libqt5-qtwebengine/sandbox-statx-futex_time64.patch

From: Fabian Vogt <fabian@ritter-vogt.de>
Subject: Sandbox: Handle statx and futex_time64

glibc uses statx in some more places now (e.g stat64 -> __fstatat64_time64),
but it's caught by the sandbox, which doesn't handle it and breaks.
Return -ENOSYS instead to trigger the fallback in glibc.

futex_time64 is also used internally in glibc, so handle that as well.
The signature is identical where it matters.

diff --git a/src/3rdparty/chromium/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc b/chromium/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc
index 3c67b124786..4772dc096f5 100644
--- a/src/3rdparty/chromium/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc
+++ b/src/3rdparty/chromium/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc
@@ -194,6 +194,11 @@ ResultExpr EvaluateSyscallImpl(int fs_denied_errno,
   if (sysno == __NR_futex)
     return RestrictFutex();
 
+#if defined(__NR_futex_time64)
+  if (sysno == __NR_futex_time64)
+    return RestrictFutex();
+#endif
+
   if (sysno == __NR_set_robust_list)
     return Error(EPERM);
 
@@ -257,6 +262,12 @@ ResultExpr EvaluateSyscallImpl(int fs_denied_errno,
     return RestrictKillTarget(current_pid, sysno);
   }
 
+#if defined(__NR_statx)
+  if (sysno == __NR_statx) {
+    return Error(ENOSYS);
+  }
+#endif
+
   if (SyscallSets::IsFileSystem(sysno) ||
       SyscallSets::IsCurrentDirectory(sysno)) {
     return Error(fs_denied_errno);
Accepting request 873154 from home:Vogtinator:qt5.15 - Add patch to fix sandbox with glibc 2.33 on 32bit: * sandbox-statx-futex_time64.patch OBS-URL: https://build.opensuse.org/request/show/873154 OBS-URL: https://build.opensuse.org/package/show/KDE:Qt:5.15/libqt5-qtwebengine?expand=0&rev=21 2021-02-17 16:13:18 +01:00			`From: Fabian Vogt <fabian@ritter-vogt.de>`
			`Subject: Sandbox: Handle statx and futex_time64`

			`glibc uses statx in some more places now (e.g stat64 -> __fstatat64_time64),`
			`but it's caught by the sandbox, which doesn't handle it and breaks.`
			`Return -ENOSYS instead to trigger the fallback in glibc.`

			`futex_time64 is also used internally in glibc, so handle that as well.`
			`The signature is identical where it matters.`

Accepting request 881623 from home:cgiboudeaux:branches:KDE:Qt:5.15 Qt WebEngine 5.15.3. Also compatible with Qt 5.12 OBS-URL: https://build.opensuse.org/request/show/881623 OBS-URL: https://build.opensuse.org/package/show/KDE:Qt:5.15/libqt5-qtwebengine?expand=0&rev=23 2021-03-29 06:47:36 +02:00			`diff --git a/src/3rdparty/chromium/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc b/chromium/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc`
			`index 3c67b124786..4772dc096f5 100644`
			`--- a/src/3rdparty/chromium/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc`
			`+++ b/src/3rdparty/chromium/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc`
			`@@ -194,6 +194,11 @@ ResultExpr EvaluateSyscallImpl(int fs_denied_errno,`
Accepting request 873154 from home:Vogtinator:qt5.15 - Add patch to fix sandbox with glibc 2.33 on 32bit: * sandbox-statx-futex_time64.patch OBS-URL: https://build.opensuse.org/request/show/873154 OBS-URL: https://build.opensuse.org/package/show/KDE:Qt:5.15/libqt5-qtwebengine?expand=0&rev=21 2021-02-17 16:13:18 +01:00			`if (sysno == __NR_futex)`
			`return RestrictFutex();`

			`+#if defined(__NR_futex_time64)`
			`+ if (sysno == __NR_futex_time64)`
			`+ return RestrictFutex();`
			`+#endif`
			`+`
			`if (sysno == __NR_set_robust_list)`
			`return Error(EPERM);`

Accepting request 881623 from home:cgiboudeaux:branches:KDE:Qt:5.15 Qt WebEngine 5.15.3. Also compatible with Qt 5.12 OBS-URL: https://build.opensuse.org/request/show/881623 OBS-URL: https://build.opensuse.org/package/show/KDE:Qt:5.15/libqt5-qtwebengine?expand=0&rev=23 2021-03-29 06:47:36 +02:00			`@@ -257,6 +262,12 @@ ResultExpr EvaluateSyscallImpl(int fs_denied_errno,`
			`return RestrictKillTarget(current_pid, sysno);`
Accepting request 873154 from home:Vogtinator:qt5.15 - Add patch to fix sandbox with glibc 2.33 on 32bit: * sandbox-statx-futex_time64.patch OBS-URL: https://build.opensuse.org/request/show/873154 OBS-URL: https://build.opensuse.org/package/show/KDE:Qt:5.15/libqt5-qtwebengine?expand=0&rev=21 2021-02-17 16:13:18 +01:00			`}`

			`+#if defined(__NR_statx)`
			`+ if (sysno == __NR_statx) {`
			`+ return Error(ENOSYS);`
			`+ }`
			`+#endif`
			`+`
			`if (SyscallSets::IsFileSystem(sysno) \|\|`
			`SyscallSets::IsCurrentDirectory(sysno)) {`
			`return Error(fs_denied_errno);`