1 files changed, 468 insertions, 0 deletions
diff --git a/meta/recipes-sato/webkit/webkitgtk/CVE-2021-42762.patch b/meta/recipes-sato/webkit/webkitgtk/CVE-2021-42762.patch
new file mode 100644
index 0000000000..1d012271cb
--- /dev/null
+++ b/meta/recipes-sato/webkit/webkitgtk/CVE-2021-42762.patch
@@ -0,0 +1,468 @@
+Backport and rebase patch to fix CVE-2021-42762 for webkitgtk 2.30.5.
+CVE: CVE-2021-42762
+Upstream-Status: Backport [https://trac.webkit.org/changeset/284451/webkit]
+Ref:
+* https://bugs.webkit.org/show_bug.cgi?id=231479#c8
+Signed-off-by: Kai Kang <kai.kang@windriver.com>
+From 035ac439855c7bef0a4525897f783121e4a6055c Mon Sep 17 00:00:00 2001
+From: Michael Catanzaro <mcatanzaro@gnome.org>
+Date: Tue, 19 Oct 2021 14:27:17 +0000
+Subject: [PATCH] Update seccomp filters with latest changes from flatpak
+ https://bugs.webkit.org/show_bug.cgi?id=231479
+Patch by Michael Catanzaro <mcatanzaro@gnome.org> on 2021-10-19
+Reviewed by Adrian Perez de Castro.
+Additionally, let's fix a minor inconsistency in our error-handling code: all but one of
+our codepaths carefully free and close resources, but the process is about to crash so
+there's not really any reason to do so. The code is slightly simpler if we don't bother.
+The seemingly-extraneous include order changes are required to placate the style checker.
+* UIProcess/Launcher/glib/BubblewrapLauncher.cpp:
+(WebKit::seccompStrerror):
+(WebKit::setupSeccomp):
+* UIProcess/Launcher/glib/Syscalls.h: Added.
+Canonical link: https://commits.webkit.org/243211@main
+git-svn-id: https://svn.webkit.org/repository/webkit/trunk@284451 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+---
+ .../UIProcess/Launcher/glib/BubblewrapLauncher.cpp | 139 +++++++++-----
+ Source/WebKit/UIProcess/Launcher/glib/Syscalls.h   | 200 +++++++++++++++++++++
+ 2 files changed, 293 insertions(+), 46 deletions(-)
+diff --git a/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp b/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp
+index 889388ac..c2f7e502 100644
+--- a/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp
+++ b/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp
+@@ -25,11 +25,18 @@
+ #include <glib.h>
+ #include <seccomp.h>
+ #include <sys/ioctl.h>
+#include <sys/mman.h>
+ #include <wtf/FileSystem.h>
+ #include <wtf/glib/GLibUtilities.h>
+ #include <wtf/glib/GRefPtr.h>
+ #include <wtf/glib/GUniquePtr.h>
+ 
+#if !defined(MFD_ALLOW_SEALING) && HAVE(LINUX_MEMFD_H)
+#include <linux/memfd.h>
+#endif
+
+#include "Syscalls.h"
+
+ #if PLATFORM(GTK)
+ #include "WaylandCompositor.h"
+ #endif
+@@ -40,13 +47,7 @@
+ #define BASE_DIRECTORY "wpe"
+ #endif
+ 
+-#include <sys/mman.h>
+-
+-#ifndef MFD_ALLOW_SEALING
+-
+-#if HAVE(LINUX_MEMFD_H)
+-
+-#include <linux/memfd.h>
+#if !defined(MFD_ALLOW_SEALING) && HAVE(LINUX_MEMFD_H)
+ 
+ // These defines were added in glibc 2.27, the same release that added memfd_create.
+ // But the kernel added all of this in Linux 3.17. So it's totally safe for us to
+@@ -65,9 +66,7 @@ static int memfd_create(const char* name, unsigned flags)
+ {
+     return syscall(__NR_memfd_create, name, flags);
+ }
+-#endif // #if HAVE(LINUX_MEMFD_H)
+-
+-#endif // #ifndef MFD_ALLOW_SEALING
+#endif // #if !defined(MFD_ALLOW_SEALING) && HAVE(LINUX_MEMFD_H)
+ 
+ namespace WebKit {
+ using namespace WebCore;
+@@ -573,6 +572,28 @@ static void bindSymlinksRealPath(Vector<CString>& args, const char* path)
+     }
+ }
+ 
+// Translate a libseccomp error code into an error message. libseccomp
+// mostly returns negative errno values such as -ENOMEM, but some
+// standard errno values are used for non-standard purposes where their
+// strerror() would be misleading.
+static const char* seccompStrerror(int negativeErrno)
+{
+    RELEASE_ASSERT_WITH_MESSAGE(negativeErrno < 0, "Non-negative error value from libseccomp?");
+    RELEASE_ASSERT_WITH_MESSAGE(negativeErrno > INT_MIN, "Out of range error value from libseccomp?");
+
+    switch (negativeErrno) {
+    case -EDOM:
+        return "Architecture-specific failure";
+    case -EFAULT:
+        return "Internal libseccomp failure (unknown syscall?)";
+    case -ECANCELED:
+        return "System failure beyond the control of libseccomp";
+    }
+
+    // e.g. -ENOMEM: the result of strerror() is good enough
+    return g_strerror(-negativeErrno);
+}
+
+ static int setupSeccomp()
+ {
+     // NOTE: This is shared code (flatpak-run.c - LGPLv2.1+)
+@@ -600,6 +621,10 @@ static int setupSeccomp()
+     //    in common/flatpak-run.c
+     //  https://git.gnome.org/browse/linux-user-chroot
+     //    in src/setup-seccomp.c
+    //
+    // Other useful resources:
+    // https://github.com/systemd/systemd/blob/HEAD/src/shared/seccomp-util.c
+    // https://github.com/moby/moby/blob/HEAD/profiles/seccomp/default.json
+ 
+ #if defined(__s390__) || defined(__s390x__) || defined(__CRIS__)
+     // Architectures with CONFIG_CLONE_BACKWARDS2: the child stack
+@@ -613,47 +638,70 @@ static int setupSeccomp()
+     struct scmp_arg_cmp ttyArg = SCMP_A1(SCMP_CMP_MASKED_EQ, 0xFFFFFFFFu, TIOCSTI);
+     struct {
+         int scall;
+        int errnum;
+         struct scmp_arg_cmp* arg;
+     } syscallBlockList[] = {
+         // Block dmesg
+-        { SCMP_SYS(syslog), nullptr },
+        { SCMP_SYS(syslog), EPERM, nullptr },
+         // Useless old syscall.
