diff options
author | Stephan Hartmann <sultan@gentoo.org> | 2021-07-27 19:38:58 +0200 |
---|---|---|
committer | Stephan Hartmann <sultan@gentoo.org> | 2021-07-27 19:39:17 +0200 |
commit | afa4f06bc7e383b77191f6325ed4efef50ac49f8 (patch) | |
tree | 93c4592c82fd50882e56480c65d6da5930ed9e99 /www-client | |
parent | sys-apps/systemd: drop 248.5 (diff) | |
download | gentoo-afa4f06bc7e383b77191f6325ed4efef50ac49f8.tar.gz gentoo-afa4f06bc7e383b77191f6325ed4efef50ac49f8.tar.bz2 gentoo-afa4f06bc7e383b77191f6325ed4efef50ac49f8.zip |
www-client/chromium: security cleanup
Bug: https://bugs.gentoo.org/803167
Closes: https://bugs.gentoo.org/803467
Closes: https://bugs.gentoo.org/769989
Closes: https://bugs.gentoo.org/796527
Package-Manager: Portage-3.0.20, Repoman-3.0.2
Signed-off-by: Stephan Hartmann <sultan@gentoo.org>
Diffstat (limited to 'www-client')
-rw-r--r-- | www-client/chromium/Manifest | 3 | ||||
-rw-r--r-- | www-client/chromium/chromium-91.0.4472.164.ebuild | 944 | ||||
-rw-r--r-- | www-client/chromium/files/chromium-89-EnumTable-crash.patch | 71 | ||||
-rw-r--r-- | www-client/chromium/files/chromium-91-ThemeService-crash.patch | 36 | ||||
-rw-r--r-- | www-client/chromium/files/chromium-91-system-icu.patch | 29 | ||||
-rw-r--r-- | www-client/chromium/files/chromium-glibc-2.33.patch | 141 |
6 files changed, 0 insertions, 1224 deletions
diff --git a/www-client/chromium/Manifest b/www-client/chromium/Manifest index 17bdadfd4989..70ae8403bf5e 100644 --- a/www-client/chromium/Manifest +++ b/www-client/chromium/Manifest @@ -1,6 +1,3 @@ -DIST chromium-91-patchset-6.tar.xz 4280 BLAKE2B 18887953453133589cfc5df58d24725047235fac3652cc7af7bd117fbc94aa9a2e1b1dd3147f772f84d8fa3e7b5b77159abc1e408d7b24b065bb1f12cebbfb2f SHA512 49b4aaedfbb1fa5629dbb453bb74f5735c05b14407ea3d2bb1eaee9686e03661a3c471357d085ab839dff16df92d71dae3a6f17486c017a79a836c1d8780a250 -DIST chromium-91-ppc64le-6.tar.xz 28968 BLAKE2B 5153be672aec91899d9eabe3ddf4c3d0b4b2d307e396afa2a83bf3102bc540fa62d69df365057128227428bd3abfc8cab9203fae41e5150191025d8ecea935ab SHA512 78071d204bf04a13a132a63a3d268a0d6d05a895c1ee55a41176fb5cca975c502e69a83ca0388ecea92c041f24235c452abdfbf0ee557e93db6685589fb9428b -DIST chromium-91.0.4472.164.tar.xz 950253100 BLAKE2B 4de7222dbf8fb22115518625ebc8eb62eca281bd4a28ee9d4f4450545aa4155a5bf7478f56d9ba482c102deea5c7b3214299549480c19d972b1380931f7ba4df SHA512 3d15b7df6d6627084bc82cfb6f9c52f917cdb03cea73f85199e6d41eb9636db867e56ea60d69a8bbc92dd8cb59f13b4ae6c609d59f32fe04f88c33252225f8a5 DIST chromium-92-glibc-2.33-patch.tar.xz 12636 BLAKE2B 0621d2135c1a0864374010c36959deda7b612d448e28780bfe8968fcd45363c091a84413eb3c6f560e9f805a421b910f33e9cc023055e7bf7801aa374d41dc80 SHA512 6d9e999c0b18186f2db28a804f9f84f6b472cf2fac33d72a0b09ded3106f43378a6eaf52b316e0b07a3876d9074ba299a285bdf06193553ee81bdbea4bc66294 DIST chromium-92-patchset-7.tar.xz 4004 BLAKE2B 8587663a072eb08abacbc2e54924855f29efefdbec46acf5cb8b0cc40b816b96ba7694c4ab1abe997572a6dbecf94ea27f368a7337263adfff44f2b4b042d862 SHA512 65c8267ab0921719c71d4b03a4315bbb1ceec35ce4794de9dcc6099b2c349baf4782b67316ebb8c9db233630b7fc89fa0baf719f9f0f41eb39972cdeb437e612 DIST chromium-92-ppc64le-1.tar.xz 30416 BLAKE2B e953e3ba1ac0ff4bae437328eb1c52fb3863007ff92db91c6858c8c5f7b4c5c39fb8bf6898c3385c7faa82666f1a18aae7fcb5379b9199e58c5c0526fbd9dbee SHA512 b5a20076a34705c53c56d7763189ebfd860a456ca544a7f0c9ce30c877be92270ea724f1bebb9b597b301def27dde0a672b0c30e16e6abbf958cecfd60b07ec5 diff --git a/www-client/chromium/chromium-91.0.4472.164.ebuild b/www-client/chromium/chromium-91.0.4472.164.ebuild deleted file mode 100644 index ba08b840323b..000000000000 --- a/www-client/chromium/chromium-91.0.4472.164.ebuild +++ /dev/null @@ -1,944 +0,0 @@ -# Copyright 2009-2021 Gentoo Authors -# Distributed under the terms of the GNU General Public License v2 - -EAPI=7 -PYTHON_COMPAT=( python2_7 ) -PYTHON_REQ_USE="xml" - -CHROMIUM_LANGS="am ar bg bn ca cs da de el en-GB es es-419 et fa fi fil fr gu he - hi hr hu id it ja kn ko lt lv ml mr ms nb nl pl pt-BR pt-PT ro ru sk sl sr - sv sw ta te th tr uk vi zh-CN zh-TW" - -inherit check-reqs chromium-2 desktop flag-o-matic multilib ninja-utils pax-utils portability python-any-r1 readme.gentoo-r1 toolchain-funcs xdg-utils - -DESCRIPTION="Open-source version of Google Chrome web browser" -HOMEPAGE="https://chromium.org/" -PATCHSET="6" -PATCHSET_NAME="chromium-$(ver_cut 1)-patchset-${PATCHSET}" -PPC64LE_PATCHSET="6" -SRC_URI="https://commondatastorage.googleapis.com/chromium-browser-official/${P}.tar.xz - https://files.pythonhosted.org/packages/ed/7b/bbf89ca71e722b7f9464ebffe4b5ee20a9e5c9a555a56e2d3914bb9119a6/setuptools-44.1.0.zip - https://github.com/stha09/chromium-patches/releases/download/${PATCHSET_NAME}/${PATCHSET_NAME}.tar.xz - arm64? ( https://github.com/google/highway/archive/refs/tags/0.12.1.tar.gz -> highway-0.12.1.tar.gz ) - ppc64? ( https://dev.gentoo.org/~gyakovlev/distfiles/${PN}-$(ver_cut 1)-ppc64le-${PPC64LE_PATCHSET}.tar.xz )" - -LICENSE="BSD" -SLOT="0" -KEYWORDS="amd64 arm64 ~ppc64 ~x86" -IUSE="component-build cups cpu_flags_arm_neon +hangouts headless +js-type-check kerberos official pic +proprietary-codecs pulseaudio screencast selinux +suid +system-ffmpeg +system-icu vaapi wayland widevine" -REQUIRED_USE=" - component-build? ( !suid ) - screencast? ( wayland ) -" - -COMMON_X_DEPEND=" - media-libs/mesa:=[gbm] - x11-libs/libX11:= - x11-libs/libXcomposite:= - x11-libs/libXcursor:= - x11-libs/libXdamage:= - x11-libs/libXext:= - x11-libs/libXfixes:= - >=x11-libs/libXi-1.6.0:= - x11-libs/libXrandr:= - x11-libs/libXrender:= - x11-libs/libXtst:= - x11-libs/libxcb:= - x11-libs/libxshmfence:= - vaapi? ( >=x11-libs/libva-2.7:=[X,drm] ) -" - -COMMON_DEPEND=" - app-arch/bzip2:= - cups? ( >=net-print/cups-1.3.11:= ) - dev-libs/expat:= - dev-libs/glib:2 - >=dev-libs/libxml2-2.9.4-r3:=[icu] - dev-libs/nspr:= - >=dev-libs/nss-3.26:= - >=media-libs/alsa-lib-1.0.19:= - media-libs/fontconfig:= - media-libs/freetype:= - >=media-libs/harfbuzz-2.4.0:0=[icu(-)] - media-libs/libjpeg-turbo:= - media-libs/libpng:= - pulseaudio? ( media-sound/pulseaudio:= ) - system-ffmpeg? ( - >=media-video/ffmpeg-4.3:= - || ( - media-video/ffmpeg[-samba] - >=net-fs/samba-4.5.10-r1[-debug(-)] - ) - >=media-libs/opus-1.3.1:= - ) - sys-apps/dbus:= - sys-apps/pciutils:= - virtual/udev - x11-libs/cairo:= - x11-libs/gdk-pixbuf:2 - x11-libs/libxkbcommon:= - x11-libs/pango:= - media-libs/flac:= - >=media-libs/libwebp-0.4.0:= - sys-libs/zlib:=[minizip] - kerberos? ( virtual/krb5 ) - !headless? ( - ${COMMON_X_DEPEND} - >=app-accessibility/at-spi2-atk-2.26:2 - >=app-accessibility/at-spi2-core-2.26:2 - >=dev-libs/atk-2.26 - x11-libs/gtk+:3[X] - wayland? ( - dev-libs/wayland:= - screencast? ( media-video/pipewire:0/0.3 ) - x11-libs/gtk+:3[wayland,X] - x11-libs/libdrm:= - ) - ) -" -RDEPEND="${COMMON_DEPEND} - x11-misc/xdg-utils - virtual/opengl - virtual/ttf-fonts - selinux? ( sec-policy/selinux-chromium ) -" -DEPEND="${COMMON_DEPEND} -" -# dev-vcs/git - https://bugs.gentoo.org/593476 -BDEPEND=" - ${PYTHON_DEPS} - >=app-arch/gzip-1.7 - app-arch/unzip - dev-lang/perl - >=dev-util/gn-0.1807 - dev-vcs/git - >=dev-util/gperf-3.0.3 - >=dev-util/ninja-1.7.2 - >=net-libs/nodejs-7.6.0[inspector] - sys-apps/hwids[usb(+)] - >=sys-devel/bison-2.4.3 - sys-devel/flex - virtual/pkgconfig - js-type-check? ( virtual/jre ) -" - -# These are intended for ebuild maintainer use to force clang if GCC is broken. -: ${CHROMIUM_FORCE_CLANG=no} -: ${CHROMIUM_FORCE_LIBCXX=no} - -if [[ ${CHROMIUM_FORCE_CLANG} == yes ]]; then - BDEPEND+=" >=sys-devel/clang-12" -fi - -if [[ ${CHROMIUM_FORCE_LIBCXX} == yes ]]; then - RDEPEND+=" >=sys-libs/libcxx-12" - DEPEND+=" >=sys-libs/libcxx-12" -else - COMMON_DEPEND=" - app-arch/snappy:= - dev-libs/libxslt:= - >=dev-libs/re2-0.2019.08.01:= - >=media-libs/openh264-1.6.0:= - system-icu? ( >=dev-libs/icu-69.1:= ) - " - RDEPEND+="${COMMON_DEPEND}" - DEPEND+="${COMMON_DEPEND}" -fi - -if ! has chromium_pkg_die ${EBUILD_DEATH_HOOKS}; then - EBUILD_DEATH_HOOKS+=" chromium_pkg_die"; -fi - -DISABLE_AUTOFORMATTING="yes" -DOC_CONTENTS=" -Some web pages may require additional fonts to display properly. -Try installing some of the following packages if some characters -are not displayed properly: -- media-fonts/arphicfonts -- media-fonts/droid -- media-fonts/ipamonafont -- media-fonts/noto -- media-fonts/ja-ipafonts -- media-fonts/takao-fonts -- media-fonts/wqy-microhei -- media-fonts/wqy-zenhei - -To fix broken icons on the Downloads page, you should install an icon -theme that covers the appropriate MIME types, and configure this as your -GTK+ icon theme. - -For native file dialogs in KDE, install kde-apps/kdialog. - -To make password storage work with your desktop environment you may -have install one of the supported credentials management applications: -- app-crypt/libsecret (GNOME) -- kde-frameworks/kwallet (KDE) -If you have one of above packages installed, but don't want to use -them in Chromium, then add --password-store=basic to CHROMIUM_FLAGS -in /etc/chromium/default. -" - -pre_build_checks() { - if [[ ${MERGE_TYPE} != binary ]]; then - local -x CPP="$(tc-getCXX) -E" - if tc-is-gcc && ! ver_test "$(gcc-version)" -ge 9.2; then - die "At least gcc 9.2 is required" - fi - if [[ ${CHROMIUM_FORCE_CLANG} == yes ]] || tc-is-clang; then - CPP="${CHOST}-clang++ -E" - if ! ver_test "$(clang-major-version)" -ge 12; then - die "At least clang 12 is required" - fi - fi - fi - - # Check build requirements, bug #541816 and bug #471810 . - CHECKREQS_MEMORY="3G" - CHECKREQS_DISK_BUILD="8G" - if ( shopt -s extglob; is-flagq '-g?(gdb)?([1-9])' ); then - if use custom-cflags || use component-build; then - CHECKREQS_DISK_BUILD="25G" - fi - if ! use component-build; then - CHECKREQS_MEMORY="16G" - fi - fi - check-reqs_pkg_setup -} - -pkg_pretend() { - pre_build_checks -} - -pkg_setup() { - pre_build_checks - - chromium_suid_sandbox_check_kernel_config - - # nvidia-drivers does not work correctly with Wayland due to unsupported EGLStreams - if use wayland && ! use headless && has_version "x11-drivers/nvidia-drivers"; then - ewarn "Proprietary nVidia driver does not work with Wayland. You can disable" - ewarn "Wayland by setting DISABLE_OZONE_PLATFORM=true in /etc/chromium/default." - fi -} - -src_prepare() { - # Calling this here supports resumption via FEATURES=keepwork - python_setup - - local PATCHES=( - "${WORKDIR}/patches" - "${FILESDIR}/chromium-89-EnumTable-crash.patch" - "${FILESDIR}/chromium-91-ThemeService-crash.patch" - "${FILESDIR}/chromium-91-system-icu.patch" - "${FILESDIR}/chromium-shim_headers.patch" - ) - - # seccomp sandbox is broken if compiled against >=sys-libs/glibc-2.33, bug #769989 - if has_version -d ">=sys-libs/glibc-2.33"; then - ewarn "Adding experimental glibc-2.33 sandbox patch. Seccomp sandbox might" - ewarn "still not work correctly. In case of issues, try to disable seccomp" - ewarn "sandbox by adding --disable-seccomp-filter-sandbox to CHROMIUM_FLAGS" - ewarn "in /etc/chromium/default." - PATCHES+=( - "${FILESDIR}/chromium-glibc-2.33.patch" - ) - fi - - use ppc64 && eapply -p0 "${WORKDIR}/${PN}"-ppc64le - - default - - mkdir -p third_party/node/linux/node-linux-x64/bin || die - ln -s "${EPREFIX}"/usr/bin/node third_party/node/linux/node-linux-x64/bin/node || die - - # bundled highway library does not support arm64 with GCC - if use arm64; then - rm -r third_party/highway/src || die - ln -s "${WORKDIR}/highway-0.12.1" third_party/highway/src || die - fi - - local keeplibs=( - base/third_party/cityhash - base/third_party/double_conversion - base/third_party/dynamic_annotations - base/third_party/icu - base/third_party/nspr - base/third_party/superfasthash - base/third_party/symbolize - base/third_party/valgrind - base/third_party/xdg_mime - base/third_party/xdg_user_dirs - buildtools/third_party/libc++ - buildtools/third_party/libc++abi - chrome/third_party/mozilla_security_manager - courgette/third_party - net/third_party/mozilla_security_manager - net/third_party/nss - net/third_party/quic - net/third_party/uri_template - third_party/abseil-cpp - third_party/angle - third_party/angle/src/common/third_party/base - third_party/angle/src/common/third_party/smhasher - third_party/angle/src/common/third_party/xxhash - third_party/angle/src/third_party/compiler - third_party/angle/src/third_party/libXNVCtrl - third_party/angle/src/third_party/trace_event - third_party/angle/src/third_party/volk - third_party/apple_apsl - third_party/axe-core - third_party/blink - third_party/boringssl - third_party/boringssl/src/third_party/fiat - third_party/breakpad - third_party/breakpad/breakpad/src/third_party/curl - third_party/brotli - third_party/catapult - third_party/catapult/common/py_vulcanize/third_party/rcssmin - third_party/catapult/common/py_vulcanize/third_party/rjsmin - third_party/catapult/third_party/beautifulsoup4 - third_party/catapult/third_party/html5lib-python - third_party/catapult/third_party/polymer - third_party/catapult/third_party/six - third_party/catapult/tracing/third_party/d3 - third_party/catapult/tracing/third_party/gl-matrix - third_party/catapult/tracing/third_party/jpeg-js - third_party/catapult/tracing/third_party/jszip - third_party/catapult/tracing/third_party/mannwhitneyu - third_party/catapult/tracing/third_party/oboe - third_party/catapult/tracing/third_party/pako - third_party/ced - third_party/cld_3 - third_party/closure_compiler - third_party/crashpad - third_party/crashpad/crashpad/third_party/lss - third_party/crashpad/crashpad/third_party/zlib - third_party/crc32c - third_party/cros_system_api - third_party/dav1d - third_party/dawn - third_party/dawn/third_party/khronos - third_party/depot_tools - third_party/devscripts - third_party/devtools-frontend - third_party/devtools-frontend/src/front_end/third_party/acorn - third_party/devtools-frontend/src/front_end/third_party/axe-core - third_party/devtools-frontend/src/front_end/third_party/chromium - third_party/devtools-frontend/src/front_end/third_party/codemirror - third_party/devtools-frontend/src/front_end/third_party/fabricjs - third_party/devtools-frontend/src/front_end/third_party/i18n - third_party/devtools-frontend/src/front_end/third_party/intl-messageformat - third_party/devtools-frontend/src/front_end/third_party/lighthouse - third_party/devtools-frontend/src/front_end/third_party/lit-html - third_party/devtools-frontend/src/front_end/third_party/lodash-isequal - third_party/devtools-frontend/src/front_end/third_party/marked - third_party/devtools-frontend/src/front_end/third_party/puppeteer - third_party/devtools-frontend/src/front_end/third_party/wasmparser - third_party/devtools-frontend/src/third_party - third_party/dom_distiller_js - third_party/eigen3 - third_party/emoji-segmenter - third_party/farmhash - third_party/fdlibm - third_party/fft2d - third_party/flatbuffers - third_party/freetype - third_party/fusejs - third_party/highway - third_party/libgifcodec - third_party/liburlpattern - third_party/libzip - third_party/gemmlowp - third_party/google_input_tools - third_party/google_input_tools/third_party/closure_library - third_party/google_input_tools/third_party/closure_library/third_party/closure - third_party/googletest - third_party/harfbuzz-ng/utils - third_party/hunspell - third_party/iccjpeg - third_party/inspector_protocol - third_party/jinja2 - third_party/jsoncpp - third_party/jstemplate - third_party/khronos - third_party/leveldatabase - third_party/libXNVCtrl - third_party/libaddressinput - third_party/libaom - third_party/libaom/source/libaom/third_party/fastfeat - third_party/libaom/source/libaom/third_party/vector - third_party/libaom/source/libaom/third_party/x86inc - third_party/libavif - third_party/libgav1 - third_party/libjingle - third_party/libjxl - third_party/libphonenumber - third_party/libsecret - third_party/libsrtp - third_party/libsync - third_party/libudev - third_party/libva_protected_content - third_party/libvpx - third_party/libvpx/source/libvpx/third_party/x86inc - third_party/libwebm - third_party/libx11 - third_party/libxcb-keysyms - third_party/libxml/chromium - third_party/libyuv - third_party/llvm - third_party/lottie - third_party/lss - third_party/lzma_sdk - third_party/mako - third_party/markupsafe - third_party/mesa - third_party/metrics_proto - third_party/minigbm - third_party/modp_b64 - third_party/nasm - third_party/nearby - third_party/neon_2_sse - third_party/node - third_party/node/node_modules/polymer-bundler/lib/third_party/UglifyJS2 - third_party/one_euro_filter - third_party/opencv - third_party/openscreen - third_party/openscreen/src/third_party/mozilla - third_party/openscreen/src/third_party/tinycbor/src/src - third_party/ots - third_party/pdfium - third_party/pdfium/third_party/agg23 - third_party/pdfium/third_party/base - third_party/pdfium/third_party/bigint - third_party/pdfium/third_party/freetype - third_party/pdfium/third_party/lcms - third_party/pdfium/third_party/libopenjpeg20 - third_party/pdfium/third_party/libpng16 - third_party/pdfium/third_party/libtiff - third_party/pdfium/third_party/skia_shared - third_party/perfetto - third_party/perfetto/protos/third_party/chromium - third_party/pffft - third_party/ply - third_party/polymer - third_party/private-join-and-compute - third_party/private_membership - third_party/protobuf - third_party/protobuf/third_party/six - third_party/pyjson5 - third_party/qcms - third_party/rnnoise - third_party/s2cellid - third_party/securemessage - third_party/shell-encryption - third_party/simplejson - third_party/skia - third_party/skia/include/third_party/skcms - third_party/skia/include/third_party/vulkan - third_party/skia/third_party/skcms - third_party/skia/third_party/vulkan - third_party/smhasher - third_party/sqlite - third_party/swiftshader - third_party/swiftshader/third_party/astc-encoder - third_party/swiftshader/third_party/llvm-subzero - third_party/swiftshader/third_party/marl - third_party/swiftshader/third_party/subzero - third_party/swiftshader/third_party/SPIRV-Headers/include/spirv/unified1 - third_party/tcmalloc - third_party/tensorflow-text - third_party/tflite - third_party/tflite/src/third_party/eigen3 - third_party/tflite/src/third_party/fft2d - third_party/tflite-support - third_party/tint - third_party/ruy - third_party/ukey2 - third_party/unrar - third_party/usrsctp - third_party/utf - third_party/vulkan - third_party/web-animations-js - third_party/webdriver - third_party/webgpu-cts - third_party/webrtc - third_party/webrtc/common_audio/third_party/ooura - third_party/webrtc/common_audio/third_party/spl_sqrt_floor - third_party/webrtc/modules/third_party/fft - third_party/webrtc/modules/third_party/g711 - third_party/webrtc/modules/third_party/g722 - third_party/webrtc/rtc_base/third_party/base64 - third_party/webrtc/rtc_base/third_party/sigslot - third_party/widevine - third_party/woff2 - third_party/wuffs - third_party/x11proto - third_party/xcbproto - third_party/zxcvbn-cpp - third_party/zlib/google - tools/grit/third_party/six - url/third_party/mozilla - v8/src/third_party/siphash - v8/src/third_party/valgrind - v8/src/third_party/utf8-decoder - v8/third_party/inspector_protocol - v8/third_party/v8 - - # gyp -> gn leftovers - base/third_party/libevent - third_party/speech-dispatcher - third_party/usb_ids - third_party/xdg-utils - ) - if ! use system-ffmpeg; then - keeplibs+=( third_party/ffmpeg third_party/opus ) - fi - if ! use system-icu; then - keeplibs+=( third_party/icu ) - fi - if use wayland && ! use headless ; then - keeplibs+=( third_party/wayland ) - fi - if [[ ${CHROMIUM_FORCE_LIBCXX} == yes ]]; then - keeplibs+=( third_party/libxml ) - keeplibs+=( third_party/libxslt ) - keeplibs+=( third_party/openh264 ) - keeplibs+=( third_party/re2 ) - keeplibs+=( third_party/snappy ) - if use system-icu; then - keeplibs+=( third_party/icu ) - fi - fi - if use arm64 || use ppc64 ; then - keeplibs+=( third_party/swiftshader/third_party/llvm-10.0 ) - fi - # we need to generate ppc64 stuff because upstream does not ship it yet - # it has to be done before unbundling. - if use ppc64; then - pushd third_party/libvpx >/dev/null || die - mkdir -p source/config/linux/ppc64 || die - ./generate_gni.sh || die - popd >/dev/null || die - fi - - # Remove most bundled libraries. Some are still needed. - build/linux/unbundle/remove_bundled_libraries.py "${keeplibs[@]}" --do-remove || die - - if use js-type-check; then - ln -s "${EPREFIX}"/usr/bin/java third_party/jdk/current/bin/java || die - fi -} - -src_configure() { - # Calling this here supports resumption via FEATURES=keepwork - python_setup - - local myconf_gn="" - - # Make sure the build system will use the right tools, bug #340795. - tc-export AR CC CXX NM - - if [[ ${CHROMIUM_FORCE_CLANG} == yes ]] && ! tc-is-clang; then - # Force clang since gcc is pretty broken at the moment. - CC=${CHOST}-clang - CXX=${CHOST}-clang++ - strip-unsupported-flags - fi - - if tc-is-clang; then - myconf_gn+=" is_clang=true clang_use_chrome_plugins=false" - else - if [[ ${CHROMIUM_FORCE_LIBCXX} == yes ]]; then - die "Compiling with sys-libs/libcxx requires clang." - fi - myconf_gn+=" is_clang=false" - fi - - # Define a custom toolchain for GN - myconf_gn+=" custom_toolchain=\"//build/toolchain/linux/unbundle:default\"" - - if tc-is-cross-compiler; then - tc-export BUILD_{AR,CC,CXX,NM} - myconf_gn+=" host_toolchain=\"//build/toolchain/linux/unbundle:host\"" - myconf_gn+=" v8_snapshot_toolchain=\"//build/toolchain/linux/unbundle:host\"" - else - myconf_gn+=" host_toolchain=\"//build/toolchain/linux/unbundle:default\"" - fi - - # GN needs explicit config for Debug/Release as opposed to inferring it from build directory. - myconf_gn+=" is_debug=false" - - # Component build isn't generally intended for use by end users. It's mostly useful - # for development and debugging. - myconf_gn+=" is_component_build=$(usex component-build true false)" - - # Disable nacl, we can't build without pnacl (http://crbug.com/269560). - myconf_gn+=" enable_nacl=false" - - # Use system-provided libraries. - # TODO: freetype -- remove sources (https://bugs.chromium.org/p/pdfium/issues/detail?id=733). - # TODO: use_system_hunspell (upstream changes needed). - # TODO: use_system_libsrtp (bug #459932). - # TODO: use_system_protobuf (bug #525560). - # TODO: use_system_ssl (http://crbug.com/58087). - # TODO: use_system_sqlite (http://crbug.com/22208). - - # libevent: https://bugs.gentoo.org/593458 - local gn_system_libraries=( - flac - fontconfig - freetype - # Need harfbuzz_from_pkgconfig target - #harfbuzz-ng - libdrm - libjpeg - libpng - libwebp - zlib - ) - if use system-ffmpeg; then - gn_system_libraries+=( ffmpeg opus ) - fi - if use system-icu; then - gn_system_libraries+=( icu ) - fi - if [[ ${CHROMIUM_FORCE_LIBCXX} != yes ]]; then - # unbundle only without libc++, because libc++ is