[arch-commits] Commit in qt5-webengine/repos/kde-unstable-x86_64 (4 files)

Antonio Rojas arojas at archlinux.org
Tue Jun 4 12:12:43 UTC 2019


    Date: Tuesday, June 4, 2019 @ 12:12:42
  Author: arojas
Revision: 354792

archrelease: copy kde-unstable to kde-unstable-x86_64

Added:
  qt5-webengine/repos/kde-unstable-x86_64/PKGBUILD
    (from rev 354791, qt5-webengine/kde-unstable/PKGBUILD)
  qt5-webengine/repos/kde-unstable-x86_64/qtwebengine-glibc-2.29.patch
    (from rev 354791, qt5-webengine/kde-unstable/qtwebengine-glibc-2.29.patch)
Deleted:
  qt5-webengine/repos/kde-unstable-x86_64/PKGBUILD
  qt5-webengine/repos/kde-unstable-x86_64/qtwebengine-glibc-2.29.patch

------------------------------+
 PKGBUILD                     |  112 ++++++++++-----------
 qtwebengine-glibc-2.29.patch |  210 ++++++++++++++++++++---------------------
 2 files changed, 161 insertions(+), 161 deletions(-)

Deleted: PKGBUILD
===================================================================
--- PKGBUILD	2019-06-04 12:12:31 UTC (rev 354791)
+++ PKGBUILD	2019-06-04 12:12:42 UTC (rev 354792)
@@ -1,56 +0,0 @@
-# Maintainer: Felix Yan <felixonmars at archlinux.org>
-# Contributor: Andrea Scarpino <andrea at archlinux.org>
-
-pkgname=qt5-webengine
-_qtver=5.13.0-beta4
-pkgver=${_qtver/-/}
-pkgrel=1
-arch=('x86_64')
-url='https://www.qt.io'
-license=('LGPL3' 'LGPL2.1' 'BSD')
-pkgdesc='Provides support for web applications using the Chromium browser project'
-depends=('qt5-webchannel' 'qt5-location' 'libxcomposite' 'libxrandr' 'pciutils' 'libxss' 
-         'libevent' 'snappy' 'nss' 'libxslt' 'minizip' 'ffmpeg' 're2' 'libvpx')
-makedepends=('python2' 'git' 'gperf' 'jsoncpp' 'ninja' 'qt5-tools' 'poppler')
-groups=('qt' 'qt5')
-_pkgfqn="${pkgname/5-/}-everywhere-src-${_qtver}"
-source=("https://download.qt.io/development_releases/qt/${pkgver%.*}/${_qtver}/submodules/${_pkgfqn}.tar.xz"
-        qtwebengine-glibc-2.29.patch)
-sha256sums=('6d1f8c116f9cdc12d72c2fac2a99b8c73e153dfb18b88d22fbd580edc925faf6'
-            'dd791f154b48e69cd47fd94753c45448655b529590995fd71ac1591c53a3d60c')
-
-prepare() {
-  mkdir -p build
-
-  # Hack to force using python2
-  mkdir -p bin
-  ln -s /usr/bin/python2 bin/python
-
-  cd ${_pkgfqn}
-  cd src/3rdparty/chromium
-  patch -p1 -i "$srcdir"/qtwebengine-glibc-2.29.patch # Fix PPAPI plugins with glibc 2.29
-}
-
-build() {
-  cd build
-
-  export PATH="$srcdir/bin:$PATH"
-  qmake ../${_pkgfqn} -- \
-    -proprietary-codecs \
-    -system-ffmpeg \
-    -webp \
-    -spellchecker \
-    -webengine-icu
-  make
-}
-
-package() {
-  cd build
-  make INSTALL_ROOT="$pkgdir" install
-
-  # Drop QMAKE_PRL_BUILD_DIR because reference the build dir
-  find "$pkgdir/usr/lib" -type f -name '*.prl' \
-    -exec sed -i -e '/^QMAKE_PRL_BUILD_DIR/d' {} \;
-
-  install -Dm644 "$srcdir"/${_pkgfqn}/src/3rdparty/chromium/LICENSE "$pkgdir"/usr/share/licenses/${pkgname}/LICENSE.chromium
-}