+-        { SCMP_SYS(uselib), nullptr },
+        { SCMP_SYS(uselib), EPERM, nullptr },
+         // Don't allow disabling accounting.
+-        { SCMP_SYS(acct), nullptr },
+        { SCMP_SYS(acct), EPERM, nullptr },
+         // 16-bit code is unnecessary in the sandbox, and modify_ldt is a
+         // historic source of interesting information leaks.
+-        { SCMP_SYS(modify_ldt), nullptr },
+        { SCMP_SYS(modify_ldt), EPERM, nullptr },
+         // Don't allow reading current quota use.
+-        { SCMP_SYS(quotactl), nullptr },
+        { SCMP_SYS(quotactl), EPERM, nullptr },
+ 
+         // Don't allow access to the kernel keyring.
+-        { SCMP_SYS(add_key), nullptr },
+-        { SCMP_SYS(keyctl), nullptr },
+-        { SCMP_SYS(request_key), nullptr },
+        { SCMP_SYS(add_key), EPERM, nullptr },
+        { SCMP_SYS(keyctl), EPERM, nullptr },
+        { SCMP_SYS(request_key), EPERM, nullptr },
+ 
+         // Scary VM/NUMA ops 
+-        { SCMP_SYS(move_pages), nullptr },
+-        { SCMP_SYS(mbind), nullptr },
+-        { SCMP_SYS(get_mempolicy), nullptr },
+-        { SCMP_SYS(set_mempolicy), nullptr },
+-        { SCMP_SYS(migrate_pages), nullptr },
+        { SCMP_SYS(move_pages), EPERM, nullptr },
+        { SCMP_SYS(mbind), EPERM, nullptr },
+        { SCMP_SYS(get_mempolicy), EPERM, nullptr },
+        { SCMP_SYS(set_mempolicy), EPERM, nullptr },
+        { SCMP_SYS(migrate_pages), EPERM, nullptr },
+ 
+         // Don't allow subnamespace setups:
+-        { SCMP_SYS(unshare), nullptr },
+-        { SCMP_SYS(mount), nullptr },
+-        { SCMP_SYS(pivot_root), nullptr },
+-        { SCMP_SYS(clone), &cloneArg },
+        { SCMP_SYS(unshare), EPERM, nullptr },
+        { SCMP_SYS(setns), EPERM, nullptr },
+        { SCMP_SYS(mount), EPERM, nullptr },
+        { SCMP_SYS(umount), EPERM, nullptr },
+        { SCMP_SYS(umount2), EPERM, nullptr },
+        { SCMP_SYS(pivot_root), EPERM, nullptr },
+        { SCMP_SYS(chroot), EPERM, nullptr },
+        { SCMP_SYS(clone), EPERM, &cloneArg },
+ 
+         // Don't allow faking input to the controlling tty (CVE-2017-5226)
+-        { SCMP_SYS(ioctl), &ttyArg },
+        { SCMP_SYS(ioctl), EPERM, &ttyArg },
+
+        // seccomp can't look into clone3()'s struct clone_args to check whether
+        // the flags are OK, so we have no choice but to block clone3().
+        // Return ENOSYS so user-space will fall back to clone().
+        // (GHSA-67h7-w3jq-vh4q; see also https://github.com/moby/moby/commit/9f6b562d)
+        { SCMP_SYS(clone3), ENOSYS, nullptr },
+
+        // New mount manipulation APIs can also change our VFS. There's no
+        // legitimate reason to do these in the sandbox, so block all of them
+        // rather than thinking about which ones might be dangerous.
+        // (GHSA-67h7-w3jq-vh4q)
+        { SCMP_SYS(open_tree), ENOSYS, nullptr },
+        { SCMP_SYS(move_mount), ENOSYS, nullptr },
+        { SCMP_SYS(fsopen), ENOSYS, nullptr },
+        { SCMP_SYS(fsconfig), ENOSYS, nullptr },
+        { SCMP_SYS(fsmount), ENOSYS, nullptr },
+        { SCMP_SYS(fspick), ENOSYS, nullptr },
+        { SCMP_SYS(mount_setattr), ENOSYS, nullptr },
+ 
+         // Profiling operations; we expect these to be done by tools from outside
+         // the sandbox. In particular perf has been the source of many CVEs.
+-        { SCMP_SYS(perf_event_open), nullptr },
+        { SCMP_SYS(perf_event_open), EPERM, nullptr },
+         // Don't allow you to switch to bsd emulation or whatnot.
