diff options
author | Kai Kang <kai.kang@windriver.com> | 2022-01-07 23:09:24 +0800 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2022-01-14 09:34:04 +0000 |
commit | 5f93a1c2ee139e49f21fe4b8a6bf47d4d02a547d (patch) | |
tree | 2ff937ebc087c37b27e3b95c39d5034823194bf3 /meta/recipes-sato | |
parent | b5010071e6291b3f5431b371907064b63c1565df (diff) | |
download | poky-5f93a1c2ee139e49f21fe4b8a6bf47d4d02a547d.tar.gz |
webkitgtk: fix fix CVE-2021-42762
Backport and rebase patch to fix CVE-2021-42762 for webkitgtk 2.30.5.
CVE: CVE-2021-42762
Ref:
* https://bugs.webkit.org/show_bug.cgi?id=231479#c8
(From OE-Core rev: 64170871293745254e4287cabeb7ceff5cbf64f8)
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-sato')
-rw-r--r-- | meta/recipes-sato/webkit/webkitgtk/CVE-2021-42762.patch | 468 | ||||
-rw-r--r-- | meta/recipes-sato/webkit/webkitgtk_2.30.5.bb | 1 |
2 files changed, 469 insertions, 0 deletions
diff --git a/meta/recipes-sato/webkit/webkitgtk/CVE-2021-42762.patch b/meta/recipes-sato/webkit/webkitgtk/CVE-2021-42762.patch new file mode 100644 index 0000000000..1d012271cb --- /dev/null +++ b/meta/recipes-sato/webkit/webkitgtk/CVE-2021-42762.patch | |||
@@ -0,0 +1,468 @@ | |||
1 | Backport and rebase patch to fix CVE-2021-42762 for webkitgtk 2.30.5. | ||
2 | |||
3 | CVE: CVE-2021-42762 | ||
4 | Upstream-Status: Backport [https://trac.webkit.org/changeset/284451/webkit] | ||
5 | |||
6 | Ref: | ||
7 | * https://bugs.webkit.org/show_bug.cgi?id=231479#c8 | ||
8 | |||
9 | Signed-off-by: Kai Kang <kai.kang@windriver.com> | ||
10 | |||
11 | From 035ac439855c7bef0a4525897f783121e4a6055c Mon Sep 17 00:00:00 2001 | ||
12 | From: Michael Catanzaro <mcatanzaro@gnome.org> | ||
13 | Date: Tue, 19 Oct 2021 14:27:17 +0000 | ||
14 | Subject: [PATCH] Update seccomp filters with latest changes from flatpak | ||
15 | https://bugs.webkit.org/show_bug.cgi?id=231479 | ||
16 | |||
17 | Patch by Michael Catanzaro <mcatanzaro@gnome.org> on 2021-10-19 | ||
18 | Reviewed by Adrian Perez de Castro. | ||
19 | |||
20 | Additionally, let's fix a minor inconsistency in our error-handling code: all but one of | ||
21 | our codepaths carefully free and close resources, but the process is about to crash so | ||
22 | there's not really any reason to do so. The code is slightly simpler if we don't bother. | ||
23 | |||
24 | The seemingly-extraneous include order changes are required to placate the style checker. | ||
25 | |||
26 | * UIProcess/Launcher/glib/BubblewrapLauncher.cpp: | ||
27 | (WebKit::seccompStrerror): | ||
28 | (WebKit::setupSeccomp): | ||
29 | * UIProcess/Launcher/glib/Syscalls.h: Added. | ||
30 | |||
31 | Canonical link: https://commits.webkit.org/243211@main | ||
32 | git-svn-id: https://svn.webkit.org/repository/webkit/trunk@284451 268f45cc-cd09-0410-ab3c-d52691b4dbfc | ||
