Merge branch 'sec/2020.05.10' into 'master'

Security updates for 2020.05.10 See merge request adelie/packages!448
author: A. Wilcox <awilcox@wilcox-tech.com> 2020-06-04 01:08:19 +0000
committer: A. Wilcox <awilcox@wilcox-tech.com> 2020-06-04 01:08:19 +0000
commit: 925fabf5441a16a7d347fed2b3bd36ef46fc1f62 (patch)
tree: b94adbbf7965292c0a94e6ab8719bacbc73efa7e /user/firefox-esr/seccomp-musl.patch
parent: 62d1b55bc2450280702234aa414761df0865332b (diff)
parent: 98a725069b0538ef835c6aed5895425b52db7e0e (diff)
download: packages-925fabf5441a16a7d347fed2b3bd36ef46fc1f62.tar.gz
packages-925fabf5441a16a7d347fed2b3bd36ef46fc1f62.tar.bz2
packages-925fabf5441a16a7d347fed2b3bd36ef46fc1f62.tar.xz
packages-925fabf5441a16a7d347fed2b3bd36ef46fc1f62.zip
1 files changed, 49 insertions, 0 deletions
diff --git a/user/firefox-esr/seccomp-musl.patch b/user/firefox-esr/seccomp-musl.patch
new file mode 100644
index 000000000..edd4a3024
--- /dev/null
+++ b/user/firefox-esr/seccomp-musl.patch
@@ -0,0 +1,49 @@
+Backport of https://hg.mozilla.org/mozilla-central/rev/a0be746532f437055e4190cc8db802ad1239405e
+
+diff --git a/security/sandbox/linux/SandboxFilter.cpp b/security/sandbox/linux/SandboxFilter.cpp
+--- a/security/sandbox/linux/SandboxFilter.cpp
++++ b/security/sandbox/linux/SandboxFilter.cpp
+@@ -419,16 +419,20 @@ class SandboxPolicyCommon : public Sandb
+         case __NR_faccessat:
+           return Trap(AccessAtTrap, mBroker);
+         CASES_FOR_stat:
+           return Trap(StatTrap, mBroker);
+         CASES_FOR_lstat:
+           return Trap(LStatTrap, mBroker);
+         CASES_FOR_fstatat:
+           return Trap(StatAtTrap, mBroker);
++        // Used by new libc and Rust's stdlib, if available.
++        // We don't have broker support yet so claim it does not exist.
++        case __NR_statx:
++          return Error(ENOSYS);
+         case __NR_chmod:
+           return Trap(ChmodTrap, mBroker);
+         case __NR_link:
+           return Trap(LinkTrap, mBroker);
+         case __NR_mkdir:
+           return Trap(MkdirTrap, mBroker);
+         case __NR_symlink:
+           return Trap(SymlinkTrap, mBroker);
+@@ -538,16 +542,20 @@ class SandboxPolicyCommon : public Sandb
+             .ElseIf(advice == MADV_HUGEPAGE, Allow())
+             .ElseIf(advice == MADV_NOHUGEPAGE, Allow())
+ #ifdef MOZ_ASAN
+             .ElseIf(advice == MADV_DONTDUMP, Allow())
+ #endif
+             .Else(InvalidSyscall());
+       }
+ 
++        // musl libc will set this up in pthreads support.
++      case __NR_membarrier:
++        return Allow();
++
+       // Signal handling
+ #if defined(ANDROID) || defined(MOZ_ASAN)
+       case __NR_sigaltstack:
+ #endif
+       CASES_FOR_sigreturn:
+       CASES_FOR_sigprocmask:
+       CASES_FOR_sigaction:
+         return Allow();
+
+
author	A. Wilcox <awilcox@wilcox-tech.com>	2020-06-04 01:08:19 +0000
committer	A. Wilcox <awilcox@wilcox-tech.com>	2020-06-04 01:08:19 +0000
commit	925fabf5441a16a7d347fed2b3bd36ef46fc1f62 (patch)
tree	b94adbbf7965292c0a94e6ab8719bacbc73efa7e /user/firefox-esr/seccomp-musl.patch
parent	62d1b55bc2450280702234aa414761df0865332b (diff)
parent	98a725069b0538ef835c6aed5895425b52db7e0e (diff)
download	packages-925fabf5441a16a7d347fed2b3bd36ef46fc1f62.tar.gz packages-925fabf5441a16a7d347fed2b3bd36ef46fc1f62.tar.bz2 packages-925fabf5441a16a7d347fed2b3bd36ef46fc1f62.tar.xz packages-925fabf5441a16a7d347fed2b3bd36ef46fc1f62.zip