+-        { SCMP_SYS(personality), nullptr },
+-        { SCMP_SYS(ptrace), nullptr }
+        { SCMP_SYS(personality), EPERM, nullptr },
+        { SCMP_SYS(ptrace), EPERM, nullptr }
+     };
+ 
+     scmp_filter_ctx seccomp = seccomp_init(SCMP_ACT_ALLOW);
+@@ -661,29 +709,28 @@ static int setupSeccomp()
+         g_error("Failed to init seccomp");
+ 
+     for (auto& rule : syscallBlockList) {
+-        int scall = rule.scall;
+         int r;
+         if (rule.arg)
+-            r = seccomp_rule_add(seccomp, SCMP_ACT_ERRNO(EPERM), scall, 1, *rule.arg);
+            r = seccomp_rule_add(seccomp, SCMP_ACT_ERRNO(rule.errnum), rule.scall, 1, *rule.arg);
+         else
+-            r = seccomp_rule_add(seccomp, SCMP_ACT_ERRNO(EPERM), scall, 0);
+-        if (r == -EFAULT) {
+-            seccomp_release(seccomp);
+-            g_error("Failed to add seccomp rule");
+-        }
+            r = seccomp_rule_add(seccomp, SCMP_ACT_ERRNO(rule.errnum), rule.scall, 0);
+        // EFAULT means "internal libseccomp error", but in practice we get
+        // this for syscall numbers added via Syscalls.h (flatpak-syscalls-private.h)
+        // when trying to filter them on a non-native architecture, because
+        // libseccomp cannot map the syscall number to a name and back to a
+        // number for the non-native architecture.
+        if (r == -EFAULT)
+            g_info("Unable to block syscall %d: syscall not known to libseccomp?", rule.scall);
+        else if (r < 0)
+            g_error("Failed to block syscall %d: %s", rule.scall, seccompStrerror(r));
+     }
+ 
+     int tmpfd = memfd_create("seccomp-bpf", 0);
+-    if (tmpfd == -1) {
+-        seccomp_release(seccomp);
+    if (tmpfd == -1)
+         g_error("Failed to create memfd: %s", g_strerror(errno));
+-    }
+ 
+-    if (seccomp_export_bpf(seccomp, tmpfd)) {
+-        seccomp_release(seccomp);
+-        close(tmpfd);
+-        g_error("Failed to export seccomp bpf");
+-    }
+    if (int r = seccomp_export_bpf(seccomp, tmpfd))
+        g_error("Failed to export seccomp bpf: %s", seccompStrerror(r));
+ 
+     if (lseek(tmpfd, 0, SEEK_SET) < 0)
+         g_error("lseek failed: %s", g_strerror(errno));
+diff --git a/Source/WebKit/UIProcess/Launcher/glib/Syscalls.h b/Source/WebKit/UIProcess/Launcher/glib/Syscalls.h
+new file mode 100644
+index 00000000..18dea9a9
+--- /dev/null
+++ b/Source/WebKit/UIProcess/Launcher/glib/Syscalls.h
+@@ -0,0 +1,200 @@
+/*
+ * Copyright 2021 Collabora Ltd.
+ * SPDX-License-Identifier: LGPL-2.1-or-later
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+// This file is a copy of flatpak-syscalls-private.h, reformatted a bit to placate WebKit's style checker.
+//
+// Upstream is here:
+// https://github.com/flatpak/flatpak/blob/26b12484eb8a6219b9e7aa287b298a894b2f34ca/common/flatpak-syscalls-private.h
+
+#pragma once
+
+#include <sys/syscall.h>
+
+#if defined(_MIPS_SIM)
+# if _MIPS_SIM == _MIPS_SIM_ABI32
+#   define FLATPAK_MISSING_SYSCALL_BASE 4000
+# elif _MIPS_SIM == _MIPS_SIM_ABI64
+#   define FLATPAK_MISSING_SYSCALL_BASE 5000
+# elif _MIPS_SIM == _MIPS_SIM_NABI32
+#   define FLATPAK_MISSING_SYSCALL_BASE 6000
+# else
+#   error "Unknown MIPS ABI"
+# endif
+#endif
+
+#if defined(__ia64__)
+# define FLATPAK_MISSING_SYSCALL_BASE 1024
+#endif
+
+#if defined(__alpha__)
+# define FLATPAK_MISSING_SYSCALL_BASE 110
+#endif
+
+#if defined(__x86_64__) && defined(__ILP32__)
+# define FLATPAK_MISSING_SYSCALL_BASE 0x40000000
+#endif
+
+// FLATPAK_MISSING_SYSCALL_BASE:
+//
+// Number to add to the syscall numbers of recently-added syscalls
+// to get the appropriate syscall for the current ABI.