33 | --- | ||
34 | .../UIProcess/Launcher/glib/BubblewrapLauncher.cpp | 139 +++++++++----- | ||
35 | Source/WebKit/UIProcess/Launcher/glib/Syscalls.h | 200 +++++++++++++++++++++ | ||
36 | 2 files changed, 293 insertions(+), 46 deletions(-) | ||
37 | |||
38 | diff --git a/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp b/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp | ||
39 | index 889388ac..c2f7e502 100644 | ||
40 | --- a/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp | ||
41 | +++ b/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp | ||
42 | @@ -25,11 +25,18 @@ | ||
43 | #include <glib.h> | ||
44 | #include <seccomp.h> | ||
45 | #include <sys/ioctl.h> | ||
46 | +#include <sys/mman.h> | ||
47 | #include <wtf/FileSystem.h> | ||
48 | #include <wtf/glib/GLibUtilities.h> | ||
49 | #include <wtf/glib/GRefPtr.h> | ||
50 | #include <wtf/glib/GUniquePtr.h> | ||
51 | |||
52 | +#if !defined(MFD_ALLOW_SEALING) && HAVE(LINUX_MEMFD_H) | ||
53 | +#include <linux/memfd.h> | ||
54 | +#endif | ||
55 | + | ||
56 | +#include "Syscalls.h" | ||
57 | + | ||
58 | #if PLATFORM(GTK) | ||
59 | #include "WaylandCompositor.h" | ||
60 | #endif | ||
61 | @@ -40,13 +47,7 @@ | ||
62 | #define BASE_DIRECTORY "wpe" | ||
63 | #endif | ||
64 | |||
65 | -#include <sys/mman.h> | ||
66 | - | ||
67 | -#ifndef MFD_ALLOW_SEALING | ||
68 | - | ||
69 | -#if HAVE(LINUX_MEMFD_H) | ||
70 | - | ||
71 | -#include <linux/memfd.h> | ||
72 | +#if !defined(MFD_ALLOW_SEALING) && HAVE(LINUX_MEMFD_H) | ||
73 | |||
74 | // These defines were added in glibc 2.27, the same release that added memfd_create. | ||
75 | // But the kernel added all of this in Linux 3.17. So it's totally safe for us to | ||
76 | @@ -65,9 +66,7 @@ static int memfd_create(const char* name, unsigned flags) | ||
77 | { | ||
78 | return syscall(__NR_memfd_create, name, flags); | ||
79 | } | ||
80 | -#endif // #if HAVE(LINUX_MEMFD_H) | ||
81 | - | ||
82 | -#endif // #ifndef MFD_ALLOW_SEALING | ||
83 | +#endif // #if !defined(MFD_ALLOW_SEALING) && HAVE(LINUX_MEMFD_H) | ||
84 | |||
85 | namespace WebKit { | ||
86 | using namespace WebCore; | ||
87 | @@ -573,6 +572,28 @@ static void bindSymlinksRealPath(Vector<CString>& args, const char* path) | ||
88 | } | ||
89 | } | ||
90 | |||
91 | +// Translate a libseccomp error code into an error message. libseccomp | ||
92 | +// mostly returns negative errno values such as -ENOMEM, but some | ||
93 | +// standard errno values are used for non-standard purposes where their | ||
94 | +// strerror() would be misleading. | ||
95 | +static const char* seccompStrerror(int negativeErrno) | ||
96 | +{ | ||
97 | + RELEASE_ASSERT_WITH_MESSAGE(negativeErrno < 0, "Non-negative error value from libseccomp?"); | ||
98 | + RELEASE_ASSERT_WITH_MESSAGE(negativeErrno > INT_MIN, "Out of range error value from libseccomp?"); | ||
