summaryrefslogtreecommitdiffstats
path: root/security/sandbox
diff options
context:
space:
mode:
Diffstat (limited to 'security/sandbox')
-rw-r--r--security/sandbox/chromium-shim/patches/with_update/chromium_syscalls_6_8_update.patch469
-rwxr-xr-xsecurity/sandbox/chromium-shim/patches/with_update/patch_order.txt1
-rw-r--r--security/sandbox/chromium/sandbox/linux/system_headers/arm64_linux_syscalls.h90
-rw-r--r--security/sandbox/chromium/sandbox/linux/system_headers/arm_linux_syscalls.h90
-rw-r--r--security/sandbox/chromium/sandbox/linux/system_headers/x86_32_linux_syscalls.h94
-rw-r--r--security/sandbox/chromium/sandbox/linux/system_headers/x86_64_linux_syscalls.h94
-rw-r--r--security/sandbox/linux/SandboxFilterUtil.h7
-rw-r--r--security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp5
8 files changed, 840 insertions, 10 deletions
diff --git a/security/sandbox/chromium-shim/patches/with_update/chromium_syscalls_6_8_update.patch b/security/sandbox/chromium-shim/patches/with_update/chromium_syscalls_6_8_update.patch
new file mode 100644
index 0000000000..834a9b2b5e
--- /dev/null
+++ b/security/sandbox/chromium-shim/patches/with_update/chromium_syscalls_6_8_update.patch
@@ -0,0 +1,469 @@
+commit 142d1560cb5d65b66a4c0c6f427fa2f04150245f
+Author: Jed Davis <jld@mozilla.com>
+Date: Wed Apr 17 13:52:26 2024 -0700
+
+ Bug 1889045 - Update Linux sandbox syscall defs to v6.8
+
+diff --git a/security/sandbox/chromium/sandbox/linux/system_headers/arm64_linux_syscalls.h b/security/sandbox/chromium/sandbox/linux/system_headers/arm64_linux_syscalls.h
+index 2224d324383f7..b8efe0da2f897 100644
+--- a/security/sandbox/chromium/sandbox/linux/system_headers/arm64_linux_syscalls.h
++++ b/security/sandbox/chromium/sandbox/linux/system_headers/arm64_linux_syscalls.h
+@@ -3,7 +3,7 @@
+ // found in the LICENSE file.
+
+ /* Constructed by running:
+- * curl -vsSL https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/plain/include/uapi/asm-generic/unistd.h?h=v5.8
++ * curl -vsSL https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/plain/include/uapi/asm-generic/unistd.h?h=v6.8
+ * | gcc -D__BITS_PER_LONG=64 -D__ARCH_WANT_STAT64 -D__ARCH_WANT_SET_GET_RLIMIT -D__ARCH_WANT_SYS_CLONE3 -D__ARCH_WANT_RENAMEAT -E -dD -
+ * | grep __NR | grep -vE '__NR_arch_specific_syscall|__NR_syscalls' | sort -n -k 3 | sed -e 's/__NR3264/__NR/g'
+ * | awk '{ if ($2 != $3) { print "#if !defined(" $2 ")\n#define " $2 " " $3 "\n#endif\n"; } }
+@@ -1182,6 +1182,10 @@
+ #define __NR_clone3 435
+ #endif
+
++#if !defined(__NR_close_range)
++#define __NR_close_range 436
++#endif
++
+ #if !defined(__NR_openat2)
+ #define __NR_openat2 437
+ #endif
+@@ -1194,4 +1198,88 @@
+ #define __NR_faccessat2 439
+ #endif
+
++#if !defined(__NR_process_madvise)
++#define __NR_process_madvise 440
++#endif
++
++#if !defined(__NR_epoll_pwait2)
++#define __NR_epoll_pwait2 441
++#endif
++
++#if !defined(__NR_mount_setattr)
++#define __NR_mount_setattr 442
++#endif
++
++#if !defined(__NR_quotactl_fd)
++#define __NR_quotactl_fd 443
++#endif
++
++#if !defined(__NR_landlock_create_ruleset)
++#define __NR_landlock_create_ruleset 444
++#endif
++
++#if !defined(__NR_landlock_add_rule)
++#define __NR_landlock_add_rule 445
++#endif
++
