom::Sandbox sandbox_type);
-+
-+ // Do some initialization that can only be done before any of the sandboxes
-+ // are enabled. If using the setuid sandbox, this should be called manually
-+ // before the setuid sandbox is engaged.
-+ // Security: When this runs, it is imperative that either InitializeSandbox()
-+ // runs as well or that all file descriptors returned in
-+ // GetFileDescriptorsToClose() get closed.
-+ // Otherwise file descriptors that bypass the security of the setuid sandbox
-+ // would be kept open. One must be particularly careful if a process performs
-+ // a fork().
-+ void PreinitializeSandbox(sandbox::mojom::Sandbox sandbox_type);
-+
-+ // Check that the current process is the init process of a new PID
-+ // namespace and then proceed to drop access to the file system by using
-+ // a new unprivileged namespace. This is a layer-1 sandbox.
-+ // In order for this sandbox to be effective, it must be "sealed" by calling
-+ // InitializeSandbox().
-+ void EngageNamespaceSandbox(bool from_zygote);
-+
-+ // Return a list of file descriptors to close if PreinitializeSandbox() ran
-+ // but InitializeSandbox() won't. Avoid using.
-+ // TODO(jln): get rid of this hack.
-+ std::vector<int> GetFileDescriptorsToClose();
-+
-+ // Seal an eventual layer-1 sandbox and initialize the layer-2 sandbox with
-+ // an adequate policy depending on the process type and command line
-+ // arguments.
-+ // Currently the layer-2 sandbox is composed of seccomp-bpf and address space
-+ // limitations.
-+ // This function should only be called without any thread running.
-+ bool InitializeSandbox(sandbox::mojom::Sandbox sandbox_type,
-+ PreSandboxHook hook,
-+ const Options& options);
-+
-+ // Stop |thread| in a way that can be trusted by the sandbox.
-+ void StopThread(base::Thread* thread);
-+
-+ // Returns the status of the renderer, worker and ppapi sandbox. Can only
-+ // be queried after going through PreinitializeSandbox(). This is a bitmask
-+ // and uses the constants defined in "enum Status" above. Since the
-+ // status needs to be provided before the sandboxes are actually started,
-+ // this returns what will actually happen once InitializeSandbox()
-+ // is called from inside these processes.
-+ int GetStatus();
-+
-+ // Returns true if the current process is single-threaded or if the number
-+ // of threads cannot be determined.
-+ bool IsSingleThreaded() const;
-+
-+ // Returns true if we started Seccomp BPF.
-+ bool seccomp_bpf_started() const;
-+
-+ // Check the policy and eventually start the seccomp-bpf sandbox. This should
-+ // never be called with threads started. If we detect that threads have
-+ // started we will crash.
-+ bool StartSeccompBPF(sandbox::mojom::Sandbox sandbox_type,
-+ PreSandboxHook hook,
-+ const Options& options);
-+
-+ // Limit the address space of the current process (and its children) to make
-+ // some vulnerabilities harder to exploit. Writes the errno due to setrlimit
-+ // (including 0 if no error) into |error|.
-+ bool LimitAddressSpace(int* error);
-+
-+ // Returns a file descriptor to proc. The file descriptor is no longer valid
-+ // after the sandbox has been sealed.
-+ int proc_fd() const {
-+ DCHECK_NE(-1, proc_fd_);
-+ return proc_fd_;
-+ }
-+
-+#if BUILDFLAG(USING_SANITIZER)
-+ __sanitizer_sandbox_arguments* sanitizer_args() const {
-+ return sanitizer_args_.get();
-+ };
-+#endif
-+
-+ // A BrokerProcess is a helper that is started before the sandbox is engaged,
-+ // typically from a pre-sandbox hook, that will serve requests to access
-+ // files over an IPC channel. The client of this runs from a SIGSYS handler
-+ // triggered by the seccomp-bpf sandbox.
-+ // |client_sandbox_policy| is the policy being run by the client, and is
-+ // used to derive the equivalent broker-side policy.
-+ // |broker_side_hook| is an alternate pre-sandbox hook to be run before the
-+ // broker itself gets sandboxed, to which the broker side policy and
-+ // |options| are passed.
-+ // Crashes the process if the broker can not be started since continuation
-+ // is impossible (and presumably unsafe).
-+ // This should never be destroyed, as after the sandbox is started it is
-+ // vital to the process.
-+#if 0
-+ void StartBrokerProcess(
-+ const sandbox::syscall_broker::BrokerCommandSet& allowed_command_set,
-+ std::vector<sandbox::syscall_broker::BrokerFilePermission> permissions,
-+ PreSandboxHook broker_side_hook,
-+ const Options& options);
-+
-+ sandbox::syscall_broker::BrokerProcess* broker_process() const {
-+ return broker_process_;
-+ }
-+#endif
-+
-+ private:
-+ friend struct base::DefaultSingletonTraits<SandboxLinux>;
-+
-+ SandboxLinux();
-+ ~SandboxLinux();
-+
-+ // We must have been pre_initialized_ before using these.
-+ bool seccomp_bpf_supported() const;
-+ bool seccomp_bpf_with_tsync_supported() const;
-+
-+ // Returns true if it can be determined that the current process has open
-+ // directories that are not managed by the SandboxLinux class. This would
-+ // be a vulnerability as it would allow to bypass the setuid sandbox.
-+ bool HasOpenDirectories() const;
-+
-+ // The last part of the initialization is to make sure any temporary "hole"
-+ // in the sandbox is closed. For now, this consists of closing proc_fd_.
-+ void SealSandbox();
-+
-+ // GetStatus() makes promises as to how the sandbox will behave. This
-+ // checks that no promises have been broken.
-+ void CheckForBrokenPromises(sandbox::mojom::Sandbox sandbox_type);
-+
-+ // Stop |thread| and make sure it does not appear in /proc/self/tasks/
-+ // anymore.
-+ void StopThreadAndEnsureNotCounted(base::Thread* thread) const;
-+
-+ // A file descriptor to /proc. It's dangerous to have it around as it could
-+ // allow for sandbox bypasses. It needs to be closed before we consider
-+ // ourselves sandboxed.
-+ int proc_fd_;
-+
-+ bool seccomp_bpf_started_;
-+ // The value returned by GetStatus(). Gets computed once and then cached.
-+ int sandbox_status_flags_;
-+ // Did PreinitializeSandbox() run?
-+ bool pre_initialized_;
-+ bool seccomp_bpf_supported_; // Accurate if pre_initialized_.
-+ bool seccomp_bpf_with_tsync_supported_; // Accurate if pre_initialized_.
-+ bool yama_is_enforcing_; // Accurate if pre_initialized_.
-+ bool initialize_sandbox_ran_; // InitializeSandbox() was called.
-+#if BUILDFLAG(USING_SANITIZER)
-+ std::unique_ptr<__sanitizer_sandbox_arguments> sanitizer_args_;
-+#endif
-+ sandbox::syscall_broker::BrokerProcess* broker_process_; // Leaked as global.
-+};
-+
-+} // namespace policy
-+} // namespace sandbox
-+
-+#endif // SANDBOX_POLICY_LINUX_SANDBOX_OPENBSD_H_
generated by cgit v1.2.3 (git 2.25.1) at 2025-11-04 10:43:21 +0000