[arch-commits] Commit in qt5-webengine/repos (5 files)

Evangelos Foutras foutrelis at archlinux.org
Tue Aug 6 05:55:27 UTC 2019


    Date: Tuesday, August 6, 2019 @ 05:55:27
  Author: foutrelis
Revision: 359226

archrelease: copy trunk to staging-x86_64

Added:
  qt5-webengine/repos/staging-x86_64/
  qt5-webengine/repos/staging-x86_64/PKGBUILD
    (from rev 359225, qt5-webengine/trunk/PKGBUILD)
  qt5-webengine/repos/staging-x86_64/qtbug-76958.patch
    (from rev 359225, qt5-webengine/trunk/qtbug-76958.patch)
  qt5-webengine/repos/staging-x86_64/qtbug-77037-workaround.patch
    (from rev 359225, qt5-webengine/trunk/qtbug-77037-workaround.patch)
  qt5-webengine/repos/staging-x86_64/qtwebengine-glibc-2.29.patch
    (from rev 359225, qt5-webengine/trunk/qtwebengine-glibc-2.29.patch)

------------------------------+
 PKGBUILD                     |   61 +++++++++++++++++++++++
 qtbug-76958.patch            |   31 ++++++++++++
 qtbug-77037-workaround.patch |   11 ++++
 qtwebengine-glibc-2.29.patch |  105 +++++++++++++++++++++++++++++++++++++++++
 4 files changed, 208 insertions(+)

Copied: qt5-webengine/repos/staging-x86_64/PKGBUILD (from rev 359225, qt5-webengine/trunk/PKGBUILD)
===================================================================
--- staging-x86_64/PKGBUILD	                        (rev 0)
+++ staging-x86_64/PKGBUILD	2019-08-06 05:55:27 UTC (rev 359226)
@@ -0,0 +1,61 @@
+# Maintainer: Felix Yan <felixonmars at archlinux.org>
+# Contributor: Andrea Scarpino <andrea at archlinux.org>
+
+pkgname=qt5-webengine
+_qtver=5.13.0
+pkgver=${_qtver/-/}
+pkgrel=4
+arch=('x86_64')
+url='https://www.qt.io'
+license=('LGPL3' 'LGPL2.1' 'BSD')
+pkgdesc='Provides support for web applications using the Chromium browser project'
+depends=('qt5-webchannel' 'qt5-location' 'libxcomposite' 'libxrandr' 'pciutils' 'libxss' 
+         'libevent' 'snappy' 'nss' 'libxslt' 'minizip' 'ffmpeg' 're2' 'libvpx' 'libpulse')
+makedepends=('python2' 'gperf' 'jsoncpp' 'ninja' 'qt5-tools' 'poppler')
+groups=('qt' 'qt5')
+_pkgfqn="${pkgname/5-/}-everywhere-src-${_qtver}"
+source=("https://download.qt.io/official_releases/qt/${pkgver%.*}/${_qtver}/submodules/${_pkgfqn}.tar.xz"
+        qtwebengine-glibc-2.29.patch
+        qtbug-77037-workaround.patch
+        qtbug-76913.patch::"https://code.qt.io/cgit/qt/qtwebengine.git/patch/?id=4746bb90"
+        qtbug-76958.patch) # "https://code.qt.io/cgit/qt/qtwebengine.git/patch/?id=662de14c"
+sha256sums=('e0af82ecee1ab41b6732697f667b98b7b0c53164bebcfaad8070e88b2e064efe'
+            'dd791f154b48e69cd47fd94753c45448655b529590995fd71ac1591c53a3d60c'
+            '3e3bb8ecf292e7f249d001db4a4a072ca4ba38f713f496122bd7c73d93d5def9'
+            '5771af2442d7743ef7c59f0d3716a23985383e2b69ecb4fa9d4ea8e8f7c551fa'
+            'eef55340b3ec5f8d1020b7327eda67f86729aaf70107c688deb15083f5ca8fbc')
+
+prepare() {
+  mkdir -p build
+
+  cd ${_pkgfqn}
+  patch -p1 -i ../qtbug-76913.patch # Fix crashes on media-heavy sites
+  patch -p1 -i ../qtbug-76958.patch # Fix crash when loading tabs on the background
+  patch -p1 -i ../qtbug-77037-workaround.patch # Link to pulseaudio to avoid header mismatch
+
+  cd src/3rdparty/chromium
+  patch -p1 -i "$srcdir"/qtwebengine-glibc-2.29.patch # Fix PPAPI plugins with glibc 2.29
+}
+
+build() {
+  cd build
+
+  qmake ../${_pkgfqn} -- \
+    -proprietary-codecs \
+    -system-ffmpeg \
+    -webp \
+    -spellchecker \
+    -webengine-icu
+  make
+}
+
+package() {
+  cd build
+  make INSTALL_ROOT="$pkgdir" install
+
+  # Drop QMAKE_PRL_BUILD_DIR because reference the build dir
+  find "$pkgdir/usr/lib" -type f -name '*.prl' \
+    -exec sed -i -e '/^QMAKE_PRL_BUILD_DIR/d' {} \;
+
+  install -Dm644 "$srcdir"/${_pkgfqn}/src/3rdparty/chromium/LICENSE "$pkgdir"/usr/share/licenses/${pkgname}/LICENSE.chromium
+}
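Review bot: The comment on the `qtwebengine-glibc-2.29.patch` line in prepare() does not say where the patch comes from, or that it changes the seccomp-bpf clone() policy of the bundled Chromium. The two qtbug patches, by contrast, have their upstream ids recorded in `source`. I would extend the comment to `# Fix PPAPI plugins with glibc 2.29 (upstream Chromium 65046b8f90d0, seccomp clone/vfork policy)`. That keeps the sandbox change traceable and makes it easy to drop once the bundled Chromium already carries it.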

Copied: qt5-webengine/repos/staging-x86_64/qtbug-76958.patch (from rev 359225, qt5-webengine/trunk/qtbug-76958.patch)
===================================================================
--- staging-x86_64/qtbug-76958.patch	                        (rev 0)
+++ staging-x86_64/qtbug-76958.patch	2019-08-06 05:55:27 UTC (rev 359226)
@@ -0,0 +1,31 @@
+diff --git a/src/core/web_contents_adapter.cpp b/src/core/web_contents_adapter.cpp
+index c4f4591e..dc005b62 100644
+--- a/src/core/web_contents_adapter.cpp
++++ b/src/core/web_contents_adapter.cpp
+@@ -671,19 +671,23 @@ void WebContentsAdapter::load(const QWebEngineHttpRequest &request)
+         }
+     }
+ 
+-    auto navigate = [](WebContentsAdapter *adapter, const content::NavigationController::LoadURLParams &params) {
++    auto navigate = [](QWeakPointer<WebContentsAdapter> weakAdapter, const content::NavigationController::LoadURLParams &params) {
++        WebContentsAdapter *adapter = weakAdapter.data();
++        if (!adapter)
++            return;
+         adapter->webContents()->GetController().LoadURLWithParams(params);
+         // Follow chrome::Navigate and invalidate the URL immediately.
+         adapter->m_webContentsDelegate->NavigationStateChanged(adapter->webContents(), content::INVALIDATE_TYPE_URL);
+         adapter->focusIfNecessary();
+     };
+ 
++    QWeakPointer<WebContentsAdapter> weakThis(sharedFromThis());
+     if (resizeNeeded) {
+         // Schedule navigation on the event loop.
+         base::PostTaskWithTraits(FROM_HERE, {content::BrowserThread::UI},
+-                                 base::BindOnce(navigate, this, std::move(params)));
++                                 base::BindOnce(navigate, std::move(weakThis), std::move(params)));
+     } else {
+-        navigate(this, params);
++        navigate(std::move(weakThis), params);
+     }
+ }
+ 
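Review bot: In the `navigate` lambda, `weakAdapter.data()` returns a raw pointer without taking a reference, so the null check only covers an adapter that was already destroyed before the task ran. If `LoadURLWithParams` or `NavigationStateChanged` re-enters and releases the last reference, the later `adapter->` accesses would touch freed memory; this is inferred, since the callees are not visible here. Holding a strong reference for the duration of the body avoids that: `const QSharedPointer<WebContentsAdapter> adapter = weakAdapter.toStrongRef();` followed by the same `if (!adapter) return;`. `WebContentsAdapter::load` starts outside the hunk.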

Copied: qt5-webengine/repos/staging-x86_64/qtbug-77037-workaround.patch (from rev 359225, qt5-webengine/trunk/qtbug-77037-workaround.patch)
===================================================================
--- staging-x86_64/qtbug-77037-workaround.patch	                        (rev 0)
+++ staging-x86_64/qtbug-77037-workaround.patch	2019-08-06 05:55:27 UTC (rev 359226)
@@ -0,0 +1,11 @@
+--- qtwebengine-everywhere-src-5.13.0/src/core/config/linux.pri.orig	2019-08-06 08:23:45.385072740 +0300
++++ qtwebengine-everywhere-src-5.13.0/src/core/config/linux.pri	2019-08-06 08:23:51.085237082 +0300
+@@ -162,7 +162,7 @@ host_build {
+     qtConfig(webengine-system-harfbuzz): gn_args += use_system_harfbuzz=true
+     !qtConfig(webengine-system-glib): gn_args += use_glib=false
+     qtConfig(webengine-pulseaudio) {
+-        gn_args += use_pulseaudio=true
++        gn_args += use_pulseaudio=true link_pulseaudio=true
+     } else {
+         gn_args += use_pulseaudio=false
+     }

Copied: qt5-webengine/repos/staging-x86_64/qtwebengine-glibc-2.29.patch (from rev 359225, qt5-webengine/trunk/qtwebengine-glibc-2.29.patch)
===================================================================
--- staging-x86_64/qtwebengine-glibc-2.29.patch	                        (rev 0)
+++ staging-x86_64/qtwebengine-glibc-2.29.patch	2019-08-06 05:55:27 UTC (rev 359226)
@@ -0,0 +1,105 @@
+From 65046b8f90d0336cbe5f2f15cc7da5cb798360ad Mon Sep 17 00:00:00 2001
+From: Matthew Denton <mpdenton at chromium.org>
+Date: Wed, 24 Apr 2019 15:44:40 +0000
+Subject: [PATCH] Update Linux Seccomp syscall restrictions to EPERM
+ posix_spawn/vfork
+
+Glibc's system() function switched to using posix_spawn, which uses
+CLONE_VFORK. Pepperflash includes a sandbox debugging check which
+relies on us EPERM-ing process creation like this, rather than crashing
+the process with SIGSYS.
+
+So whitelist clone() calls, like posix_spawn, that include the flags
+CLONE_VFORK and CLONE_VM.
+
+Bug: 949312
+Change-Id: I3f4b90114b2fc1d9929e3c0a85bbe8f10def3c20
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1568086
+Commit-Queue: Robert Sesek <rsesek at chromium.org>
+Reviewed-by: Robert Sesek <rsesek at chromium.org>
+Cr-Commit-Position: refs/heads/master@{#653590}
+---
+ .../baseline_policy_unittest.cc               | 29 +++++++++++++++++++
+ .../syscall_parameters_restrictions.cc        | 13 +++++++--
+ 2 files changed, 40 insertions(+), 2 deletions(-)
+
+diff --git a/sandbox/linux/seccomp-bpf-helpers/baseline_policy_unittest.cc b/sandbox/linux/seccomp-bpf-helpers/baseline_policy_unittest.cc
+index cdeb210ccb..40fcebf933 100644
+--- a/sandbox/linux/seccomp-bpf-helpers/baseline_policy_unittest.cc
++++ b/sandbox/linux/seccomp-bpf-helpers/baseline_policy_unittest.cc
+@@ -10,7 +10,9 @@
+ #include <sched.h>
+ #include <signal.h>
+ #include <stddef.h>
++#include <stdlib.h>
+ #include <string.h>
++#include <sys/mman.h>
+ #include <sys/prctl.h>
+ #include <sys/resource.h>
+ #include <sys/socket.h>
+@@ -130,6 +132,33 @@ BPF_TEST_C(BaselinePolicy, ForkArmEperm, BaselinePolicy) {
+   BPF_ASSERT_EQ(EPERM, fork_errno);
+ }
+ 
++BPF_TEST_C(BaselinePolicy, SystemEperm, BaselinePolicy) {
++  errno = 0;
++  int ret_val = system("echo SHOULD NEVER RUN");
++  BPF_ASSERT_EQ(-1, ret_val);
++  BPF_ASSERT_EQ(EPERM, errno);
++}
++
++BPF_TEST_C(BaselinePolicy, CloneVforkEperm, BaselinePolicy) {
++  errno = 0;
++  // Allocate a couple pages for the child's stack even though the child should
++  // never start.
++  constexpr size_t kStackSize = 4096 * 4;
++  void* child_stack = mmap(nullptr, kStackSize, PROT_READ | PROT_WRITE,
++                           MAP_PRIVATE | MAP_ANONYMOUS | MAP_STACK, -1, 0);
++  BPF_ASSERT_NE(child_stack, nullptr);
++  pid_t pid = syscall(__NR_clone, CLONE_VM | CLONE_VFORK | SIGCHLD,
++                      static_cast<char*>(child_stack) + kStackSize, nullptr,
++                      nullptr, nullptr);
++  const int clone_errno = errno;
++  TestUtils::HandlePostForkReturn(pid);
++
++  munmap(child_stack, kStackSize);
++
++  BPF_ASSERT_EQ(-1, pid);
++  BPF_ASSERT_EQ(EPERM, clone_errno);
++}
++
+ BPF_TEST_C(BaselinePolicy, CreateThread, BaselinePolicy) {
+   base::Thread thread("sandbox_tests");
+   BPF_ASSERT(thread.Start());
+diff --git a/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc b/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc
+index 100afe50e3..348ab6e8c5 100644
+--- a/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc
++++ b/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc
+@@ -135,7 +135,8 @@ namespace sandbox {
+ #if !defined(OS_NACL_NONSFI)
+ // Allow Glibc's and Android pthread creation flags, crash on any other
+ // thread creation attempts and EPERM attempts to use neither
+-// CLONE_VM, nor CLONE_THREAD, which includes all fork() implementations.
++// CLONE_VM nor CLONE_THREAD (all fork implementations), unless CLONE_VFORK is
++// present (as in newer versions of posix_spawn).
+ ResultExpr RestrictCloneToThreadsAndEPERMFork() {
+   const Arg<unsigned long> flags(0);
+ 
+@@ -154,8 +155,16 @@ ResultExpr RestrictCloneToThreadsAndEPERMFork() {
+       AnyOf(flags == kAndroidCloneMask, flags == kObsoleteAndroidCloneMask,
+             flags == kGlibcPthreadFlags);
+ 
++  // The following two flags are the two important flags in any vfork-emulating
++  // clone call. EPERM any clone call that contains both of them.
++  const uint64_t kImportantCloneVforkFlags = CLONE_VFORK | CLONE_VM;
++
++  const BoolExpr is_fork_or_clone_vfork =
++      AnyOf((flags & (CLONE_VM | CLONE_THREAD)) == 0,
++            (flags & kImportantCloneVforkFlags) == kImportantCloneVforkFlags);
++
+   return If(IsAndroid() ? android_test : glibc_test, Allow())
+-      .ElseIf((flags & (CLONE_VM | CLONE_THREAD)) == 0, Error(EPERM))
++      .ElseIf(is_fork_or_clone_vfork, Error(EPERM))
+       .Else(CrashSIGSYSClone());
+ }
+ 
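Review bot: In `CloneVforkEperm`, `BPF_ASSERT_NE(child_stack, nullptr)` cannot detect a failed allocation, because mmap() reports failure as `MAP_FAILED` rather than a null pointer; it should read `BPF_ASSERT_NE(child_stack, MAP_FAILED);`. In `RestrictCloneToThreadsAndEPERMFork`, the new `is_fork_or_clone_vfork` branch returns EPERM for any flag set containing both CLONE_VFORK and CLONE_VM, whatever other bits are set, so those calls no longer reach `CrashSIGSYSClone()`. A comment at the `.ElseIf` such as `// Still denied: EPERM instead of SIGSYS so posix_spawn-style callers fail gracefully.` would make clear that the call stays blocked and only the failure mode changes.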