++#if !defined(__NR_landlock_restrict_self)
++#define __NR_landlock_restrict_self 446
++#endif
++
++#if !defined(__NR_process_mrelease)
++#define __NR_process_mrelease 448
++#endif
++
++#if !defined(__NR_futex_waitv)
++#define __NR_futex_waitv 449
++#endif
++
++#if !defined(__NR_set_mempolicy_home_node)
++#define __NR_set_mempolicy_home_node 450
++#endif
++
++#if !defined(__NR_cachestat)
++#define __NR_cachestat 451
++#endif
++
++#if !defined(__NR_fchmodat2)
++#define __NR_fchmodat2 452
++#endif
++
++#if !defined(__NR_map_shadow_stack)
++#define __NR_map_shadow_stack 453
++#endif
++
++#if !defined(__NR_futex_wake)
++#define __NR_futex_wake 454
++#endif
++
++#if !defined(__NR_futex_wait)
++#define __NR_futex_wait 455
++#endif
++
++#if !defined(__NR_futex_requeue)
++#define __NR_futex_requeue 456
++#endif
++
++#if !defined(__NR_statmount)
++#define __NR_statmount 457
++#endif
++
++#if !defined(__NR_listmount)
++#define __NR_listmount 458
++#endif
++
++#if !defined(__NR_lsm_get_self_attr)
++#define __NR_lsm_get_self_attr 459
++#endif
++
++#if !defined(__NR_lsm_set_self_attr)
++#define __NR_lsm_set_self_attr 460
++#endif
++
++#if !defined(__NR_lsm_list_modules)
++#define __NR_lsm_list_modules 461
++#endif
++
+ #endif // SANDBOX_LINUX_SYSTEM_HEADERS_ARM64_LINUX_SYSCALLS_H_
+diff --git a/security/sandbox/chromium/sandbox/linux/system_headers/arm_linux_syscalls.h b/security/sandbox/chromium/sandbox/linux/system_headers/arm_linux_syscalls.h
+index 5b7f4e511a61d..06d0a6d5801e1 100644
+--- a/security/sandbox/chromium/sandbox/linux/system_headers/arm_linux_syscalls.h
++++ b/security/sandbox/chromium/sandbox/linux/system_headers/arm_linux_syscalls.h
+@@ -3,7 +3,7 @@
+ // found in the LICENSE file.
+
+ /* Constructed by running:
+- * curl -vsSL https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/plain/arch/arm/tools/syscall.tbl?h=v5.8
++ * curl -vsSL https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/plain/arch/arm/tools/syscall.tbl?h=v6.8
+ * | grep -vE '^#|^$'
+ * | awk '{ if ($2 != "oabi") { print "#if !defined(__NR_" $3 ")\n#define __NR_" $3 " (__NR_SYSCALL_BASE+" $1 ")\n#endif\n"; } }'
+ * */
+@@ -1578,6 +1578,10 @@
+ #define __NR_clone3 (__NR_SYSCALL_BASE+435)
+ #endif
+
++#if !defined(__NR_close_range)
++#define __NR_close_range (__NR_SYSCALL_BASE+436)
++#endif
++
+ #if !defined(__NR_openat2)
+ #define __NR_openat2 (__NR_SYSCALL_BASE+437)
+ #endif
+@@ -1590,6 +1594,90 @@
+ #define __NR_faccessat2 (__NR_SYSCALL_BASE+439)
+ #endif
+
++#if !defined(__NR_process_madvise)
++#define __NR_process_madvise (__NR_SYSCALL_BASE+440)
++#endif
++
++#if !defined(__NR_epoll_pwait2)
++#define __NR_epoll_pwait2 (__NR_SYSCALL_BASE+441)
++#endif
++
++#if !defined(__NR_mount_setattr)
++#define __NR_mount_setattr (__NR_SYSCALL_BASE+442)
++#endif
++
++#if !defined(__NR_quotactl_fd)
++#define __NR_quotactl_fd (__NR_SYSCALL_BASE+443)
++#endif
++
++#if !defined(__NR_landlock_create_ruleset)
++#define __NR_landlock_create_ruleset (__NR_SYSCALL_BASE+444)
++#endif
++
++#if !defined(__NR_landlock_add_rule)
++#define __NR_landlock_add_rule (__NR_SYSCALL_BASE+445)
++#endif
++
++#if !defined(__NR_landlock_restrict_self)
++#define __NR_landlock_restrict_self (__NR_SYSCALL_BASE+446)
++#endif
++