not fully ABI compatible with libstdc++ - gn_system_libraries+=( libxml ) - gn_system_libraries+=( libxslt ) - gn_system_libraries+=( openh264 ) - gn_system_libraries+=( re2 ) - gn_system_libraries+=( snappy ) - fi - build/linux/unbundle/replace_gn_files.py --system-libraries "${gn_system_libraries[@]}" || die - - # See dependency logic in third_party/BUILD.gn - myconf_gn+=" use_system_harfbuzz=true" - - # Disable deprecated libgnome-keyring dependency, bug #713012 - myconf_gn+=" use_gnome_keyring=false" - - # Optional dependencies. - myconf_gn+=" enable_js_type_check=$(usex js-type-check true false)" - myconf_gn+=" enable_hangout_services_extension=$(usex hangouts true false)" - myconf_gn+=" enable_widevine=$(usex widevine true false)" - myconf_gn+=" use_cups=$(usex cups true false)" - myconf_gn+=" use_kerberos=$(usex kerberos true false)" - myconf_gn+=" use_pulseaudio=$(usex pulseaudio true false)" - myconf_gn+=" use_vaapi=$(usex vaapi true false)" - myconf_gn+=" rtc_use_pipewire=$(usex screencast true false) rtc_pipewire_version=\"0.3\"" - - # TODO: link_pulseaudio=true for GN. - - myconf_gn+=" fieldtrial_testing_like_official_build=true" - - # Never use bundled gold binary. Disable gold linker flags for now. - # Do not use bundled clang. - # Trying to use gold results in linker crash. - myconf_gn+=" use_gold=false use_sysroot=false use_custom_libcxx=false" - - # Disable forced lld, bug 641556 - myconf_gn+=" use_lld=false" - - # Disable pseudolocales, only used for testing - myconf_gn+=" enable_pseudolocales=false" - - ffmpeg_branding="$(usex proprietary-codecs Chrome Chromium)" - myconf_gn+=" proprietary_codecs=$(usex proprietary-codecs true false)" - myconf_gn+=" ffmpeg_branding=\"${ffmpeg_branding}\"" - - # Set up Google API keys, see http://www.chromium.org/developers/how-tos/api-keys . - # Note: these are for Gentoo use ONLY. For your own distribution, - # please get your own set of keys. Feel free to contact chromium@gentoo.org - # for more info. - local google_api_key="AIzaSyDEAOvatFo0eTgsV_ZlEzx0ObmepsMzfAc" - local google_default_client_id="329227923882.apps.googleusercontent.com" - local google_default_client_secret="vgKG0NNv7GoDpbtoFNLxCUXu" - myconf_gn+=" google_api_key=\"${google_api_key}\"" - myconf_gn+=" google_default_client_id=\"${google_default_client_id}\"" - myconf_gn+=" google_default_client_secret=\"${google_default_client_secret}\"" - local myarch="$(tc-arch)" - - # Avoid CFLAGS problems, bug #352457, bug #390147. - if ! use custom-cflags; then - replace-flags "-Os" "-O2" - strip-flags - - # Debug info section overflows without component build - # Prevent linker from running out of address space, bug #471810 . - if ! use component-build || use x86; then - filter-flags "-g*" - fi - - # Prevent libvpx build failures. Bug 530248, 544702, 546984. - if [[ ${myarch} == amd64 || ${myarch} == x86 ]]; then - filter-flags -mno-mmx -mno-sse2 -mno-ssse3 -mno-sse4.1 -mno-avx -mno-avx2 -mno-fma -mno-fma4 - fi - fi - - if [[ ${CHROMIUM_FORCE_LIBCXX} == yes ]]; then - append-flags -stdlib=libc++ - append-ldflags -stdlib=libc++ - fi - - if [[ $myarch = amd64 ]] ; then - myconf_gn+=" target_cpu=\"x64\"" - ffmpeg_target_arch=x64 - elif [[ $myarch = x86 ]] ; then - myconf_gn+=" target_cpu=\"x86\"" - ffmpeg_target_arch=ia32 - - # This is normally defined by compiler_cpu_abi in - # build/config/compiler/BUILD.gn, but we patch that part out. - append-flags -msse2 -mfpmath=sse -mmmx - elif [[ $myarch = arm64 ]] ; then - myconf_gn+=" target_cpu=\"arm64\"" - ffmpeg_target_arch=arm64 - elif [[ $myarch = arm ]] ; then - myconf_gn+=" target_cpu=\"arm\"" - ffmpeg_target_arch=$(usex cpu_flags_arm_neon arm-neon arm) - elif [[ $myarch = ppc64 ]] ; then - myconf_gn+=" target_cpu=\"ppc64\"" - ffmpeg_target_arch=ppc64 - else - die "Failed to determine target arch, got '$myarch'." - fi - - # Make sure that -Werror doesn't get added to CFLAGS by the build system. - # Depending on GCC version the warnings are different and we don't want - # the build to fail because of that. - myconf_gn+=" treat_warnings_as_errors=false" - - # Disable fatal linker warnings, bug 506268. - myconf_gn+=" fatal_linker_warnings=false" - - # Bug 491582. - export TMPDIR="${WORKDIR}/temp" - mkdir -p -m 755 "${TMPDIR}" || die - - # https://bugs.gentoo.org/654216 - addpredict /dev/dri/ #nowarn - - #if ! use system-ffmpeg; then - if false; then - local build_ffmpeg_args="" - if use pic && [[ "${ffmpeg_target_arch}" == "ia32" ]]; then - build_ffmpeg_args+=" --disable-asm" - fi - - # Re-configure bundled ffmpeg. See bug #491378 for example reasons. - einfo "Configuring bundled ffmpeg..." - pushd third_party/ffmpeg > /dev/null || die - chromium/scripts/build_ffmpeg.py linux ${ffmpeg_target_arch} \ - --branding ${ffmpeg_branding} -- ${build_ffmpeg_args} || die - chromium/scripts/copy_config.sh || die - chromium/scripts/generate_gn.py || die - popd > /dev/null || die - fi - - # Chromium relies on this, but was disabled in >=clang-10, crbug.com/1042470 - append-cxxflags $(test-flags-CXX -flax-vector-conversions=all) - - # highway/libjxl relies on this with arm64 - if use arm64 && tc-is-gcc; then - append-cxxflags -flax-vector-conversions - fi - - # highway/libjxl fail on ppc64 without extra patches, disable for now. - use ppc64 && myconf_gn+=" enable_jxl_decoder=false" - - # Disable unknown warning message from clang. - tc-is-clang && append-flags -Wno-unknown-warning-option - - # Explicitly disable ICU data file support for system-icu builds. - if use system-icu; then - myconf_gn+=" icu_use_data_file=false" - fi - - # Enable ozone wayland and/or headless support - myconf_gn+=" use_ozone=true ozone_auto_platforms=false" - myconf_gn+=" ozone_platform_headless=true" - if