+#ifndef FLATPAK_MISSING_SYSCALL_BASE
+# define FLATPAK_MISSING_SYSCALL_BASE 0
+#endif
+
+#ifndef __NR_open_tree
+# define __NR_open_tree (FLATPAK_MISSING_SYSCALL_BASE + 428)
+#endif
+#ifndef __SNR_open_tree
+# define __SNR_open_tree __NR_open_tree
+#endif
+
+#ifndef __NR_move_mount
+# define __NR_move_mount (FLATPAK_MISSING_SYSCALL_BASE + 429)
+#endif
+#ifndef __SNR_move_mount
+# define __SNR_move_mount __NR_move_mount
+#endif
+
+#ifndef __NR_fsopen
+# define __NR_fsopen (FLATPAK_MISSING_SYSCALL_BASE + 430)
+#endif
+#ifndef __SNR_fsopen
+# define __SNR_fsopen __NR_fsopen
+#endif
+
+#ifndef __NR_fsconfig
+# define __NR_fsconfig (FLATPAK_MISSING_SYSCALL_BASE + 431)
+#endif
+#ifndef __SNR_fsconfig
+# define __SNR_fsconfig __NR_fsconfig
+#endif
+
+#ifndef __NR_fsmount
+# define __NR_fsmount (FLATPAK_MISSING_SYSCALL_BASE + 432)
+#endif
+#ifndef __SNR_fsmount
+# define __SNR_fsmount __NR_fsmount
+#endif
+
+#ifndef __NR_fspick
+# define __NR_fspick (FLATPAK_MISSING_SYSCALL_BASE + 433)
+#endif
+#ifndef __SNR_fspick
+# define __SNR_fspick __NR_fspick
+#endif
+
+#ifndef __NR_pidfd_open
+# define __NR_pidfd_open (FLATPAK_MISSING_SYSCALL_BASE + 434)
+#endif
+#ifndef __SNR_pidfd_open
+# define __SNR_pidfd_open __NR_pidfd_open
+#endif
+
+#ifndef __NR_clone3
+# define __NR_clone3 (FLATPAK_MISSING_SYSCALL_BASE + 435)
+#endif
+#ifndef __SNR_clone3
+# define __SNR_clone3 __NR_clone3
+#endif
+
+#ifndef __NR_close_range
+# define __NR_close_range (FLATPAK_MISSING_SYSCALL_BASE + 436)
+#endif
+#ifndef __SNR_close_range
+# define __SNR_close_range __NR_close_range
+#endif
+
+#ifndef __NR_openat2
+# define __NR_openat2 (FLATPAK_MISSING_SYSCALL_BASE + 437)
+#endif
+#ifndef __SNR_openat2
+# define __SNR_openat2 __NR_openat2
+#endif
+
+#ifndef __NR_pidfd_getfd
+# define __NR_pidfd_getfd (FLATPAK_MISSING_SYSCALL_BASE + 438)
+#endif
+#ifndef __SNR_pidfd_getfd
+# define __SNR_pidfd_getfd __NR_pidfd_getfd
+#endif
+
+#ifndef __NR_faccessat2
+# define __NR_faccessat2 (FLATPAK_MISSING_SYSCALL_BASE + 439)
+#endif
+#ifndef __SNR_faccessat2
+# define __SNR_faccessat2 __NR_faccessat2
+#endif
+
+#ifndef __NR_process_madvise
+# define __NR_process_madvise (FLATPAK_MISSING_SYSCALL_BASE + 440)
+#endif
+#ifndef __SNR_process_madvise
+# define __SNR_process_madvise __NR_process_madvise
+#endif
+
+#ifndef __NR_epoll_pwait2
+# define __NR_epoll_pwait2 (FLATPAK_MISSING_SYSCALL_BASE + 441)
+#endif
+#ifndef __SNR_epoll_pwait2
+# define __SNR_epoll_pwait2 __NR_epoll_pwait2
+#endif
+
+#ifndef __NR_mount_setattr
+# define __NR_mount_setattr (FLATPAK_MISSING_SYSCALL_BASE + 442)
+#endif
+#ifndef __SNR_mount_setattr
+# define __SNR_mount_setattr __NR_mount_setattr
+#endif
+
+#ifndef __NR_quotactl_fd
+# define __NR_quotactl_fd (FLATPAK_MISSING_SYSCALL_BASE + 443)
+#endif
+#ifndef __SNR_quotactl_fd
+# define __SNR_quotactl_fd __NR_quotactl_fd
+#endif
+
+#ifndef __NR_landlock_create_ruleset
+# define __NR_landlock_create_ruleset (FLATPAK_MISSING_SYSCALL_BASE + 444)
+#endif
+#ifndef __SNR_landlock_create_ruleset
+# define __SNR_landlock_create_ruleset __NR_landlock_create_ruleset
+#endif
+
+#ifndef __NR_landlock_add_rule
+# define __NR_landlock_add_rule (FLATPAK_MISSING_SYSCALL_BASE + 445)
+#endif
+#ifndef __SNR_landlock_add_rule
+# define __SNR_landlock_add_rule __NR_landlock_add_rule
+#endif
+
+#ifndef __NR_landlock_restrict_self
+# define __NR_landlock_restrict_self (FLATPAK_MISSING_SYSCALL_BASE + 446)
+#endif
+#ifndef __SNR_landlock_restrict_self
+# define __SNR_landlock_restrict_self __NR_landlock_restrict_self
+#endif
+
+#ifndef __NR_memfd_secret
+# define __NR_memfd_secret (FLATPAK_MISSING_SYSCALL_BASE + 447)
+#endif
+#ifndef __SNR_memfd_secret
+# define __SNR_memfd_secret __NR_memfd_secret
+#endif
+
+// Last updated: Linux 5.14, syscall numbers < 448

diff --git a/meta/recipes-sato/webkit/webkitgtk/CVE-2021-42762.patch b/meta/recipes-sato/webkit/webkitgtk/CVE-2021-42762.patch new file mode 100644 index 0000000000..1d012271cb --- /dev/null +++ b/meta/recipes-sato/webkit/webkitgtk/CVE-2021-42762.patch
@@ -0,0 +1,468 @@
	1	Backport and rebase patch to fix CVE-2021-42762 for webkitgtk 2.30.5.
	2
	3	CVE: CVE-2021-42762
	4	Upstream-Status: Backport [https://trac.webkit.org/changeset/284451/webkit]
	5
	6	Ref:
	7	* https://bugs.webkit.org/show_bug.cgi?id=231479#c8
	8
	9	Signed-off-by: Kai Kang <kai.kang@windriver.com>
	10
	11	From 035ac439855c7bef0a4525897f783121e4a6055c Mon Sep 17 00:00:00 2001
	12	From: Michael Catanzaro <mcatanzaro@gnome.org>
	13	Date: Tue, 19 Oct 2021 14:27:17 +0000
	14	Subject: [PATCH] Update seccomp filters with latest changes from flatpak
	15	https://bugs.webkit.org/show_bug.cgi?id=231479
	16
	17	Patch by Michael Catanzaro <mcatanzaro@gnome.org> on 2021-10-19
	18	Reviewed by Adrian Perez de Castro.
	19
	20	Additionally, let's fix a minor inconsistency in our error-handling code: all but one of
	21	our codepaths carefully free and close resources, but the process is about to crash so
	22	there's not really any reason to do so. The code is slightly simpler if we don't bother.