++#if !defined(__NR_process_mrelease)
++#define __NR_process_mrelease (__NR_SYSCALL_BASE+448)
++#endif
++
++#if !defined(__NR_futex_waitv)
++#define __NR_futex_waitv (__NR_SYSCALL_BASE+449)
++#endif
++
++#if !defined(__NR_set_mempolicy_home_node)
++#define __NR_set_mempolicy_home_node (__NR_SYSCALL_BASE+450)
++#endif
++
++#if !defined(__NR_cachestat)
++#define __NR_cachestat (__NR_SYSCALL_BASE+451)
++#endif
++
++#if !defined(__NR_fchmodat2)
++#define __NR_fchmodat2 (__NR_SYSCALL_BASE+452)
++#endif
++
++#if !defined(__NR_map_shadow_stack)
++#define __NR_map_shadow_stack (__NR_SYSCALL_BASE+453)
++#endif
++
++#if !defined(__NR_futex_wake)
++#define __NR_futex_wake (__NR_SYSCALL_BASE+454)
++#endif
++
++#if !defined(__NR_futex_wait)
++#define __NR_futex_wait (__NR_SYSCALL_BASE+455)
++#endif
++
++#if !defined(__NR_futex_requeue)
++#define __NR_futex_requeue (__NR_SYSCALL_BASE+456)
++#endif
++
++#if !defined(__NR_statmount)
++#define __NR_statmount (__NR_SYSCALL_BASE+457)
++#endif
++
++#if !defined(__NR_listmount)
++#define __NR_listmount (__NR_SYSCALL_BASE+458)
++#endif
++
++#if !defined(__NR_lsm_get_self_attr)
++#define __NR_lsm_get_self_attr (__NR_SYSCALL_BASE+459)
++#endif
++
++#if !defined(__NR_lsm_set_self_attr)
++#define __NR_lsm_set_self_attr (__NR_SYSCALL_BASE+460)
++#endif
++
++#if !defined(__NR_lsm_list_modules)
++#define __NR_lsm_list_modules (__NR_SYSCALL_BASE+461)
++#endif
++
+ // ARM private syscalls.
+ #if !defined(__ARM_NR_BASE)
+ #define __ARM_NR_BASE (__NR_SYSCALL_BASE + 0xF0000)
+diff --git a/security/sandbox/chromium/sandbox/linux/system_headers/x86_32_linux_syscalls.h b/security/sandbox/chromium/sandbox/linux/system_headers/x86_32_linux_syscalls.h
+index dc846ee7ad1ab..edcfd05004139 100644
+--- a/security/sandbox/chromium/sandbox/linux/system_headers/x86_32_linux_syscalls.h
++++ b/security/sandbox/chromium/sandbox/linux/system_headers/x86_32_linux_syscalls.h
+@@ -3,7 +3,7 @@
+ // found in the LICENSE file.
+
+ /* Constructed by running:
+- * curl -vsSL https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/plain/arch/x86/entry/syscalls/syscall_32.tbl?h=v5.8
++ * curl -vsSL https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/plain/arch/x86/entry/syscalls/syscall_32.tbl?h=v6.8
+ * | grep -vE '^#|^$'
+ * | awk '{ if ($2 == "i386") { print "#if !defined(__NR_" $3 ")\n#define __NR_" $3 " " $1 "\n#endif\n"; } }'
+ * */
+@@ -1715,6 +1715,10 @@
+ #define __NR_clone3 435
+ #endif
+
++#if !defined(__NR_close_range)
++#define __NR_close_range 436
++#endif
++
+ #if !defined(__NR_openat2)
+ #define __NR_openat2 437
+ #endif
+@@ -1727,5 +1731,93 @@
+ #define __NR_faccessat2 439
+ #endif
+
++#if !defined(__NR_process_madvise)
++#define __NR_process_madvise 440
++#endif
++
++#if !defined(__NR_epoll_pwait2)
++#define __NR_epoll_pwait2 441
++#endif
++
++#if !defined(__NR_mount_setattr)
++#define __NR_mount_setattr 442
++#endif
++
++#if !defined(__NR_quotactl_fd)
++#define __NR_quotactl_fd 443
++#endif
++
++#if !defined(__NR_landlock_create_ruleset)
++#define __NR_landlock_create_ruleset 444
++#endif
++
++#if !defined(__NR_landlock_add_rule)
++#define __NR_landlock_add_rule 445
++#endif
++
++#if !defined(__NR_landlock_restrict_self)
++#define __NR_landlock_restrict_self 446
++#endif
