commit:     d3ff3ceee4053d9ca58ca904b27b036d861aef91
Author:     Stephan Hartmann <sultan <AT> gentoo <DOT> org>
AuthorDate: Tue Apr 13 17:00:22 2021 +0000
Commit:     Stephan Hartmann <sultan <AT> gentoo <DOT> org>
CommitDate: Tue Apr 13 17:01:11 2021 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d3ff3cee

www-client/chromium: beta channel bump to 90.0.4430.70

Package-Manager: Portage-3.0.17, Repoman-3.0.2
Signed-off-by: Stephan Hartmann <sultan <AT> gentoo.org>

 www-client/chromium/Manifest                       |   4 +-
 ...4430.61.ebuild => chromium-90.0.4430.70.ebuild} |  14 +-
 .../chromium/files/chromium-glibc-2.33.patch       | 141 +++++++++++++++++++++
 3 files changed, 155 insertions(+), 4 deletions(-)

diff --git a/www-client/chromium/Manifest b/www-client/chromium/Manifest
index 72334096ea2..dd4f2d01e1e 100644
--- a/www-client/chromium/Manifest
+++ b/www-client/chromium/Manifest
@@ -1,7 +1,7 @@
 DIST chromium-89-patchset-7.tar.xz 4640 BLAKE2B 
6150f92a4cb83025b7521c573e9a14bfcb26f7a5ff4ebe79cfc819b214ae05d0e986b9db561a99b4f9c7b4a8e4adf1c8ee966011bb0791ef11fc2be89b03b216
 SHA512 
6ef5be9e56b82c70d3d1a0596e74af3bab97ea82a8247b6d0ba736411779be10b17c7cd9ccd9eae5fac27af3907fd3b56e301e73011f58b2c4052bbc03390b1c
 DIST chromium-89.0.4389.114.tar.xz 890898912 BLAKE2B 
b9590f83eb54fc1b524a7893f8ce0317cb5648aae84853b8958f2a0f65ae2f8331e65732322f4956fb5bc58ef3691755ae66ed901567e2b5a9749a99fc6096c4
 SHA512 
5b8d92ecde3ab35847dc4981caa12434334f81fc576e8809c5832a18989b6d1465ae8c43f0ad0ea8a3da7a5876c52679c57ec8323109de2b81ac467419fa1a4c
-DIST chromium-90-patchset-6.tar.xz 3828 BLAKE2B 
bbd1378868cf4d699ff097ea41226ff694d58468f8f93860f2d6cc60924f35fb1f0b17fcf5a916f04545171d1219b699072222f138240fd483c704874cfce178
 SHA512 
70321eb4e9fe27818d5e6ae3109d3871a870a7fb6886328dcc9fc8291ac72fc003d678aec7f9925afe0c5667c70ce9bca8f61434b11a331fc1a29d61ad7b59e3
-DIST chromium-90.0.4430.61.tar.xz 917389704 BLAKE2B 
58f79e1b7365d22d9f8fa0deb52dab3f5e027f18f5bda926e733035b5f2e5c7af07265806f5a88f5d5fb556164dd7221a6546f3b6c8dd013048e17f4202dd18a
 SHA512 
9e029d08e396b85b9a3cbc67910ba47b67ecb8acaf607844cbeddb18907b3b8f15444034487c6258f253eb84835d21fccee4d654fbc5b815cc03b8be032eccac
+DIST chromium-90-patchset-7.tar.xz 3892 BLAKE2B 
3ba169baaaf74b548749be3f845f505256cc9573f798e10929b5d1f0f534d739e657e3fa134c78ec3f7987a3b89adfc4bee0d1a6585ad8fe4bdc3ffd1181042c
 SHA512 
5e1aa834ee5668ee40fc3af5cda7325da710dd1a0dea7ce535e89e36fd7d321db63d520a9b6ce6372ed941473dff18d1276316567af810c18e1478a04d3f23f8
+DIST chromium-90.0.4430.70.tar.xz 917490588 BLAKE2B 
335bd7cca22b691dce110ca838c71abc8971423be1f74709f2f95dbd6c5c9cfb79dca9391ceb11e2571ef0ce66e727bcaadef044923d2df7720873db71e48e72
 SHA512 
c75bd3b0078d90aa28d0542c845fbae1ac7a478ca70386ad74f98f4541186e3d5f5ceafd4f447ee541dfff2cc4cb5bec9be5d8d510cb52fcf2d188c3fc666311
 DIST chromium-91-patchset-4.tar.xz 3188 BLAKE2B 
34d64f4124cb5c020d7d20c883c3409f710b96d5412f8881936e86d78ed034c1d70bd16f9324c5af21f735c3c5f98b4b4cd28cbd7f86f9513df2a5f1ff404772
 SHA512 
79c1640a7248d628c31fdbf3df296aa888e80f3c90cc6a74be56ac1389d9748b7cce88641e626cd4a5ae298e82fb325a8604fda68378706f0f26a2570e8983a2
 DIST chromium-91.0.4469.4.tar.xz 949712784 BLAKE2B 
99453196fb9f2336afffb03affcf7441a1ee5f8c9ce50c76888783b8520f2490299e5fc3448c7f61c270c175e48e55a1f947f8cfdf0053a02513676d9ed8daeb
 SHA512 
413452da449198713e6d10f05b937f95a6c0ffb11b2408dc9ced1048af6f7a406af07f8112fe39f73482723802ff25e51ce0085c598d03dba207a5658385871d
 DIST setuptools-44.1.0.zip 858569 BLAKE2B 
f59f154e121502a731e51294ccd293d60ffccadacf51e23b53bf7ceba38858948b86783238061136c827ac3373ea7ea8e6253d4bb53f3f1dd69284568ec65a68
 SHA512 
4dfb0f42d334b835758e865a26ecd1e725711fa2b9c38ddc273b8b3849fba04527bc97436d11ba1e98f1a42922aa0f0b9032e32998273c705fac6e10735eacbf

diff --git a/www-client/chromium/chromium-90.0.4430.61.ebuild 
b/www-client/chromium/chromium-90.0.4430.70.ebuild
similarity index 98%
rename from www-client/chromium/chromium-90.0.4430.61.ebuild
rename to www-client/chromium/chromium-90.0.4430.70.ebuild
index 10be8d7a2e6..341730c15b5 100644
--- a/www-client/chromium/chromium-90.0.4430.61.ebuild
+++ b/www-client/chromium/chromium-90.0.4430.70.ebuild
@@ -13,7 +13,7 @@ inherit check-reqs chromium-2 desktop flag-o-matic multilib 
ninja-utils pax-util
 
 DESCRIPTION="Open-source version of Google Chrome web browser"
 HOMEPAGE="https://chromium.org/";
-PATCHSET="6"
+PATCHSET="7"
 PATCHSET_NAME="chromium-$(ver_cut 1)-patchset-${PATCHSET}"
 
SRC_URI="https://commondatastorage.googleapis.com/chromium-browser-official/${P}.tar.xz
        
https://files.pythonhosted.org/packages/ed/7b/bbf89ca71e722b7f9464ebffe4b5ee20a9e5c9a555a56e2d3914bb9119a6/setuptools-44.1.0.zip
@@ -70,7 +70,6 @@ COMMON_DEPEND="
        )
        sys-apps/dbus:=
        sys-apps/pciutils:=
-       <sys-libs/glibc-2.33
        virtual/udev
        x11-libs/cairo:=
        x11-libs/gdk-pixbuf:2
@@ -237,6 +236,17 @@ src_prepare() {
                "${FILESDIR}/chromium-shim_headers.patch"
        )
 
+       # seccomp sandbox is broken if compiled against >=sys-libs/glibc-2.33, 
bug #769989
+       if has_version -d ">=sys-libs/glibc-2.33"; then
+               ewarn "Adding experimental glibc-2.33 sandbox patch. Seccomp 
sandbox might"
+               ewarn "still not work correctly. In case of issues, try to 
disable seccomp"
+               ewarn "sandbox by adding --disable-seccomp-filter-sandbox to 
CHROMIUM_FLAGS"
+               ewarn "in /etc/chromium/default."
+               PATCHES+=(
+                       "${FILESDIR}/chromium-glibc-2.33.patch"
+               )
+       fi
+
        default
 
        mkdir -p third_party/node/linux/node-linux-x64/bin || die
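Review bot: The `ewarn` block points users at `--disable-seccomp-filter-sandbox` without saying that this turns off the seccomp-bpf layer of the sandbox, so a user who follows it trades a breakage for weaker process isolation; I would add a line such as `ewarn "Disabling the seccomp sandbox reduces isolation; use it only as a temporary workaround."`. The `has_version -d ">=sys-libs/glibc-2.33"` test runs in src_prepare against the build host, and the previous hunk in this file drops `<sys-libs/glibc-2.33` from COMMON_DEPEND, so a binary package built against an older glibc can apparently be installed next to glibc 2.33 without the patch. The additions in chromium-glibc-2.33.patch sit behind `#if defined(__NR_newfstatat)` / `#if defined(__NR_fstatat64)` guards, so applying it unconditionally may be the simpler option if it is confirmed harmless on older glibc. src_prepare begins and ends outside this hunk.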

diff --git a/www-client/chromium/files/chromium-glibc-2.33.patch 
b/www-client/chromium/files/chromium-glibc-2.33.patch
new file mode 100644
index 00000000000..26e8003968d
--- /dev/null
+++ b/www-client/chromium/files/chromium-glibc-2.33.patch
@@ -0,0 +1,141 @@
+diff -up 
chromium-88.0.4324.96/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc.fstatfix
 chromium-88.0.4324.96/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc
+--- 
chromium-88.0.4324.96/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc.fstatfix
        2021-01-25 10:11:45.427436398 -0500
++++ chromium-88.0.4324.96/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc 
2021-01-25 10:12:51.337699003 -0500
+@@ -257,6 +257,18 @@ ResultExpr EvaluateSyscallImpl(int fs_de
+     return RestrictKillTarget(current_pid, sysno);
+   }
+ 
++#if defined(__NR_newfstatat)
++  if (sysno == __NR_newfstatat) {
++    return RewriteFstatatSIGSYS();
++  }
++#endif
++
++#if defined(__NR_fstatat64)
++  if (sysno == __NR_fstatat64) {
++    return RewriteFstatatSIGSYS();
++  }
++#endif
++
+   if (SyscallSets::IsFileSystem(sysno) ||
+       SyscallSets::IsCurrentDirectory(sysno)) {
+     return Error(fs_denied_errno);
+diff -up 
chromium-88.0.4324.96/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.cc.fstatfix
 chromium-88.0.4324.96/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.cc
+--- 
chromium-88.0.4324.96/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.cc.fstatfix
        2021-01-25 10:13:10.179774081 -0500
++++ chromium-88.0.4324.96/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.cc 
2021-01-25 10:16:18.790525746 -0500
+@@ -6,6 +6,8 @@
+ 
+ #include "sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h"
+ 
++#include <errno.h>
++#include <fcntl.h>
+ #include <stddef.h>
+ #include <stdint.h>
+ #include <string.h>
+@@ -355,6 +357,35 @@ intptr_t SIGSYSSchedHandler(const struct
+   return -ENOSYS;
+ }
+ 
++intptr_t SIGSYSFstatatHandler(const struct arch_seccomp_data& args,
++                              void* aux) {
++  switch (args.nr) {
++#if defined(__NR_newfstatat)
++    case __NR_newfstatat:
++#endif
++#if defined(__NR_fstatat64)
++    case __NR_fstatat64:
++#endif
++#if defined(__NR_newfstatat) || defined(__NR_fstatat64)
++      if (*reinterpret_cast<const char *>(args.args[1]) == '\0'
++          && args.args[3] == static_cast<uint64_t>(AT_EMPTY_PATH)) {
++        return sandbox::sys_fstat64(static_cast<int>(args.args[0]),
++                                    reinterpret_cast<struct stat64 
*>(args.args[2]));
++      } else {
++        errno = EACCES;
++        return -1;
++      }
++      break;
++#endif
++  }
++
++  CrashSIGSYS_Handler(args, aux);
++
++  // Should never be reached.
++  RAW_CHECK(false);
++  return -ENOSYS;
++}
++
+ bpf_dsl::ResultExpr CrashSIGSYS() {
+   return bpf_dsl::Trap(CrashSIGSYS_Handler, NULL);
+ }
+@@ -387,6 +418,10 @@ bpf_dsl::ResultExpr RewriteSchedSIGSYS()
+   return bpf_dsl::Trap(SIGSYSSchedHandler, NULL);
+ }
+ 
++bpf_dsl::ResultExpr RewriteFstatatSIGSYS() {
++  return bpf_dsl::Trap(SIGSYSFstatatHandler, NULL);
++}
++
+ void AllocateCrashKeys() {
+ #if !defined(OS_NACL_NONSFI)
+   if (seccomp_crash_key)
+diff -up 
chromium-88.0.4324.96/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h.fstatfix
 chromium-88.0.4324.96/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h
+--- 
chromium-88.0.4324.96/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h.fstatfix
 2021-01-25 10:16:36.982598236 -0500
++++ chromium-88.0.4324.96/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h  
2021-01-25 10:18:45.705111027 -0500
+@@ -62,6 +62,10 @@ SANDBOX_EXPORT intptr_t SIGSYSPtraceFail
+ // sched_setparam(), sched_setscheduler()
+ SANDBOX_EXPORT intptr_t SIGSYSSchedHandler(const arch_seccomp_data& args,
+                                            void* aux);
++// If the fstatat syscall is actually a disguised fstat, calls the regular 
fstat
++// syscall, otherwise, crashes in the same way as CrashSIGSYS_Handler.
++SANDBOX_EXPORT intptr_t SIGSYSFstatatHandler(const struct arch_seccomp_data& 
args, 
++                                             void* aux);
+ 
+ // Variants of the above functions for use with bpf_dsl.
+ SANDBOX_EXPORT bpf_dsl::ResultExpr CrashSIGSYS();
+@@ -72,6 +76,7 @@ SANDBOX_EXPORT bpf_dsl::ResultExpr Crash
+ SANDBOX_EXPORT bpf_dsl::ResultExpr CrashSIGSYSFutex();
+ SANDBOX_EXPORT bpf_dsl::ResultExpr CrashSIGSYSPtrace();
+ SANDBOX_EXPORT bpf_dsl::ResultExpr RewriteSchedSIGSYS();
++SANDBOX_EXPORT bpf_dsl::ResultExpr RewriteFstatatSIGSYS();
+ 
+ // Allocates a crash key so that Seccomp information can be recorded.
+ void AllocateCrashKeys();
+diff -up 
chromium-88.0.4324.96/sandbox/linux/services/syscall_wrappers.cc.fstatfix 
chromium-88.0.4324.96/sandbox/linux/services/syscall_wrappers.cc
+--- chromium-88.0.4324.96/sandbox/linux/services/syscall_wrappers.cc.fstatfix  
2021-01-25 10:18:53.307141311 -0500
++++ chromium-88.0.4324.96/sandbox/linux/services/syscall_wrappers.cc   
2021-01-25 10:19:46.982355293 -0500
+@@ -261,4 +261,13 @@ int sys_sigaction(int signum,
+ 
+ #endif  // defined(MEMORY_SANITIZER)
+ 
++SANDBOX_EXPORT int sys_fstat64(int fd, struct stat64 *buf)
++{
++#if defined(__NR_fstat64)
++    return syscall(__NR_fstat64, fd, buf);
++#else
++    return syscall(__NR_fstat, fd, buf);
++#endif
++}
++
+ }  // namespace sandbox
+diff -up 
chromium-88.0.4324.96/sandbox/linux/services/syscall_wrappers.h.fstatfix 
chromium-88.0.4324.96/sandbox/linux/services/syscall_wrappers.h
+--- chromium-88.0.4324.96/sandbox/linux/services/syscall_wrappers.h.fstatfix   
2021-01-25 10:19:53.115379741 -0500
++++ chromium-88.0.4324.96/sandbox/linux/services/syscall_wrappers.h    
2021-01-25 10:20:45.485588421 -0500
+@@ -17,6 +17,7 @@ struct sock_fprog;
+ struct rlimit64;
+ struct cap_hdr;
+ struct cap_data;
++struct stat64;
+ 
+ namespace sandbox {
+ 
+@@ -84,6 +85,9 @@ SANDBOX_EXPORT int sys_sigaction(int sig
+                                  const struct sigaction* act,
+                                  struct sigaction* oldact);
+ 
++// Recent glibc rewrites fstat to fstatat.
++SANDBOX_EXPORT int sys_fstat64(int fd, struct stat64 *buf);
++
+ }  // namespace sandbox
+ 
+ #endif  // SANDBOX_LINUX_SERVICES_SYSCALL_WRAPPERS_H_
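Review bot: In `SIGSYSFstatatHandler` the rejection branch does `errno = EACCES; return -1;`, while the neighbouring handlers in the same file return a negated errno (`return -ENOSYS;`); if the trap's return value is delivered as the raw syscall result, the caller would see -1 (EPERM) instead of EACCES, so `return -EACCES;` would match the convention. Note also that `EvaluateSyscallImpl` answered this syscall with `Error(fs_denied_errno)` before the new early return, and the hard-coded value no longer follows it. The same concern applies to the result of `sandbox::sys_fstat64`, which goes through `syscall()` and reports failure as -1 with errno set; something like `return rv == 0 ? 0 : -errno;` would keep the real error. The handler also reads `*reinterpret_cast<const char *>(args.args[1])` without checking the pointer, so a null or invalid path argument faults inside the SIGSYS handler instead of being refused with an error. Finally, the comment added in sigsys_handlers.h says the handler otherwise "crashes in the same way as CrashSIGSYS_Handler", but the code returns an error for a non-empty path and crashes only for other syscall numbers, so the comment should describe that.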