99 | + | ||
100 | + switch (negativeErrno) { | ||
101 | + case -EDOM: | ||
102 | + return "Architecture-specific failure"; | ||
103 | + case -EFAULT: | ||
104 | + return "Internal libseccomp failure (unknown syscall?)"; | ||
105 | + case -ECANCELED: | ||
106 | + return "System failure beyond the control of libseccomp"; | ||
107 | + } | ||
108 | + | ||
109 | + // e.g. -ENOMEM: the result of strerror() is good enough | ||
110 | + return g_strerror(-negativeErrno); | ||
111 | +} | ||
112 | + | ||
113 | static int setupSeccomp() | ||
114 | { | ||
115 | // NOTE: This is shared code (flatpak-run.c - LGPLv2.1+) | ||
116 | @@ -600,6 +621,10 @@ static int setupSeccomp() | ||
117 | // in common/flatpak-run.c | ||
118 | // https://git.gnome.org/browse/linux-user-chroot | ||
119 | // in src/setup-seccomp.c | ||
120 | + // | ||
121 | + // Other useful resources: | ||
122 | + // https://github.com/systemd/systemd/blob/HEAD/src/shared/seccomp-util.c | ||
123 | + // https://github.com/moby/moby/blob/HEAD/profiles/seccomp/default.json | ||
124 | |||
125 | #if defined(__s390__) || defined(__s390x__) || defined(__CRIS__) | ||
126 | // Architectures with CONFIG_CLONE_BACKWARDS2: the child stack | ||
127 | @@ -613,47 +638,70 @@ static int setupSeccomp() | ||
128 | struct scmp_arg_cmp ttyArg = SCMP_A1(SCMP_CMP_MASKED_EQ, 0xFFFFFFFFu, TIOCSTI); | ||
129 | struct { | ||
130 | int scall; | ||
131 | + int errnum; | ||
132 | struct scmp_arg_cmp* arg; | ||
133 | } syscallBlockList[] = { | ||
134 | // Block dmesg | ||
135 | - { SCMP_SYS(syslog), nullptr }, | ||
136 | + { SCMP_SYS(syslog), EPERM, nullptr }, | ||
137 | // Useless old syscall. | ||
138 | - { SCMP_SYS(uselib), nullptr }, | ||
139 | + { SCMP_SYS(uselib), EPERM, nullptr }, | ||
140 | // Don't allow disabling accounting. | ||
141 | - { SCMP_SYS(acct), nullptr }, | ||
142 | + { SCMP_SYS(acct), EPERM, nullptr }, | ||
143 | // 16-bit code is unnecessary in the sandbox, and modify_ldt is a | ||
144 | // historic source of interesting information leaks. | ||
145 | - { SCMP_SYS(modify_ldt), nullptr }, | ||
146 | + { SCMP_SYS(modify_ldt), EPERM, nullptr }, | ||
147 | // Don't allow reading current quota use. | ||
148 | - { SCMP_SYS(quotactl), nullptr }, | ||
149 | + { SCMP_SYS(quotactl), EPERM, nullptr }, | ||
150 | |||
151 | // Don't allow access to the kernel keyring. | ||
152 | - { SCMP_SYS(add_key), nullptr }, | ||
153 | - { SCMP_SYS(keyctl), nullptr }, | ||
154 | - { SCMP_SYS(request_key), nullptr }, | ||
155 | + { SCMP_SYS(add_key), EPERM, nullptr }, | ||
156 | + { SCMP_SYS(keyctl), EPERM, nullptr }, | ||
157 | + { SCMP_SYS(request_key), EPERM, nullptr }, | ||
158 | |||
159 | // Scary VM/NUMA ops | ||
160 | - { SCMP_SYS(move_pages), nullptr }, | ||
161 | - { SCMP_SYS(mbind), nullptr }, | ||