++
++#if !defined(__NR_memfd_secret)
++#define __NR_memfd_secret 447
++#endif
++
++#if !defined(__NR_process_mrelease)
++#define __NR_process_mrelease 448
++#endif
++
++#if !defined(__NR_futex_waitv)
++#define __NR_futex_waitv 449
++#endif
++
++#if !defined(__NR_set_mempolicy_home_node)
++#define __NR_set_mempolicy_home_node 450
++#endif
++
++#if !defined(__NR_cachestat)
++#define __NR_cachestat 451
++#endif
++
++#if !defined(__NR_fchmodat2)
++#define __NR_fchmodat2 452
++#endif
++
++#if !defined(__NR_map_shadow_stack)
++#define __NR_map_shadow_stack 453
++#endif
++
++#if !defined(__NR_futex_wake)
++#define __NR_futex_wake 454
++#endif
++
++#if !defined(__NR_futex_wait)
++#define __NR_futex_wait 455
++#endif
++
++#if !defined(__NR_futex_requeue)
++#define __NR_futex_requeue 456
++#endif
++
++#if !defined(__NR_statmount)
++#define __NR_statmount 457
++#endif
++
++#if !defined(__NR_listmount)
++#define __NR_listmount 458
++#endif
++
++#if !defined(__NR_lsm_get_self_attr)
++#define __NR_lsm_get_self_attr 459
++#endif
++
++#if !defined(__NR_lsm_set_self_attr)
++#define __NR_lsm_set_self_attr 460
++#endif
++
++#if !defined(__NR_lsm_list_modules)
++#define __NR_lsm_list_modules 461
++#endif
++
+
+ #endif // SANDBOX_LINUX_SYSTEM_HEADERS_X86_32_LINUX_SYSCALLS_H_
+diff --git a/security/sandbox/chromium/sandbox/linux/system_headers/x86_64_linux_syscalls.h b/security/sandbox/chromium/sandbox/linux/system_headers/x86_64_linux_syscalls.h
+index ab51703464aa0..6767d88702f3d 100644
+--- a/security/sandbox/chromium/sandbox/linux/system_headers/x86_64_linux_syscalls.h
++++ b/security/sandbox/chromium/sandbox/linux/system_headers/x86_64_linux_syscalls.h
+@@ -3,7 +3,7 @@
+ // found in the LICENSE file.
+
+ /* Constructed by running:
+- * curl -vsSL https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/plain/arch/x86/entry/syscalls/syscall_64.tbl?h=v5.8
++ * curl -vsSL https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/plain/arch/x86/entry/syscalls/syscall_64.tbl?h=v6.8
+ * | grep -vE '^#|^$'
+ * | awk '{ if ($2 != "x32") { print "#if !defined(__NR_" $3 ")\n#define __NR_" $3 " " $1 "\n#endif\n"; } }'
+ * */
+@@ -1403,6 +1403,10 @@
+ #define __NR_clone3 435
+ #endif
+
++#if !defined(__NR_close_range)
++#define __NR_close_range 436
++#endif
++
+ #if !defined(__NR_openat2)
+ #define __NR_openat2 437
+ #endif
+@@ -1415,4 +1419,92 @@
+ #define __NR_faccessat2 439
+ #endif
+
++#if !defined(__NR_process_madvise)
++#define __NR_process_madvise 440
++#endif
++
++#if !defined(__NR_epoll_pwait2)
++#define __NR_epoll_pwait2 441
++#endif
++
++#if !defined(__NR_mount_setattr)
++#define __NR_mount_setattr 442
++#endif
++
++#if !defined(__NR_quotactl_fd)
++#define __NR_quotactl_fd 443
++#endif
++
++#if !defined(__NR_landlock_create_ruleset)
++#define __NR_landlock_create_ruleset 444
++#endif
++
++#if !defined(__NR_landlock_add_rule)
++#define __NR_landlock_add_rule 445
++#endif
++
++#if !defined(__NR_landlock_restrict_self)
++#define __NR_landlock_restrict_self 446
++#endif
++
++#if !defined(__NR_memfd_secret)
++#define __NR_memfd_secret 447
++#endif
++
++#if !defined(__NR_process_mrelease)
++#define __NR_process_mrelease 448
++#endif
++
++#if !defined(__NR_futex_waitv)
++#define __NR_futex_waitv 449
