diff options
Diffstat (limited to 'devel/electron17/files/patch-sandbox_policy_freebsd_sandbox__freebsd.h')
| -rw-r--r-- | devel/electron17/files/patch-sandbox_policy_freebsd_sandbox__freebsd.h | 281 |
1 files changed, 0 insertions, 281 deletions
diff --git a/devel/electron17/files/patch-sandbox_policy_freebsd_sandbox__freebsd.h b/devel/electron17/files/patch-sandbox_policy_freebsd_sandbox__freebsd.h deleted file mode 100644 index e70aa0344687..000000000000 --- a/devel/electron17/files/patch-sandbox_policy_freebsd_sandbox__freebsd.h +++ /dev/null @@ -1,281 +0,0 @@ ---- sandbox/policy/freebsd/sandbox_freebsd.h.orig 2022-05-13 07:20:05 UTC -+++ sandbox/policy/freebsd/sandbox_freebsd.h -@@ -0,0 +1,278 @@ -+// Copyright (c) 2012 The Chromium Authors. All rights reserved. -+// Use of this source code is governed by a BSD-style license that can be -+// found in the LICENSE file. -+#ifndef SANDBOX_POLICY_LINUX_SANDBOX_OPENBSD_H_ -+#define SANDBOX_POLICY_LINUX_SANDBOX_OPENBSD_H_ -+ -+#include <memory> -+#include <string> -+#include <vector> -+ -+#include "base/logging.h" -+#include "base/posix/global_descriptors.h" -+#include "sandbox/policy/export.h" -+#include "sandbox/policy/linux/sandbox_seccomp_bpf_linux.h" -+#include "sandbox/policy/mojom/sandbox.mojom.h" -+#include "sandbox/policy/sanitizer_buildflags.h" -+ -+#if BUILDFLAG(USING_SANITIZER) -+#include <sanitizer/common_interface_defs.h> -+#endif -+ -+namespace base { -+template <typename T> -+struct DefaultSingletonTraits; -+class Thread; -+} // namespace base -+ -+namespace sandbox { -+namespace syscall_broker { -+class BrokerProcess; -+} // namespace syscall_broker -+} // namespace sandbox -+ -+namespace sandbox { -+namespace policy { -+ -+// A singleton class to represent and change our sandboxing state for the -+// three main Linux sandboxes. -+// The sandboxing model allows using two layers of sandboxing. The first layer -+// can be implemented either with unprivileged namespaces or with the setuid -+// sandbox. This class provides a way to engage the namespace sandbox, but does -+// not deal with the legacy setuid sandbox directly. -+// The second layer is mainly based on seccomp-bpf and is engaged with -+// InitializeSandbox(). InitializeSandbox() is also responsible for "sealing" -+// the first layer of sandboxing. That is, InitializeSandbox must always be -+// called to have any meaningful sandboxing at all. -+class SANDBOX_POLICY_EXPORT SandboxLinux { -+ public: -+ // This is a list of sandbox IPC methods which the renderer may send to the -+ // sandbox host. See -+ // https://chromium.googlesource.com/chromium/src/+/master/docs/linux_sandbox_ipc.md -+ // This isn't the full list, values < 32 are reserved for methods called from -+ // Skia, and values < 64 are reserved for libc_interceptor.cc. -+ enum LinuxSandboxIPCMethods { -+ DEPRECATED_METHOD_GET_FALLBACK_FONT_FOR_CHAR = 64, -+ DEPRECATED_METHOD_GET_CHILD_WITH_INODE, -+ DEPRECATED_METHOD_GET_STYLE_FOR_STRIKE, -+ METHOD_MAKE_SHARED_MEMORY_SEGMENT, -+ DEPRECATED_METHOD_MATCH_WITH_FALLBACK, -+ }; -+ -+ // These form a bitmask which describes the conditions of the Linux sandbox. -+ // Note: this doesn't strictly give you the current status, it states -+ // what will be enabled when the relevant processes are initialized. -+ enum Status { -+ // SUID sandbox active. -+ kSUID = 1 << 0, -+ -+ // Sandbox is using a new PID namespace. -+ kPIDNS = 1 << 1, -+ -+ // Sandbox is using a new network namespace. -+ kNetNS = 1 << 2, -+ -+ // seccomp-bpf sandbox active. -+ kSeccompBPF = 1 << 3, -+ -+ // The Yama LSM module is present and enforcing. -+ kYama = 1 << 4, -+ -+ // seccomp-bpf sandbox is active and the kernel supports TSYNC. -+ kSeccompTSYNC = 1 << 5, -+ -+ // User namespace sandbox active. -+ kUserNS = 1 << 6, -+ -+ // A flag that denotes an invalid sandbox status. -+ kInvalid = 1 << 31, -+ }; -+ -+ // SandboxLinux Options are a superset of SandboxSecompBPF Options. -+ struct Options : public SandboxSeccompBPF::Options { -+ // When running with a zygote, the namespace sandbox will have already -+ // been engaged prior to initializing SandboxLinux itself, and need not -+ // be done so again. Set to true to indicate that there isn't a zygote -+ // for this process and the step is to be performed here explicitly. -+ bool engage_namespace_sandbox = false; -+ -+ // Allow starting the sandbox with multiple threads already running. This -+ // will enable TSYNC for seccomp-BPF, which syncs the seccomp-BPF policy -+ // across all running threads. -+ bool allow_threads_during_sandbox_init = false; -+ -+ // Enables the CHECK for open directories. The open directory check is only -+ // useful for the chroot jail (from the semantic layer of the sandbox), and -+ // can safely be disabled if we are only enabling the seccomp-BPF layer. -+ bool check_for_open_directories = true; -+ }; -+ -+ // Callers can provide this hook to run code right before the policy -+ // is passed to the BPF compiler and the sandbox is engaged. If -+ // pre_sandbox_hook() returns true, the sandbox will be engaged -+ // afterwards, otherwise the process is terminated. -+ using PreSandboxHook = base::OnceCallback<bool(Options)>; -+ -+ // Get our singleton instance. -+ static SandboxLinux* GetInstance(); -+ -+ SandboxLinux(const SandboxLinux&) = delete; -+ SandboxLinux& operator=(const SandboxLinux&) = delete; -+ -+ bool SetPledge(const char *pstring, const char *ppath); -+ bool SetUnveil(const std::string process_type, sandbox::mojom::Sandbox sandbox_type); -+ -+ // Do some initialization that can only be done before any of the sandboxes -+ // are enabled. If using the setuid sandbox, this should be called manually -+ // before the setuid sandbox is engaged. -+ // Security: When this runs, it is imperative that either InitializeSandbox() -+ // runs as well or that all file descriptors returned in -+ // GetFileDescriptorsToClose() get closed. -+ // Otherwise file descriptors that bypass the security of the setuid sandbox -+ // would be kept open. One must be particularly careful if a process performs -+ // a fork(). -+ void PreinitializeSandbox(sandbox::mojom::Sandbox sandbox_type); -+ -+ // Check that the current process is the init process of a new PID -+ // namespace and then proceed to drop access to the file system by using -+ // a new unprivileged namespace. This is a layer-1 sandbox. -+ // In order for this sandbox to be effective, it must be "sealed" by calling -+ // InitializeSandbox(). -+ void EngageNamespaceSandbox(bool from_zygote); -+ -+ // Return a list of file descriptors to close if PreinitializeSandbox() ran -+ // but InitializeSandbox() won't. Avoid using. -+ // TODO(jln): get rid of this hack. -+ std::vector<int> GetFileDescriptorsToClose(); -+ -+ // Seal an eventual layer-1 sandbox and initialize the layer-2 sandbox with -+ // an adequate policy depending on the process type and command line -+ // arguments. -+ // Currently the layer-2 sandbox is composed of seccomp-bpf and address space -+ // limitations. -+ // This function should only be called without any thread running. -+ bool InitializeSandbox(sandbox::mojom::Sandbox sandbox_type, -+ PreSandboxHook hook, -+ const Options& options); -+ -+ // Stop |thread| in a way that can be trusted by the sandbox. -+ void StopThread(base::Thread* thread); -+ -+ // Returns the status of the renderer, worker and ppapi sandbox. Can only -+ // be queried after going through PreinitializeSandbox(). This is a bitmask -+ // and uses the constants defined in "enum Status" above. Since the -+ // status needs to be provided before the sandboxes are actually started, -+ // this returns what will actually happen once InitializeSandbox() -+ // is called from inside these processes. -+ int GetStatus(); -+ -+ static std::string GetSandboxTypeInEnglish(sandbox::mojom::Sandbox sandbox_type); -+ -+ // Returns true if the current process is single-threaded or if the number -+ // of threads cannot be determined. -+ bool IsSingleThreaded() const; -+ -+ // Returns true if we started Seccomp BPF. -+ bool seccomp_bpf_started() const; -+ -+ // Check the policy and eventually start the