162 | - { SCMP_SYS(get_mempolicy), nullptr }, | ||
163 | - { SCMP_SYS(set_mempolicy), nullptr }, | ||
164 | - { SCMP_SYS(migrate_pages), nullptr }, | ||
165 | + { SCMP_SYS(move_pages), EPERM, nullptr }, | ||
166 | + { SCMP_SYS(mbind), EPERM, nullptr }, | ||
167 | + { SCMP_SYS(get_mempolicy), EPERM, nullptr }, | ||
168 | + { SCMP_SYS(set_mempolicy), EPERM, nullptr }, | ||
169 | + { SCMP_SYS(migrate_pages), EPERM, nullptr }, | ||
170 | |||
171 | // Don't allow subnamespace setups: | ||
172 | - { SCMP_SYS(unshare), nullptr }, | ||
173 | - { SCMP_SYS(mount), nullptr }, | ||
174 | - { SCMP_SYS(pivot_root), nullptr }, | ||
175 | - { SCMP_SYS(clone), &cloneArg }, | ||
176 | + { SCMP_SYS(unshare), EPERM, nullptr }, | ||
177 | + { SCMP_SYS(setns), EPERM, nullptr }, | ||
178 | + { SCMP_SYS(mount), EPERM, nullptr }, | ||
179 | + { SCMP_SYS(umount), EPERM, nullptr }, | ||
180 | + { SCMP_SYS(umount2), EPERM, nullptr }, | ||
181 | + { SCMP_SYS(pivot_root), EPERM, nullptr }, | ||
182 | + { SCMP_SYS(chroot), EPERM, nullptr }, | ||
183 | + { SCMP_SYS(clone), EPERM, &cloneArg }, | ||
184 | |||
185 | // Don't allow faking input to the controlling tty (CVE-2017-5226) | ||
186 | - { SCMP_SYS(ioctl), &ttyArg }, | ||
187 | + { SCMP_SYS(ioctl), EPERM, &ttyArg }, | ||
188 | + | ||
189 | + // seccomp can't look into clone3()'s struct clone_args to check whether | ||
190 | + // the flags are OK, so we have no choice but to block clone3(). | ||
191 | + // Return ENOSYS so user-space will fall back to clone(). | ||
192 | + // (GHSA-67h7-w3jq-vh4q; see also https://github.com/moby/moby/commit/9f6b562d) | ||
193 | + { SCMP_SYS(clone3), ENOSYS, nullptr }, | ||
194 | + | ||
195 | + // New mount manipulation APIs can also change our VFS. There's no | ||
196 | + // legitimate reason to do these in the sandbox, so block all of them | ||
197 | + // rather than thinking about which ones might be dangerous. | ||
198 | + // (GHSA-67h7-w3jq-vh4q) | ||
199 | + { SCMP_SYS(open_tree), ENOSYS, nullptr }, | ||
200 | + { SCMP_SYS(move_mount), ENOSYS, nullptr }, | ||
201 | + { SCMP_SYS(fsopen), ENOSYS, nullptr }, | ||
202 | + { SCMP_SYS(fsconfig), ENOSYS, nullptr }, | ||
203 | + { SCMP_SYS(fsmount), ENOSYS, nullptr }, | ||
204 | + { SCMP_SYS(fspick), ENOSYS, nullptr }, | ||
205 | + { SCMP_SYS(mount_setattr), ENOSYS, nullptr }, | ||
206 | |||
207 | // Profiling operations; we expect these to be done by tools from outside | ||
208 | // the sandbox. In particular perf has been the source of many CVEs. | ||
209 | - { SCMP_SYS(perf_event_open), nullptr }, | ||
210 | + { SCMP_SYS(perf_event_open), EPERM, nullptr }, | ||
211 | // Don't allow you to switch to bsd emulation or whatnot. | ||
212 | - { SCMP_SYS(personality), nullptr }, | ||
213 | - { SCMP_SYS(ptrace), nullptr } | ||
214 | + { SCMP_SYS(personality), EPERM, nullptr }, | ||
