[arch-commits] Commit in chromium/repos/extra-x86_64 (12 files)
Evangelos Foutras
foutrelis at archlinux.org
Wed May 1 04:00:18 UTC 2019
Date: Wednesday, May 1, 2019 @ 04:00:17
Author: foutrelis
Revision: 352333
archrelease: copy trunk to extra-x86_64
Added:
chromium/repos/extra-x86_64/PKGBUILD
(from rev 352332, chromium/trunk/PKGBUILD)
chromium/repos/extra-x86_64/chromium-glibc-2.29.patch
(from rev 352332, chromium/trunk/chromium-glibc-2.29.patch)
chromium/repos/extra-x86_64/chromium-skia-harmony.patch
(from rev 352332, chromium/trunk/chromium-skia-harmony.patch)
chromium/repos/extra-x86_64/chromium-system-icu.patch
(from rev 352332, chromium/trunk/chromium-system-icu.patch)
chromium/repos/extra-x86_64/chromium-widevine.patch
(from rev 352332, chromium/trunk/chromium-widevine.patch)
chromium/repos/extra-x86_64/chromium.install
(from rev 352332, chromium/trunk/chromium.install)
Deleted:
chromium/repos/extra-x86_64/PKGBUILD
chromium/repos/extra-x86_64/chromium-glibc-2.29.patch
chromium/repos/extra-x86_64/chromium-skia-harmony.patch
chromium/repos/extra-x86_64/chromium-system-icu.patch
chromium/repos/extra-x86_64/chromium-widevine.patch
chromium/repos/extra-x86_64/chromium.install
-----------------------------+
PKGBUILD | 444 +++++++++++++++++++++---------------------
chromium-glibc-2.29.patch | 203 +++++++++----------
chromium-skia-harmony.patch | 26 +-
chromium-system-icu.patch | 38 +--
chromium-widevine.patch | 44 ++--
chromium.install | 32 +--
6 files changed, 397 insertions(+), 390 deletions(-)
Deleted: PKGBUILD
===================================================================
--- PKGBUILD 2019-05-01 04:00:09 UTC (rev 352332)
+++ PKGBUILD 2019-05-01 04:00:17 UTC (rev 352333)
@@ -1,222 +0,0 @@
-# Maintainer: Evangelos Foutras <evangelos at foutrelis.com>
-# Contributor: Pierre Schmitz <pierre at archlinux.de>
-# Contributor: Jan "heftig" Steffens <jan.steffens at gmail.com>
-# Contributor: Daniel J Griffiths <ghost1227 at archlinux.us>
-
-pkgname=chromium
-pkgver=74.0.3729.108
-pkgrel=1
-_launcher_ver=6
-pkgdesc="A web browser built for speed, simplicity, and security"
-arch=('x86_64')
-url="https://www.chromium.org/Home"
-license=('BSD')
-depends=('gtk3' 'nss' 'alsa-lib' 'xdg-utils' 'libxss' 'libcups' 'libgcrypt'
- 'ttf-font' 'systemd' 'dbus' 'libpulse' 'pciutils' 'json-glib'
- 'desktop-file-utils' 'hicolor-icon-theme')
-makedepends=('python' 'python2' 'gperf' 'yasm' 'mesa' 'ninja' 'nodejs' 'git'
- 'clang' 'lld' 'gn' 'java-runtime-headless')
-optdepends=('pepper-flash: support for Flash content'
- 'kdialog: needed for file dialogs in KDE'
- 'gnome-keyring: for storing passwords in GNOME keyring'
- 'kwallet: for storing passwords in KWallet')
-install=chromium.install
-source=(https://commondatastorage.googleapis.com/chromium-browser-official/$pkgname-$pkgver.tar.xz
- chromium-launcher-$_launcher_ver.tar.gz::https://github.com/foutrelis/chromium-launcher/archive/v$_launcher_ver.tar.gz
- chromium-system-icu.patch
- chromium-glibc-2.29.patch
- chromium-widevine.patch
- chromium-skia-harmony.patch)
-sha256sums=('1e1e5e06fe24309377630800b44b5c6b624b7c722b5d9789abe80a962b945b6f'
- '04917e3cd4307d8e31bfb0027a5dce6d086edb10ff8a716024fbb8bb0c7dccf1'
- 'e2d284311f49c529ea45083438a768db390bde52949995534034d2a814beab89'
- '89ca1ac8394ec0920357ff64ba46573e978e9be64f82aa0fc225b36e30d5842c'
- 'd081f2ef8793544685aad35dea75a7e6264a2cb987ff3541e6377f4a3650a28b'
- '5887f78b55c4ecbbcba5930f3f0bb7bc0117c2a41c2f761805fcf7f46f1ca2b3')
-
-# Possible replacements are listed in build/linux/unbundle/replace_gn_files.py
-# Keys are the names in the above script; values are the dependencies in Arch
-declare -gA _system_libs=(
- [ffmpeg]=ffmpeg
- [flac]=flac
- [fontconfig]=fontconfig
- [freetype]=freetype2
- [harfbuzz-ng]=harfbuzz
- [icu]=icu
- [libdrm]=
- [libjpeg]=libjpeg
- #[libpng]=libpng # https://crbug.com/752403#c10
- [libvpx]=libvpx
- [libwebp]=libwebp
- [libxml]=libxml2
- [libxslt]=libxslt
- [opus]=opus
- [re2]=re2
- [snappy]=snappy
- [yasm]=
- [zlib]=minizip
-)
-_unwanted_bundled_libs=(
- ${!_system_libs[@]}
- ${_system_libs[libjpeg]+libjpeg_turbo}
-)
-depends+=(${_system_libs[@]})
-
-# Google API keys (see https://www.chromium.org/developers/how-tos/api-keys)
-# Note: These are for Arch Linux use ONLY. For your own distribution, please
-# get your own set of keys.
-_google_api_key=AIzaSyDwr302FpOSkGRpLlUpPThNTDPbXcIn_FM
-_google_default_client_id=413772536636.apps.googleusercontent.com
-_google_default_client_secret=0ZChLK6AxeA3Isu96MkwqDR4
-
-prepare() {
- cd "$srcdir/$pkgname-$pkgver"
-
- # Allow building against system libraries in official builds
- sed -i 's/OFFICIAL_BUILD/GOOGLE_CHROME_BUILD/' \
- tools/generate_shim_headers/generate_shim_headers.py
-
- # https://crbug.com/893950
- sed -i -e 's/\<xmlMalloc\>/malloc/' -e 's/\<xmlFree\>/free/' \
- third_party/blink/renderer/core/xml/*.cc \
- third_party/blink/renderer/core/xml/parser/xml_document_parser.cc \
- third_party/libxml/chromium/libxml_utils.cc
-
- # https://crbug.com/949312
- patch -Np1 -i ../chromium-glibc-2.29.patch
-
- # Load Widevine CDM if available
- patch -Np1 -i ../chromium-widevine.patch
-
- # https://crbug.com/skia/6663#c10
- patch -Np0 -i ../chromium-skia-harmony.patch
-
- # https://bugs.gentoo.org/661880#c21
- patch -Np1 -i ../chromium-system-icu.patch
-
- # Force script incompatible with Python 3 to use /usr/bin/python2
- sed -i '1s|python$|&2|' third_party/dom_distiller_js/protoc_plugins/*.py
-
- mkdir -p third_party/node/linux/node-linux-x64/bin
- ln -s /usr/bin/node third_party/node/linux/node-linux-x64/bin/
-
- # Remove bundled libraries for which we will use the system copies; this
- # *should* do what the remove_bundled_libraries.py script does, with the
- # added benefit of not having to list all the remaining libraries
- local _lib
- for _lib in ${_unwanted_bundled_libs[@]}; do
- find "third_party/$_lib" -type f \
- \! -path "third_party/$_lib/chromium/*" \
- \! -path "third_party/$_lib/google/*" \
- \! -path 'third_party/yasm/run_yasm.py' \
- \! -regex '.*\.\(gn\|gni\|isolate\)' \
- -delete
- done
-
- python2 build/linux/unbundle/replace_gn_files.py \
- --system-libraries "${!_system_libs[@]}"
-}
-
-build() {
- make -C chromium-launcher-$_launcher_ver
-
- cd "$srcdir/$pkgname-$pkgver"
-
- if check_buildoption ccache y; then
- # Avoid falling back to preprocessor mode when sources contain time macros
- export CCACHE_SLOPPINESS=time_macros
- fi
-
- export CC=clang
- export CXX=clang++
- export AR=ar
- export NM=nm
-
- local _flags=(
- 'custom_toolchain="//build/toolchain/linux/unbundle:default"'
- 'host_toolchain="//build/toolchain/linux/unbundle:default"'
- 'clang_use_chrome_plugins=false'
- 'is_official_build=true' # implies is_cfi=true on x86_64
- 'treat_warnings_as_errors=false'
- 'fieldtrial_testing_like_official_build=true'
- 'ffmpeg_branding="Chrome"'
- 'proprietary_codecs=true'
- 'link_pulseaudio=true'
- 'use_gnome_keyring=false'
- 'use_sysroot=false'
- 'linux_use_bundled_binutils=false'
- 'use_custom_libcxx=false'
- 'enable_hangout_services_extension=true'
- 'enable_widevine=true'
- 'enable_nacl=false'
- 'enable_swiftshader=false'
- "google_api_key=\"${_google_api_key}\""
- "google_default_client_id=\"${_google_default_client_id}\""
- "google_default_client_secret=\"${_google_default_client_secret}\""
- )
-
- # Facilitate deterministic builds (taken from build/config/compiler/BUILD.gn)
- CFLAGS+=' -Wno-builtin-macro-redefined'
- CXXFLAGS+=' -Wno-builtin-macro-redefined'
- CPPFLAGS+=' -D__DATE__= -D__TIME__= -D__TIMESTAMP__='
-
- if check_option strip y; then
- _flags+=('symbol_level=0')
-
- # Mimic exclude_unwind_tables=true
- CFLAGS+=' -fno-unwind-tables -fno-asynchronous-unwind-tables'
- CXXFLAGS+=' -fno-unwind-tables -fno-asynchronous-unwind-tables'
- CPPFLAGS+=' -DNO_UNWIND_TABLES'
- fi
-
- gn gen out/Release --args="${_flags[*]}" --script-executable=/usr/bin/python2
- ninja -C out/Release chrome chrome_sandbox chromedriver
-}
-
-package() {
- cd chromium-launcher-$_launcher_ver
- make PREFIX=/usr DESTDIR="$pkgdir" install
- install -Dm644 LICENSE \
- "$pkgdir/usr/share/licenses/chromium/LICENSE.launcher"
-
- cd "$srcdir/$pkgname-$pkgver"
-
- install -D out/Release/chrome "$pkgdir/usr/lib/chromium/chromium"
- install -Dm4755 out/Release/chrome_sandbox "$pkgdir/usr/lib/chromium/chrome-sandbox"
- ln -s /usr/lib/chromium/chromedriver "$pkgdir/usr/bin/chromedriver"
-
- install -Dm644 chrome/installer/linux/common/desktop.template \
- "$pkgdir/usr/share/applications/chromium.desktop"
- install -Dm644 chrome/app/resources/manpage.1.in \
- "$pkgdir/usr/share/man/man1/chromium.1"
- sed -i \
- -e "s/@@MENUNAME@@/Chromium/g" \
- -e "s/@@PACKAGE@@/chromium/g" \
- -e "s/@@USR_BIN_SYMLINK_NAME@@/chromium/g" \
- "$pkgdir/usr/share/applications/chromium.desktop" \
- "$pkgdir/usr/share/man/man1/chromium.1"
-
- cp \
- out/Release/{chrome_{100,200}_percent,resources}.pak \
- out/Release/{*.bin,chromedriver} \
- "$pkgdir/usr/lib/chromium/"
- install -Dm644 -t "$pkgdir/usr/lib/chromium/locales" out/Release/locales/*.pak
-
- if [[ -z ${_system_libs[icu]+set} ]]; then
- cp out/Release/icudtl.dat "$pkgdir/usr/lib/chromium/"
- fi
-
- for size in 22 24 48 64 128 256; do
- install -Dm644 "chrome/app/theme/chromium/product_logo_$size.png" \
- "$pkgdir/usr/share/icons/hicolor/${size}x${size}/apps/chromium.png"
- done
-
- for size in 16 32; do
- install -Dm644 "chrome/app/theme/default_100_percent/chromium/product_logo_$size.png" \
- "$pkgdir/usr/share/icons/hicolor/${size}x${size}/apps/chromium.png"
- done
-
- install -Dm644 LICENSE "$pkgdir/usr/share/licenses/chromium/LICENSE"
-}
-
-# vim:set ts=2 sw=2 et:
Copied: chromium/repos/extra-x86_64/PKGBUILD (from rev 352332, chromium/trunk/PKGBUILD)
===================================================================
--- PKGBUILD (rev 0)
+++ PKGBUILD 2019-05-01 04:00:17 UTC (rev 352333)
@@ -0,0 +1,222 @@
+# Maintainer: Evangelos Foutras <evangelos at foutrelis.com>
+# Contributor: Pierre Schmitz <pierre at archlinux.de>
+# Contributor: Jan "heftig" Steffens <jan.steffens at gmail.com>
+# Contributor: Daniel J Griffiths <ghost1227 at archlinux.us>
+
+pkgname=chromium
+pkgver=74.0.3729.131
+pkgrel=1
+_launcher_ver=6
+pkgdesc="A web browser built for speed, simplicity, and security"
+arch=('x86_64')
+url="https://www.chromium.org/Home"
+license=('BSD')
+depends=('gtk3' 'nss' 'alsa-lib' 'xdg-utils' 'libxss' 'libcups' 'libgcrypt'
+ 'ttf-font' 'systemd' 'dbus' 'libpulse' 'pciutils' 'json-glib'
+ 'desktop-file-utils' 'hicolor-icon-theme')
+makedepends=('python' 'python2' 'gperf' 'yasm' 'mesa' 'ninja' 'nodejs' 'git'
+ 'clang' 'lld' 'gn' 'java-runtime-headless')
+optdepends=('pepper-flash: support for Flash content'
+ 'kdialog: needed for file dialogs in KDE'
+ 'gnome-keyring: for storing passwords in GNOME keyring'
+ 'kwallet: for storing passwords in KWallet')
+install=chromium.install
+source=(https://commondatastorage.googleapis.com/chromium-browser-official/$pkgname-$pkgver.tar.xz
+ chromium-launcher-$_launcher_ver.tar.gz::https://github.com/foutrelis/chromium-launcher/archive/v$_launcher_ver.tar.gz
+ chromium-system-icu.patch
+ chromium-glibc-2.29.patch
+ chromium-widevine.patch
+ chromium-skia-harmony.patch)
+sha256sums=('d178c7842f8f858ac876d88ce866cbd2132d7ca6c73940613ebf7e9c3fada986'
+ '04917e3cd4307d8e31bfb0027a5dce6d086edb10ff8a716024fbb8bb0c7dccf1'
+ 'e2d284311f49c529ea45083438a768db390bde52949995534034d2a814beab89'
+ 'dd791f154b48e69cd47fd94753c45448655b529590995fd71ac1591c53a3d60c'
+ 'd081f2ef8793544685aad35dea75a7e6264a2cb987ff3541e6377f4a3650a28b'
+ '5887f78b55c4ecbbcba5930f3f0bb7bc0117c2a41c2f761805fcf7f46f1ca2b3')
+
+# Possible replacements are listed in build/linux/unbundle/replace_gn_files.py
+# Keys are the names in the above script; values are the dependencies in Arch
+declare -gA _system_libs=(
+ [ffmpeg]=ffmpeg
+ [flac]=flac
+ [fontconfig]=fontconfig
+ [freetype]=freetype2
+ [harfbuzz-ng]=harfbuzz
+ [icu]=icu
+ [libdrm]=
+ [libjpeg]=libjpeg
+ #[libpng]=libpng # https://crbug.com/752403#c10
+ [libvpx]=libvpx
+ [libwebp]=libwebp
+ [libxml]=libxml2
+ [libxslt]=libxslt
+ [opus]=opus
+ [re2]=re2
+ [snappy]=snappy
+ [yasm]=
+ [zlib]=minizip
+)
+_unwanted_bundled_libs=(
+ ${!_system_libs[@]}
+ ${_system_libs[libjpeg]+libjpeg_turbo}
+)
+depends+=(${_system_libs[@]})
+
+# Google API keys (see https://www.chromium.org/developers/how-tos/api-keys)
+# Note: These are for Arch Linux use ONLY. For your own distribution, please
+# get your own set of keys.
+_google_api_key=AIzaSyDwr302FpOSkGRpLlUpPThNTDPbXcIn_FM
+_google_default_client_id=413772536636.apps.googleusercontent.com
+_google_default_client_secret=0ZChLK6AxeA3Isu96MkwqDR4
+
+prepare() {
+ cd "$srcdir/$pkgname-$pkgver"
+
+ # Allow building against system libraries in official builds
+ sed -i 's/OFFICIAL_BUILD/GOOGLE_CHROME_BUILD/' \
+ tools/generate_shim_headers/generate_shim_headers.py
+
+ # https://crbug.com/893950
+ sed -i -e 's/\<xmlMalloc\>/malloc/' -e 's/\<xmlFree\>/free/' \
+ third_party/blink/renderer/core/xml/*.cc \
+ third_party/blink/renderer/core/xml/parser/xml_document_parser.cc \
+ third_party/libxml/chromium/libxml_utils.cc
+
+ # https://crbug.com/949312
+ patch -Np1 -i ../chromium-glibc-2.29.patch
+
+ # Load Widevine CDM if available
+ patch -Np1 -i ../chromium-widevine.patch
+
+ # https://crbug.com/skia/6663#c10
+ patch -Np0 -i ../chromium-skia-harmony.patch
+
+ # https://bugs.gentoo.org/661880#c21
+ patch -Np1 -i ../chromium-system-icu.patch
+
+ # Force script incompatible with Python 3 to use /usr/bin/python2
+ sed -i '1s|python$|&2|' third_party/dom_distiller_js/protoc_plugins/*.py
+
+ mkdir -p third_party/node/linux/node-linux-x64/bin
+ ln -s /usr/bin/node third_party/node/linux/node-linux-x64/bin/
+
+ # Remove bundled libraries for which we will use the system copies; this
+ # *should* do what the remove_bundled_libraries.py script does, with the
+ # added benefit of not having to list all the remaining libraries
+ local _lib
+ for _lib in ${_unwanted_bundled_libs[@]}; do
+ find "third_party/$_lib" -type f \
+ \! -path "third_party/$_lib/chromium/*" \
+ \! -path "third_party/$_lib/google/*" \
+ \! -path 'third_party/yasm/run_yasm.py' \
+ \! -regex '.*\.\(gn\|gni\|isolate\)' \
+ -delete
+ done
+
+ python2 build/linux/unbundle/replace_gn_files.py \
+ --system-libraries "${!_system_libs[@]}"
+}
+
+build() {
+ make -C chromium-launcher-$_launcher_ver
+
+ cd "$srcdir/$pkgname-$pkgver"
+
+ if check_buildoption ccache y; then
+ # Avoid falling back to preprocessor mode when sources contain time macros
+ export CCACHE_SLOPPINESS=time_macros
+ fi
+
+ export CC=clang
+ export CXX=clang++
+ export AR=ar
+ export NM=nm
+
+ local _flags=(
+ 'custom_toolchain="//build/toolchain/linux/unbundle:default"'
+ 'host_toolchain="//build/toolchain/linux/unbundle:default"'
+ 'clang_use_chrome_plugins=false'
+ 'is_official_build=true' # implies is_cfi=true on x86_64
+ 'treat_warnings_as_errors=false'
+ 'fieldtrial_testing_like_official_build=true'
+ 'ffmpeg_branding="Chrome"'
+ 'proprietary_codecs=true'
+ 'link_pulseaudio=true'
+ 'use_gnome_keyring=false'
+ 'use_sysroot=false'
+ 'linux_use_bundled_binutils=false'
+ 'use_custom_libcxx=false'
+ 'enable_hangout_services_extension=true'
+ 'enable_widevine=true'
+ 'enable_nacl=false'
+ 'enable_swiftshader=false'
+ "google_api_key=\"${_google_api_key}\""
+ "google_default_client_id=\"${_google_default_client_id}\""
+ "google_default_client_secret=\"${_google_default_client_secret}\""
+ )
+
+ # Facilitate deterministic builds (taken from build/config/compiler/BUILD.gn)
+ CFLAGS+=' -Wno-builtin-macro-redefined'
+ CXXFLAGS+=' -Wno-builtin-macro-redefined'
+ CPPFLAGS+=' -D__DATE__= -D__TIME__= -D__TIMESTAMP__='
+
+ if check_option strip y; then
+ _flags+=('symbol_level=0')
+
+ # Mimic exclude_unwind_tables=true
+ CFLAGS+=' -fno-unwind-tables -fno-asynchronous-unwind-tables'
+ CXXFLAGS+=' -fno-unwind-tables -fno-asynchronous-unwind-tables'
+ CPPFLAGS+=' -DNO_UNWIND_TABLES'
+ fi
+
+ gn gen out/Release --args="${_flags[*]}" --script-executable=/usr/bin/python2
+ ninja -C out/Release chrome chrome_sandbox chromedriver
+}
+
+package() {
+ cd chromium-launcher-$_launcher_ver
+ make PREFIX=/usr DESTDIR="$pkgdir" install
+ install -Dm644 LICENSE \
+ "$pkgdir/usr/share/licenses/chromium/LICENSE.launcher"
+
+ cd "$srcdir/$pkgname-$pkgver"
+
+ install -D out/Release/chrome "$pkgdir/usr/lib/chromium/chromium"
+ install -Dm4755 out/Release/chrome_sandbox "$pkgdir/usr/lib/chromium/chrome-sandbox"
+ ln -s /usr/lib/chromium/chromedriver "$pkgdir/usr/bin/chromedriver"
+
+ install -Dm644 chrome/installer/linux/common/desktop.template \
+ "$pkgdir/usr/share/applications/chromium.desktop"
+ install -Dm644 chrome/app/resources/manpage.1.in \
+ "$pkgdir/usr/share/man/man1/chromium.1"
+ sed -i \
+ -e "s/@@MENUNAME@@/Chromium/g" \
+ -e "s/@@PACKAGE@@/chromium/g" \
+ -e "s/@@USR_BIN_SYMLINK_NAME@@/chromium/g" \
+ "$pkgdir/usr/share/applications/chromium.desktop" \
+ "$pkgdir/usr/share/man/man1/chromium.1"
+
+ cp \
+ out/Release/{chrome_{100,200}_percent,resources}.pak \
+ out/Release/{*.bin,chromedriver} \
+ "$pkgdir/usr/lib/chromium/"
+ install -Dm644 -t "$pkgdir/usr/lib/chromium/locales" out/Release/locales/*.pak
+
+ if [[ -z ${_system_libs[icu]+set} ]]; then
+ cp out/Release/icudtl.dat "$pkgdir/usr/lib/chromium/"
+ fi
+
+ for size in 22 24 48 64 128 256; do
+ install -Dm644 "chrome/app/theme/chromium/product_logo_$size.png" \
+ "$pkgdir/usr/share/icons/hicolor/${size}x${size}/apps/chromium.png"
+ done
+
+ for size in 16 32; do
+ install -Dm644 "chrome/app/theme/default_100_percent/chromium/product_logo_$size.png" \
+ "$pkgdir/usr/share/icons/hicolor/${size}x${size}/apps/chromium.png"
+ done
+
+ install -Dm644 LICENSE "$pkgdir/usr/share/licenses/chromium/LICENSE"
+}
+
+# vim:set ts=2 sw=2 et:
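Review bot: The `install -Dm4755 out/Release/chrome_sandbox …` line in package() ships a setuid-root binary with no comment explaining the mode. I would add `# setuid sandbox helper: Chromium expects it root-owned with mode 4755` above it, so a later cleanup does not "fix" the permission or copy it to another file. In the same file, `depends+=(${_system_libs[@]})` is left unquoted so the empty `libdrm` and `yasm` values disappear, and `${_system_libs[libjpeg]+libjpeg_turbo}` is unquoted for a similar reason; a one-line comment should say so. The loop in prepare() has no such need and can be written `for _lib in "${_unwanted_bundled_libs[@]}"; do`.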
Deleted: chromium-glibc-2.29.patch
===================================================================
--- chromium-glibc-2.29.patch 2019-05-01 04:00:09 UTC (rev 352332)
+++ chromium-glibc-2.29.patch 2019-05-01 04:00:17 UTC (rev 352333)
@@ -1,98 +0,0 @@
-tree 0f4b37852646eae176de06a5d92cd2f68ffaf318
-parent a38dc4152f043e81310b0deff46f9a770b9f5fcb
-author Matthew Denton <mpdenton at chromium.org> 1555962368 -0700
-committer Matthew Denton <mpdenton at chromium.org> 1555962368 -0700
-
-Update Linux Seccomp syscall restrictions to EPERM posix_spawn/vfork
-
-Glibc's system() function switched to using posix_spawn, which uses
-CLONE_VFORK. Pepperflash includes a sandbox debugging check which
-relies on us EPERM-ing process creation like this, rather than crashing
-the process with SIGSYS.
-
-So whitelist clone() calls, like posix_spawn, that include the flags
-CLONE_VFORK and CLONE_VM.
-
-Bug: 949312
-Change-Id: I3f4b90114b2fc1d9929e3c0a85bbe8f10def3c20
-
-diff --git a/sandbox/linux/seccomp-bpf-helpers/baseline_policy_unittest.cc b/sandbox/linux/seccomp-bpf-helpers/baseline_policy_unittest.cc
-index cdeb210..40fcebf 100644
---- a/sandbox/linux/seccomp-bpf-helpers/baseline_policy_unittest.cc
-+++ b/sandbox/linux/seccomp-bpf-helpers/baseline_policy_unittest.cc
-@@ -10,7 +10,9 @@
- #include <sched.h>
- #include <signal.h>
- #include <stddef.h>
-+#include <stdlib.h>
- #include <string.h>
-+#include <sys/mman.h>
- #include <sys/prctl.h>
- #include <sys/resource.h>
- #include <sys/socket.h>
-@@ -130,6 +132,33 @@
- BPF_ASSERT_EQ(EPERM, fork_errno);
- }
-
-+BPF_TEST_C(BaselinePolicy, SystemEperm, BaselinePolicy) {
-+ errno = 0;
-+ int ret_val = system("echo SHOULD NEVER RUN");
-+ BPF_ASSERT_EQ(-1, ret_val);
-+ BPF_ASSERT_EQ(EPERM, errno);
-+}
-+
-+BPF_TEST_C(BaselinePolicy, CloneVforkEperm, BaselinePolicy) {
-+ errno = 0;
-+ // Allocate a couple pages for the child's stack even though the child should
-+ // never start.
-+ constexpr size_t kStackSize = 4096 * 4;
-+ void* child_stack = mmap(nullptr, kStackSize, PROT_READ | PROT_WRITE,
-+ MAP_PRIVATE | MAP_ANONYMOUS | MAP_STACK, -1, 0);
-+ BPF_ASSERT_NE(child_stack, nullptr);
-+ pid_t pid = syscall(__NR_clone, CLONE_VM | CLONE_VFORK | SIGCHLD,
-+ static_cast<char*>(child_stack) + kStackSize, nullptr,
-+ nullptr, nullptr);
-+ const int clone_errno = errno;
-+ TestUtils::HandlePostForkReturn(pid);
-+
-+ munmap(child_stack, kStackSize);
-+
-+ BPF_ASSERT_EQ(-1, pid);
-+ BPF_ASSERT_EQ(EPERM, clone_errno);
-+}
-+
- BPF_TEST_C(BaselinePolicy, CreateThread, BaselinePolicy) {
- base::Thread thread("sandbox_tests");
- BPF_ASSERT(thread.Start());
-diff --git a/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc b/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc
-index 100afe5..348ab6e 100644
---- a/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc
-+++ b/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc
-@@ -135,7 +135,8 @@
- #if !defined(OS_NACL_NONSFI)
- // Allow Glibc's and Android pthread creation flags, crash on any other
- // thread creation attempts and EPERM attempts to use neither
--// CLONE_VM, nor CLONE_THREAD, which includes all fork() implementations.
-+// CLONE_VM nor CLONE_THREAD (all fork implementations), unless CLONE_VFORK is
-+// present (as in newer versions of posix_spawn).
- ResultExpr RestrictCloneToThreadsAndEPERMFork() {
- const Arg<unsigned long> flags(0);
-
-@@ -154,8 +155,16 @@
- AnyOf(flags == kAndroidCloneMask, flags == kObsoleteAndroidCloneMask,
- flags == kGlibcPthreadFlags);
-
-+ // The following two flags are the two important flags in any vfork-emulating
-+ // clone call. EPERM any clone call that contains both of them.
-+ const uint64_t kImportantCloneVforkFlags = CLONE_VFORK | CLONE_VM;
-+
-+ const BoolExpr is_fork_or_clone_vfork =
-+ AnyOf((flags & (CLONE_VM | CLONE_THREAD)) == 0,
-+ (flags & kImportantCloneVforkFlags) == kImportantCloneVforkFlags);
-+
- return If(IsAndroid() ? android_test : glibc_test, Allow())
-- .ElseIf((flags & (CLONE_VM | CLONE_THREAD)) == 0, Error(EPERM))
-+ .ElseIf(is_fork_or_clone_vfork, Error(EPERM))
- .Else(CrashSIGSYSClone());
- }
-
Copied: chromium/repos/extra-x86_64/chromium-glibc-2.29.patch (from rev 352332, chromium/trunk/chromium-glibc-2.29.patch)
===================================================================
--- chromium-glibc-2.29.patch (rev 0)
+++ chromium-glibc-2.29.patch 2019-05-01 04:00:17 UTC (rev 352333)
@@ -0,0 +1,105 @@
+From 65046b8f90d0336cbe5f2f15cc7da5cb798360ad Mon Sep 17 00:00:00 2001
+From: Matthew Denton <mpdenton at chromium.org>
+Date: Wed, 24 Apr 2019 15:44:40 +0000
+Subject: [PATCH] Update Linux Seccomp syscall restrictions to EPERM
+ posix_spawn/vfork
+
+Glibc's system() function switched to using posix_spawn, which uses
+CLONE_VFORK. Pepperflash includes a sandbox debugging check which
+relies on us EPERM-ing process creation like this, rather than crashing
+the process with SIGSYS.
+
+So whitelist clone() calls, like posix_spawn, that include the flags
+CLONE_VFORK and CLONE_VM.
+
+Bug: 949312
+Change-Id: I3f4b90114b2fc1d9929e3c0a85bbe8f10def3c20
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1568086
+Commit-Queue: Robert Sesek <rsesek at chromium.org>
+Reviewed-by: Robert Sesek <rsesek at chromium.org>
+Cr-Commit-Position: refs/heads/master@{#653590}
+---
+ .../baseline_policy_unittest.cc | 29 +++++++++++++++++++
+ .../syscall_parameters_restrictions.cc | 13 +++++++--
+ 2 files changed, 40 insertions(+), 2 deletions(-)
+
+diff --git a/sandbox/linux/seccomp-bpf-helpers/baseline_policy_unittest.cc b/sandbox/linux/seccomp-bpf-helpers/baseline_policy_unittest.cc
+index cdeb210ccb..40fcebf933 100644
+--- a/sandbox/linux/seccomp-bpf-helpers/baseline_policy_unittest.cc
++++ b/sandbox/linux/seccomp-bpf-helpers/baseline_policy_unittest.cc
+@@ -10,7 +10,9 @@
+ #include <sched.h>
+ #include <signal.h>
+ #include <stddef.h>
++#include <stdlib.h>
+ #include <string.h>
++#include <sys/mman.h>
+ #include <sys/prctl.h>
+ #include <sys/resource.h>
+ #include <sys/socket.h>
+@@ -130,6 +132,33 @@ BPF_TEST_C(BaselinePolicy, ForkArmEperm, BaselinePolicy) {
+ BPF_ASSERT_EQ(EPERM, fork_errno);
+ }
+
++BPF_TEST_C(BaselinePolicy, SystemEperm, BaselinePolicy) {
++ errno = 0;
++ int ret_val = system("echo SHOULD NEVER RUN");
++ BPF_ASSERT_EQ(-1, ret_val);
++ BPF_ASSERT_EQ(EPERM, errno);
++}
++
++BPF_TEST_C(BaselinePolicy, CloneVforkEperm, BaselinePolicy) {
++ errno = 0;
++ // Allocate a couple pages for the child's stack even though the child should
++ // never start.
++ constexpr size_t kStackSize = 4096 * 4;
++ void* child_stack = mmap(nullptr, kStackSize, PROT_READ | PROT_WRITE,
++ MAP_PRIVATE | MAP_ANONYMOUS | MAP_STACK, -1, 0);
++ BPF_ASSERT_NE(child_stack, nullptr);
++ pid_t pid = syscall(__NR_clone, CLONE_VM | CLONE_VFORK | SIGCHLD,
++ static_cast<char*>(child_stack) + kStackSize, nullptr,
++ nullptr, nullptr);
++ const int clone_errno = errno;
++ TestUtils::HandlePostForkReturn(pid);
++
++ munmap(child_stack, kStackSize);
++
++ BPF_ASSERT_EQ(-1, pid);
++ BPF_ASSERT_EQ(EPERM, clone_errno);
++}
++
+ BPF_TEST_C(BaselinePolicy, CreateThread, BaselinePolicy) {
+ base::Thread thread("sandbox_tests");
+ BPF_ASSERT(thread.Start());
+diff --git a/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc b/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc
+index 100afe50e3..348ab6e8c5 100644
+--- a/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc
++++ b/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc
+@@ -135,7 +135,8 @@ namespace sandbox {
+ #if !defined(OS_NACL_NONSFI)
+ // Allow Glibc's and Android pthread creation flags, crash on any other
+ // thread creation attempts and EPERM attempts to use neither
+-// CLONE_VM, nor CLONE_THREAD, which includes all fork() implementations.
++// CLONE_VM nor CLONE_THREAD (all fork implementations), unless CLONE_VFORK is
++// present (as in newer versions of posix_spawn).
+ ResultExpr RestrictCloneToThreadsAndEPERMFork() {
+ const Arg<unsigned long> flags(0);
+
+@@ -154,8 +155,16 @@ ResultExpr RestrictCloneToThreadsAndEPERMFork() {
+ AnyOf(flags == kAndroidCloneMask, flags == kObsoleteAndroidCloneMask,
+ flags == kGlibcPthreadFlags);
+
++ // The following two flags are the two important flags in any vfork-emulating
++ // clone call. EPERM any clone call that contains both of them.
++ const uint64_t kImportantCloneVforkFlags = CLONE_VFORK | CLONE_VM;
++
++ const BoolExpr is_fork_or_clone_vfork =
++ AnyOf((flags & (CLONE_VM | CLONE_THREAD)) == 0,
++ (flags & kImportantCloneVforkFlags) == kImportantCloneVforkFlags);
++
+ return If(IsAndroid() ? android_test : glibc_test, Allow())
+- .ElseIf((flags & (CLONE_VM | CLONE_THREAD)) == 0, Error(EPERM))
++ .ElseIf(is_fork_or_clone_vfork, Error(EPERM))
+ .Else(CrashSIGSYSClone());
+ }
+
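Review bot: In the added `CloneVforkEperm` test, `BPF_ASSERT_NE(child_stack, nullptr)` cannot detect a failed allocation, because mmap() reports failure as `MAP_FAILED` rather than a null pointer. The check should read `BPF_ASSERT_NE(child_stack, MAP_FAILED);`. As written, a failed mmap would still feed a bogus stack address into the `__NR_clone` call, and the later `munmap` would run on it as well. The test would presumably still pass, since the policy is expected to reject the call before the stack is used, which hides the allocation failure instead of reporting it.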
Deleted: chromium-skia-harmony.patch
===================================================================
--- chromium-skia-harmony.patch 2019-05-01 04:00:09 UTC (rev 352332)
+++ chromium-skia-harmony.patch 2019-05-01 04:00:17 UTC (rev 352333)
@@ -1,13 +0,0 @@
---- third_party/skia/src/ports/SkFontHost_FreeType.cpp.orig 2019-01-20 10:54:56.415239030 +0000
-+++ third_party/skia/src/ports/SkFontHost_FreeType.cpp 2019-01-20 10:55:05.695307733 +0000
-@@ -121,8 +121,8 @@ public:
- : fGetVarDesignCoordinates(nullptr)
- , fGetVarAxisFlags(nullptr)
- , fLibrary(nullptr)
-- , fIsLCDSupported(false)
-- , fLCDExtra(0)
-+ , fIsLCDSupported(true)
-+ , fLCDExtra(2)
- {
- if (FT_New_Library(&gFTMemory, &fLibrary)) {
- return;
Copied: chromium/repos/extra-x86_64/chromium-skia-harmony.patch (from rev 352332, chromium/trunk/chromium-skia-harmony.patch)
===================================================================
--- chromium-skia-harmony.patch (rev 0)
+++ chromium-skia-harmony.patch 2019-05-01 04:00:17 UTC (rev 352333)
@@ -0,0 +1,13 @@
+--- third_party/skia/src/ports/SkFontHost_FreeType.cpp.orig 2019-01-20 10:54:56.415239030 +0000
++++ third_party/skia/src/ports/SkFontHost_FreeType.cpp 2019-01-20 10:55:05.695307733 +0000
+@@ -121,8 +121,8 @@ public:
+ : fGetVarDesignCoordinates(nullptr)
+ , fGetVarAxisFlags(nullptr)
+ , fLibrary(nullptr)
+- , fIsLCDSupported(false)
+- , fLCDExtra(0)
++ , fIsLCDSupported(true)
++ , fLCDExtra(2)
+ {
+ if (FT_New_Library(&gFTMemory, &fLibrary)) {
+ return;
Deleted: chromium-system-icu.patch
===================================================================
--- chromium-system-icu.patch 2019-05-01 04:00:09 UTC (rev 352332)
+++ chromium-system-icu.patch 2019-05-01 04:00:17 UTC (rev 352333)
@@ -1,19 +0,0 @@
-diff --git a/third_party/blink/renderer/platform/text/character_property_data.h b/third_party/blink/renderer/platform/text/character_property_data.h
-index 28fb6a9..bb4dbd7 100644
---- a/third_party/blink/renderer/platform/text/character_property_data.h
-+++ b/third_party/blink/renderer/platform/text/character_property_data.h
-@@ -244,10 +244,12 @@ static const UChar32 kIsHangulRanges[] = {
- 0xD7B0, 0xD7FF,
- // Halfwidth Hangul Jamo
- // https://www.unicode.org/charts/nameslist/c_FF00.html
-- 0xFFA0, 0xFFDC,
-+ 0xFFA0, 0xFFDB,
- };
-
--static const UChar32 kIsHangulArray[] = {};
-+static const UChar32 kIsHangulArray[] = {
-+ 0xFFDC,
-+};
-
- #if !defined(USING_SYSTEM_ICU)
- // Freezed trie tree, see character_property_data_generator.cc.
Copied: chromium/repos/extra-x86_64/chromium-system-icu.patch (from rev 352332, chromium/trunk/chromium-system-icu.patch)
===================================================================
--- chromium-system-icu.patch (rev 0)
+++ chromium-system-icu.patch 2019-05-01 04:00:17 UTC (rev 352333)
@@ -0,0 +1,19 @@
+diff --git a/third_party/blink/renderer/platform/text/character_property_data.h b/third_party/blink/renderer/platform/text/character_property_data.h
+index 28fb6a9..bb4dbd7 100644
+--- a/third_party/blink/renderer/platform/text/character_property_data.h
++++ b/third_party/blink/renderer/platform/text/character_property_data.h
+@@ -244,10 +244,12 @@ static const UChar32 kIsHangulRanges[] = {
+ 0xD7B0, 0xD7FF,
+ // Halfwidth Hangul Jamo
+ // https://www.unicode.org/charts/nameslist/c_FF00.html
+- 0xFFA0, 0xFFDC,
++ 0xFFA0, 0xFFDB,
+ };
+
+-static const UChar32 kIsHangulArray[] = {};
++static const UChar32 kIsHangulArray[] = {
++ 0xFFDC,
++};
+
+ #if !defined(USING_SYSTEM_ICU)
+ // Freezed trie tree, see character_property_data_generator.cc.
Deleted: chromium-widevine.patch
===================================================================
--- chromium-widevine.patch 2019-05-01 04:00:09 UTC (rev 352332)
+++ chromium-widevine.patch 2019-05-01 04:00:17 UTC (rev 352333)
@@ -1,22 +0,0 @@
-diff -upr chromium-71.0.3578.80.orig/chrome/common/chrome_content_client.cc chromium-71.0.3578.80/chrome/common/chrome_content_client.cc
---- chromium-71.0.3578.80.orig/chrome/common/chrome_content_client.cc 2018-12-03 20:16:43.000000000 +0000
-+++ chromium-71.0.3578.80/chrome/common/chrome_content_client.cc 2018-12-04 21:34:28.658206942 +0000
-@@ -99,7 +99,7 @@
- // Registers Widevine CDM if Widevine is enabled, the Widevine CDM is
- // bundled and not a component. When the Widevine CDM is a component, it is
- // registered in widevine_cdm_component_installer.cc.
--#if BUILDFLAG(BUNDLE_WIDEVINE_CDM) && !BUILDFLAG(ENABLE_WIDEVINE_CDM_COMPONENT)
-+#if BUILDFLAG(ENABLE_WIDEVINE) && !BUILDFLAG(ENABLE_WIDEVINE_CDM_COMPONENT)
- #define REGISTER_BUNDLED_WIDEVINE_CDM
- #include "third_party/widevine/cdm/widevine_cdm_common.h" // nogncheck
- // TODO(crbug.com/663554): Needed for WIDEVINE_CDM_VERSION_STRING. Support
-diff -upr chromium-71.0.3578.80.orig/third_party/widevine/cdm/widevine_cdm_version.h chromium-71.0.3578.80/third_party/widevine/cdm/widevine_cdm_version.h
---- chromium-71.0.3578.80.orig/third_party/widevine/cdm/widevine_cdm_version.h 2018-12-03 20:18:01.000000000 +0000
-+++ chromium-71.0.3578.80/third_party/widevine/cdm/widevine_cdm_version.h 2018-12-04 21:37:45.635374949 +0000
-@@ -12,4 +12,6 @@
- // - WIDEVINE_CDM_VERSION_STRING (with the version of the CDM that's available
- // as a string, e.g., "1.0.123.456").
-
-+#define WIDEVINE_CDM_VERSION_STRING "unknown"
-+
- #endif // WIDEVINE_CDM_VERSION_H_
Copied: chromium/repos/extra-x86_64/chromium-widevine.patch (from rev 352332, chromium/trunk/chromium-widevine.patch)
===================================================================
--- chromium-widevine.patch (rev 0)
+++ chromium-widevine.patch 2019-05-01 04:00:17 UTC (rev 352333)
@@ -0,0 +1,22 @@
+diff -upr chromium-71.0.3578.80.orig/chrome/common/chrome_content_client.cc chromium-71.0.3578.80/chrome/common/chrome_content_client.cc
+--- chromium-71.0.3578.80.orig/chrome/common/chrome_content_client.cc 2018-12-03 20:16:43.000000000 +0000
++++ chromium-71.0.3578.80/chrome/common/chrome_content_client.cc 2018-12-04 21:34:28.658206942 +0000
+@@ -99,7 +99,7 @@
+ // Registers Widevine CDM if Widevine is enabled, the Widevine CDM is
+ // bundled and not a component. When the Widevine CDM is a component, it is
+ // registered in widevine_cdm_component_installer.cc.
+-#if BUILDFLAG(BUNDLE_WIDEVINE_CDM) && !BUILDFLAG(ENABLE_WIDEVINE_CDM_COMPONENT)
++#if BUILDFLAG(ENABLE_WIDEVINE) && !BUILDFLAG(ENABLE_WIDEVINE_CDM_COMPONENT)
+ #define REGISTER_BUNDLED_WIDEVINE_CDM
+ #include "third_party/widevine/cdm/widevine_cdm_common.h" // nogncheck
+ // TODO(crbug.com/663554): Needed for WIDEVINE_CDM_VERSION_STRING. Support
+diff -upr chromium-71.0.3578.80.orig/third_party/widevine/cdm/widevine_cdm_version.h chromium-71.0.3578.80/third_party/widevine/cdm/widevine_cdm_version.h
+--- chromium-71.0.3578.80.orig/third_party/widevine/cdm/widevine_cdm_version.h 2018-12-03 20:18:01.000000000 +0000
++++ chromium-71.0.3578.80/third_party/widevine/cdm/widevine_cdm_version.h 2018-12-04 21:37:45.635374949 +0000
+@@ -12,4 +12,6 @@
+ // - WIDEVINE_CDM_VERSION_STRING (with the version of the CDM that's available
+ // as a string, e.g., "1.0.123.456").
+
++#define WIDEVINE_CDM_VERSION_STRING "unknown"
++
+ #endif // WIDEVINE_CDM_VERSION_H_
Deleted: chromium.install
===================================================================
--- chromium.install 2019-05-01 04:00:09 UTC (rev 352332)
+++ chromium.install 2019-05-01 04:00:17 UTC (rev 352333)
@@ -1,16 +0,0 @@
-post_upgrade() {
- if (($(vercmp $2 42.0.2311.90-1) < 0)); then
- echo ':: This Chromium package no longer supports custom flags passed via the'
- echo ' /etc/chromium/default file (or any other files under /etc/chromium/).'
- echo
- echo ' The new /usr/bin/chromium launcher script will automatically detect'
- echo ' Pepper Flash (if installed) and pass the correct flags to Chromium.'
- echo
- echo ' If you need to pass extra command-line arguments to Chromium, you'
- echo ' can put them in a "chromium-flags.conf" file under $HOME/.config/'
- echo ' (or $XDG_CONFIG_HOME). Arguments are split on whitespace and shell'
- echo ' quoting rules apply but no further parsing is performed.'
- fi
-}
-
-# vim:set ts=2 sw=2 et:
Copied: chromium/repos/extra-x86_64/chromium.install (from rev 352332, chromium/trunk/chromium.install)
===================================================================
--- chromium.install (rev 0)
+++ chromium.install 2019-05-01 04:00:17 UTC (rev 352333)
@@ -0,0 +1,16 @@
+post_upgrade() {
+ if (($(vercmp $2 42.0.2311.90-1) < 0)); then
+ echo ':: This Chromium package no longer supports custom flags passed via the'
+ echo ' /etc/chromium/default file (or any other files under /etc/chromium/).'
+ echo
+ echo ' The new /usr/bin/chromium launcher script will automatically detect'
+ echo ' Pepper Flash (if installed) and pass the correct flags to Chromium.'
+ echo
+ echo ' If you need to pass extra command-line arguments to Chromium, you'
+ echo ' can put them in a "chromium-flags.conf" file under $HOME/.config/'
+ echo ' (or $XDG_CONFIG_HOME). Arguments are split on whitespace and shell'
+ echo ' quoting rules apply but no further parsing is performed.'
+ fi
+}
+
+# vim:set ts=2 sw=2 et:
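Review bot: `$2` is expanded unquoted inside `$(vercmp $2 42.0.2311.90-1)` in post_upgrade(). If it is ever empty, vercmp receives a single argument and the arithmetic test is left with nothing on the left of `< 0`. Quoting keeps the comparison well-formed: `if (($(vercmp "$2" 42.0.2311.90-1) < 0)); then`.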