Release 100.0.4896.92

csagan5 2022-04-15 16:41:31 +02:00 committed by Yifeng Wu
parent a228f406c3
commit 7eafa450b8
14 changed files with 664 additions and 51 deletions


@ -1,3 +1,14 @@
# 100.0.4896.92
* improve user script errors and visualized name (thanks to @uazo)
* fix autofill password not working anymore (thanks to @uazo, fixes https://github.com/bromite/bromite/issues/1956)
* mark sites as visited when they have an already-parsed OpenSearch descriptor
* disable TLS resumption by default (thanks to @uazo)
* partition DoH requests by top-frame NIK (thanks to @uazo)
* allow moving navigation bar to bottom (thanks to @uazo)
* restrict creation of dynamic code
* forbid dynamic code generation on Linux
* remove mremap from system call whitelist
# 100.0.4896.83
* update zh_CN translations (thanks to @zhmars)
* fix custom UA reported via Javascript (thanks to @uazo, fixes https://github.com/bromite/bromite/issues/1936)


@ -86,6 +86,8 @@ ETH donations address: `0x5d392F8FBf3465afe05B1Adc575e248D33B891F6`
* customize history expiration threshold
* disable idle detection
* HTTPS-only mode enabled by default
* disable TLS resumption by default
* partition DoH requests by top-frame NIK
## Features not related to privacy
* browser automatic updates, enabled by default
@ -116,6 +118,7 @@ ETH donations address: `0x5d392F8FBf3465afe05B1Adc575e248D33B891F6`
* allow OpenSearch search engine detection with paths
* keyboard dictionary hints in address bar
* always allow `view-source:` URLs
* allow moving navigation bar to bottom
You can inspect all functionality/privacy changes by reading the [patches](https://github.com/bromite/bromite/tree/master/build/patches) and/or the [CHANGELOG](./CHANGELOG.md).


@ -1 +1 @@
17f8da1ef67b77611d7b5bd3df25c8d47a806d40-
632df56956c7c1fbf97342310857031d01774f7b-


@ -1 +1 @@
100.0.4896.83
100.0.4896.92


@ -1 +1 @@
dbf631e66a15472a4689fea5550ad16a1be64922
81820453ed7ee46ca0606074034b35f2e0817592


@ -181,7 +181,7 @@ Disable-minidump-upload-scheduling.patch
Revert-Permit-blocking-of-view-source-with-URLBlocklist.patch
Disable-safety-check.patch
Disable-all-predictors-code.patch
OpenSearch-allow-paths-and-incognito-mode.patch
OpenSearch-miscellaneous.patch
Enable-Certificate-Transparency.patch
Update-i18n-zh_CN-support.patch
Add-flag-for-save-data-header.patch
@ -190,6 +190,10 @@ Revert-Disable-Dictionary-suggestions-for-the-Omnibox.patch
Disable-AsyncDNS-by-default.patch
Add-lifetime-options-for-permissions.patch
Disable-crash-reporting.patch
Partition-DNS-requests-by-topframe-NIK.patch
Samsung-Note-9-SDK27-crazylinker-workaround.patch
Disable-TLS-resumption.patch
Partition-DNS-requests-by-top-frame-NIK.patch
Restrict-creation-of-dynamic-code.patch
Forbid-dynamic-code-generation-on-Linux.patch
Remove-mremap-from-system-call-whitelist.patch
Automated-domain-substitution.patch


@ -1,7 +1,23 @@
From: uazo <uazo@users.noreply.github.com>
Date: Thu, 24 Mar 2022 10:08:00 +0000
Subject: Disable TLS Resumption
Subject: Disable TLS resumption
Disable resumption feature for all HTTPS and QUIC connections;
the feature could be used to track users even without cookies.
Sessions are not currently saved to disk in Chromium (although
there is support for it) but are long enough to constitute a
privacy risk (2h for TLS 1.2 and 7 days for TLS 1.3) if user
does not frequently close the browser.
Since session information is not kept in the HTTP cache it is
not cleared when deleting navigation data (although it is possible
to clear it by selecting "passwords").
Two new user configurable flags are introduced:
* kDisableTLSResumption, active by default
* kLogTLSResumption, that would allow to find in logcat reused
sessions in lines matching "SSL Log:"
---
chrome/browser/about_flags.cc | 6 +++
chrome/browser/flag_descriptions.cc | 8 ++++
@ -147,7 +163,7 @@ diff --git a/net/quic/quic_stream_factory.cc b/net/quic/quic_stream_factory.cc
+ auto value = quic::QuicClientSessionCache::Lookup(server_id, now, ctx);
+ if (value != nullptr &&
+ base::FeatureList::IsEnabled(net::features::kLogTLSResumption)) {
+ LOG(INFO) << "SSL Log: quic session resumpted "
+ LOG(INFO) << "SSL Log: QUIC session resumed "
+ << server_id.host();
+ }
+ return value;
@ -178,7 +194,7 @@ diff --git a/net/socket/ssl_client_socket_impl.cc b/net/socket/ssl_client_socket
+ LOG(INFO) << "SSL Log: "
+ << tag
+ << " host: " << host_and_port_.ToString()
+ << " nik: " << ssl_config_.network_isolation_key.ToDebugString();
+ << " NIK: " << ssl_config_.network_isolation_key.ToDebugString();
+ return;
+ }
+
@ -192,7 +208,7 @@ diff --git a/net/socket/ssl_client_socket_impl.cc b/net/socket/ssl_client_socket
+ LOG(INFO) << "SSL Log: "
+ << tag
+ << " host: " << host_and_port_.ToString()
+ << " nik: " << ssl_config_.network_isolation_key.ToDebugString()
+ << " NIK: " << ssl_config_.network_isolation_key.ToDebugString()
+ << " sessionid: " << base::HexEncode(session_id, len)
+ << (ticklen > 0 ? " ticket:" + base::HexEncode(ticket, ticklen) : "");
+}
@ -220,28 +236,28 @@ diff --git a/net/socket/ssl_client_socket_impl.cc b/net/socket/ssl_client_socket
+ switch(details)
+ {
+ case SSLHandshakeDetails::kTLS13Early:
+ Log_ssl_session_data("SSL session reused: kTLS13Early mode", NULL);
+ Log_ssl_session_data("SSL Log: session reused: kTLS13Early mode", NULL);
+ break;
+ case SSLHandshakeDetails::kTLS13ResumeWithHelloRetryRequest:
+ Log_ssl_session_data("SSL session reused: kTLS13ResumeWithHelloRetryRequest mode", NULL);
+ Log_ssl_session_data("SSL Log: session reused: kTLS13ResumeWithHelloRetryRequest mode", NULL);
+ break;
+ case SSLHandshakeDetails::kTLS13Resume:
+ Log_ssl_session_data("SSL session reused: kTLS13Resume mode", NULL);
+ Log_ssl_session_data("SSL Log: session reused: kTLS13Resume mode", NULL);
+ break;
+ case SSLHandshakeDetails::kTLS12Resume:
+ Log_ssl_session_data("SSL session reused: kTLS12Resume mode", NULL);
+ Log_ssl_session_data("SSL Log: session reused: kTLS12Resume mode", NULL);
+ break;
+ case SSLHandshakeDetails::kTLS12Full:
+ Log_ssl_session_data("SSL session reused: kTLS12Full mode", NULL);
+ Log_ssl_session_data("SSL Log: session reused: kTLS12Full mode", NULL);
+ break;
+ case SSLHandshakeDetails::kTLS12FalseStart:
+ Log_ssl_session_data("SSL session reused: kTLS12FalseStart mode", NULL);
+ Log_ssl_session_data("SSL Log: session reused: kTLS12FalseStart mode", NULL);
+ break;
+ case SSLHandshakeDetails::kTLS13Full:
+ Log_ssl_session_data("SSL session reused: kTLS13Full mode", NULL);
+ Log_ssl_session_data("SSL Log: session reused: kTLS13Full mode", NULL);
+ break;
+ case SSLHandshakeDetails::kTLS13FullWithHelloRetryRequest:
+ Log_ssl_session_data("SSL session reused: kTLS13FullWithHelloRetryRequest mode", NULL);
+ Log_ssl_session_data("SSL Log: session reused: kTLS13FullWithHelloRetryRequest mode", NULL);
+ break;
+ }
+ }
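Review bot: Every branch of the SSLHandshakeDetails switch (ssl_client_socket_impl.cc hunk at -220,28) logs "session reused", including kTLS12Full, kTLS13Full, kTLS12FalseStart and kTLS13FullWithHelloRetryRequest, which are full handshakes rather than resumptions; since kLogTLSResumption exists so a user can grep logcat for reused sessions, those four entries are false positives that make a correctly disabled resumption look as if it were still happening. The commit only prefixes the strings with "SSL Log:", so the wording could be corrected in the same pass, e.g. `Log_ssl_session_data("SSL Log: full handshake: kTLS12Full mode", NULL);` for the four full-handshake cases while the resume cases keep "session reused". Chromium style also prefers `nullptr` over `NULL` in these calls. The enclosing function starts and ends outside the hunk.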


@ -2,14 +2,11 @@ From: csagan5 <32685696+csagan5@users.noreply.github.com>
Date: Fri, 24 Jan 2020 19:17:22 +0100
Subject: Disable smart selection by default
Allow web search in incognito mode (reverts
commit 48d4ae54f7565c429bf29cd63806aee5d7e93e69)
Allow web search in incognito mode; Smart Selection still
disabled in incognito as per upstream.
Partial revert of da1d809c003749846cb4ade8c11b6d038e44416b to restore
the ChromeSmartSelection feature flag.
Notice that re-enabling smart selection would make incognito mode potentially
leak information through the TextClassifier set by OEM, if any
---
.../contextualsearch/SelectionClientManager.java | 4 +++-
.../browser/flags/android/chrome_feature_list.cc | 4 ++++


@ -0,0 +1,334 @@
From: qua3k <cliffmaceyak@gmail.com>
Date: Thu, 4 Nov 2021 00:00:00 +0000
Subject: Forbid dynamic code generation on Linux
The Windows sandbox prevents dynamic code generation via setting
MITIGATION_DYNAMIC_CODE_DISABLE on certain processes; prevent dynamic
code generation in the same processes on Linux via seccomp-bpf.
---
.../policy/linux/bpf_audio_policy_linux.cc | 18 +++++++++++
sandbox/policy/linux/bpf_cdm_policy_linux.cc | 12 +++++++
.../policy/linux/bpf_ppapi_policy_linux.cc | 12 +++++++
.../bpf_print_compositor_policy_linux.cc | 12 +++++++
.../policy/linux/bpf_renderer_policy_linux.cc | 21 +++++++++++-
.../policy/linux/bpf_renderer_policy_linux.h | 5 ++-
.../policy/linux/bpf_service_policy_linux.cc | 21 ++++++++++++
.../policy/linux/bpf_service_policy_linux.h | 5 ++-
.../bpf_speech_recognition_policy_linux.cc | 12 +++++++
.../policy/linux/bpf_utility_policy_linux.cc | 12 +++++++
.../policy/linux/sandbox_seccomp_bpf_linux.cc | 32 ++++++++++++++++---
11 files changed, 155 insertions(+), 7 deletions(-)
diff --git a/sandbox/policy/linux/bpf_audio_policy_linux.cc b/sandbox/policy/linux/bpf_audio_policy_linux.cc
--- a/sandbox/policy/linux/bpf_audio_policy_linux.cc
+++ b/sandbox/policy/linux/bpf_audio_policy_linux.cc
@@ -118,6 +118,24 @@ ResultExpr AudioProcessPolicy::EvaluateSyscall(int system_call_number) const {
const Arg<int> domain(0);
return If(domain == AF_UNIX, Allow()).Else(Error(EPERM));
}
+#endif
+#if defined(__i386__) || defined(__x86_64__) || defined(__mips__) || \
+ defined(__aarch64__)
+ case __NR_mmap:
+#endif
+#if defined(__i386__) || defined(__arm__) || \
+ (defined(ARCH_CPU_MIPS_FAMILY) && defined(ARCH_CPU_32_BITS))
+ case __NR_mmap2:
+#endif
+ return RestrictMmapFlagsNoWX();
+ case __NR_mprotect:
+ case __NR_pkey_mprotect:
+ return RestrictMprotectFlagsNoWX();
+#if defined(__i386__) || defined(__x86_64__) || defined(__arm__) || \
+ defined(__aarch64__) || \
+ (defined(ARCH_CPU_MIPS_FAMILY) && defined(ARCH_CPU_64_BITS))
+ case __NR_shmat:
+ return RestrictShmatFlags();
#endif
default:
#if defined(__x86_64__)
diff --git a/sandbox/policy/linux/bpf_cdm_policy_linux.cc b/sandbox/policy/linux/bpf_cdm_policy_linux.cc
--- a/sandbox/policy/linux/bpf_cdm_policy_linux.cc
+++ b/sandbox/policy/linux/bpf_cdm_policy_linux.cc
@@ -49,6 +49,18 @@ ResultExpr CdmProcessPolicy::EvaluateSyscall(int sysno) const {
return RestrictSchedTarget(GetPolicyPid(), sysno);
case __NR_prlimit64:
return RestrictPrlimitToGetrlimit(GetPolicyPid());
+#if defined(__i386__) || defined(__x86_64__) || defined(__mips__) || \
+ defined(__aarch64__)
+ case __NR_mmap:
+#endif
+#if defined(__i386__) || defined(__arm__) || \
+ (defined(ARCH_CPU_MIPS_FAMILY) && defined(ARCH_CPU_32_BITS))
+ case __NR_mmap2:
+#endif
+ return RestrictMmapFlagsNoWX();
+ case __NR_mprotect:
+ case __NR_pkey_mprotect:
+ return RestrictMprotectFlagsNoWX();
default:
// Default on the content baseline policy.
return BPFBasePolicy::EvaluateSyscall(sysno);
diff --git a/sandbox/policy/linux/bpf_ppapi_policy_linux.cc b/sandbox/policy/linux/bpf_ppapi_policy_linux.cc
--- a/sandbox/policy/linux/bpf_ppapi_policy_linux.cc
+++ b/sandbox/policy/linux/bpf_ppapi_policy_linux.cc
@@ -40,6 +40,18 @@ ResultExpr PpapiProcessPolicy::EvaluateSyscall(int sysno) const {
return RestrictSchedTarget(GetPolicyPid(), sysno);
case __NR_ioctl:
return Error(ENOTTY); // Flash Access.
+#if defined(__i386__) || defined(__x86_64__) || defined(__mips__) || \
+ defined(__aarch64__)
+ case __NR_mmap:
+#endif
+#if defined(__i386__) || defined(__arm__) || \
+ (defined(ARCH_CPU_MIPS_FAMILY) && defined(ARCH_CPU_32_BITS))
+ case __NR_mmap2:
+#endif
+ return RestrictMmapFlagsNoWX();
+ case __NR_mprotect:
+ case __NR_pkey_mprotect:
+ return RestrictMprotectFlagsNoWX();
default:
// Default on the baseline policy.
return BPFBasePolicy::EvaluateSyscall(sysno);
diff --git a/sandbox/policy/linux/bpf_print_compositor_policy_linux.cc b/sandbox/policy/linux/bpf_print_compositor_policy_linux.cc
--- a/sandbox/policy/linux/bpf_print_compositor_policy_linux.cc
+++ b/sandbox/policy/linux/bpf_print_compositor_policy_linux.cc
@@ -45,6 +45,18 @@ ResultExpr PrintCompositorProcessPolicy::EvaluateSyscall(int sysno) const {
case __NR_times:
case __NR_uname:
return Allow();
+#if defined(__i386__) || defined(__x86_64__) || defined(__mips__) || \
+ defined(__aarch64__)
+ case __NR_mmap:
+#endif
+#if defined(__i386__) || defined(__arm__) || \
+ (defined(ARCH_CPU_MIPS_FAMILY) && defined(ARCH_CPU_32_BITS))
+ case __NR_mmap2:
+#endif
+ return RestrictMmapFlagsNoWX();
+ case __NR_mprotect:
+ case __NR_pkey_mprotect:
+ return RestrictMprotectFlagsNoWX();
default:
// Default on the content baseline policy.
return BPFBasePolicy::EvaluateSyscall(sysno);
diff --git a/sandbox/policy/linux/bpf_renderer_policy_linux.cc b/sandbox/policy/linux/bpf_renderer_policy_linux.cc
--- a/sandbox/policy/linux/bpf_renderer_policy_linux.cc
+++ b/sandbox/policy/linux/bpf_renderer_policy_linux.cc
@@ -48,10 +48,29 @@ ResultExpr RestrictIoctl() {
} // namespace
-RendererProcessPolicy::RendererProcessPolicy() {}
+RendererProcessPolicy::RendererProcessPolicy(bool is_jit_disabled)
+ : is_jit_disabled_(is_jit_disabled) {}
RendererProcessPolicy::~RendererProcessPolicy() {}
ResultExpr RendererProcessPolicy::EvaluateSyscall(int sysno) const {
+
+ if (is_jit_disabled_) {
+ switch (sysno) {
+#if defined(__i386__) || defined(__x86_64__) || defined(__mips__) || \
+ defined(__aarch64__)
+ case __NR_mmap:
+#endif
+#if defined(__i386__) || defined(__arm__) || \
+ (defined(ARCH_CPU_MIPS_FAMILY) && defined(ARCH_CPU_32_BITS))
+ case __NR_mmap2:
+#endif
+ return RestrictMmapFlagsNoWX();
+ case __NR_mprotect:
+ case __NR_pkey_mprotect:
+ return RestrictMprotectFlagsNoWX();
+ }
+ }
+
switch (sysno) {
// The baseline policy allows __NR_clock_gettime. Allow
// clock_getres() for V8. crbug.com/329053.
diff --git a/sandbox/policy/linux/bpf_renderer_policy_linux.h b/sandbox/policy/linux/bpf_renderer_policy_linux.h
--- a/sandbox/policy/linux/bpf_renderer_policy_linux.h
+++ b/sandbox/policy/linux/bpf_renderer_policy_linux.h
@@ -13,7 +13,7 @@ namespace policy {
// This policy can be used by both renderer and worker processes.
class RendererProcessPolicy : public BPFBasePolicy {
public:
- RendererProcessPolicy();
+ explicit RendererProcessPolicy(bool is_jit_disabled);
RendererProcessPolicy(const RendererProcessPolicy&) = delete;
RendererProcessPolicy& operator=(const RendererProcessPolicy&) = delete;
@@ -21,6 +21,9 @@ class RendererProcessPolicy : public BPFBasePolicy {
~RendererProcessPolicy() override;
bpf_dsl::ResultExpr EvaluateSyscall(int system_call_number) const override;
+
+ private:
+ const bool is_jit_disabled_; // Disable dynamic code generation if jitless
};
} // namespace policy
diff --git a/sandbox/policy/linux/bpf_service_policy_linux.cc b/sandbox/policy/linux/bpf_service_policy_linux.cc
--- a/sandbox/policy/linux/bpf_service_policy_linux.cc
+++ b/sandbox/policy/linux/bpf_service_policy_linux.cc
@@ -20,7 +20,28 @@ using sandbox::bpf_dsl::ResultExpr;
namespace sandbox {
namespace policy {
+ServiceProcessPolicy::ServiceProcessPolicy(bool is_jit_disabled)
+ : is_jit_disabled_(is_jit_disabled) {}
+
ResultExpr ServiceProcessPolicy::EvaluateSyscall(int sysno) const {
+
+ if (is_jit_disabled_) {
+ switch (sysno) {
+#if defined(__i386__) || defined(__x86_64__) || defined(__mips__) || \
+ defined(__aarch64__)
+ case __NR_mmap:
+#endif
+#if defined(__i386__) || defined(__arm__) || \
+ (defined(ARCH_CPU_MIPS_FAMILY) && defined(ARCH_CPU_32_BITS))
+ case __NR_mmap2:
+#endif
+ return RestrictMmapFlagsNoWX();
+ case __NR_mprotect:
+ case __NR_pkey_mprotect:
+ return RestrictMprotectFlagsNoWX();
+ }
+ }
+
switch (sysno) {
case __NR_ioctl:
return RestrictIoctl();
diff --git a/sandbox/policy/linux/bpf_service_policy_linux.h b/sandbox/policy/linux/bpf_service_policy_linux.h
--- a/sandbox/policy/linux/bpf_service_policy_linux.h
+++ b/sandbox/policy/linux/bpf_service_policy_linux.h
@@ -16,13 +16,16 @@ namespace policy {
// Consider UtilityProcessPolicy if this is too restrictive.
class ServiceProcessPolicy : public BPFBasePolicy {
public:
- ServiceProcessPolicy() = default;
+ explicit ServiceProcessPolicy(bool is_jit_disabled);
~ServiceProcessPolicy() override = default;
bpf_dsl::ResultExpr EvaluateSyscall(int system_call_number) const override;
ServiceProcessPolicy(const ServiceProcessPolicy&) = delete;
ServiceProcessPolicy& operator=(const ServiceProcessPolicy&) = delete;
+
+ private:
+ const bool is_jit_disabled_; // Disable dynamic code generation if jitless
};
} // namespace policy
diff --git a/sandbox/policy/linux/bpf_speech_recognition_policy_linux.cc b/sandbox/policy/linux/bpf_speech_recognition_policy_linux.cc
--- a/sandbox/policy/linux/bpf_speech_recognition_policy_linux.cc
+++ b/sandbox/policy/linux/bpf_speech_recognition_policy_linux.cc
@@ -37,6 +37,18 @@ ResultExpr SpeechRecognitionProcessPolicy::EvaluateSyscall(
case __NR_sched_setscheduler:
// Used for starting an AudioStream when recognizing microphone data.
return RestrictSchedTarget(GetPolicyPid(), system_call_number);
+#if defined(__i386__) || defined(__x86_64__) || defined(__mips__) || \
+ defined(__aarch64__)
+ case __NR_mmap:
+#endif
+#if defined(__i386__) || defined(__arm__) || \
+ (defined(ARCH_CPU_MIPS_FAMILY) && defined(ARCH_CPU_32_BITS))
+ case __NR_mmap2:
+#endif
+ return RestrictMmapFlagsNoWX();
+ case __NR_mprotect:
+ case __NR_pkey_mprotect:
+ return RestrictMprotectFlagsNoWX();
default:
auto* sandbox_linux = SandboxLinux::GetInstance();
if (sandbox_linux->ShouldBrokerHandleSyscall(system_call_number))
diff --git a/sandbox/policy/linux/bpf_utility_policy_linux.cc b/sandbox/policy/linux/bpf_utility_policy_linux.cc
--- a/sandbox/policy/linux/bpf_utility_policy_linux.cc
+++ b/sandbox/policy/linux/bpf_utility_policy_linux.cc
@@ -46,6 +46,18 @@ ResultExpr UtilityProcessPolicy::EvaluateSyscall(int sysno) const {
case __NR_times:
case __NR_uname:
return Allow();
+#if defined(__i386__) || defined(__x86_64__) || defined(__mips__) || \
+ defined(__aarch64__)
+ case __NR_mmap:
+#endif
+#if defined(__i386__) || defined(__arm__) || \
+ (defined(ARCH_CPU_MIPS_FAMILY) && defined(ARCH_CPU_32_BITS))
+ case __NR_mmap2:
+#endif
+ return RestrictMmapFlagsNoWX();
+ case __NR_mprotect:
+ case __NR_pkey_mprotect:
+ return RestrictMprotectFlagsNoWX();
default:
// Default on the content baseline policy.
return BPFBasePolicy::EvaluateSyscall(sysno);
diff --git a/sandbox/policy/linux/sandbox_seccomp_bpf_linux.cc b/sandbox/policy/linux/sandbox_seccomp_bpf_linux.cc
--- a/sandbox/policy/linux/sandbox_seccomp_bpf_linux.cc
+++ b/sandbox/policy/linux/sandbox_seccomp_bpf_linux.cc
@@ -30,6 +30,8 @@
#include "base/files/scoped_file.h"
#include "base/posix/eintr_wrapper.h"
+#include "base/strings/string_split.h"
+#include "gin/gin_features.h"
#include "sandbox/linux/seccomp-bpf-helpers/baseline_policy.h"
#include "sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h"
#include "sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.h"
@@ -51,6 +53,7 @@
#include "sandbox/policy/linux/bpf_service_policy_linux.h"
#include "sandbox/policy/linux/bpf_speech_recognition_policy_linux.h"
#include "sandbox/policy/linux/bpf_utility_policy_linux.h"
+#include "third_party/blink/public/common/switches.h"
#if BUILDFLAG(IS_CHROMEOS_ASH)
#include "sandbox/policy/features.h"
@@ -164,8 +167,29 @@ std::unique_ptr<BPFBasePolicy> SandboxSeccompBPF::PolicyForSandboxType(
switch (sandbox_type) {
case sandbox::mojom::Sandbox::kGpu:
return GetGpuProcessSandbox(options.use_amd_specific_policies);
- case sandbox::mojom::Sandbox::kRenderer:
- return std::make_unique<RendererProcessPolicy>();
+ case sandbox::mojom::Sandbox::kRenderer: {
+ const base::CommandLine& command_line =
+ *base::CommandLine::ForCurrentProcess();
+ bool dynamic_code_can_be_disabled = false;
+ if (base::FeatureList::IsEnabled(features::kV8NoJIT)) {
+ dynamic_code_can_be_disabled = true;
+ }
+ else if (command_line.HasSwitch(blink::switches::kJavaScriptFlags)) {
+ std::string js_flags =
+ command_line.GetSwitchValueASCII(blink::switches::kJavaScriptFlags);
+ std::vector<base::StringPiece> js_flag_list = base::SplitStringPiece(
+ js_flags, ",", base::TRIM_WHITESPACE, base::SPLIT_WANT_NONEMPTY);
+ for (const auto& js_flag : js_flag_list) {
+ if (js_flag == "--jitless") {
+ // If v8 is running jitless then there is no need for the ability to
+ // mark writable pages as executable to be available to the process.
+ dynamic_code_can_be_disabled = true;
+ break;
+ }
+ }
+ }
+ return std::make_unique<RendererProcessPolicy>(dynamic_code_can_be_disabled);
+ }
#if BUILDFLAG(ENABLE_PLUGINS)
case sandbox::mojom::Sandbox::kPpapi:
return std::make_unique<PpapiProcessPolicy>();
@@ -185,9 +209,9 @@ std::unique_ptr<BPFBasePolicy> SandboxSeccompBPF::PolicyForSandboxType(
case sandbox::mojom::Sandbox::kAudio:
return std::make_unique<AudioProcessPolicy>();
case sandbox::mojom::Sandbox::kService:
- return std::make_unique<ServiceProcessPolicy>();
+ return std::make_unique<ServiceProcessPolicy>(true);
case sandbox::mojom::Sandbox::kServiceWithJit:
- return std::make_unique<ServiceProcessPolicy>();
+ return std::make_unique<ServiceProcessPolicy>(false);
case sandbox::mojom::Sandbox::kSpeechRecognition:
return std::make_unique<SpeechRecognitionProcessPolicy>();
#if BUILDFLAG(IS_CHROMEOS_ASH)
--
2.25.1
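Review bot: In the sandbox_seccomp_bpf_linux.cc hunk the kRenderer branch only recognises jitless mode when `--js-flags` splits on "," into a piece equal to "--jitless", so a whitespace-separated value such as `--js-flags="--foo --jitless"` leaves `dynamic_code_can_be_disabled` false and the renderer keeps the permissive mmap/mprotect policy; the check fails open, and if that mirrors the upstream Windows check it should be documented as such in the comment, otherwise the split should also accept whitespace. `RestrictMmapFlagsNoWX`, `RestrictMprotectFlagsNoWX` and `RestrictShmatFlags` are called from every policy file but defined in none of the 11 files this patch touches; presumably they come from Restrict-creation-of-dynamic-code.patch, which precedes this one in the series, and that ordering dependency belongs in the patch description. Only the audio policy additionally routes `__NR_shmat` through `RestrictShmatFlags`; if any of the other policies can reach shmat through their baseline, the no-WX rule is incomplete there and the asymmetry should either be closed or explained in a comment.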


@ -1,9 +1,13 @@
From: uazo <uazo@users.noreply.github.com>
Date: Tue, 18 Jan 2022 07:43:32 +0000
Subject: Move top toolbar to bottom
Subject: Move navigation bar to bottom
Adds an accessibility flag that allows the top toolbar to be moved to the bottom.
The patch also includes tablet mode.
Adds an accessibility flag that allows navigation bar to be moved to the bottom.
Unlike what is present in other browsers, this actually moves the bar below,
without creating other elements.
The bottom bar will also be colored as the navigation bar to make the interface
more pleasant and fixes upstream bug 1285311.
Support for tablet mode is also included.
---
cc/base/features.cc | 3 ++
cc/base/features.h | 1 +
@ -462,9 +466,9 @@ diff --git a/chrome/android/java/src/org/chromium/chrome/browser/accessibility/s
+ mSnackbarManager.showSnackbar(mSnackbar);
+ }
+
private static class ForceTabletUIDelegate implements BooleanPreferenceDelegate {
@Override
public boolean isEnabled() {
@Override
public void addExtraPreferences(PreferenceFragmentCompat fragment) {
if (ImageDescriptionsController.getInstance().shouldShowImageDescriptionsMenuItem()) {
diff --git a/chrome/android/java/src/org/chromium/chrome/browser/app/ChromeActivity.java b/chrome/android/java/src/org/chromium/chrome/browser/app/ChromeActivity.java
--- a/chrome/android/java/src/org/chromium/chrome/browser/app/ChromeActivity.java
+++ b/chrome/android/java/src/org/chromium/chrome/browser/app/ChromeActivity.java
@ -2074,7 +2078,7 @@ diff --git a/components/browser_ui/accessibility/android/java/res/xml/accessibil
diff --git a/components/browser_ui/accessibility/android/java/src/org/chromium/components/browser_ui/accessibility/AccessibilitySettings.java b/components/browser_ui/accessibility/android/java/src/org/chromium/components/browser_ui/accessibility/AccessibilitySettings.java
--- a/components/browser_ui/accessibility/android/java/src/org/chromium/components/browser_ui/accessibility/AccessibilitySettings.java
+++ b/components/browser_ui/accessibility/android/java/src/org/chromium/components/browser_ui/accessibility/AccessibilitySettings.java
@@ -28,6 +28,8 @@ public class AccessibilitySettings
@@ -31,12 +31,15 @@ public class AccessibilitySettings
public static final String PREF_CAPTIONS = "captions";
static final String PREF_FORCE_TABLET_UI = "force_tablet_ui";
@ -2083,15 +2087,14 @@ diff --git a/components/browser_ui/accessibility/android/java/src/org/chromium/c
private TextScalePreference mTextScalePref;
private ChromeBaseCheckBoxPreference mForceEnableZoomPref;
private boolean mRecordFontSizeChangeOnStop;
@@ -35,6 +37,7 @@ public class AccessibilitySettings
private BooleanPreferenceDelegate mForceTabletUIDelegate;
private AccessibilitySettingsDelegate mDelegate;
private BooleanPreferenceDelegate mReaderForAccessibilityDelegate;
private BooleanPreferenceDelegate mAccessibilityTabSwitcherDelegate;
+ private BooleanPreferenceDelegate mMoveTopToolbarToBottomDelegate;
private FontSizePrefs mFontSizePrefs;
private FontSizePrefsObserver mFontSizePrefsObserver = new FontSizePrefsObserver() {
@@ -54,6 +57,10 @@ public class AccessibilitySettings
@@ -56,6 +59,10 @@ public class AccessibilitySettings
mFontSizePrefs = FontSizePrefs.getInstance(delegate.getBrowserContextHandle());
}
@ -2102,7 +2105,7 @@ diff --git a/components/browser_ui/accessibility/android/java/src/org/chromium/c
@Override
public void onActivityCreated(Bundle savedInstanceState) {
super.onActivityCreated(savedInstanceState);
@@ -103,6 +110,12 @@ public class AccessibilitySettings
@@ -105,6 +112,12 @@ public class AccessibilitySettings
getPreferenceScreen().removePreference(accessibilityTabSwitcherPref);
}
@ -2115,7 +2118,7 @@ diff --git a/components/browser_ui/accessibility/android/java/src/org/chromium/c
Preference captions = findPreference(PREF_CAPTIONS);
captions.setOnPreferenceClickListener(preference -> {
Intent intent = new Intent(Settings.ACTION_CAPTIONING_SETTINGS);
@@ -147,6 +160,9 @@ public class AccessibilitySettings
@@ -150,6 +163,9 @@ public class AccessibilitySettings
if (mReaderForAccessibilityDelegate != null) {
mReaderForAccessibilityDelegate.setEnabled((Boolean) newValue);
}


@ -1,9 +1,10 @@
From: csagan5 <32685696+csagan5@users.noreply.github.com>
Date: Sun, 6 Mar 2022 18:55:58 +0100
Subject: OpenSearch: allow paths and incognito mode
Subject: OpenSearch: miscellaneous
Fix bug with recently added engines prematurely discarded
Fix upstream bug with recently added engines prematurely discarded
because they have no last-visit timestamp
Fix upstream bug with visited engines visit time not updated
Allow adding search engines in incognito mode
Allow using search engine URLs with non-empty paths
Add verbose logging
@ -11,9 +12,10 @@ Add verbose logging
.../settings/SearchEngineAdapter.java | 4 ++-
.../search_engine_tab_helper.cc | 34 +++++++++++++------
.../renderer/chrome_render_frame_observer.cc | 2 ++
.../search_engines/template_url_fetcher.cc | 19 ++++++++---
.../search_engines/template_url_fetcher.cc | 23 ++++++++++---
.../search_engines/template_url_service.cc | 1 -
5 files changed, 44 insertions(+), 16 deletions(-)
.../search_engines/template_url_service.h | 8 ++---
6 files changed, 51 insertions(+), 21 deletions(-)
diff --git a/chrome/browser/search_engines/android/java/src/org/chromium/chrome/browser/search_engines/settings/SearchEngineAdapter.java b/chrome/browser/search_engines/android/java/src/org/chromium/chrome/browser/search_engines/settings/SearchEngineAdapter.java
--- a/chrome/browser/search_engines/android/java/src/org/chromium/chrome/browser/search_engines/settings/SearchEngineAdapter.java
@ -152,9 +154,12 @@ diff --git a/chrome/renderer/chrome_render_frame_observer.cc b/chrome/renderer/c
diff --git a/components/search_engines/template_url_fetcher.cc b/components/search_engines/template_url_fetcher.cc
--- a/components/search_engines/template_url_fetcher.cc
+++ b/components/search_engines/template_url_fetcher.cc
@@ -260,14 +260,25 @@ void TemplateURLFetcher::ScheduleDownload(
@@ -258,16 +258,29 @@ void TemplateURLFetcher::ScheduleDownload(
return;
}
const TemplateURL* template_url =
- const TemplateURL* template_url =
+ TemplateURL* template_url =
template_url_service_->GetTemplateURLForKeyword(keyword);
- if (template_url && (!template_url->safe_for_autoreplace() ||
- template_url->originating_url() == osdd_url))
@ -168,6 +173,8 @@ diff --git a/components/search_engines/template_url_fetcher.cc b/components/sear
+ // Either there is a user created TemplateURL for this keyword, or the
+ // keyword has the same OSDD url and we've parsed it.
+ LOG(INFO) << "OpenSearch: OSDD URL was already parsed: " << osdd_url;
+ // always update the visit timestamp
+ template_url_service_->UpdateTemplateURLVisitTime(template_url);
+ return;
+ }
+ }
@ -193,5 +200,30 @@ diff --git a/components/search_engines/template_url_service.cc b/components/sear
return Add(std::move(template_url), true);
}
diff --git a/components/search_engines/template_url_service.h b/components/search_engines/template_url_service.h
--- a/components/search_engines/template_url_service.h
+++ b/components/search_engines/template_url_service.h
@@ -277,7 +277,10 @@ class TemplateURLService : public WebDataServiceConsumer,
void UpdateProviderFavicons(const GURL& potential_search_url,
const GURL& favicon_url);
- // Return true if the given |url| can be made the default. This returns false
+ // Updates the last_visited time of |url| to the current time.
+ void UpdateTemplateURLVisitTime(TemplateURL* url);
+
+ // Return true if the given |url| can be made the default. This returns false
// regardless of |url| if the default search provider is managed by policy or
// controlled by an extension.
bool CanMakeDefault(const TemplateURL* url) const;
@@ -598,9 +601,6 @@ class TemplateURLService : public WebDataServiceConsumer,
// SetKeywordSearchTermsForURL is invoked.
void UpdateKeywordSearchTermsForURL(const URLVisitedDetails& details);
- // Updates the last_visited time of |url| to the current time.
- void UpdateTemplateURLVisitTime(TemplateURL* url);
-
// If necessary, generates a visit for the site http:// + t_url.keyword().
void AddTabToSearchVisit(const TemplateURL& t_url);
--
2.25.1
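Review bot: `UpdateTemplateURLVisitTime` is moved from the private section of TemplateURLService to the public one (template_url_service.h hunks at -277 and -598) only so that TemplateURLFetcher::ScheduleDownload can call it, and the fetcher drops `const` from `template_url` for the same reason, yet the relocated comment still reads as an internal helper. Since it is now API, the comment should say who is expected to call it, e.g. `// Updates the last_visited time of |url| to the current time. Also called by TemplateURLFetcher when an already-parsed OSDD is seen again.` The context line `LOG(INFO) << "OpenSearch: OSDD URL was already parsed: " << osdd_url;` writes a full URL to the log unconditionally, unlike the feature-gated SSL/DNS logging elsewhere in this release; gating it the same way would be consistent. ScheduleDownload starts and ends outside the hunk.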


@ -19,7 +19,6 @@ any type of upstream DoH server.
See also:
* https://bugs.chromium.org/p/chromium/issues/detail?id=1082311
* https://github.com/bromite/bromite/pull/1974
---
chrome/browser/about_flags.cc | 12 ++++++++++++
chrome/browser/flag_descriptions.cc | 9 +++++++++
@ -40,7 +39,7 @@ See also:
diff --git a/chrome/browser/about_flags.cc b/chrome/browser/about_flags.cc
--- a/chrome/browser/about_flags.cc
+++ b/chrome/browser/about_flags.cc
@@ -7332,6 +7332,18 @@ const FeatureEntry kFeatureEntries[] = {
@@ -7327,6 +7327,18 @@ const FeatureEntry kFeatureEntries[] = {
FEATURE_VALUE_TYPE(features::kUIDebugTools),
},
#endif
@ -62,7 +61,7 @@ diff --git a/chrome/browser/about_flags.cc b/chrome/browser/about_flags.cc
diff --git a/chrome/browser/flag_descriptions.cc b/chrome/browser/flag_descriptions.cc
--- a/chrome/browser/flag_descriptions.cc
+++ b/chrome/browser/flag_descriptions.cc
@@ -2448,6 +2448,15 @@ const char kWebOTPCrossDeviceName[] = "WebOTP Cross Device";
@@ -2444,6 +2444,15 @@ const char kWebOTPCrossDeviceName[] = "WebOTP Cross Device";
const char kWebOTPCrossDeviceDescription[] =
"Enable the WebOTP API to work across devices";
@ -81,7 +80,7 @@ diff --git a/chrome/browser/flag_descriptions.cc b/chrome/browser/flag_descripti
diff --git a/chrome/browser/flag_descriptions.h b/chrome/browser/flag_descriptions.h
--- a/chrome/browser/flag_descriptions.h
+++ b/chrome/browser/flag_descriptions.h
@@ -1408,6 +1408,12 @@ extern const char kSmoothScrollingDescription[];
@@ -1405,6 +1405,12 @@ extern const char kSmoothScrollingDescription[];
extern const char kWebOTPCrossDeviceName[];
extern const char kWebOTPCrossDeviceDescription[];
@ -473,18 +472,18 @@ diff --git a/net/dns/host_resolver_manager.cc b/net/dns/host_resolver_manager.cc
diff --git a/net/socket/ssl_client_socket_impl.cc b/net/socket/ssl_client_socket_impl.cc
--- a/net/socket/ssl_client_socket_impl.cc
+++ b/net/socket/ssl_client_socket_impl.cc
@@ -432,6 +432,12 @@ void SSLClientSocketImpl::Log_ssl_session_data(const std::string& tag, SSL_SESSI
SSLClientSocketImpl::~SSLClientSocketImpl() {
if (base::FeatureList::IsEnabled(net::features::kLogTLSResumption))
Log_ssl_session_data("Disconnect", NULL);
@@ -406,6 +406,12 @@ SSLClientSocketImpl::SSLClientSocketImpl(
}
void SSLClientSocketImpl::Log_ssl_session_data(const std::string& tag, SSL_SESSION* session) {
+ if (base::FeatureList::IsEnabled(net::features::kLogSplitDnsByNetworkIsolationKey) &&
+ ssl_config_.network_isolation_key.IsDns()) {
+ LOG(INFO) << "DNS: Disconnected "
+ << host_and_port_.ToString() << " "
+ << ssl_config_.network_isolation_key.ToDebugString();
+ }
Disconnect();
}
if (session == NULL) {
LOG(INFO) << "SSL Log: "
<< tag
--
2.25.1
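Review bot: If the rendered hunk is read correctly, the `DNS: Disconnected` log block in ssl_client_socket_impl.cc has moved from the destructor (old hunk at -432, context `~SSLClientSocketImpl()` and `Disconnect();`) to the top of `Log_ssl_session_data` (new hunk at -406, with `if (session == NULL)` following the block), which is invoked for every handshake-detail log, so the message would now fire on each call rather than only on disconnect. Either the block should remain in the destructor or the message should describe what it actually records, e.g. `LOG(INFO) << "DNS: " << tag << " "`. Both functions start or end outside the hunk, so this is inferred from the context lines only.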


@ -0,0 +1,70 @@
From: qua3k <cliffmaceyak@gmail.com>
Date: Fri, 19 Nov 2021 00:00:00 +0000
Subject: Remove mremap from system call whitelist
It's not used in PartitionAlloc and should be removed.
---
sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc | 1 -
sandbox/policy/linux/bpf_cdm_policy_linux.cc | 1 -
sandbox/policy/linux/bpf_print_compositor_policy_linux.cc | 1 -
sandbox/policy/linux/bpf_service_policy_linux.cc | 1 -
sandbox/policy/linux/bpf_utility_policy_linux.cc | 1 -
5 files changed, 5 deletions(-)
diff --git a/sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc b/sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc
--- a/sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc
+++ b/sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc
@@ -566,7 +566,6 @@ bool SyscallSets::IsAllowedAddressSpaceAccess(int sysno) {
case __NR_modify_ldt:
#endif
case __NR_mprotect:
- case __NR_mremap:
case __NR_msync:
case __NR_munlockall:
case __NR_readahead:
diff --git a/sandbox/policy/linux/bpf_cdm_policy_linux.cc b/sandbox/policy/linux/bpf_cdm_policy_linux.cc
--- a/sandbox/policy/linux/bpf_cdm_policy_linux.cc
+++ b/sandbox/policy/linux/bpf_cdm_policy_linux.cc
@@ -39,7 +39,6 @@ ResultExpr CdmProcessPolicy::EvaluateSyscall(int sysno) const {
#if defined(__i386__) || defined(__arm__)
case __NR_ugetrlimit:
#endif
- case __NR_mremap: // https://crbug.com/546204
case __NR_pwrite64:
case __NR_sysinfo:
case __NR_times:
diff --git a/sandbox/policy/linux/bpf_print_compositor_policy_linux.cc b/sandbox/policy/linux/bpf_print_compositor_policy_linux.cc
--- a/sandbox/policy/linux/bpf_print_compositor_policy_linux.cc
+++ b/sandbox/policy/linux/bpf_print_compositor_policy_linux.cc
@@ -39,7 +39,6 @@ ResultExpr PrintCompositorProcessPolicy::EvaluateSyscall(int sysno) const {
#if defined(__i386__) || defined(__arm__)
case __NR_ugetrlimit:
#endif
- case __NR_mremap: // https://crbug.com/546204
case __NR_pwrite64:
case __NR_sysinfo:
case __NR_times:
diff --git a/sandbox/policy/linux/bpf_service_policy_linux.cc b/sandbox/policy/linux/bpf_service_policy_linux.cc
--- a/sandbox/policy/linux/bpf_service_policy_linux.cc
+++ b/sandbox/policy/linux/bpf_service_policy_linux.cc
@@ -53,7 +53,6 @@ ResultExpr ServiceProcessPolicy::EvaluateSyscall(int sysno) const {
#if defined(__i386__) || defined(__arm__)
case __NR_ugetrlimit:
#endif
- case __NR_mremap: // https://crbug.com/546204
case __NR_pwrite64:
case __NR_times:
return Allow();
diff --git a/sandbox/policy/linux/bpf_utility_policy_linux.cc b/sandbox/policy/linux/bpf_utility_policy_linux.cc
--- a/sandbox/policy/linux/bpf_utility_policy_linux.cc
+++ b/sandbox/policy/linux/bpf_utility_policy_linux.cc
@@ -40,7 +40,6 @@ ResultExpr UtilityProcessPolicy::EvaluateSyscall(int sysno) const {
#if defined(__i386__) || defined(__arm__)
case __NR_ugetrlimit:
#endif
- case __NR_mremap: // https://crbug.com/546204
case __NR_pwrite64:
case __NR_sysinfo:
case __NR_times:
--
2.25.1
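Review bot: The removed `case __NR_mremap:` lines in bpf_cdm_policy_linux.cc, bpf_print_compositor_policy_linux.cc, bpf_service_policy_linux.cc and bpf_utility_policy_linux.cc each carried a `// https://crbug.com/546204` reference recording why the syscall was allowed there, and the patch body ("not used in PartitionAlloc") does not say why that reason no longer applies. The deletion in SyscallSets::IsAllowedAddressSpaceAccess also reaches every policy built on that set, not only the four listed, and code that does not go through PartitionAlloc — third-party libraries loaded into the CDM or utility process, or a C library's realloc of large mmap-backed blocks — may still issue mremap and would then receive whatever the policy's default result for an unlisted syscall is, which could be a SIGSYS crash rather than a clean error. I would add the justification to the patch body, e.g. `The crbug.com/546204 rationale no longer applies because <reason — placeholder>; any remaining mremap caller now falls through to the policy default.`, and confirm the affected processes under a sandbox-enforcing build before shipping.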


@ -0,0 +1,144 @@
From: qua3k <cliffmaceyak@gmail.com>
Date: Thu, 4 Nov 2021 00:00:00 +0000
Subject: Restrict creation of dynamic code
This commit has three parts, utilizing seccomp-bpf to prevent:
1. the creation of executable anonymous mappings
2. the creation of writable and executable file mappings
3. making a non-executable mapping executable
It's inspired by PaX MPROTECT restrictions.
---
.../syscall_parameters_restrictions.cc | 55 +++++++++++++++++++
.../syscall_parameters_restrictions.h | 18 ++++++
2 files changed, 73 insertions(+)
diff --git a/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc b/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc
--- a/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc
+++ b/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc
@@ -15,6 +15,7 @@
#include <sys/prctl.h>
#include <sys/ptrace.h>
#include <sys/resource.h>
+#include <sys/shm.h>
#include <sys/stat.h>
#include <sys/time.h>
#include <sys/types.h>
@@ -227,6 +228,31 @@ ResultExpr RestrictMmapFlags() {
return If((flags & ~kAllowedMask) == 0, Allow()).Else(CrashSIGSYS());
}
+ResultExpr RestrictMmapFlagsNoWX() {
+ // The flags you see are actually the allowed ones, and the variable is a
+ // "denied" mask because of the negation operator.
+ // Significantly, we don't permit MAP_HUGETLB, or the newer flags such as
+ // MAP_POPULATE.
+ // TODO(davidung), remove MAP_DENYWRITE with updated Tegra libraries.
+
+ const Arg<int> prot(2);
+ const Arg<int> flags(3);
+
+ const BoolExpr is_mapping_w_x = (prot & (PROT_WRITE | PROT_EXEC)) != (PROT_WRITE | PROT_EXEC);
+
+ const BoolExpr is_anon_mapping_nx =
+ AllOf((prot & PROT_EXEC) == 0,
+ (flags & MAP_ANONYMOUS) == MAP_ANONYMOUS);
+
+ const uint64_t kAllowedMask = MAP_SHARED | MAP_PRIVATE | MAP_STACK |
+ MAP_NORESERVE | MAP_FIXED | MAP_DENYWRITE |
+ MAP_LOCKED;
+
+ return If(is_anon_mapping_nx, Allow())
+ .ElseIf(AllOf(is_mapping_w_x, (flags & ~kAllowedMask) == 0), Allow())
+ .Else(CrashSIGSYS());
+}
+
ResultExpr RestrictMprotectFlags() {
// The flags you see are actually the allowed ones, and the variable is a
// "denied" mask because of the negation operator.
@@ -245,6 +271,24 @@ ResultExpr RestrictMprotectFlags() {
return If((prot & ~kAllowedMask) == 0, Allow()).Else(CrashSIGSYS());
}
+ResultExpr RestrictMprotectFlagsNoWX() {
+ // The flags you see are actually the allowed ones, and the variable is a
+ // "denied" mask because of the negation operator.
+ // Significantly, we don't permit making non-executable pages executable,
+ // as well as weird undocumented flags such as PROT_GROWSDOWN.
+#if defined(ARCH_CPU_ARM64)
+ // Allows PROT_MTE and PROT_BTI (as explained higher up) on only Arm
+ // platforms.
+ const uint64_t kArchSpecificFlags = PROT_MTE | PROT_BTI;
+#else
+ const uint64_t kArchSpecificFlags = 0;
+#endif
+ const uint64_t kAllowedMask =
+ PROT_READ | PROT_WRITE | kArchSpecificFlags;
+ const Arg<int> prot(2);
+ return If((prot & ~kAllowedMask) == 0, Allow()).Else(CrashSIGSYS());
+}
+
ResultExpr RestrictFcntlCommands() {
// We also restrict the flags in F_SETFL. We don't want to permit flags with
// a history of trouble such as O_DIRECT. The flags you see are actually the
@@ -281,6 +325,17 @@ ResultExpr RestrictFcntlCommands() {
// clang-format on
}
+ResultExpr RestrictShmatFlags() {
+ // The flags you see are actually the allowed ones, and the variable is a
+ // "denied" mask because of the negation operator.
+ // Significantly, we don't permit flags that allow for dynamic code
+ // generation such as SHM_EXEC.
+ const uint64_t kAllowedMask =
+ 0 | SHM_RND | SHM_RDONLY | SHM_REMAP;
+ const Arg<int> shmflg(2);
+ return If((shmflg & ~kAllowedMask) == 0, Allow()).Else(CrashSIGSYS());
+}
+
#if defined(__i386__) || defined(__mips__)
ResultExpr RestrictSocketcallCommand() {
// Unfortunately, we are unable to restrict the first parameter to
diff --git a/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.h b/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.h
--- a/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.h
+++ b/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.h
@@ -37,11 +37,25 @@ SANDBOX_EXPORT bpf_dsl::ResultExpr RestrictIoctl();
// Crash if any other flag is used.
SANDBOX_EXPORT bpf_dsl::ResultExpr RestrictMmapFlags();
+// Restrict mmap(2) arguments to:
+// Allow: MAP_SHARED | MAP_PRIVATE | MAP_ANONYMOUS |
+// MAP_STACK | MAP_NORESERVE | MAP_FIXED | MAP_DENYWRITE.
+// Crash if any other flag is used.
+// Also, in prots, restrict the allowed protections to:
+// PROT_READ | PROT_WRITE ^ PROT_EXEC.
+// PROT_BTI | PROT_MTE is additionally allowed on 64-bit Arm.
+SANDBOX_EXPORT bpf_dsl::ResultExpr RestrictMmapFlagsNoWX();
+
// Restrict the prot argument in mprotect(2).
// Only allow: PROT_READ | PROT_WRITE | PROT_EXEC.
// PROT_BTI | PROT_MTE is additionally allowed on 64-bit Arm.
SANDBOX_EXPORT bpf_dsl::ResultExpr RestrictMprotectFlags();
+// Restrict the prot argument in mprotect(2).
+// Only allow: PROT_READ | PROT_WRITE.
+// PROT_BTI | PROT_MTE is additionally allowed on 64-bit Arm.
+SANDBOX_EXPORT bpf_dsl::ResultExpr RestrictMprotectFlagsNoWX();
+
// Restrict fcntl(2) cmd argument to:
// We allow F_GETFL, F_SETFL, F_GETFD, F_SETFD, F_DUPFD, F_DUPFD_CLOEXEC,
// F_SETLK, F_SETLKW and F_GETLK.
@@ -49,6 +63,10 @@ SANDBOX_EXPORT bpf_dsl::ResultExpr RestrictMprotectFlags();
// O_NONBLOCK | O_SYNC | O_LARGEFILE | O_CLOEXEC | O_NOATIME.
SANDBOX_EXPORT bpf_dsl::ResultExpr RestrictFcntlCommands();
+// Restrict the shmflg argument in shmat(2).
+// Only allow: SHM_RND | SHM_RDONLY | SHM_REMAP.
+SANDBOX_EXPORT bpf_dsl::ResultExpr RestrictShmatFlags();
+
#if defined(__i386__) || defined(__mips__)
// Restrict socketcall(2) to only allow socketpair(2), send(2), recv(2),
// sendto(2), recvfrom(2), shutdown(2), sendmsg(2) and recvmsg(2).
--
2.25.1
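Review bot: In RestrictMmapFlagsNoWX (syscall_parameters_restrictions.cc hunk) the `is_anon_mapping_nx` branch allows the call without ever checking `flags` against `kAllowedMask`, so a non-executable anonymous mapping may carry any flag, including MAP_HUGETLB and MAP_POPULATE, which the comment directly above says are not permitted and which the pre-existing RestrictMmapFlags presumably rejects. Since MAP_ANONYMOUS is deliberately absent from `kAllowedMask` (that is what sends anonymous+PROT_EXEC to CrashSIGSYS via the second branch), the fix is to mask it in on the first branch only: `return If(AllOf(is_anon_mapping_nx, (flags & ~(kAllowedMask | MAP_ANONYMOUS)) == 0), Allow())`. `is_mapping_w_x` is also named inverted, as it is true when the mapping is not both writable and executable, so `is_mapping_not_wx` would read correctly, and the header's "Allow:" list for RestrictMmapFlagsNoWX should mention MAP_LOCKED, which the mask includes. Note too that this patch only defines the three new helpers; no policy in the diffstat calls them, so the restrictions described in the patch body are not in effect until a policy is changed to use them.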