1 diff --git a/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc b/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc
2 index cc0e91b..8836e77 100644
3 --- a/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc
4 +++ b/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc
5 @@ -130,21 +130,11 @@ namespace sandbox {
6 // present (as in newer versions of posix_spawn).
7 ResultExpr RestrictCloneToThreadsAndEPERMFork() {
8 const Arg<unsigned long> flags(0);
10 - // TODO(mdempsky): Extend DSL to support (flags & ~mask1) == mask2.
11 - const uint64_t kAndroidCloneMask = CLONE_VM | CLONE_FS | CLONE_FILES |
12 - CLONE_SIGHAND | CLONE_THREAD |
14 - const uint64_t kObsoleteAndroidCloneMask = kAndroidCloneMask | CLONE_DETACHED;
16 - const uint64_t kGlibcPthreadFlags =
17 - CLONE_VM | CLONE_FS | CLONE_FILES | CLONE_SIGHAND | CLONE_THREAD |
18 - CLONE_SYSVSEM | CLONE_SETTLS | CLONE_PARENT_SETTID | CLONE_CHILD_CLEARTID;
19 - const BoolExpr glibc_test = flags == kGlibcPthreadFlags;
21 - const BoolExpr android_test =
22 - AnyOf(flags == kAndroidCloneMask, flags == kObsoleteAndroidCloneMask,
23 - flags == kGlibcPthreadFlags);
24 + const int required = CLONE_VM | CLONE_FS | CLONE_FILES | CLONE_SIGHAND |
25 + CLONE_THREAD | CLONE_SYSVSEM;
26 + const int safe = CLONE_SETTLS | CLONE_PARENT_SETTID | CLONE_CHILD_CLEARTID |
28 + const BoolExpr thread_clone_ok = (flags&~safe)==required;
30 // The following two flags are the two important flags in any vfork-emulating
31 // clone call. EPERM any clone call that contains both of them.
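Review bot: The new mask constants `required` and `safe` are declared `int` while `flags` is `Arg<unsigned long>`, so `~safe` is a negative int that only produces the intended all-upper-bits mask through implicit sign extension; the constants this hunk removes were `uint64_t`, and keeping that width (and the file's `k` constant naming plus clang-format spacing) avoids relying on that conversion: `const uint64_t kRequiredCloneFlags = ...;`, `const uint64_t kSafeCloneFlags = ...;`, `const BoolExpr thread_clone_ok = (flags & ~kSafeCloneFlags) == kRequiredCloneFlags;`. The removed lines also carried the only explanation of why separate Android and glibc pthread flag sets were accepted, and nothing replaces it; a comment above the mask should state the contract, for example `// Allow clone() only for thread creation: every bit in required must be set, any subset of safe may be set, and any other bit falls through to the fork/vfork EPERM check or SIGSYS below.` The `safe` initializer continues on a line not visible here, so which extra bits it tolerates (CLONE_DETACHED from the old obsolete-Android mask, presumably) cannot be confirmed from this view. The second hunk of this file only swaps the `If` condition and needs no separate change.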
32 @@ -154,7 +144,7 @@ ResultExpr RestrictCloneToThreadsAndEPERMFork() {
33 AnyOf((flags & (CLONE_VM | CLONE_THREAD)) == 0,
34 (flags & kImportantCloneVforkFlags) == kImportantCloneVforkFlags);
36 - return If(IsAndroid() ? android_test : glibc_test, Allow())
37 + return If(thread_clone_ok, Allow())
38 .ElseIf(is_fork_or_clone_vfork, Error(EPERM))
39 .Else(CrashSIGSYSClone());
41 diff --git a/sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc b/sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc
42 index 96c9f49..225823c 100644
43 --- a/sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc
44 +++ b/sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc
45 @@ -417,6 +417,7 @@ bool SyscallSets::IsAllowedProcessStartOrDeath(int sysno) {
49 + case __NR_set_tid_address:
51 case __NR_clone: // Should be parameter-restricted.
52 case __NR_setns: // Privileged.
53 @@ -429,7 +430,6 @@ bool SyscallSets::IsAllowedProcessStartOrDeath(int sysno) {
54 #if defined(__i386__) || defined(__x86_64__) || defined(__mips__)
55 case __NR_set_thread_area:
57 - case __NR_set_tid_address:
59 #if !defined(__mips__) && !defined(__aarch64__)
61 @@ -543,6 +543,8 @@ bool SyscallSets::IsAllowedAddressSpaceAccess(int sysno) {
66 + case __NR_membarrier:
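Review bot: `__NR_membarrier` is added to IsAllowedAddressSpaceAccess as an unconditional allow with no annotation, whereas the other sets in this file mark syscalls whose arguments matter with comments such as `// Should be parameter-restricted.` (visible at the `__NR_clone` line above). membarrier's first argument selects the command (query, global, or the private-expedited register/use pairs), so it would help a later reviewer to record which commands the sandboxed process is expected to issue and why a blanket allow is acceptable, e.g. `case __NR_membarrier:  // cmd is not restricted; expected uses are MEMBARRIER_CMD_QUERY and the private-expedited variants.` If only a fixed set of commands is needed, restricting arg 0 in the policy layer, the way clone flags are restricted, would be the tighter option. The body of the following hunk (`@@ -560,7 +562,6`) is not visible here, so whatever it removes is not reviewed.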
70 @@ -560,7 +562,6 @@ bool SyscallSets::IsAllowedAddressSpaceAccess(int sysno) {
78 diff --git a/sandbox/linux/system_headers/arm64_linux_syscalls.h b/sandbox/linux/system_headers/arm64_linux_syscalls.h
79 index a242c18..bb80da6 100644
80 --- a/sandbox/linux/system_headers/arm64_linux_syscalls.h
81 +++ b/sandbox/linux/system_headers/arm64_linux_syscalls.h
82 @@ -1063,6 +1063,10 @@
83 #define __NR_memfd_create 279
86 +#if !defined(__NR_membarrier)
87 +#define __NR_membarrier 283
90 #if !defined(__NR_bpf)
93 diff --git a/sandbox/linux/system_headers/arm_linux_syscalls.h b/sandbox/linux/system_headers/arm_linux_syscalls.h
94 index 85da6f4..7a26b31 100644
95 --- a/sandbox/linux/system_headers/arm_linux_syscalls.h
96 +++ b/sandbox/linux/system_headers/arm_linux_syscalls.h
97 @@ -1385,6 +1385,10 @@
98 #define __NR_memfd_create (__NR_SYSCALL_BASE+385)
101 +#if !defined(__NR_membarrier)
102 +#define __NR_membarrier (__NR_SYSCALL_BASE+389)
105 #if !defined(__NR_bpf)
106 #define __NR_bpf (__NR_SYSCALL_BASE+386)
108 diff --git a/sandbox/linux/system_headers/linux_syscalls.h b/sandbox/linux/system_headers/linux_syscalls.h
109 index 2b78a0c..b6fedb5 100644
110 --- a/sandbox/linux/system_headers/linux_syscalls.h
111 +++ b/sandbox/linux/system_headers/linux_syscalls.h
113 #define SANDBOX_LINUX_SYSTEM_HEADERS_LINUX_SYSCALLS_H_
115 #include "build/build_config.h"
116 +#include <sys/syscall.h>
118 #if defined(__x86_64__)
119 #include "sandbox/linux/system_headers/x86_64_linux_syscalls.h"
120 diff --git a/sandbox/linux/system_headers/mips64_linux_syscalls.h b/sandbox/linux/system_headers/mips64_linux_syscalls.h
121 index ec75815..5515270 100644
122 --- a/sandbox/linux/system_headers/mips64_linux_syscalls.h
123 +++ b/sandbox/linux/system_headers/mips64_linux_syscalls.h
124 @@ -1271,4 +1271,8 @@
125 #define __NR_memfd_create (__NR_Linux + 314)
128 +#if !defined(__NR_membarrier)
129 +#define __NR_membarrier (__NR_Linux 318)
132 #endif // SANDBOX_LINUX_SYSTEM_HEADERS_MIPS64_LINUX_SYSCALLS_H_
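Review bot: The added `#define __NR_membarrier (__NR_Linux 318)` is missing the `+` operator between `__NR_Linux` and `318` — the line above it uses `(__NR_Linux + 314)` — so the macro expands to two adjacent tokens and fails to compile wherever `__NR_membarrier` is used on mips64; the mips hunk below has the same defect in `(__NR_Linux 358)`. Unless the `+` was lost in extraction, both should read `#define __NR_membarrier (__NR_Linux + 318)` and `#define __NR_membarrier (__NR_Linux + 358)`. Because each definition sits under `#if !defined(__NR_membarrier)` and linux_syscalls.h now includes `<sys/syscall.h>` first, a toolchain whose libc already defines the number would mask the typo, so it may only surface on older sysroots.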
133 diff --git a/sandbox/linux/system_headers/mips_linux_syscalls.h b/sandbox/linux/system_headers/mips_linux_syscalls.h
134 index 50d9ea1..0caffae 100644
135 --- a/sandbox/linux/system_headers/mips_linux_syscalls.h
136 +++ b/sandbox/linux/system_headers/mips_linux_syscalls.h
137 @@ -1685,4 +1685,8 @@
138 #define __NR_mount_setattr (__NR_Linux + 442)
141 +#if !defined(__NR_membarrier)
142 +#define __NR_membarrier (__NR_Linux 358)
145 #endif // SANDBOX_LINUX_SYSTEM_HEADERS_MIPS_LINUX_SYSCALLS_H_
146 diff --git a/sandbox/linux/system_headers/x86_64_linux_syscalls.h b/sandbox/linux/system_headers/x86_64_linux_syscalls.h
147 index b0ae0a2..8b12029 100644
148 --- a/sandbox/linux/system_headers/x86_64_linux_syscalls.h
149 +++ b/sandbox/linux/system_headers/x86_64_linux_syscalls.h
150 @@ -1350,5 +1350,9 @@
151 #define __NR_rseq 334
154 +#if !defined(__NR_membarrier)
155 +#define __NR_membarrier 324
158 #endif // SANDBOX_LINUX_SYSTEM_HEADERS_X86_64_LINUX_SYSCALLS_H_
160 diff --git a/sandbox/policy/linux/bpf_renderer_policy_linux.cc b/sandbox/policy/linux/bpf_renderer_policy_linux.cc
161 index f789e92..5cc0861 100644
162 --- a/sandbox/policy/linux/bpf_renderer_policy_linux.cc
163 +++ b/sandbox/policy/linux/bpf_renderer_policy_linux.cc
164 @@ -97,11 +97,11 @@ ResultExpr RendererProcessPolicy::EvaluateSyscall(int sysno) const {
169 - case __NR_sched_getaffinity:
170 case __NR_sched_getparam:
171 case __NR_sched_getscheduler:
172 case __NR_sched_setscheduler:
174 + case __NR_sched_getaffinity:
175 return RestrictSchedTarget(GetPolicyPid(), sysno);
177 // See crbug.com/662450 and setrlimit comment above.