215 | + { SCMP_SYS(ptrace), EPERM, nullptr } | ||
216 | }; | ||
217 | |||
218 | scmp_filter_ctx seccomp = seccomp_init(SCMP_ACT_ALLOW); | ||
219 | @@ -661,29 +709,28 @@ static int setupSeccomp() | ||
220 | g_error("Failed to init seccomp"); | ||
221 | |||
222 | for (auto& rule : syscallBlockList) { | ||
223 | - int scall = rule.scall; | ||
224 | int r; | ||
225 | if (rule.arg) | ||
226 | - r = seccomp_rule_add(seccomp, SCMP_ACT_ERRNO(EPERM), scall, 1, *rule.arg); | ||
227 | + r = seccomp_rule_add(seccomp, SCMP_ACT_ERRNO(rule.errnum), rule.scall, 1, *rule.arg); | ||
228 | else | ||
229 | - r = seccomp_rule_add(seccomp, SCMP_ACT_ERRNO(EPERM), scall, 0); | ||
230 | - if (r == -EFAULT) { | ||
231 | - seccomp_release(seccomp); | ||
232 | - g_error("Failed to add seccomp rule"); | ||
233 | - } | ||
234 | + r = seccomp_rule_add(seccomp, SCMP_ACT_ERRNO(rule.errnum), rule.scall, 0); | ||
235 | + // EFAULT means "internal libseccomp error", but in practice we get | ||
236 | + // this for syscall numbers added via Syscalls.h (flatpak-syscalls-private.h) | ||
237 | + // when trying to filter them on a non-native architecture, because | ||
238 | + // libseccomp cannot map the syscall number to a name and back to a | ||
239 | + // number for the non-native architecture. | ||
240 | + if (r == -EFAULT) | ||
241 | + g_info("Unable to block syscall %d: syscall not known to libseccomp?", rule.scall); | ||
242 | + else if (r < 0) | ||
243 | + g_error("Failed to block syscall %d: %s", rule.scall, seccompStrerror(r)); | ||
244 | } | ||
245 | |||
246 | int tmpfd = memfd_create("seccomp-bpf", 0); | ||
247 | - if (tmpfd == -1) { | ||
248 | - seccomp_release(seccomp); | ||
249 | + if (tmpfd == -1) | ||
250 | g_error("Failed to create memfd: %s", g_strerror(errno)); | ||
251 | - } | ||
252 | |||
253 | - if (seccomp_export_bpf(seccomp, tmpfd)) { | ||
254 | - seccomp_release(seccomp); | ||
255 | - close(tmpfd); | ||
256 | - g_error("Failed to export seccomp bpf"); | ||
257 | - } | ||
258 | + if (int r = seccomp_export_bpf(seccomp, tmpfd)) | ||
259 | + g_error("Failed to export seccomp bpf: %s", seccompStrerror(r)); | ||
260 | |||
261 | if (lseek(tmpfd, 0, SEEK_SET) < 0) | ||
262 | g_error("lseek failed: %s", g_strerror(errno)); | ||
263 | diff --git a/Source/WebKit/UIProcess/Launcher/glib/Syscalls.h b/Source/WebKit/UIProcess/Launcher/glib/Syscalls.h | ||
264 | new file mode 100644 | ||
265 | index 00000000..18dea9a9 | ||
266 | --- /dev/null | ||
267 | +++ b/Source/WebKit/UIProcess/Launcher/glib/Syscalls.h | ||
268 | @@ -0,0 +1,200 @@ | ||
269 | +/* | ||
270 | + * Copyright 2021 Collabora Ltd. | ||
271 | + * SPDX-License-Identifier: LGPL-2.1-or-later | ||
272 | + * | ||
273 | + * This program is free software; you can redistribute it and/or | ||