Copied: qt5-webengine/repos/kde-unstable-x86_64/PKGBUILD (from rev 354791, qt5-webengine/kde-unstable/PKGBUILD)
===================================================================
--- PKGBUILD	                        (rev 0)
+++ PKGBUILD	2019-06-04 12:12:42 UTC (rev 354792)
@@ -0,0 +1,56 @@
+# Maintainer: Felix Yan <felixonmars at archlinux.org>
+# Contributor: Andrea Scarpino <andrea at archlinux.org>
+
+pkgname=qt5-webengine
+_qtver=5.13.0-rc
+pkgver=${_qtver/-/}
+pkgrel=1
+arch=('x86_64')
+url='https://www.qt.io'
+license=('LGPL3' 'LGPL2.1' 'BSD')
+pkgdesc='Provides support for web applications using the Chromium browser project'
+depends=('qt5-webchannel' 'qt5-location' 'libxcomposite' 'libxrandr' 'pciutils' 'libxss' 
+         'libevent' 'snappy' 'nss' 'libxslt' 'minizip' 'ffmpeg' 're2' 'libvpx')
+makedepends=('python2' 'git' 'gperf' 'jsoncpp' 'ninja' 'qt5-tools' 'poppler')
+groups=('qt' 'qt5')
+_pkgfqn="${pkgname/5-/}-everywhere-src-${_qtver}"
+source=("https://download.qt.io/development_releases/qt/${pkgver%.*}/${_qtver}/submodules/${_pkgfqn}.tar.xz"
+        qtwebengine-glibc-2.29.patch)
+sha256sums=('c8c30e456c3201b2af53b257e0c9311f2600431367648dd57d399edc53252ad9'
+            'dd791f154b48e69cd47fd94753c45448655b529590995fd71ac1591c53a3d60c')
+
+prepare() {
+  mkdir -p build
+
+  # Hack to force using python2
+  mkdir -p bin
+  ln -s /usr/bin/python2 bin/python
+
+  cd ${_pkgfqn}
+  cd src/3rdparty/chromium
+  patch -p1 -i "$srcdir"/qtwebengine-glibc-2.29.patch # Fix PPAPI plugins with glibc 2.29
+}
+
+build() {
+  cd build
+
+  export PATH="$srcdir/bin:$PATH"
+  qmake ../${_pkgfqn} -- \
+    -proprietary-codecs \
+    -system-ffmpeg \
+    -webp \
+    -spellchecker \
+    -webengine-icu
+  make
+}
+
+package() {
+  cd build
+  make INSTALL_ROOT="$pkgdir" install
+
+  # Drop QMAKE_PRL_BUILD_DIR because reference the build dir
+  find "$pkgdir/usr/lib" -type f -name '*.prl' \
+    -exec sed -i -e '/^QMAKE_PRL_BUILD_DIR/d' {} \;
+
+  install -Dm644 "$srcdir"/${_pkgfqn}/src/3rdparty/chromium/LICENSE "$pkgdir"/usr/share/licenses/${pkgname}/LICENSE.chromium
+}