use wayland || use headless; then - if use headless; then - myconf_gn+=" ozone_platform=\"headless\"" - myconf_gn+=" use_x11=false" - else - myconf_gn+=" ozone_platform_wayland=true" - myconf_gn+=" use_system_libdrm=true" - myconf_gn+=" use_system_minigbm=true" - myconf_gn+=" use_xkbcommon=true" - myconf_gn+=" ozone_platform=\"wayland\"" - fi - fi - - # Enable official builds - myconf_gn+=" is_official_build=$(usex official true false)" - myconf_gn+=" use_thin_lto=false" - if use official; then - # Allow building against system libraries in official builds - sed -i 's/OFFICIAL_BUILD/GOOGLE_CHROME_BUILD/' \ - tools/generate_shim_headers/generate_shim_headers.py || die - # Disable CFI: unsupported for GCC, requires clang+lto+lld - myconf_gn+=" is_cfi=false" - # Disable PGO, because profile data is only compatible with >=clang-11 - myconf_gn+=" chrome_pgo_phase=0" - fi - - einfo "Configuring Chromium..." - set -- gn gen --args="${myconf_gn} ${EXTRA_GN}" out/Release - echo "$@" - "$@" || die -} - -src_compile() { - # Final link uses lots of file descriptors. - ulimit -n 2048 - - # Calling this here supports resumption via FEATURES=keepwork - python_setup - - # https://bugs.gentoo.org/717456 - # don't inherit PYTHONPATH from environment, bug #789021 - local -x PYTHONPATH="${WORKDIR}/setuptools-44.1.0" - - #"${EPYTHON}" tools/clang/scripts/update.py --force-local-build --gcc-toolchain /usr --skip-checkout --use-system-cmake --without-android || die - - # Build mksnapshot and pax-mark it. - local x - for x in mksnapshot v8_context_snapshot_generator; do - if tc-is-cross-compiler; then - eninja -C out/Release "host/${x}" - pax-mark m "out/Release/host/${x}" - else - eninja -C out/Release "${x}" - pax-mark m "out/Release/${x}" - fi - done - - # Even though ninja autodetects number of CPUs, we respect - # user's options, for debugging with -j 1 or any other reason. - eninja -C out/Release chrome chromedriver - use suid && eninja -C out/Release chrome_sandbox - - pax-mark m out/Release/chrome - - # Build manpage; bug #684550 - sed -e 's|@@PACKAGE@@|chromium-browser|g; - s|@@MENUNAME@@|Chromium|g;' \ - chrome/app/resources/manpage.1.in > \ - out/Release/chromium-browser.1 || die - - # Build desktop file; bug #706786 - sed -e 's|@@MENUNAME@@|Chromium|g; - s|@@USR_BIN_SYMLINK_NAME@@|chromium-browser|g; - s|@@PACKAGE@@|chromium-browser|g; - s|\(^Exec=\)/usr/bin/|\1|g;' \ - chrome/installer/linux/common/desktop.template > \ - out/Release/chromium-browser-chromium.desktop || die -} - -src_install() { - local CHROMIUM_HOME="/usr/$(get_libdir)/chromium-browser" - exeinto "${CHROMIUM_HOME}" - doexe out/Release/chrome - - if use suid; then - newexe out/Release/chrome_sandbox chrome-sandbox - fperms 4755 "${CHROMIUM_HOME}/chrome-sandbox" - fi - - doexe out/Release/chromedriver - - local sedargs=( -e - "s:/usr/lib/:/usr/$(get_libdir)/:g; - s:@@OZONE_AUTO_SESSION@@:$(usex wayland true false):g; - s:@@FORCE_OZONE_PLATFORM@@:$(usex headless true false):g" - ) - sed "${sedargs[@]}" "${FILESDIR}/chromium-launcher-r6.sh" > chromium-launcher.sh || die - doexe chromium-launcher.sh - - # It is important that we name the target "chromium-browser", - # xdg-utils expect it; bug #355517. - dosym "${CHROMIUM_HOME}/chromium-launcher.sh" /usr/bin/chromium-browser - # keep the old symlink around for consistency - dosym "${CHROMIUM_HOME}/chromium-launcher.sh" /usr/bin/chromium - - dosym "${CHROMIUM_HOME}/chromedriver" /usr/bin/chromedriver - - # Allow users to override command-line options, bug #357629. - insinto /etc/chromium - newins "${FILESDIR}/chromium.default" "default" - - pushd out/Release/locales > /dev/null || die - chromium_remove_language_paks - popd - - insinto "${CHROMIUM_HOME}" - doins out/Release/*.bin - doins out/Release/*.pak - ( - shopt -s nullglob - local files=(out/Release/*.so out/Release/*.so.[0-9]) - [[ ${#files[@]} -gt 0 ]] && doins "${files[@]}" - ) - - if ! use system-icu; then - doins out/Release/icudtl.dat - fi - - doins -r out/Release/locales - doins -r out/Release/resources - - if [[ -d out/Release/swiftshader ]]; then - insinto "${CHROMIUM_HOME}/swiftshader" - doins out/Release/swiftshader/*.so - fi - - # Install icons - local branding size - for size in 16 24 32 48 64 128 256 ; do - case ${size} in - 16|32) branding="chrome/app/theme/default_100_percent/chromium" ;; - *) branding="chrome/app/theme/chromium" ;; - esac - newicon -s ${size} "${branding}/product_logo_${size}.png" \ - chromium-browser.png - done - - # Install desktop entry - domenu out/Release/chromium-browser-chromium.desktop - - # Install GNOME default application entry (bug #303100). - insinto /usr/share/gnome-control-center/default-apps - newins "${FILESDIR}"/chromium-browser.xml chromium-browser.xml - - # Install manpage; bug #684550 - doman out/Release/chromium-browser.1 - dosym chromium-browser.1 /usr/share/man/man1/chromium.1 - - readme.gentoo_create_doc -} - -pkg_postrm() { - xdg_icon_cache_update - xdg_desktop_database_update -} - -pkg_postinst() { - xdg_icon_cache_update - xdg_desktop_database_update - readme.gentoo_print_elog - - if use vaapi; then - elog "VA-API is disabled by default at runtime. You have to enable it" - elog "by adding --enable-features=VaapiVideoDecoder to CHROMIUM_FLAGS" - elog "in /etc/chromium/default." - fi - if use screencast; then - elog "Screencast is disabled by default at runtime. Either enable it" - elog "by navigating to chrome://flags/#enable-webrtc-pipewire-capturer" - elog "inside Chromium or add --enable-webrtc-pipewire-capturer" - elog "to CHROMIUM_FLAGS in /etc/chromium/default." - fi -} diff --git a/www-client/chromium/files/chromium-89-EnumTable-crash.patch b/www-client/chromium/files/chromium-89-EnumTable-crash.patch