	23
	24	The seemingly-extraneous include order changes are required to placate the style checker.
	25
	26	* UIProcess/Launcher/glib/BubblewrapLauncher.cpp:
	27	(WebKit::seccompStrerror):
	28	(WebKit::setupSeccomp):
	29	* UIProcess/Launcher/glib/Syscalls.h: Added.
	30
	31	Canonical link: https://commits.webkit.org/243211@main
	32	git-svn-id: https://svn.webkit.org/repository/webkit/trunk@284451 268f45cc-cd09-0410-ab3c-d52691b4dbfc
	33	---
	34	.../UIProcess/Launcher/glib/BubblewrapLauncher.cpp \| 139 +++++++++-----
	35	Source/WebKit/UIProcess/Launcher/glib/Syscalls.h \| 200 +++++++++++++++++++++
	36	2 files changed, 293 insertions(+), 46 deletions(-)
	37
	38	diff --git a/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp b/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp
	39	index 889388ac..c2f7e502 100644
	40	--- a/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp
	41	+++ b/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp
	42	@@ -25,11 +25,18 @@
	43	#include <glib.h>
	44	#include <seccomp.h>
	45	#include <sys/ioctl.h>
	46	+#include <sys/mman.h>
	47	#include <wtf/FileSystem.h>
	48	#include <wtf/glib/GLibUtilities.h>
	49	#include <wtf/glib/GRefPtr.h>
	50	#include <wtf/glib/GUniquePtr.h>
	51
	52	+#if !defined(MFD_ALLOW_SEALING) && HAVE(LINUX_MEMFD_H)
	53	+#include <linux/memfd.h>
	54	+#endif
	55	+
	56	+#include "Syscalls.h"
	57	+
	58	#if PLATFORM(GTK)
	59	#include "WaylandCompositor.h"
	60	#endif
	61	@@ -40,13 +47,7 @@
	62	#define BASE_DIRECTORY "wpe"
	63	#endif
	64
	65	-#include <sys/mman.h>
	66	-
	67	-#ifndef MFD_ALLOW_SEALING
	68	-
	69	-#if HAVE(LINUX_MEMFD_H)
	70	-
	71	-#include <linux/memfd.h>
	72	+#if !defined(MFD_ALLOW_SEALING) && HAVE(LINUX_MEMFD_H)
	73
	74	// These defines were added in glibc 2.27, the same release that added memfd_create.
	75	// But the kernel added all of this in Linux 3.17. So it's totally safe for us to
	76	@@ -65,9 +66,7 @@ static int memfd_create(const char* name, unsigned flags)
	77	{
	78	return syscall(__NR_memfd_create, name, flags);
	79	}
	80	-#endif // #if HAVE(LINUX_MEMFD_H)
	81	-
	82	-#endif // #ifndef MFD_ALLOW_SEALING
	83	+#endif // #if !defined(MFD_ALLOW_SEALING) && HAVE(LINUX_MEMFD_H)
	84
	85	namespace WebKit {
	86	using namespace WebCore;
	87	@@ -573,6 +572,28 @@ static void bindSymlinksRealPath(Vector<CString>& args, const char* path)
	88	}
	89	}
	90
	91	+// Translate a libseccomp error code into an error message. libseccomp
	92	+// mostly returns negative errno values such as -ENOMEM, but some
	93	+// standard errno values are used for non-standard purposes where their
	94	+// strerror() would be misleading.
	95	+static const char* seccompStrerror(int negativeErrno)
	96	+{
	97	+ RELEASE_ASSERT_WITH_MESSAGE(negativeErrno < 0, "Non-negative error value from libseccomp?");
	98	+ RELEASE_ASSERT_WITH_MESSAGE(negativeErrno > INT_MIN, "Out of range error value from libseccomp?");
	99	+
	100	+ switch (negativeErrno) {
	101	+ case -EDOM:
	102	+ return "Architecture-specific failure";
	103	+ case -EFAULT:
	104	+ return "Internal libseccomp failure (unknown syscall?)";
	105	+ case -ECANCELED:
	106	+ return "System failure beyond the control of libseccomp";
	107	+ }
	108	+
	109	+ // e.g. -ENOMEM: the result of strerror() is good enough
	110	+ return g_strerror(-negativeErrno);
	111	+}
	112	+
	113	static int setupSeccomp()
	114	{
	115	// NOTE: This is shared code (flatpak-run.c - LGPLv2.1+)
	116	@@ -600,6 +621,10 @@ static int setupSeccomp()
	117	// in common/flatpak-run.c
	118	// https://git.gnome.org/browse/linux-user-chroot
	119	// in src/setup-seccomp.c
	120	+ //
	121	+ // Other useful resources:
	122	+ // https://github.com/systemd/systemd/blob/HEAD/src/shared/seccomp-util.c
	123	+ // https://github.com/moby/moby/blob/HEAD/profiles/seccomp/default.json
	124
	125	#if defined(__s390__) \|\| defined(__s390x__) \|\| defined(__CRIS__)
	126	// Architectures with CONFIG_CLONE_BACKWARDS2: the child stack
	127	@@ -613,47 +638,70 @@ static int setupSeccomp()
	128	struct scmp_arg_cmp ttyArg = SCMP_A1(SCMP_CMP_MASKED_EQ, 0xFFFFFFFFu, TIOCSTI);
	129	struct {
	130	int scall;
	131	+ int errnum;
	132	struct scmp_arg_cmp* arg;
	133	} syscallBlockList[] = {
	134	// Block dmesg
	135	- { SCMP_SYS(syslog), nullptr },
	136	+ { SCMP_SYS(syslog), EPERM, nullptr },
	137	// Useless old syscall.
	138	- { SCMP_SYS(uselib), nullptr },
	139	+ { SCMP_SYS(uselib), EPERM, nullptr },
	140	// Don't allow disabling accounting.