Deleted: qtwebengine-glibc-2.29.patch
===================================================================
--- qtwebengine-glibc-2.29.patch	2019-06-04 12:12:31 UTC (rev 354791)
+++ qtwebengine-glibc-2.29.patch	2019-06-04 12:12:42 UTC (rev 354792)
@@ -1,105 +0,0 @@
-From 65046b8f90d0336cbe5f2f15cc7da5cb798360ad Mon Sep 17 00:00:00 2001
-From: Matthew Denton <mpdenton at chromium.org>
-Date: Wed, 24 Apr 2019 15:44:40 +0000
-Subject: [PATCH] Update Linux Seccomp syscall restrictions to EPERM
- posix_spawn/vfork
-
-Glibc's system() function switched to using posix_spawn, which uses
-CLONE_VFORK. Pepperflash includes a sandbox debugging check which
-relies on us EPERM-ing process creation like this, rather than crashing
-the process with SIGSYS.
-
-So whitelist clone() calls, like posix_spawn, that include the flags
-CLONE_VFORK and CLONE_VM.
-
-Bug: 949312
-Change-Id: I3f4b90114b2fc1d9929e3c0a85bbe8f10def3c20
-Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1568086
-Commit-Queue: Robert Sesek <rsesek at chromium.org>
-Reviewed-by: Robert Sesek <rsesek at chromium.org>
-Cr-Commit-Position: refs/heads/master@{#653590}
----
- .../baseline_policy_unittest.cc               | 29 +++++++++++++++++++
- .../syscall_parameters_restrictions.cc        | 13 +++++++--
- 2 files changed, 40 insertions(+), 2 deletions(-)
-
-diff --git a/sandbox/linux/seccomp-bpf-helpers/baseline_policy_unittest.cc b/sandbox/linux/seccomp-bpf-helpers/baseline_policy_unittest.cc
-index cdeb210ccb..40fcebf933 100644
---- a/sandbox/linux/seccomp-bpf-helpers/baseline_policy_unittest.cc
-+++ b/sandbox/linux/seccomp-bpf-helpers/baseline_policy_unittest.cc
-@@ -10,7 +10,9 @@
- #include <sched.h>
- #include <signal.h>
- #include <stddef.h>
-+#include <stdlib.h>
- #include <string.h>
-+#include <sys/mman.h>
- #include <sys/prctl.h>
- #include <sys/resource.h>
- #include <sys/socket.h>
-@@ -130,6 +132,33 @@ BPF_TEST_C(BaselinePolicy, ForkArmEperm, BaselinePolicy) {
-   BPF_ASSERT_EQ(EPERM, fork_errno);
- }
- 
-+BPF_TEST_C(BaselinePolicy, SystemEperm, BaselinePolicy) {
-+  errno = 0;
-+  int ret_val = system("echo SHOULD NEVER RUN");
-+  BPF_ASSERT_EQ(-1, ret_val);
-+  BPF_ASSERT_EQ(EPERM, errno);
-+}
-+
-+BPF_TEST_C(BaselinePolicy, CloneVforkEperm, BaselinePolicy) {
-+  errno = 0;
-+  // Allocate a couple pages for the child's stack even though the child should
-+  // never start.
-+  constexpr size_t kStackSize = 4096 * 4;
-+  void* child_stack = mmap(nullptr, kStackSize, PROT_READ | PROT_WRITE,
-+                           MAP_PRIVATE | MAP_ANONYMOUS | MAP_STACK, -1, 0);
-+  BPF_ASSERT_NE(child_stack, nullptr);
-+  pid_t pid = syscall(__NR_clone, CLONE_VM | CLONE_VFORK | SIGCHLD,
-+                      static_cast<char*>(child_stack) + kStackSize, nullptr,
-+                      nullptr, nullptr);
-+  const int clone_errno = errno;
-+  TestUtils::HandlePostForkReturn(pid);
-+
-+  munmap(child_stack, kStackSize);
-+
-+  BPF_ASSERT_EQ(-1, pid);
-+  BPF_ASSERT_EQ(EPERM, clone_errno);
-+}
-+
- BPF_TEST_C(BaselinePolicy, CreateThread, BaselinePolicy) {
-   base::Thread thread("sandbox_tests");
-   BPF_ASSERT(thread.Start());
-diff --git a/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc b/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc
-index 100afe50e3..348ab6e8c5 100644
---- a/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc
-+++ b/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc
-@@ -135,7 +135,8 @@ namespace sandbox {
- #if !defined(OS_NACL_NONSFI)
- // Allow Glibc's and Android pthread creation flags, crash on any other
- // thread creation attempts and EPERM attempts to use neither
--// CLONE_VM, nor CLONE_THREAD, which includes all fork() implementations.
-+// CLONE_VM nor CLONE_THREAD (all fork implementations), unless CLONE_VFORK is
-+// present (as in newer versions of posix_spawn).
- ResultExpr RestrictCloneToThreadsAndEPERMFork() {
-   const Arg<unsigned long> flags(0);
- 
-@@ -154,8 +155,16 @@ ResultExpr RestrictCloneToThreadsAndEPERMFork() {
-       AnyOf(flags == kAndroidCloneMask, flags == kObsoleteAndroidCloneMask,
-             flags == kGlibcPthreadFlags);
- 
-+  // The following two flags are the two important flags in any vfork-emulating
-+  // clone call. EPERM any clone call that contains both of them.
-+  const uint64_t kImportantCloneVforkFlags = CLONE_VFORK | CLONE_VM;
-+
-+  const BoolExpr is_fork_or_clone_vfork =
-+      AnyOf((flags & (CLONE_VM | CLONE_THREAD)) == 0,
-+            (flags & kImportantCloneVforkFlags) == kImportantCloneVforkFlags);
-+
-   return If(IsAndroid() ? android_test : glibc_test, Allow())
--      .ElseIf((flags & (CLONE_VM | CLONE_THREAD)) == 0, Error(EPERM))
-+      .ElseIf(is_fork_or_clone_vfork, Error(EPERM))
-       .Else(CrashSIGSYSClone());
- }
- 

