[arch-commits] Commit in qt5-webengine/repos/kde-unstable-x86_64 (4 files)
Antonio Rojas
arojas at archlinux.org
Tue Jun 4 12:12:43 UTC 2019
Date: Tuesday, June 4, 2019 @ 12:12:42
Author: arojas
Revision: 354792
archrelease: copy kde-unstable to kde-unstable-x86_64
Added:
qt5-webengine/repos/kde-unstable-x86_64/PKGBUILD
(from rev 354791, qt5-webengine/kde-unstable/PKGBUILD)
qt5-webengine/repos/kde-unstable-x86_64/qtwebengine-glibc-2.29.patch
(from rev 354791, qt5-webengine/kde-unstable/qtwebengine-glibc-2.29.patch)
Deleted:
qt5-webengine/repos/kde-unstable-x86_64/PKGBUILD
qt5-webengine/repos/kde-unstable-x86_64/qtwebengine-glibc-2.29.patch
------------------------------+
PKGBUILD | 112 ++++++++++-----------
qtwebengine-glibc-2.29.patch | 210 ++++++++++++++++++++---------------------
2 files changed, 161 insertions(+), 161 deletions(-)
Deleted: PKGBUILD
===================================================================
--- PKGBUILD 2019-06-04 12:12:31 UTC (rev 354791)
+++ PKGBUILD 2019-06-04 12:12:42 UTC (rev 354792)
@@ -1,56 +0,0 @@
-# Maintainer: Felix Yan <felixonmars at archlinux.org>
-# Contributor: Andrea Scarpino <andrea at archlinux.org>
-
-pkgname=qt5-webengine
-_qtver=5.13.0-beta4
-pkgver=${_qtver/-/}
-pkgrel=1
-arch=('x86_64')
-url='https://www.qt.io'
-license=('LGPL3' 'LGPL2.1' 'BSD')
-pkgdesc='Provides support for web applications using the Chromium browser project'
-depends=('qt5-webchannel' 'qt5-location' 'libxcomposite' 'libxrandr' 'pciutils' 'libxss'
- 'libevent' 'snappy' 'nss' 'libxslt' 'minizip' 'ffmpeg' 're2' 'libvpx')
-makedepends=('python2' 'git' 'gperf' 'jsoncpp' 'ninja' 'qt5-tools' 'poppler')
-groups=('qt' 'qt5')
-_pkgfqn="${pkgname/5-/}-everywhere-src-${_qtver}"
-source=("https://download.qt.io/development_releases/qt/${pkgver%.*}/${_qtver}/submodules/${_pkgfqn}.tar.xz"
- qtwebengine-glibc-2.29.patch)
-sha256sums=('6d1f8c116f9cdc12d72c2fac2a99b8c73e153dfb18b88d22fbd580edc925faf6'
- 'dd791f154b48e69cd47fd94753c45448655b529590995fd71ac1591c53a3d60c')
-
-prepare() {
- mkdir -p build
-
- # Hack to force using python2
- mkdir -p bin
- ln -s /usr/bin/python2 bin/python
-
- cd ${_pkgfqn}
- cd src/3rdparty/chromium
- patch -p1 -i "$srcdir"/qtwebengine-glibc-2.29.patch # Fix PPAPI plugins with glibc 2.29
-}
-
-build() {
- cd build
-
- export PATH="$srcdir/bin:$PATH"
- qmake ../${_pkgfqn} -- \
- -proprietary-codecs \
- -system-ffmpeg \
- -webp \
- -spellchecker \
- -webengine-icu
- make
-}
-
-package() {
- cd build
- make INSTALL_ROOT="$pkgdir" install
-
- # Drop QMAKE_PRL_BUILD_DIR because reference the build dir
- find "$pkgdir/usr/lib" -type f -name '*.prl' \
- -exec sed -i -e '/^QMAKE_PRL_BUILD_DIR/d' {} \;
-
- install -Dm644 "$srcdir"/${_pkgfqn}/src/3rdparty/chromium/LICENSE "$pkgdir"/usr/share/licenses/${pkgname}/LICENSE.chromium
-}
Copied: qt5-webengine/repos/kde-unstable-x86_64/PKGBUILD (from rev 354791, qt5-webengine/kde-unstable/PKGBUILD)
===================================================================
--- PKGBUILD (rev 0)
+++ PKGBUILD 2019-06-04 12:12:42 UTC (rev 354792)
@@ -0,0 +1,56 @@
+# Maintainer: Felix Yan <felixonmars at archlinux.org>
+# Contributor: Andrea Scarpino <andrea at archlinux.org>
+
+pkgname=qt5-webengine
+_qtver=5.13.0-rc
+pkgver=${_qtver/-/}
+pkgrel=1
+arch=('x86_64')
+url='https://www.qt.io'
+license=('LGPL3' 'LGPL2.1' 'BSD')
+pkgdesc='Provides support for web applications using the Chromium browser project'
+depends=('qt5-webchannel' 'qt5-location' 'libxcomposite' 'libxrandr' 'pciutils' 'libxss'
+ 'libevent' 'snappy' 'nss' 'libxslt' 'minizip' 'ffmpeg' 're2' 'libvpx')
+makedepends=('python2' 'git' 'gperf' 'jsoncpp' 'ninja' 'qt5-tools' 'poppler')
+groups=('qt' 'qt5')
+_pkgfqn="${pkgname/5-/}-everywhere-src-${_qtver}"
+source=("https://download.qt.io/development_releases/qt/${pkgver%.*}/${_qtver}/submodules/${_pkgfqn}.tar.xz"
+ qtwebengine-glibc-2.29.patch)
+sha256sums=('c8c30e456c3201b2af53b257e0c9311f2600431367648dd57d399edc53252ad9'
+ 'dd791f154b48e69cd47fd94753c45448655b529590995fd71ac1591c53a3d60c')
+
+prepare() {
+ mkdir -p build
+
+ # Hack to force using python2
+ mkdir -p bin
+ ln -s /usr/bin/python2 bin/python
+
+ cd ${_pkgfqn}
+ cd src/3rdparty/chromium
+ patch -p1 -i "$srcdir"/qtwebengine-glibc-2.29.patch # Fix PPAPI plugins with glibc 2.29
+}
+
+build() {
+ cd build
+
+ export PATH="$srcdir/bin:$PATH"
+ qmake ../${_pkgfqn} -- \
+ -proprietary-codecs \
+ -system-ffmpeg \
+ -webp \
+ -spellchecker \
+ -webengine-icu
+ make
+}
+
+package() {
+ cd build
+ make INSTALL_ROOT="$pkgdir" install
+
+ # Drop QMAKE_PRL_BUILD_DIR because reference the build dir
+ find "$pkgdir/usr/lib" -type f -name '*.prl' \
+ -exec sed -i -e '/^QMAKE_PRL_BUILD_DIR/d' {} \;
+
+ install -Dm644 "$srcdir"/${_pkgfqn}/src/3rdparty/chromium/LICENSE "$pkgdir"/usr/share/licenses/${pkgname}/LICENSE.chromium
+}
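Review bot: In prepare(), `ln -s /usr/bin/python2 bin/python` fails with "File exists" when prepare() runs a second time in a reused `$srcdir`, because `bin/` is not part of the extracted sources and survives between runs. The preceding `mkdir -p bin` is already idempotent, so the link should be too: `ln -sf /usr/bin/python2 bin/python`. It is also worth extending the existing comment to say that the shim only takes effect through the `export PATH="$srcdir/bin:$PATH"` in build(), e.g. `# Hack to force using python2 (picked up via PATH in build())`.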
Deleted: qtwebengine-glibc-2.29.patch
===================================================================
--- qtwebengine-glibc-2.29.patch 2019-06-04 12:12:31 UTC (rev 354791)
+++ qtwebengine-glibc-2.29.patch 2019-06-04 12:12:42 UTC (rev 354792)
@@ -1,105 +0,0 @@
-From 65046b8f90d0336cbe5f2f15cc7da5cb798360ad Mon Sep 17 00:00:00 2001
-From: Matthew Denton <mpdenton at chromium.org>
-Date: Wed, 24 Apr 2019 15:44:40 +0000
-Subject: [PATCH] Update Linux Seccomp syscall restrictions to EPERM
- posix_spawn/vfork
-
-Glibc's system() function switched to using posix_spawn, which uses
-CLONE_VFORK. Pepperflash includes a sandbox debugging check which
-relies on us EPERM-ing process creation like this, rather than crashing
-the process with SIGSYS.
-
-So whitelist clone() calls, like posix_spawn, that include the flags
-CLONE_VFORK and CLONE_VM.
-
-Bug: 949312
-Change-Id: I3f4b90114b2fc1d9929e3c0a85bbe8f10def3c20
-Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1568086
-Commit-Queue: Robert Sesek <rsesek at chromium.org>
-Reviewed-by: Robert Sesek <rsesek at chromium.org>
-Cr-Commit-Position: refs/heads/master@{#653590}
----
- .../baseline_policy_unittest.cc | 29 +++++++++++++++++++
- .../syscall_parameters_restrictions.cc | 13 +++++++--
- 2 files changed, 40 insertions(+), 2 deletions(-)
-
-diff --git a/sandbox/linux/seccomp-bpf-helpers/baseline_policy_unittest.cc b/sandbox/linux/seccomp-bpf-helpers/baseline_policy_unittest.cc
-index cdeb210ccb..40fcebf933 100644
---- a/sandbox/linux/seccomp-bpf-helpers/baseline_policy_unittest.cc
-+++ b/sandbox/linux/seccomp-bpf-helpers/baseline_policy_unittest.cc
-@@ -10,7 +10,9 @@
- #include <sched.h>
- #include <signal.h>
- #include <stddef.h>
-+#include <stdlib.h>
- #include <string.h>
-+#include <sys/mman.h>
- #include <sys/prctl.h>
- #include <sys/resource.h>
- #include <sys/socket.h>
-@@ -130,6 +132,33 @@ BPF_TEST_C(BaselinePolicy, ForkArmEperm, BaselinePolicy) {
- BPF_ASSERT_EQ(EPERM, fork_errno);
- }
-
-+BPF_TEST_C(BaselinePolicy, SystemEperm, BaselinePolicy) {
-+ errno = 0;
-+ int ret_val = system("echo SHOULD NEVER RUN");
-+ BPF_ASSERT_EQ(-1, ret_val);
-+ BPF_ASSERT_EQ(EPERM, errno);
-+}
-+
-+BPF_TEST_C(BaselinePolicy, CloneVforkEperm, BaselinePolicy) {
-+ errno = 0;
-+ // Allocate a couple pages for the child's stack even though the child should
-+ // never start.
-+ constexpr size_t kStackSize = 4096 * 4;
-+ void* child_stack = mmap(nullptr, kStackSize, PROT_READ | PROT_WRITE,
-+ MAP_PRIVATE | MAP_ANONYMOUS | MAP_STACK, -1, 0);
-+ BPF_ASSERT_NE(child_stack, nullptr);
-+ pid_t pid = syscall(__NR_clone, CLONE_VM | CLONE_VFORK | SIGCHLD,
-+ static_cast<char*>(child_stack) + kStackSize, nullptr,
-+ nullptr, nullptr);
-+ const int clone_errno = errno;
-+ TestUtils::HandlePostForkReturn(pid);
-+
-+ munmap(child_stack, kStackSize);
-+
-+ BPF_ASSERT_EQ(-1, pid);
-+ BPF_ASSERT_EQ(EPERM, clone_errno);
-+}
-+
- BPF_TEST_C(BaselinePolicy, CreateThread, BaselinePolicy) {
- base::Thread thread("sandbox_tests");
- BPF_ASSERT(thread.Start());
-diff --git a/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc b/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc
-index 100afe50e3..348ab6e8c5 100644
---- a/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc
-+++ b/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc
-@@ -135,7 +135,8 @@ namespace sandbox {
- #if !defined(OS_NACL_NONSFI)
- // Allow Glibc's and Android pthread creation flags, crash on any other
- // thread creation attempts and EPERM attempts to use neither
--// CLONE_VM, nor CLONE_THREAD, which includes all fork() implementations.
-+// CLONE_VM nor CLONE_THREAD (all fork implementations), unless CLONE_VFORK is
-+// present (as in newer versions of posix_spawn).
- ResultExpr RestrictCloneToThreadsAndEPERMFork() {
- const Arg<unsigned long> flags(0);
-
-@@ -154,8 +155,16 @@ ResultExpr RestrictCloneToThreadsAndEPERMFork() {
- AnyOf(flags == kAndroidCloneMask, flags == kObsoleteAndroidCloneMask,
- flags == kGlibcPthreadFlags);
-
-+ // The following two flags are the two important flags in any vfork-emulating
-+ // clone call. EPERM any clone call that contains both of them.
-+ const uint64_t kImportantCloneVforkFlags = CLONE_VFORK | CLONE_VM;
-+
-+ const BoolExpr is_fork_or_clone_vfork =
-+ AnyOf((flags & (CLONE_VM | CLONE_THREAD)) == 0,
-+ (flags & kImportantCloneVforkFlags) == kImportantCloneVforkFlags);
-+
- return If(IsAndroid() ? android_test : glibc_test, Allow())
-- .ElseIf((flags & (CLONE_VM | CLONE_THREAD)) == 0, Error(EPERM))
-+ .ElseIf(is_fork_or_clone_vfork, Error(EPERM))
- .Else(CrashSIGSYSClone());
- }
-
Copied: qt5-webengine/repos/kde-unstable-x86_64/qtwebengine-glibc-2.29.patch (from rev 354791, qt5-webengine/kde-unstable/qtwebengine-glibc-2.29.patch)
===================================================================
--- qtwebengine-glibc-2.29.patch (rev 0)
+++ qtwebengine-glibc-2.29.patch 2019-06-04 12:12:42 UTC (rev 354792)
@@ -0,0 +1,105 @@
+From 65046b8f90d0336cbe5f2f15cc7da5cb798360ad Mon Sep 17 00:00:00 2001
+From: Matthew Denton <mpdenton at chromium.org>
+Date: Wed, 24 Apr 2019 15:44:40 +0000
+Subject: [PATCH] Update Linux Seccomp syscall restrictions to EPERM
+ posix_spawn/vfork
+
+Glibc's system() function switched to using posix_spawn, which uses
+CLONE_VFORK. Pepperflash includes a sandbox debugging check which
+relies on us EPERM-ing process creation like this, rather than crashing
+the process with SIGSYS.
+
+So whitelist clone() calls, like posix_spawn, that include the flags
+CLONE_VFORK and CLONE_VM.
+
+Bug: 949312
+Change-Id: I3f4b90114b2fc1d9929e3c0a85bbe8f10def3c20
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1568086
+Commit-Queue: Robert Sesek <rsesek at chromium.org>
+Reviewed-by: Robert Sesek <rsesek at chromium.org>
+Cr-Commit-Position: refs/heads/master@{#653590}
+---
+ .../baseline_policy_unittest.cc | 29 +++++++++++++++++++
+ .../syscall_parameters_restrictions.cc | 13 +++++++--
+ 2 files changed, 40 insertions(+), 2 deletions(-)
+
+diff --git a/sandbox/linux/seccomp-bpf-helpers/baseline_policy_unittest.cc b/sandbox/linux/seccomp-bpf-helpers/baseline_policy_unittest.cc
+index cdeb210ccb..40fcebf933 100644
+--- a/sandbox/linux/seccomp-bpf-helpers/baseline_policy_unittest.cc
++++ b/sandbox/linux/seccomp-bpf-helpers/baseline_policy_unittest.cc
+@@ -10,7 +10,9 @@
+ #include <sched.h>
+ #include <signal.h>
+ #include <stddef.h>
++#include <stdlib.h>
+ #include <string.h>
++#include <sys/mman.h>
+ #include <sys/prctl.h>
+ #include <sys/resource.h>
+ #include <sys/socket.h>
+@@ -130,6 +132,33 @@ BPF_TEST_C(BaselinePolicy, ForkArmEperm, BaselinePolicy) {
+ BPF_ASSERT_EQ(EPERM, fork_errno);
+ }
+
++BPF_TEST_C(BaselinePolicy, SystemEperm, BaselinePolicy) {
++ errno = 0;
++ int ret_val = system("echo SHOULD NEVER RUN");
++ BPF_ASSERT_EQ(-1, ret_val);
++ BPF_ASSERT_EQ(EPERM, errno);
++}
++
++BPF_TEST_C(BaselinePolicy, CloneVforkEperm, BaselinePolicy) {
++ errno = 0;
++ // Allocate a couple pages for the child's stack even though the child should
++ // never start.
++ constexpr size_t kStackSize = 4096 * 4;
++ void* child_stack = mmap(nullptr, kStackSize, PROT_READ | PROT_WRITE,
++ MAP_PRIVATE | MAP_ANONYMOUS | MAP_STACK, -1, 0);
++ BPF_ASSERT_NE(child_stack, nullptr);
++ pid_t pid = syscall(__NR_clone, CLONE_VM | CLONE_VFORK | SIGCHLD,
++ static_cast<char*>(child_stack) + kStackSize, nullptr,
++ nullptr, nullptr);
++ const int clone_errno = errno;
++ TestUtils::HandlePostForkReturn(pid);
++
++ munmap(child_stack, kStackSize);
++
++ BPF_ASSERT_EQ(-1, pid);
++ BPF_ASSERT_EQ(EPERM, clone_errno);
++}
++
+ BPF_TEST_C(BaselinePolicy, CreateThread, BaselinePolicy) {
+ base::Thread thread("sandbox_tests");
+ BPF_ASSERT(thread.Start());
+diff --git a/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc b/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc
+index 100afe50e3..348ab6e8c5 100644
+--- a/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc
++++ b/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc
+@@ -135,7 +135,8 @@ namespace sandbox {
+ #if !defined(OS_NACL_NONSFI)
+ // Allow Glibc's and Android pthread creation flags, crash on any other
+ // thread creation attempts and EPERM attempts to use neither
+-// CLONE_VM, nor CLONE_THREAD, which includes all fork() implementations.
++// CLONE_VM nor CLONE_THREAD (all fork implementations), unless CLONE_VFORK is
++// present (as in newer versions of posix_spawn).
+ ResultExpr RestrictCloneToThreadsAndEPERMFork() {
+ const Arg<unsigned long> flags(0);
+
+@@ -154,8 +155,16 @@ ResultExpr RestrictCloneToThreadsAndEPERMFork() {
+ AnyOf(flags == kAndroidCloneMask, flags == kObsoleteAndroidCloneMask,
+ flags == kGlibcPthreadFlags);
+
++ // The following two flags are the two important flags in any vfork-emulating
++ // clone call. EPERM any clone call that contains both of them.
++ const uint64_t kImportantCloneVforkFlags = CLONE_VFORK | CLONE_VM;
++
++ const BoolExpr is_fork_or_clone_vfork =
++ AnyOf((flags & (CLONE_VM | CLONE_THREAD)) == 0,
++ (flags & kImportantCloneVforkFlags) == kImportantCloneVforkFlags);
++
+ return If(IsAndroid() ? android_test : glibc_test, Allow())
+- .ElseIf((flags & (CLONE_VM | CLONE_THREAD)) == 0, Error(EPERM))
++ .ElseIf(is_fork_or_clone_vfork, Error(EPERM))
+ .Else(CrashSIGSYSClone());
+ }
+
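Review bot: In RestrictCloneToThreadsAndEPERMFork(), `is_fork_or_clone_vfork` matches every flag word that contains both CLONE_VFORK and CLONE_VM, whatever other bits are set, so those calls now get a quiet EPERM where they previously reached `CrashSIGSYSClone()`. The call is still denied, but the sandboxed process keeps running and no SIGSYS crash is produced for it, which the patch description's word "whitelist" does not make obvious. I would say so next to the constant, e.g. `// Matches any flags containing both bits, even with extra flags set; these are denied with EPERM, not allowed, and no longer crash.` Separately, in the CloneVforkEperm test `mmap` reports failure as `MAP_FAILED`, not a null pointer, so the check should read `BPF_ASSERT_NE(child_stack, MAP_FAILED);`. Part of the function body lies between the patch's inner hunks and is not visible here.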