	141	- { SCMP_SYS(acct), nullptr },
	142	+ { SCMP_SYS(acct), EPERM, nullptr },
	143	// 16-bit code is unnecessary in the sandbox, and modify_ldt is a
	144	// historic source of interesting information leaks.
	145	- { SCMP_SYS(modify_ldt), nullptr },
	146	+ { SCMP_SYS(modify_ldt), EPERM, nullptr },
	147	// Don't allow reading current quota use.
	148	- { SCMP_SYS(quotactl), nullptr },
	149	+ { SCMP_SYS(quotactl), EPERM, nullptr },
	150
	151	// Don't allow access to the kernel keyring.
	152	- { SCMP_SYS(add_key), nullptr },
	153	- { SCMP_SYS(keyctl), nullptr },
	154	- { SCMP_SYS(request_key), nullptr },
	155	+ { SCMP_SYS(add_key), EPERM, nullptr },
	156	+ { SCMP_SYS(keyctl), EPERM, nullptr },
	157	+ { SCMP_SYS(request_key), EPERM, nullptr },
	158
	159	// Scary VM/NUMA ops
	160	- { SCMP_SYS(move_pages), nullptr },
	161	- { SCMP_SYS(mbind), nullptr },
	162	- { SCMP_SYS(get_mempolicy), nullptr },
	163	- { SCMP_SYS(set_mempolicy), nullptr },
	164	- { SCMP_SYS(migrate_pages), nullptr },
	165	+ { SCMP_SYS(move_pages), EPERM, nullptr },
	166	+ { SCMP_SYS(mbind), EPERM, nullptr },
	167	+ { SCMP_SYS(get_mempolicy), EPERM, nullptr },
	168	+ { SCMP_SYS(set_mempolicy), EPERM, nullptr },
	169	+ { SCMP_SYS(migrate_pages), EPERM, nullptr },
	170
	171	// Don't allow subnamespace setups:
	172	- { SCMP_SYS(unshare), nullptr },
	173	- { SCMP_SYS(mount), nullptr },
	174	- { SCMP_SYS(pivot_root), nullptr },
	175	- { SCMP_SYS(clone), &cloneArg },
	176	+ { SCMP_SYS(unshare), EPERM, nullptr },
	177	+ { SCMP_SYS(setns), EPERM, nullptr },
	178	+ { SCMP_SYS(mount), EPERM, nullptr },
	179	+ { SCMP_SYS(umount), EPERM, nullptr },
	180	+ { SCMP_SYS(umount2), EPERM, nullptr },
	181	+ { SCMP_SYS(pivot_root), EPERM, nullptr },
	182	+ { SCMP_SYS(chroot), EPERM, nullptr },
	183	+ { SCMP_SYS(clone), EPERM, &cloneArg },
	184
	185	// Don't allow faking input to the controlling tty (CVE-2017-5226)
	186	- { SCMP_SYS(ioctl), &ttyArg },
	187	+ { SCMP_SYS(ioctl), EPERM, &ttyArg },
	188	+
	189	+ // seccomp can't look into clone3()'s struct clone_args to check whether
	190	+ // the flags are OK, so we have no choice but to block clone3().
	191	+ // Return ENOSYS so user-space will fall back to clone().
	192	+ // (GHSA-67h7-w3jq-vh4q; see also https://github.com/moby/moby/commit/9f6b562d)
	193	+ { SCMP_SYS(clone3), ENOSYS, nullptr },
	194	+
	195	+ // New mount manipulation APIs can also change our VFS. There's no
	196	+ // legitimate reason to do these in the sandbox, so block all of them
	197	+ // rather than thinking about which ones might be dangerous.
	198	+ // (GHSA-67h7-w3jq-vh4q)
	199	+ { SCMP_SYS(open_tree), ENOSYS, nullptr },
	200	+ { SCMP_SYS(move_mount), ENOSYS, nullptr },
	201	+ { SCMP_SYS(fsopen), ENOSYS, nullptr },
	202	+ { SCMP_SYS(fsconfig), ENOSYS, nullptr },
	203	+ { SCMP_SYS(fsmount), ENOSYS, nullptr },
	204	+ { SCMP_SYS(fspick), ENOSYS, nullptr },
	205	+ { SCMP_SYS(mount_setattr), ENOSYS, nullptr },
	206
	207	// Profiling operations; we expect these to be done by tools from outside
	208	// the sandbox. In particular perf has been the source of many CVEs.
	209	- { SCMP_SYS(perf_event_open), nullptr },
	210	+ { SCMP_SYS(perf_event_open), EPERM, nullptr },
	211	// Don't allow you to switch to bsd emulation or whatnot.
	212	- { SCMP_SYS(personality), nullptr },
	213	- { SCMP_SYS(ptrace), nullptr }
	214	+ { SCMP_SYS(personality), EPERM, nullptr },
	215	+ { SCMP_SYS(ptrace), EPERM, nullptr }
	216	};
	217
	218	scmp_filter_ctx seccomp = seccomp_init(SCMP_ACT_ALLOW);
	219	@@ -661,29 +709,28 @@ static int setupSeccomp()
	220	g_error("Failed to init seccomp");
	221
	222	for (auto& rule : syscallBlockList) {
	223	- int scall = rule.scall;
	224	int r;
	225	if (rule.arg)
	226	- r = seccomp_rule_add(seccomp, SCMP_ACT_ERRNO(EPERM), scall, 1, *rule.arg);
	227	+ r = seccomp_rule_add(seccomp, SCMP_ACT_ERRNO(rule.errnum), rule.scall, 1, *rule.arg);
	228	else
	229	- r = seccomp_rule_add(seccomp, SCMP_ACT_ERRNO(EPERM), scall, 0);
	230	- if (r == -EFAULT) {
	231	- seccomp_release(seccomp);
	232	- g_error("Failed to add seccomp rule");
	233	- }
	234	+ r = seccomp_rule_add(seccomp, SCMP_ACT_ERRNO(rule.errnum), rule.scall, 0);
	235	+ // EFAULT means "internal libseccomp error", but in practice we get
	236	+ // this for syscall numbers added via Syscalls.h (flatpak-syscalls-private.h)
	237	+ // when trying to filter them on a non-native architecture, because
	238	+ // libseccomp cannot map the syscall number to a name and back to a
	239	+ // number for the non-native architecture.