++#endif
++
++#if !defined(__NR_set_mempolicy_home_node)
++#define __NR_set_mempolicy_home_node 450
++#endif
++
++#if !defined(__NR_cachestat)
++#define __NR_cachestat 451
++#endif
++
++#if !defined(__NR_fchmodat2)
++#define __NR_fchmodat2 452
++#endif
++
++#if !defined(__NR_map_shadow_stack)
++#define __NR_map_shadow_stack 453
++#endif
++
++#if !defined(__NR_futex_wake)
++#define __NR_futex_wake 454
++#endif
++
++#if !defined(__NR_futex_wait)
++#define __NR_futex_wait 455
++#endif
++
++#if !defined(__NR_futex_requeue)
++#define __NR_futex_requeue 456
++#endif
++
++#if !defined(__NR_statmount)
++#define __NR_statmount 457
++#endif
++
++#if !defined(__NR_listmount)
++#define __NR_listmount 458
++#endif
++
++#if !defined(__NR_lsm_get_self_attr)
++#define __NR_lsm_get_self_attr 459
++#endif
++
++#if !defined(__NR_lsm_set_self_attr)
++#define __NR_lsm_set_self_attr 460
++#endif
++
++#if !defined(__NR_lsm_list_modules)
++#define __NR_lsm_list_modules 461
++#endif
++
+ #endif // SANDBOX_LINUX_SYSTEM_HEADERS_X86_64_LINUX_SYSCALLS_H_
diff --git a/security/sandbox/chromium-shim/patches/with_update/patch_order.txt b/security/sandbox/chromium-shim/patches/with_update/patch_order.txt
index 703be7a3cb..ba2027aced 100755
--- a/security/sandbox/chromium-shim/patches/with_update/patch_order.txt
+++ b/security/sandbox/chromium-shim/patches/with_update/patch_order.txt
@@ -32,3 +32,4 @@ block_NtImpersonateAnonymousToken_before_LowerToken.patch
fix_broker_alive_mutex.patch
fix_max_syscalls_linux_aarch64.patch
set_delayed_integrity_on_process_acl.patch
+chromium_syscalls_6_8_update.patch
diff --git a/security/sandbox/chromium/sandbox/linux/system_headers/arm64_linux_syscalls.h b/security/sandbox/chromium/sandbox/linux/system_headers/arm64_linux_syscalls.h
index 2224d32438..b8efe0da2f 100644
--- a/security/sandbox/chromium/sandbox/linux/system_headers/arm64_linux_syscalls.h
+++ b/security/sandbox/chromium/sandbox/linux/system_headers/arm64_linux_syscalls.h
@@ -3,7 +3,7 @@
// found in the LICENSE file.
/* Constructed by running:
- * curl -vsSL https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/plain/include/uapi/asm-generic/unistd.h?h=v5.8
+ * curl -vsSL https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/plain/include/uapi/asm-generic/unistd.h?h=v6.8
* | gcc -D__BITS_PER_LONG=64 -D__ARCH_WANT_STAT64 -D__ARCH_WANT_SET_GET_RLIMIT -D__ARCH_WANT_SYS_CLONE3 -D__ARCH_WANT_RENAMEAT -E -dD -
* | grep __NR | grep -vE '__NR_arch_specific_syscall|__NR_syscalls' | sort -n -k 3 | sed -e 's/__NR3264/__NR/g'
* | awk '{ if ($2 != $3) { print "#if !defined(" $2 ")\n#define " $2 " " $3 "\n#endif\n"; } }
@@ -1182,6 +1182,10 @@
#define __NR_clone3 435
#endif
+#if !defined(__NR_close_range)
+#define __NR_close_range 436
+#endif
+
#if !defined(__NR_openat2)
#define __NR_openat2 437
#endif
@@ -1194,4 +1198,88 @@
#define __NR_faccessat2 439
#endif
+#if !defined(__NR_process_madvise)
+#define __NR_process_madvise 440
+#endif
+
+#if !defined(__NR_epoll_pwait2)
+#define __NR_epoll_pwait2 441
+#endif
+
+#if !defined(__NR_mount_setattr)
+#define __NR_mount_setattr 442
+#endif
+
+#if !defined(__NR_quotactl_fd)
+#define __NR_quotactl_fd 443
+#endif
+
+#if !defined(__NR_landlock_create_ruleset)