Copied: qt5-webengine/repos/kde-unstable-x86_64/qtwebengine-glibc-2.29.patch (from rev 354791, qt5-webengine/kde-unstable/qtwebengine-glibc-2.29.patch)
===================================================================
--- qtwebengine-glibc-2.29.patch	                        (rev 0)
+++ qtwebengine-glibc-2.29.patch	2019-06-04 12:12:42 UTC (rev 354792)
@@ -0,0 +1,105 @@
+From 65046b8f90d0336cbe5f2f15cc7da5cb798360ad Mon Sep 17 00:00:00 2001
+From: Matthew Denton <mpdenton at chromium.org>
+Date: Wed, 24 Apr 2019 15:44:40 +0000
+Subject: [PATCH] Update Linux Seccomp syscall restrictions to EPERM
+ posix_spawn/vfork
+
+Glibc's system() function switched to using posix_spawn, which uses
+CLONE_VFORK. Pepperflash includes a sandbox debugging check which
+relies on us EPERM-ing process creation like this, rather than crashing
+the process with SIGSYS.
+
+So whitelist clone() calls, like posix_spawn, that include the flags
+CLONE_VFORK and CLONE_VM.
+
+Bug: 949312
+Change-Id: I3f4b90114b2fc1d9929e3c0a85bbe8f10def3c20
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1568086
+Commit-Queue: Robert Sesek <rsesek at chromium.org>
+Reviewed-by: Robert Sesek <rsesek at chromium.org>
+Cr-Commit-Position: refs/heads/master@{#653590}
+---
+ .../baseline_policy_unittest.cc               | 29 +++++++++++++++++++
+ .../syscall_parameters_restrictions.cc        | 13 +++++++--
+ 2 files changed, 40 insertions(+), 2 deletions(-)
+
+diff --git a/sandbox/linux/seccomp-bpf-helpers/baseline_policy_unittest.cc b/sandbox/linux/seccomp-bpf-helpers/baseline_policy_unittest.cc
+index cdeb210ccb..40fcebf933 100644
+--- a/sandbox/linux/seccomp-bpf-helpers/baseline_policy_unittest.cc
++++ b/sandbox/linux/seccomp-bpf-helpers/baseline_policy_unittest.cc
+@@ -10,7 +10,9 @@
+ #include <sched.h>
+ #include <signal.h>
+ #include <stddef.h>
++#include <stdlib.h>
+ #include <string.h>
++#include <sys/mman.h>
+ #include <sys/prctl.h>
+ #include <sys/resource.h>
+ #include <sys/socket.h>
+@@ -130,6 +132,33 @@ BPF_TEST_C(BaselinePolicy, ForkArmEperm, BaselinePolicy) {
+   BPF_ASSERT_EQ(EPERM, fork_errno);
+ }
+ 
++BPF_TEST_C(BaselinePolicy, SystemEperm, BaselinePolicy) {
++  errno = 0;
++  int ret_val = system("echo SHOULD NEVER RUN");
++  BPF_ASSERT_EQ(-1, ret_val);
++  BPF_ASSERT_EQ(EPERM, errno);
++}
++
++BPF_TEST_C(BaselinePolicy, CloneVforkEperm, BaselinePolicy) {
++  errno = 0;
++  // Allocate a couple pages for the child's stack even though the child should