	240	+ if (r == -EFAULT)
	241	+ g_info("Unable to block syscall %d: syscall not known to libseccomp?", rule.scall);
	242	+ else if (r < 0)
	243	+ g_error("Failed to block syscall %d: %s", rule.scall, seccompStrerror(r));
	244	}
	245
	246	int tmpfd = memfd_create("seccomp-bpf", 0);
	247	- if (tmpfd == -1) {
	248	- seccomp_release(seccomp);
	249	+ if (tmpfd == -1)
	250	g_error("Failed to create memfd: %s", g_strerror(errno));
	251	- }
	252
	253	- if (seccomp_export_bpf(seccomp, tmpfd)) {
	254	- seccomp_release(seccomp);
	255	- close(tmpfd);
	256	- g_error("Failed to export seccomp bpf");
	257	- }
	258	+ if (int r = seccomp_export_bpf(seccomp, tmpfd))
	259	+ g_error("Failed to export seccomp bpf: %s", seccompStrerror(r));
	260
	261	if (lseek(tmpfd, 0, SEEK_SET) < 0)
	262	g_error("lseek failed: %s", g_strerror(errno));
	263	diff --git a/Source/WebKit/UIProcess/Launcher/glib/Syscalls.h b/Source/WebKit/UIProcess/Launcher/glib/Syscalls.h
	264	new file mode 100644
	265	index 00000000..18dea9a9
	266	--- /dev/null
	267	+++ b/Source/WebKit/UIProcess/Launcher/glib/Syscalls.h
	268	@@ -0,0 +1,200 @@
	269	+/*
	270	+ * Copyright 2021 Collabora Ltd.
	271	+ * SPDX-License-Identifier: LGPL-2.1-or-later
	272	+ *
	273	+ * This program is free software; you can redistribute it and/or
	274	+ * modify it under the terms of the GNU Lesser General Public
	275	+ * License as published by the Free Software Foundation; either
	276	+ * version 2.1 of the License, or (at your option) any later version.
	277	+ *
	278	+ * This library is distributed in the hope that it will be useful,
	279	+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
	280	+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
	281	+ * Lesser General Public License for more details.
	282	+ *
	283	+ * You should have received a copy of the GNU Lesser General Public
	284	+ * License along with this library. If not, see <http://www.gnu.org/licenses/>.
	285	+ */
	286	+
	287	+// This file is a copy of flatpak-syscalls-private.h, reformatted a bit to placate WebKit's style checker.
	288	+//
	289	+// Upstream is here:
	290	+// https://github.com/flatpak/flatpak/blob/26b12484eb8a6219b9e7aa287b298a894b2f34ca/common/flatpak-syscalls-private.h
	291	+
	292	+#pragma once
	293	+
	294	+#include <sys/syscall.h>
	295	+
	296	+#if defined(_MIPS_SIM)
	297	+# if _MIPS_SIM == _MIPS_SIM_ABI32
	298	+# define FLATPAK_MISSING_SYSCALL_BASE 4000
	299	+# elif _MIPS_SIM == _MIPS_SIM_ABI64
	300	+# define FLATPAK_MISSING_SYSCALL_BASE 5000
	301	+# elif _MIPS_SIM == _MIPS_SIM_NABI32
	302	+# define FLATPAK_MISSING_SYSCALL_BASE 6000
	303	+# else
	304	+# error "Unknown MIPS ABI"
	305	+# endif
	306	+#endif
	307	+
	308	+#if defined(__ia64__)
	309	+# define FLATPAK_MISSING_SYSCALL_BASE 1024
	310	+#endif
	311	+
	312	+#if defined(__alpha__)
	313	+# define FLATPAK_MISSING_SYSCALL_BASE 110
	314	+#endif
	315	+
	316	+#if defined(__x86_64__) && defined(__ILP32__)
	317	+# define FLATPAK_MISSING_SYSCALL_BASE 0x40000000
	318	+#endif
	319	+
	320	+// FLATPAK_MISSING_SYSCALL_BASE:
	321	+//
	322	+// Number to add to the syscall numbers of recently-added syscalls
	323	+// to get the appropriate syscall for the current ABI.
