38 lines
1.6 KiB
Diff
38 lines
1.6 KiB
Diff
From b3a14db7637232d30c878cc1f1ad6d8037e81379 Mon Sep 17 00:00:00 2001
|
|
From: Shawn Anastasio <shawn@anastas.io>
|
|
Date: Tue, 15 Jan 2019 22:42:21 -0600
|
|
Subject: [PATCH] linux/seccomp-bpf: ppc64+glibc workaround in SIGSYS handler
|
|
|
|
Workaround for an apparent issue with glibc negating syscall
|
|
parameters. Observed on a ppc64le machine with glibc.
|
|
More investigation required.
|
|
---
|
|
sandbox/linux/seccomp-bpf/trap.cc | 14 ++++++++++++++
|
|
1 file changed, 14 insertions(+)
|
|
|
|
Index: chromium-128.0.6613.113/sandbox/linux/seccomp-bpf/trap.cc
|
|
===================================================================
|
|
--- chromium-128.0.6613.113.orig/sandbox/linux/seccomp-bpf/trap.cc
|
|
+++ chromium-128.0.6613.113/sandbox/linux/seccomp-bpf/trap.cc
|
|
@@ -236,6 +236,20 @@ void Trap::SigSys(int nr, LinuxSigInfo*
|
|
SetIsInSigHandler();
|
|
}
|
|
|
|
+#if defined(__powerpc64__)
|
|
+ // On ppc64+glibc, some syscalls seem to accidentally negate the first
|
|
+ // parameter which causes checks against it to fail. For now, manually
|
|
+ // negate them back.
|
|
+ // TODO(shawn@anastas.io): investigate this issue further
|
|
+ auto nr = SECCOMP_SYSCALL(ctx);
|
|
+ if (nr == __NR_openat || nr == __NR_mkdirat || nr == __NR_faccessat || nr == __NR_readlinkat ||
|
|
+ nr == __NR_renameat || nr == __NR_renameat2 || nr == __NR_newfstatat || nr == __NR_unlinkat) {
|
|
+ if (static_cast<int>(SECCOMP_PARM1(ctx)) > 0) {
|
|
+ SECCOMP_PARM1(ctx) = -SECCOMP_PARM1(ctx);
|
|
+ }
|
|
+ }
|
|
+#endif
|
|
+
|
|
// Copy the seccomp-specific data into a arch_seccomp_data structure. This
|
|
// is what we are showing to TrapFnc callbacks that the system call
|
|
// evaluator registered with the sandbox.
|