274 | + * modify it under the terms of the GNU Lesser General Public | ||
275 | + * License as published by the Free Software Foundation; either | ||
276 | + * version 2.1 of the License, or (at your option) any later version. | ||
277 | + * | ||
278 | + * This library is distributed in the hope that it will be useful, | ||
279 | + * but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
280 | + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU | ||
281 | + * Lesser General Public License for more details. | ||
282 | + * | ||
283 | + * You should have received a copy of the GNU Lesser General Public | ||
284 | + * License along with this library. If not, see <http://www.gnu.org/licenses/>. | ||
285 | + */ | ||
286 | + | ||
287 | +// This file is a copy of flatpak-syscalls-private.h, reformatted a bit to placate WebKit's style checker. | ||
288 | +// | ||
289 | +// Upstream is here: | ||
290 | +// https://github.com/flatpak/flatpak/blob/26b12484eb8a6219b9e7aa287b298a894b2f34ca/common/flatpak-syscalls-private.h | ||
291 | + | ||
292 | +#pragma once | ||
293 | + | ||
294 | +#include <sys/syscall.h> | ||
295 | + | ||
296 | +#if defined(_MIPS_SIM) | ||
297 | +# if _MIPS_SIM == _MIPS_SIM_ABI32 | ||
298 | +# define FLATPAK_MISSING_SYSCALL_BASE 4000 | ||
299 | +# elif _MIPS_SIM == _MIPS_SIM_ABI64 | ||
300 | +# define FLATPAK_MISSING_SYSCALL_BASE 5000 | ||
301 | +# elif _MIPS_SIM == _MIPS_SIM_NABI32 | ||
302 | +# define FLATPAK_MISSING_SYSCALL_BASE 6000 | ||
303 | +# else | ||
304 | +# error "Unknown MIPS ABI" | ||
305 | +# endif | ||
306 | +#endif | ||
307 | + | ||
308 | +#if defined(__ia64__) | ||
309 | +# define FLATPAK_MISSING_SYSCALL_BASE 1024 | ||
310 | +#endif | ||
311 | + | ||
312 | +#if defined(__alpha__) | ||
313 | +# define FLATPAK_MISSING_SYSCALL_BASE 110 | ||
314 | +#endif | ||
315 | + | ||
316 | +#if defined(__x86_64__) && defined(__ILP32__) | ||
317 | +# define FLATPAK_MISSING_SYSCALL_BASE 0x40000000 | ||
318 | +#endif | ||
319 | + | ||
320 | +// FLATPAK_MISSING_SYSCALL_BASE: | ||
321 | +// | ||
322 | +// Number to add to the syscall numbers of recently-added syscalls | ||
323 | +// to get the appropriate syscall for the current ABI. | ||
324 | +#ifndef FLATPAK_MISSING_SYSCALL_BASE | ||
325 | +# define FLATPAK_MISSING_SYSCALL_BASE 0 | ||
326 | +#endif | ||
327 | + | ||
328 | +#ifndef __NR_open_tree | ||
329 | +# define __NR_open_tree (FLATPAK_MISSING_SYSCALL_BASE + 428) | ||
330 | +#endif | ||
331 | +#ifndef __SNR_open_tree | ||
332 | +# define __SNR_open_tree __NR_open_tree | ||
333 | +#endif | ||
334 | + | ||
335 | +#ifndef __NR_move_mount | ||
336 | +# define __NR_move_mount (FLATPAK_MISSING_SYSCALL_BASE + 429) | ||
337 | +#endif | ||
338 | +#ifndef __SNR_move_mount | ||
339 | +# define __SNR_move_mount __NR_move_mount | ||
340 | +#endif | ||
341 | + | ||