++  // never start.
++  constexpr size_t kStackSize = 4096 * 4;
++  void* child_stack = mmap(nullptr, kStackSize, PROT_READ | PROT_WRITE,
++                           MAP_PRIVATE | MAP_ANONYMOUS | MAP_STACK, -1, 0);
++  BPF_ASSERT_NE(child_stack, nullptr);
++  pid_t pid = syscall(__NR_clone, CLONE_VM | CLONE_VFORK | SIGCHLD,
++                      static_cast<char*>(child_stack) + kStackSize, nullptr,
++                      nullptr, nullptr);
++  const int clone_errno = errno;
++  TestUtils::HandlePostForkReturn(pid);
++
++  munmap(child_stack, kStackSize);
++
++  BPF_ASSERT_EQ(-1, pid);
++  BPF_ASSERT_EQ(EPERM, clone_errno);
++}
++
+ BPF_TEST_C(BaselinePolicy, CreateThread, BaselinePolicy) {
+   base::Thread thread("sandbox_tests");
+   BPF_ASSERT(thread.Start());
+diff --git a/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc b/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc
+index 100afe50e3..348ab6e8c5 100644
+--- a/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc
++++ b/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc
+@@ -135,7 +135,8 @@ namespace sandbox {
+ #if !defined(OS_NACL_NONSFI)
+ // Allow Glibc's and Android pthread creation flags, crash on any other
+ // thread creation attempts and EPERM attempts to use neither
+-// CLONE_VM, nor CLONE_THREAD, which includes all fork() implementations.
++// CLONE_VM nor CLONE_THREAD (all fork implementations), unless CLONE_VFORK is
++// present (as in newer versions of posix_spawn).
+ ResultExpr RestrictCloneToThreadsAndEPERMFork() {
+   const Arg<unsigned long> flags(0);
+ 
+@@ -154,8 +155,16 @@ ResultExpr RestrictCloneToThreadsAndEPERMFork() {
+       AnyOf(flags == kAndroidCloneMask, flags == kObsoleteAndroidCloneMask,
+             flags == kGlibcPthreadFlags);
+ 
++  // The following two flags are the two important flags in any vfork-emulating
++  // clone call. EPERM any clone call that contains both of them.
++  const uint64_t kImportantCloneVforkFlags = CLONE_VFORK | CLONE_VM;
++
++  const BoolExpr is_fork_or_clone_vfork =
++      AnyOf((flags & (CLONE_VM | CLONE_THREAD)) == 0,
++            (flags & kImportantCloneVforkFlags) == kImportantCloneVforkFlags);
++
+   return If(IsAndroid() ? android_test : glibc_test, Allow())
+-      .ElseIf((flags & (CLONE_VM | CLONE_THREAD)) == 0, Error(EPERM))
++      .ElseIf(is_fork_or_clone_vfork, Error(EPERM))
+       .Else(CrashSIGSYSClone());
+ }
+ 



More information about the arch-commits mailing list