+#define __NR_landlock_create_ruleset 444
+#endif
+
+#if !defined(__NR_landlock_add_rule)
+#define __NR_landlock_add_rule 445
+#endif
+
+#if !defined(__NR_landlock_restrict_self)
+#define __NR_landlock_restrict_self 446
+#endif
+
+#if !defined(__NR_process_mrelease)
+#define __NR_process_mrelease 448
+#endif
+
+#if !defined(__NR_futex_waitv)
+#define __NR_futex_waitv 449
+#endif
+
+#if !defined(__NR_set_mempolicy_home_node)
+#define __NR_set_mempolicy_home_node 450
+#endif
+
+#if !defined(__NR_cachestat)
+#define __NR_cachestat 451
+#endif
+
+#if !defined(__NR_fchmodat2)
+#define __NR_fchmodat2 452
+#endif
+
+#if !defined(__NR_map_shadow_stack)
+#define __NR_map_shadow_stack 453
+#endif
+
+#if !defined(__NR_futex_wake)
+#define __NR_futex_wake 454
+#endif
+
+#if !defined(__NR_futex_wait)
+#define __NR_futex_wait 455
+#endif
+
+#if !defined(__NR_futex_requeue)
+#define __NR_futex_requeue 456
+#endif
+
+#if !defined(__NR_statmount)
+#define __NR_statmount 457
+#endif
+
+#if !defined(__NR_listmount)
+#define __NR_listmount 458
+#endif
+
+#if !defined(__NR_lsm_get_self_attr)
+#define __NR_lsm_get_self_attr 459
+#endif
+
+#if !defined(__NR_lsm_set_self_attr)
+#define __NR_lsm_set_self_attr 460
+#endif
+
+#if !defined(__NR_lsm_list_modules)
+#define __NR_lsm_list_modules 461
+#endif
+
#endif // SANDBOX_LINUX_SYSTEM_HEADERS_ARM64_LINUX_SYSCALLS_H_
diff --git a/security/sandbox/chromium/sandbox/linux/system_headers/arm_linux_syscalls.h b/security/sandbox/chromium/sandbox/linux/system_headers/arm_linux_syscalls.h
index 5b7f4e511a..06d0a6d580 100644
--- a/security/sandbox/chromium/sandbox/linux/system_headers/arm_linux_syscalls.h
+++ b/security/sandbox/chromium/sandbox/linux/system_headers/arm_linux_syscalls.h
@@ -3,7 +3,7 @@
// found in the LICENSE file.
/* Constructed by running:
- * curl -vsSL https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/plain/arch/arm/tools/syscall.tbl?h=v5.8
+ * curl -vsSL https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/plain/arch/arm/tools/syscall.tbl?h=v6.8
* | grep -vE '^#|^$'
* | awk '{ if ($2 != "oabi") { print "#if !defined(__NR_" $3 ")\n#define __NR_" $3 " (__NR_SYSCALL_BASE+" $1 ")\n#endif\n"; } }'
* */
@@ -1578,6 +1578,10 @@
#define __NR_clone3 (__NR_SYSCALL_BASE+435)
#endif
+#if !defined(__NR_close_range)
+#define __NR_close_range (__NR_SYSCALL_BASE+436)
+#endif
+
#if !defined(__NR_openat2)
#define __NR_openat2 (__NR_SYSCALL_BASE+437)
#endif
@@ -1590,6 +1594,90 @@
#define __NR_faccessat2 (__NR_SYSCALL_BASE+439)
#endif
+#if !defined(__NR_process_madvise)
+#define __NR_process_madvise (__NR_SYSCALL_BASE+440)
+#endif
+
+#if !defined(__NR_epoll_pwait2)
+#define __NR_epoll_pwait2 (__NR_SYSCALL_BASE+441)
+#endif
+
+#if !defined(__NR_mount_setattr)
+#define __NR_mount_setattr (__NR_SYSCALL_BASE+442)
+#endif
+
+#if !defined(__NR_quotactl_fd)
+#define __NR_quotactl_fd (__NR_SYSCALL_BASE+443)
+#endif
+
+#if !defined(__NR_landlock_create_ruleset)
+#define __NR_landlock_create_ruleset (__NR_SYSCALL_BASE+444)
+#endif
+
+#if !defined(__NR_landlock_add_rule)
+#define __NR_landlock_add_rule (__NR_SYSCALL_BASE+445)
+#endif
+
+#if !defined(__NR_landlock_restrict_self)
+#define __NR_landlock_restrict_self (__NR_SYSCALL_BASE+446)
+#endif
+
+#if !defined(__NR_process_mrelease)