seccomp-bpf sandbox. This should -+ // never be called with threads started. If we detect that threads have -+ // started we will crash. -+ bool StartSeccompBPF(sandbox::mojom::Sandbox sandbox_type, -+ PreSandboxHook hook, -+ const Options& options); -+ -+ // Limit the address space of the current process (and its children) to make -+ // some vulnerabilities harder to exploit. Writes the errno due to setrlimit -+ // (including 0 if no error) into |error|. -+ bool LimitAddressSpace(int* error); -+ -+ // Returns a file descriptor to proc. The file descriptor is no longer valid -+ // after the sandbox has been sealed. -+ int proc_fd() const { -+ DCHECK_NE(-1, proc_fd_); -+ return proc_fd_; -+ } -+ -+#if BUILDFLAG(USING_SANITIZER) -+ __sanitizer_sandbox_arguments* sanitizer_args() const { -+ return sanitizer_args_.get(); -+ }; -+#endif -+ -+ // A BrokerProcess is a helper that is started before the sandbox is engaged, -+ // typically from a pre-sandbox hook, that will serve requests to access -+ // files over an IPC channel. The client of this runs from a SIGSYS handler -+ // triggered by the seccomp-bpf sandbox. -+ // |client_sandbox_policy| is the policy being run by the client, and is -+ // used to derive the equivalent broker-side policy. -+ // |broker_side_hook| is an alternate pre-sandbox hook to be run before the -+ // broker itself gets sandboxed, to which the broker side policy and -+ // |options| are passed. -+ // Crashes the process if the broker can not be started since continuation -+ // is impossible (and presumably unsafe). -+ // This should never be destroyed, as after the sandbox is started it is -+ // vital to the process. -+#if 0 -+ void StartBrokerProcess( -+ const sandbox::syscall_broker::BrokerCommandSet& allowed_command_set, -+ std::vector<sandbox::syscall_broker::BrokerFilePermission> permissions, -+ PreSandboxHook broker_side_hook, -+ const Options& options); -+ -+ sandbox::syscall_broker::BrokerProcess* broker_process() const { -+ return broker_process_; -+ } -+#endif -+ -+ private: -+ friend struct base::DefaultSingletonTraits<SandboxLinux>; -+ -+ SandboxLinux(); -+ ~SandboxLinux(); -+ -+ // We must have been pre_initialized_ before using these. -+ bool seccomp_bpf_supported() const; -+ bool seccomp_bpf_with_tsync_supported() const; -+ -+ // Returns true if it can be determined that the current process has open -+ // directories that are not managed by the SandboxLinux class. This would -+ // be a vulnerability as it would allow to bypass the setuid sandbox. -+ bool HasOpenDirectories() const; -+ -+ // The last part of the initialization is to make sure any temporary "hole" -+ // in the sandbox is closed. For now, this consists of closing proc_fd_. -+ void SealSandbox(); -+ -+ // GetStatus() makes promises as to how the sandbox will behave. This -+ // checks that no promises have been broken. -+ void CheckForBrokenPromises(sandbox::mojom::Sandbox sandbox_type); -+ -+ // Stop |thread| and make sure it does not appear in /proc/self/tasks/ -+ // anymore. -+ void StopThreadAndEnsureNotCounted(base::Thread* thread) const; -+ -+ // A file descriptor to /proc. It's dangerous to have it around as it could -+ // allow for sandbox bypasses. It needs to be closed before we consider -+ // ourselves sandboxed. -+ int proc_fd_; -+ -+ bool seccomp_bpf_started_; -+ // The value returned by GetStatus(). Gets computed once and then cached. -+ int sandbox_status_flags_; -+ // Did PreinitializeSandbox() run? -+ bool pre_initialized_; -+ bool seccomp_bpf_supported_; // Accurate if pre_initialized_. -+ bool seccomp_bpf_with_tsync_supported_; // Accurate if pre_initialized_. -+ bool yama_is_enforcing_; // Accurate if pre_initialized_. -+ bool initialize_sandbox_ran_; // InitializeSandbox() was called. -+#if BUILDFLAG(USING_SANITIZER) -+ std::unique_ptr<__sanitizer_sandbox_arguments> sanitizer_args_; -+#endif -+ sandbox::syscall_broker::BrokerProcess* broker_process_; // Leaked as global. -+}; -+ -+} // namespace policy -+} // namespace sandbox -+ -+#endif // SANDBOX_POLICY_LINUX_SANDBOX_OPENBSD_H_ |