342 | +#ifndef __NR_fsopen | ||
343 | +# define __NR_fsopen (FLATPAK_MISSING_SYSCALL_BASE + 430) | ||
344 | +#endif | ||
345 | +#ifndef __SNR_fsopen | ||
346 | +# define __SNR_fsopen __NR_fsopen | ||
347 | +#endif | ||
348 | + | ||
349 | +#ifndef __NR_fsconfig | ||
350 | +# define __NR_fsconfig (FLATPAK_MISSING_SYSCALL_BASE + 431) | ||
351 | +#endif | ||
352 | +#ifndef __SNR_fsconfig | ||
353 | +# define __SNR_fsconfig __NR_fsconfig | ||
354 | +#endif | ||
355 | + | ||
356 | +#ifndef __NR_fsmount | ||
357 | +# define __NR_fsmount (FLATPAK_MISSING_SYSCALL_BASE + 432) | ||
358 | +#endif | ||
359 | +#ifndef __SNR_fsmount | ||
360 | +# define __SNR_fsmount __NR_fsmount | ||
361 | +#endif | ||
362 | + | ||
363 | +#ifndef __NR_fspick | ||
364 | +# define __NR_fspick (FLATPAK_MISSING_SYSCALL_BASE + 433) | ||
365 | +#endif | ||
366 | +#ifndef __SNR_fspick | ||
367 | +# define __SNR_fspick __NR_fspick | ||
368 | +#endif | ||
369 | + | ||
370 | +#ifndef __NR_pidfd_open | ||
371 | +# define __NR_pidfd_open (FLATPAK_MISSING_SYSCALL_BASE + 434) | ||
372 | +#endif | ||
373 | +#ifndef __SNR_pidfd_open | ||
374 | +# define __SNR_pidfd_open __NR_pidfd_open | ||
375 | +#endif | ||
376 | + | ||
377 | +#ifndef __NR_clone3 | ||
378 | +# define __NR_clone3 (FLATPAK_MISSING_SYSCALL_BASE + 435) | ||
379 | +#endif | ||
380 | +#ifndef __SNR_clone3 | ||
381 | +# define __SNR_clone3 __NR_clone3 | ||
382 | +#endif | ||
383 | + | ||
384 | +#ifndef __NR_close_range | ||
385 | +# define __NR_close_range (FLATPAK_MISSING_SYSCALL_BASE + 436) | ||
386 | +#endif | ||
387 | +#ifndef __SNR_close_range | ||
388 | +# define __SNR_close_range __NR_close_range | ||
389 | +#endif | ||
390 | + | ||
391 | +#ifndef __NR_openat2 | ||
392 | +# define __NR_openat2 (FLATPAK_MISSING_SYSCALL_BASE + 437) | ||
393 | +#endif | ||
394 | +#ifndef __SNR_openat2 | ||
395 | +# define __SNR_openat2 __NR_openat2 | ||
396 | +#endif | ||
397 | + | ||
398 | +#ifndef __NR_pidfd_getfd | ||
399 | +# define __NR_pidfd_getfd (FLATPAK_MISSING_SYSCALL_BASE + 438) | ||
400 | +#endif | ||
401 | +#ifndef __SNR_pidfd_getfd | ||
402 | +# define __SNR_pidfd_getfd __NR_pidfd_getfd | ||
403 | +#endif | ||
404 | + | ||
405 | +#ifndef __NR_faccessat2 | ||
406 | +# define __NR_faccessat2 (FLATPAK_MISSING_SYSCALL_BASE + 439) | ||
407 | +#endif | ||
408 | +#ifndef __SNR_faccessat2 | ||
409 | +# define __SNR_faccessat2 __NR_faccessat2 | ||
410 | +#endif | ||
411 | + | ||
412 | +#ifndef __NR_process_madvise | ||
413 | +# define __NR_process_madvise (FLATPAK_MISSING_SYSCALL_BASE + 440) | ||
414 | +#endif | ||
415 | +#ifndef __SNR_process_madvise | ||
416 | +# define __SNR_process_madvise __NR_process_madvise | ||
417 | +#endif | ||
418 | + | ||
419 | +#ifndef __NR_epoll_pwait2 | ||
420 | +# define __NR_epoll_pwait2 (FLATPAK_MISSING_SYSCALL_BASE + 441) | ||