+#define __NR_process_mrelease (__NR_SYSCALL_BASE+448)
+#endif
+
+#if !defined(__NR_futex_waitv)
+#define __NR_futex_waitv (__NR_SYSCALL_BASE+449)
+#endif
+
+#if !defined(__NR_set_mempolicy_home_node)
+#define __NR_set_mempolicy_home_node (__NR_SYSCALL_BASE+450)
+#endif
+
+#if !defined(__NR_cachestat)
+#define __NR_cachestat (__NR_SYSCALL_BASE+451)
+#endif
+
+#if !defined(__NR_fchmodat2)
+#define __NR_fchmodat2 (__NR_SYSCALL_BASE+452)
+#endif
+
+#if !defined(__NR_map_shadow_stack)
+#define __NR_map_shadow_stack (__NR_SYSCALL_BASE+453)
+#endif
+
+#if !defined(__NR_futex_wake)
+#define __NR_futex_wake (__NR_SYSCALL_BASE+454)
+#endif
+
+#if !defined(__NR_futex_wait)
+#define __NR_futex_wait (__NR_SYSCALL_BASE+455)
+#endif
+
+#if !defined(__NR_futex_requeue)
+#define __NR_futex_requeue (__NR_SYSCALL_BASE+456)
+#endif
+
+#if !defined(__NR_statmount)
+#define __NR_statmount (__NR_SYSCALL_BASE+457)
+#endif
+
+#if !defined(__NR_listmount)
+#define __NR_listmount (__NR_SYSCALL_BASE+458)
+#endif
+
+#if !defined(__NR_lsm_get_self_attr)
+#define __NR_lsm_get_self_attr (__NR_SYSCALL_BASE+459)
+#endif
+
+#if !defined(__NR_lsm_set_self_attr)
+#define __NR_lsm_set_self_attr (__NR_SYSCALL_BASE+460)
+#endif
+
+#if !defined(__NR_lsm_list_modules)
+#define __NR_lsm_list_modules (__NR_SYSCALL_BASE+461)
+#endif
+
// ARM private syscalls.
#if !defined(__ARM_NR_BASE)
#define __ARM_NR_BASE (__NR_SYSCALL_BASE + 0xF0000)
diff --git a/security/sandbox/chromium/sandbox/linux/system_headers/x86_32_linux_syscalls.h b/security/sandbox/chromium/sandbox/linux/system_headers/x86_32_linux_syscalls.h
index dc846ee7ad..edcfd05004 100644
--- a/security/sandbox/chromium/sandbox/linux/system_headers/x86_32_linux_syscalls.h
+++ b/security/sandbox/chromium/sandbox/linux/system_headers/x86_32_linux_syscalls.h
@@ -3,7 +3,7 @@
// found in the LICENSE file.
/* Constructed by running:
- * curl -vsSL https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/plain/arch/x86/entry/syscalls/syscall_32.tbl?h=v5.8
+ * curl -vsSL https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/plain/arch/x86/entry/syscalls/syscall_32.tbl?h=v6.8
* | grep -vE '^#|^$'
* | awk '{ if ($2 == "i386") { print "#if !defined(__NR_" $3 ")\n#define __NR_" $3 " " $1 "\n#endif\n"; } }'
* */
@@ -1715,6 +1715,10 @@
#define __NR_clone3 435
#endif
+#if !defined(__NR_close_range)
+#define __NR_close_range 436
+#endif
+
#if !defined(__NR_openat2)
#define __NR_openat2 437
#endif
@@ -1727,5 +1731,93 @@
#define __NR_faccessat2 439
#endif
+#if !defined(__NR_process_madvise)
+#define __NR_process_madvise 440
+#endif
+
+#if !defined(__NR_epoll_pwait2)
+#define __NR_epoll_pwait2 441
+#endif
+
+#if !defined(__NR_mount_setattr)
+#define __NR_mount_setattr 442
+#endif
+
+#if !defined(__NR_quotactl_fd)
+#define __NR_quotactl_fd 443
+#endif
+
+#if !defined(__NR_landlock_create_ruleset)
+#define __NR_landlock_create_ruleset 444
+#endif
+
+#if !defined(__NR_landlock_add_rule)
+#define __NR_landlock_add_rule 445
+#endif
+
+#if !defined(__NR_landlock_restrict_self)
+#define __NR_landlock_restrict_self 446
+#endif
+
+#if !defined(__NR_memfd_secret)
+#define __NR_memfd_secret 447
+#endif
+
+#if !defined(__NR_process_mrelease)
+#define __NR_process_mrelease 448