deleted file mode 100644 index 89a50702dfae..000000000000 --- a/www-client/chromium/files/chromium-89-EnumTable-crash.patch +++ /dev/null @@ -1,71 +0,0 @@ -diff --git a/components/cast_channel/enum_table.h b/components/cast_channel/enum_table.h -index e3130c7..2ad16ea 100644 ---- a/components/cast_channel/enum_table.h -+++ b/components/cast_channel/enum_table.h -@@ -212,7 +212,7 @@ class - - template <typename E> - friend class EnumTable; -- DISALLOW_COPY_AND_ASSIGN(GenericEnumTableEntry); -+ DISALLOW_ASSIGN(GenericEnumTableEntry); - }; - - // Yes, these constructors really needs to be inlined. Even though they look -@@ -250,8 +250,7 @@ class EnumTable { - // Constructor for regular entries. - constexpr Entry(E value, base::StringPiece str) - : GenericEnumTableEntry(static_cast<int32_t>(value), str) {} -- -- DISALLOW_COPY_AND_ASSIGN(Entry); -+ DISALLOW_ASSIGN(Entry); - }; - - static_assert(sizeof(E) <= sizeof(int32_t), -@@ -306,15 +305,14 @@ class EnumTable { - if (is_sorted_) { - const std::size_t index = static_cast<std::size_t>(value); - if (ANALYZER_ASSUME_TRUE(index < data_.size())) { -- const auto& entry = data_.begin()[index]; -+ const auto& entry = data_[index]; - if (ANALYZER_ASSUME_TRUE(entry.has_str())) - return entry.str(); - } - return base::nullopt; - } - return GenericEnumTableEntry::FindByValue( -- reinterpret_cast<const GenericEnumTableEntry*>(data_.begin()), -- data_.size(), static_cast<int32_t>(value)); -+ &data_[0], data_.size(), static_cast<int32_t>(value)); - } - - // This overload of GetString is designed for cases where the argument is a -@@ -342,8 +340,7 @@ class EnumTable { - // enum value directly. - base::Optional<E> GetEnum(base::StringPiece str) const { - auto* entry = GenericEnumTableEntry::FindByString( -- reinterpret_cast<const GenericEnumTableEntry*>(data_.begin()), -- data_.size(), str); -+ &data_[0], data_.size(), str); - return entry ? static_cast<E>(entry->value) : base::Optional<E>(); - } - -@@ -358,7 +355,7 @@ class EnumTable { - // Align the data on a cache line boundary. - alignas(64) - #endif -- std::initializer_list<Entry> data_; -+ const std::vector<Entry> data_; - bool is_sorted_; - - constexpr EnumTable(std::initializer_list<Entry> data, bool is_sorted) -@@ -370,8 +367,8 @@ class EnumTable { - - for (std::size_t i = 0; i < data.size(); i++) { - for (std::size_t j = i + 1; j < data.size(); j++) { -- const Entry& ei = data.begin()[i]; -- const Entry& ej = data.begin()[j]; -+ const Entry& ei = data[i]; -+ const Entry& ej = data[j]; - DCHECK(ei.value != ej.value) - << "Found duplicate enum values at indices " << i << " and " << j; - DCHECK(!(ei.has_str() && ej.has_str() && ei.str() == ej.str())) diff --git a/www-client/chromium/files/chromium-91-ThemeService-crash.patch b/www-client/chromium/files/chromium-91-ThemeService-crash.patch deleted file mode 100644 index 455aef33e785..000000000000 --- a/www-client/chromium/files/chromium-91-ThemeService-crash.patch +++ /dev/null @@ -1,36 +0,0 @@ -From 265192616d494ed586df9123ceb63389a7c48916 Mon Sep 17 00:00:00 2001 -From: Stephan Hartmann <stha09@googlemail.com> -Date: Tue, 13 Apr 2021 06:20:25 +0000 -Subject: [PATCH] fix crash in theme_service - ---- - chrome/browser/themes/theme_service.h | 6 ++++-- - 1 file changed, 4 insertions(+), 2 deletions(-) - -diff --git a/chrome/browser/themes/theme_service.h b/chrome/browser/themes/theme_service.h -index 592d40a..337dfac 100644 ---- a/chrome/browser/themes/theme_service.h -+++ b/chrome/browser/themes/theme_service.h -@@ -299,6 +299,10 @@ class ThemeService : public KeyedService, - // The number of infobars currently displayed. - int number_of_reinstallers_ = 0; - -+ // Declared before |theme_syncable_service_|, because ThemeSyncableService -+ // removes itself from the |observers_| list on destruction. -+ base::ObserverList<ThemeServiceObserver> observers_; -+ - std::unique_ptr<ThemeSyncableService> theme_syncable_service_; - - #if BUILDFLAG(ENABLE_EXTENSIONS) -@@ -320,8 +324,6 @@ class ThemeService : public KeyedService, - ScopedObserver<ui::NativeTheme, ui::NativeThemeObserver> - native_theme_observer_{this}; - -- base::ObserverList<ThemeServiceObserver> observers_; -- - base::WeakPtrFactory<ThemeService> weak_ptr_factory_{this}; - - DISALLOW_COPY_AND_ASSIGN(ThemeService); --- -2.26.3 - diff --git a/www-client/chromium/files/chromium-91-system-icu.patch b/www-client/chromium/files/chromium-91-system-icu.patch deleted file mode 100644 index 797ee33b374b..000000000000 --- a/www-client/chromium/files/chromium-91-system-icu.patch +++ /dev/null @@ -1,29 +0,0 @@ -From a0ddb153bdaf0ef83c8bfec744fedb97bf4ccfd0 Mon Sep 17 00:00:00 2001 -From: Stephan Hartmann <stha09@googlemail.com> -Date: Fri, 16 Apr 2021 14:09:29 +0000 -Subject: [PATCH] [unbundle] Use char16_t as UCHAR_TYPE - -Overriding UCHAR_TYPE was dropped with: -https://chromium-review.googlesource.com/c/chromium/deps/icu/+/2732628 ---- - build/linux/unbundle/icu.gn | 19 +++++++------------ - 1 file changed, 7 insertions(+), 12 deletions(-) - -diff --git a/build/linux/unbundle/icu.gn b/build/linux/unbundle/icu.gn -index 0f52fc1..33a0121 100644 ---- a/build/linux/unbundle/icu.gn -+++ b/build/linux/unbundle/icu.gn -@@ -16,7 +16,6 @@ config("icu_config") { - defines = [ - "USING_SYSTEM_ICU=1", - "ICU_UTIL_DATA_IMPL=ICU_UTIL_DATA_STATIC", -- "UCHAR_TYPE=uint16_t", - - # U_EXPORT (defined in unicode/platform.h) is used to set public visibility - # on classes through the U_COMMON_API and U_I18N_API macros (among others). - ] - } - --- -2.26.3 - diff --git a/www-client/chromium/files/chromium-glibc-2.33.patch b/www-client/chromium/files/chromium-glibc-2.33.patch deleted file mode 100644 index 26e8003968d1..000000000000 --- a/www-client/chromium/files/chromium-glibc-2.33.patch +++ /dev/null @@ -1,141 +0,0 @@ -diff -up chromium-88.0.4324.96/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc.fstatfix chromium-88.0.4324.96/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc ---- chromium-88.0.4324.96/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc.fstatfix 2021-01-25 10:11:45.427436398 -0500 -+++ chromium-88.0.4324.96/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc 2021-01-25 10:12:51.337699003 -0500 -@@ -257,6 +257,18 @@ ResultExpr EvaluateSyscallImpl(int fs_de - return RestrictKillTarget(current_pid, sysno); - } - -+#if defined(__NR_newfstatat) -+ if (sysno == __NR_newfstatat) { -+ return RewriteFstatatSIGSYS(); -+ } -+#endif -+ -+#if defined(__NR_fstatat64) -+ if (sysno == __NR_fstatat64) { -+ return RewriteFstatatSIGSYS(); -+ } -+#endif -+ - if (SyscallSets::IsFileSystem(sysno) || - SyscallSets::IsCurrentDirectory(sysno)) { - return Error(fs_denied_errno); -diff -up chromium-88.0.4324.96/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.cc.fstatfix chromium-88.0.4324.96/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.cc ---- chromium-88.0.4324.96/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.cc.fstatfix 2021-01-25 10:13:10.179774081 -0500 -+++ chromium-88.0.4324.96/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.cc 2021-01-25 10:16:18.790525746 -0500 -@@ -6,6 +6,8 @@ - - #include "sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h" - -+#include <errno.h> -+#include <fcntl.h> - #include <stddef.h> - #include <stdint.h> - #include <string.h> -@@ -355,6 +357,35 @@ intptr_t SIGSYSSchedHandler(const struct - return -ENOSYS; - } - -+intptr_t SIGSYSFstatatHandler(const struct arch_seccomp_data& args, -+ void* aux) { -+ switch (args.nr) { -+#if defined(__NR_newfstatat) -+ case __NR_newfstatat: -+#endif -+#if defined(__NR_fstatat64) -+ case __NR_fstatat64: -+#endif -+#if defined(__NR_newfstatat) || defined(__NR_fstatat64) -+ if (*reinterpret_cast<const char *>(args.args[1]) == '\0' -+ && args.args[3] == static_cast<uint64_t>(AT_EMPTY_PATH)) { -+ return sandbox::sys_fstat64(static_cast<int>(args.args[0]), -+ reinterpret_cast<struct stat64 *>(args.args[2])); -+ } else { -+ errno = EACCES; -+ return -1; -+ } -+ break; -+#endif -+ } -+ -+ CrashSIGSYS_Handler(args, aux); -+ -+ // Should never be reached. -+ RAW_CHECK(false); -+ return -ENOSYS; -+} -+ - bpf_dsl::ResultExpr CrashSIGSYS() { - return bpf_dsl::Trap(CrashSIGSYS_Handler, NULL); - } -@@ -387,6 +418,10 @@ bpf_dsl::ResultExpr RewriteSchedSIGSYS() - return bpf_dsl::Trap(SIGSYSSchedHandler, NULL); - } - -+bpf_dsl::ResultExpr RewriteFstatatSIGSYS() { -+ return bpf_dsl::Trap(SIGSYSFstatatHandler, NULL); -+} -+ - void AllocateCrashKeys() { - #if !defined(OS_NACL_NONSFI) - if (seccomp_crash_key) -diff -up chromium-88.0.4324.96/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h.fstatfix chromium-88.0.4324.96/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h ---- chromium-88.0.4324.96/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h.fstatfix 2021-01-25 10:16:36.982598236 -0500 -+++ chromium-88.0.4324.96/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h 2021-01-25 10:18:45.705111027 -0500 -@@ -62,6 +62,10 @@ SANDBOX_EXPORT intptr_t SIGSYSPtraceFail - // sched_setparam(), sched_setscheduler() - SANDBOX_EXPORT intptr_t SIGSYSSchedHandler(const arch_seccomp_data& args, - void* aux); -+// If the fstatat syscall is actually a disguised fstat, calls the regular fstat -+// syscall, otherwise, crashes in the same way as CrashSIGSYS_Handler. -+SANDBOX_EXPORT intptr_t SIGSYSFstatatHandler(const struct arch_seccomp_data& args, -+ void* aux); - - // Variants of the above functions for use with bpf_dsl. - SANDBOX_EXPORT bpf_dsl::ResultExpr CrashSIGSYS(); -@@ -72,6 +76,7 @@ SANDBOX_EXPORT bpf_dsl::ResultExpr Crash - SANDBOX_EXPORT bpf_dsl::ResultExpr CrashSIGSYSFutex(); - SANDBOX_EXPORT bpf_dsl::ResultExpr CrashSIGSYSPtrace(); - SANDBOX_EXPORT bpf_dsl::ResultExpr RewriteSchedSIGSYS(); -+SANDBOX_EXPORT bpf_dsl::ResultExpr RewriteFstatatSIGSYS(); - - // Allocates a crash key so that Seccomp information can be recorded. - void AllocateCrashKeys(); -diff -up chromium-88.0.4324.96/sandbox/linux/services/syscall_wrappers.cc.fstatfix chromium-88.0.4324.96/sandbox/linux/services/syscall_wrappers.cc ---- chromium-88.0.4324.96/sandbox/linux/services/syscall_wrappers.cc.fstatfix 2021-01-25 10:18:53.307141311 -0500 -+++ chromium-88.0.4324.96/sandbox/linux/services/syscall_wrappers.cc 2021-01-25 10:19:46.982355293 -0500 -@@ -261,4 +261,13 @@ int sys_sigaction(int signum, - - #endif // defined(MEMORY_SANITIZER) - -+SANDBOX_EXPORT int sys_fstat64(int fd, struct stat64 *buf) -+{ -+#if defined(__NR_fstat64) -+ return syscall(__NR_fstat64, fd, buf); -+#else -+ return syscall(__NR_fstat, fd, buf); -+#endif -+} -+ - } // namespace sandbox -diff -up chromium-88.0.4324.96/sandbox/linux/services/syscall_wrappers.h.fstatfix chromium-88.0.4324.96/sandbox/linux/services/syscall_wrappers.h ---- chromium-88.0.4324.96/sandbox/linux/services/syscall_wrappers.h.fstatfix 2021-01-25 10:19:53.115379741 -0500 -+++ chromium-88.0.4324.96/sandbox/linux/services/syscall_wrappers.h 2021-01-25 10:20:45.485588421 -0500 -@@ -17,6 +17,7 @@ struct sock_fprog; - struct rlimit64; - struct cap_hdr; - struct cap_data; -+struct stat64; - - namespace sandbox { - -@@ -84,6 +85,9 @@ SANDBOX_EXPORT int sys_sigaction(int sig - const struct sigaction* act, - struct sigaction* oldact); - -+// Recent glibc rewrites fstat to fstatat. -+SANDBOX_EXPORT int sys_fstat64(int fd, struct stat64 *buf); -+ - } // namespace sandbox - - #endif // SANDBOX_LINUX_SERVICES_SYSCALL_WRAPPERS_H_ |