	324	+#ifndef FLATPAK_MISSING_SYSCALL_BASE
	325	+# define FLATPAK_MISSING_SYSCALL_BASE 0
	326	+#endif
	327	+
	328	+#ifndef __NR_open_tree
	329	+# define __NR_open_tree (FLATPAK_MISSING_SYSCALL_BASE + 428)
	330	+#endif
	331	+#ifndef __SNR_open_tree
	332	+# define __SNR_open_tree __NR_open_tree
	333	+#endif
	334	+
	335	+#ifndef __NR_move_mount
	336	+# define __NR_move_mount (FLATPAK_MISSING_SYSCALL_BASE + 429)
	337	+#endif
	338	+#ifndef __SNR_move_mount
	339	+# define __SNR_move_mount __NR_move_mount
	340	+#endif
	341	+
	342	+#ifndef __NR_fsopen
	343	+# define __NR_fsopen (FLATPAK_MISSING_SYSCALL_BASE + 430)
	344	+#endif
	345	+#ifndef __SNR_fsopen
	346	+# define __SNR_fsopen __NR_fsopen
	347	+#endif
	348	+
	349	+#ifndef __NR_fsconfig
	350	+# define __NR_fsconfig (FLATPAK_MISSING_SYSCALL_BASE + 431)
	351	+#endif
	352	+#ifndef __SNR_fsconfig
	353	+# define __SNR_fsconfig __NR_fsconfig
	354	+#endif
	355	+
	356	+#ifndef __NR_fsmount
	357	+# define __NR_fsmount (FLATPAK_MISSING_SYSCALL_BASE + 432)
	358	+#endif
	359	+#ifndef __SNR_fsmount
	360	+# define __SNR_fsmount __NR_fsmount
	361	+#endif
	362	+
	363	+#ifndef __NR_fspick
	364	+# define __NR_fspick (FLATPAK_MISSING_SYSCALL_BASE + 433)
	365	+#endif
	366	+#ifndef __SNR_fspick
	367	+# define __SNR_fspick __NR_fspick
	368	+#endif
	369	+
	370	+#ifndef __NR_pidfd_open
	371	+# define __NR_pidfd_open (FLATPAK_MISSING_SYSCALL_BASE + 434)
	372	+#endif
	373	+#ifndef __SNR_pidfd_open
	374	+# define __SNR_pidfd_open __NR_pidfd_open
	375	+#endif
	376	+
	377	+#ifndef __NR_clone3
	378	+# define __NR_clone3 (FLATPAK_MISSING_SYSCALL_BASE + 435)
	379	+#endif
	380	+#ifndef __SNR_clone3
	381	+# define __SNR_clone3 __NR_clone3
	382	+#endif
	383	+
	384	+#ifndef __NR_close_range
	385	+# define __NR_close_range (FLATPAK_MISSING_SYSCALL_BASE + 436)
	386	+#endif
	387	+#ifndef __SNR_close_range
	388	+# define __SNR_close_range __NR_close_range
	389	+#endif
	390	+
	391	+#ifndef __NR_openat2
	392	+# define __NR_openat2 (FLATPAK_MISSING_SYSCALL_BASE + 437)
	393	+#endif
	394	+#ifndef __SNR_openat2
	395	+# define __SNR_openat2 __NR_openat2
	396	+#endif
	397	+
	398	+#ifndef __NR_pidfd_getfd
	399	+# define __NR_pidfd_getfd (FLATPAK_MISSING_SYSCALL_BASE + 438)
	400	+#endif
	401	+#ifndef __SNR_pidfd_getfd
	402	+# define __SNR_pidfd_getfd __NR_pidfd_getfd
	403	+#endif
	404	+
	405	+#ifndef __NR_faccessat2
	406	+# define __NR_faccessat2 (FLATPAK_MISSING_SYSCALL_BASE + 439)
	407	+#endif
	408	+#ifndef __SNR_faccessat2
	409	+# define __SNR_faccessat2 __NR_faccessat2
	410	+#endif
	411	+
	412	+#ifndef __NR_process_madvise
	413	+# define __NR_process_madvise (FLATPAK_MISSING_SYSCALL_BASE + 440)
	414	+#endif
	415	+#ifndef __SNR_process_madvise
	416	+# define __SNR_process_madvise __NR_process_madvise
	417	+#endif
	418	+
	419	+#ifndef __NR_epoll_pwait2
	420	+# define __NR_epoll_pwait2 (FLATPAK_MISSING_SYSCALL_BASE + 441)
	421	+#endif
	422	+#ifndef __SNR_epoll_pwait2
	423	+# define __SNR_epoll_pwait2 __NR_epoll_pwait2
	424	+#endif
	425	+
	426	+#ifndef __NR_mount_setattr
	427	+# define __NR_mount_setattr (FLATPAK_MISSING_SYSCALL_BASE + 442)
	428	+#endif
	429	+#ifndef __SNR_mount_setattr
	430	+# define __SNR_mount_setattr __NR_mount_setattr
	431	+#endif
	432	+
	433	+#ifndef __NR_quotactl_fd
	434	+# define __NR_quotactl_fd (FLATPAK_MISSING_SYSCALL_BASE + 443)
	435	+#endif
	436	+#ifndef __SNR_quotactl_fd
	437	+# define __SNR_quotactl_fd __NR_quotactl_fd
	438	+#endif
	439	+
	440	+#ifndef __NR_landlock_create_ruleset
	441	+# define __NR_landlock_create_ruleset (FLATPAK_MISSING_SYSCALL_BASE + 444)
	442	+#endif
	443	+#ifndef __SNR_landlock_create_ruleset
	444	+# define __SNR_landlock_create_ruleset __NR_landlock_create_ruleset
	445	+#endif
	446	+
	447	+#ifndef __NR_landlock_add_rule
	448	+# define __NR_landlock_add_rule (FLATPAK_MISSING_SYSCALL_BASE + 445)
	449	+#endif
	450	+#ifndef __SNR_landlock_add_rule
	451	+# define __SNR_landlock_add_rule __NR_landlock_add_rule
	452	+#endif
	453	+
	454	+#ifndef __NR_landlock_restrict_self
	455	+# define __NR_landlock_restrict_self (FLATPAK_MISSING_SYSCALL_BASE + 446)
	456	+#endif
	457	+#ifndef __SNR_landlock_restrict_self
	458	+# define __SNR_landlock_restrict_self __NR_landlock_restrict_self
	459	+#endif
	460	+
	461	+#ifndef __NR_memfd_secret
	462	+# define __NR_memfd_secret (FLATPAK_MISSING_SYSCALL_BASE + 447)
	463	+#endif
	464	+#ifndef __SNR_memfd_secret
	465	+# define __SNR_memfd_secret __NR_memfd_secret
	466	+#endif
	467	+
	468	+// Last updated: Linux 5.14, syscall numbers < 448