421 | +#endif | ||
422 | +#ifndef __SNR_epoll_pwait2 | ||
423 | +# define __SNR_epoll_pwait2 __NR_epoll_pwait2 | ||
424 | +#endif | ||
425 | + | ||
426 | +#ifndef __NR_mount_setattr | ||
427 | +# define __NR_mount_setattr (FLATPAK_MISSING_SYSCALL_BASE + 442) | ||
428 | +#endif | ||
429 | +#ifndef __SNR_mount_setattr | ||
430 | +# define __SNR_mount_setattr __NR_mount_setattr | ||
431 | +#endif | ||
432 | + | ||
433 | +#ifndef __NR_quotactl_fd | ||
434 | +# define __NR_quotactl_fd (FLATPAK_MISSING_SYSCALL_BASE + 443) | ||
435 | +#endif | ||
436 | +#ifndef __SNR_quotactl_fd | ||
437 | +# define __SNR_quotactl_fd __NR_quotactl_fd | ||
438 | +#endif | ||
439 | + | ||
440 | +#ifndef __NR_landlock_create_ruleset | ||
441 | +# define __NR_landlock_create_ruleset (FLATPAK_MISSING_SYSCALL_BASE + 444) | ||
442 | +#endif | ||
443 | +#ifndef __SNR_landlock_create_ruleset | ||
444 | +# define __SNR_landlock_create_ruleset __NR_landlock_create_ruleset | ||
445 | +#endif | ||
446 | + | ||
447 | +#ifndef __NR_landlock_add_rule | ||
448 | +# define __NR_landlock_add_rule (FLATPAK_MISSING_SYSCALL_BASE + 445) | ||
449 | +#endif | ||
450 | +#ifndef __SNR_landlock_add_rule | ||
451 | +# define __SNR_landlock_add_rule __NR_landlock_add_rule | ||
452 | +#endif | ||
453 | + | ||
454 | +#ifndef __NR_landlock_restrict_self | ||
455 | +# define __NR_landlock_restrict_self (FLATPAK_MISSING_SYSCALL_BASE + 446) | ||
456 | +#endif | ||
457 | +#ifndef __SNR_landlock_restrict_self | ||
458 | +# define __SNR_landlock_restrict_self __NR_landlock_restrict_self | ||
459 | +#endif | ||
460 | + | ||
461 | +#ifndef __NR_memfd_secret | ||
462 | +# define __NR_memfd_secret (FLATPAK_MISSING_SYSCALL_BASE + 447) | ||
463 | +#endif | ||
464 | +#ifndef __SNR_memfd_secret | ||
465 | +# define __SNR_memfd_secret __NR_memfd_secret | ||
466 | +#endif | ||
467 | + | ||
468 | +// Last updated: Linux 5.14, syscall numbers < 448 | ||
diff --git a/meta/recipes-sato/webkit/webkitgtk_2.30.5.bb b/meta/recipes-sato/webkit/webkitgtk_2.30.5.bb index 88b5056165..93cca20d01 100644 --- a/meta/recipes-sato/webkit/webkitgtk_2.30.5.bb +++ b/meta/recipes-sato/webkit/webkitgtk_2.30.5.bb | |||
@@ -22,6 +22,7 @@ SRC_URI = "https://www.webkitgtk.org/releases/${BPN}-${PV}.tar.xz \ | |||
22 | file://musl-lower-stack-usage.patch \ | 22 | file://musl-lower-stack-usage.patch \ |
23 | file://0001-MiniBrowser-Fix-reproduciblity.patch \ | 23 | file://0001-MiniBrowser-Fix-reproduciblity.patch \ |
24 | file://reproducibility.patch \ | 24 | file://reproducibility.patch \ |
25 | file://CVE-2021-42762.patch \ | ||
25 | " | 26 | " |
26 | 27 | ||
27 | SRC_URI[sha256sum] = "7d0dab08e3c5ae07bec80b2822ef42e952765d5724cac86eb23999bfed5a7f1f" | 28 | SRC_URI[sha256sum] = "7d0dab08e3c5ae07bec80b2822ef42e952765d5724cac86eb23999bfed5a7f1f" |