+#endif
+
+#if !defined(__NR_futex_waitv)
+#define __NR_futex_waitv 449
+#endif
+
+#if !defined(__NR_set_mempolicy_home_node)
+#define __NR_set_mempolicy_home_node 450
+#endif
+
+#if !defined(__NR_cachestat)
+#define __NR_cachestat 451
+#endif
+
+#if !defined(__NR_fchmodat2)
+#define __NR_fchmodat2 452
+#endif
+
+#if !defined(__NR_map_shadow_stack)
+#define __NR_map_shadow_stack 453
+#endif
+
+#if !defined(__NR_futex_wake)
+#define __NR_futex_wake 454
+#endif
+
+#if !defined(__NR_futex_wait)
+#define __NR_futex_wait 455
+#endif
+
+#if !defined(__NR_futex_requeue)
+#define __NR_futex_requeue 456
+#endif
+
+#if !defined(__NR_statmount)
+#define __NR_statmount 457
+#endif
+
+#if !defined(__NR_listmount)
+#define __NR_listmount 458
+#endif
+
+#if !defined(__NR_lsm_get_self_attr)
+#define __NR_lsm_get_self_attr 459
+#endif
+
+#if !defined(__NR_lsm_set_self_attr)
+#define __NR_lsm_set_self_attr 460
+#endif
+
+#if !defined(__NR_lsm_list_modules)
+#define __NR_lsm_list_modules 461
+#endif
+
#endif // SANDBOX_LINUX_SYSTEM_HEADERS_X86_32_LINUX_SYSCALLS_H_
diff --git a/security/sandbox/chromium/sandbox/linux/system_headers/x86_64_linux_syscalls.h b/security/sandbox/chromium/sandbox/linux/system_headers/x86_64_linux_syscalls.h
index ab51703464..6767d88702 100644
--- a/security/sandbox/chromium/sandbox/linux/system_headers/x86_64_linux_syscalls.h
+++ b/security/sandbox/chromium/sandbox/linux/system_headers/x86_64_linux_syscalls.h
@@ -3,7 +3,7 @@
// found in the LICENSE file.
/* Constructed by running:
- * curl -vsSL https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/plain/arch/x86/entry/syscalls/syscall_64.tbl?h=v5.8
+ * curl -vsSL https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/plain/arch/x86/entry/syscalls/syscall_64.tbl?h=v6.8
* | grep -vE '^#|^$'
* | awk '{ if ($2 != "x32") { print "#if !defined(__NR_" $3 ")\n#define __NR_" $3 " " $1 "\n#endif\n"; } }'
* */
@@ -1403,6 +1403,10 @@
#define __NR_clone3 435
#endif
+#if !defined(__NR_close_range)
+#define __NR_close_range 436
+#endif
+
#if !defined(__NR_openat2)
#define __NR_openat2 437
#endif
@@ -1415,4 +1419,92 @@
#define __NR_faccessat2 439
#endif
+#if !defined(__NR_process_madvise)
+#define __NR_process_madvise 440
+#endif
+
+#if !defined(__NR_epoll_pwait2)
+#define __NR_epoll_pwait2 441
+#endif
+
+#if !defined(__NR_mount_setattr)
+#define __NR_mount_setattr 442
+#endif
+
+#if !defined(__NR_quotactl_fd)
+#define __NR_quotactl_fd 443
+#endif
+
+#if !defined(__NR_landlock_create_ruleset)
+#define __NR_landlock_create_ruleset 444
+#endif
+
+#if !defined(__NR_landlock_add_rule)
+#define __NR_landlock_add_rule 445
+#endif
+
+#if !defined(__NR_landlock_restrict_self)
+#define __NR_landlock_restrict_self 446
+#endif
+
+#if !defined(__NR_memfd_secret)
+#define __NR_memfd_secret 447
+#endif
+
+#if !defined(__NR_process_mrelease)
+#define __NR_process_mrelease 448
+#endif
+
+#if !defined(__NR_futex_waitv)
+#define __NR_futex_waitv 449
+#endif
+
+#if !defined(__NR_set_mempolicy_home_node)
+#define __NR_set_mempolicy_home_node 450
+#endif
+
+#if !defined(__NR_cachestat)
+#define __NR_cachestat 451
+#endif
+
+#if !defined(__NR_fchmodat2)
+#define __NR_fchmodat2 452
+#endif
+
+#if !defined(__NR_map_shadow_stack)
+#define __NR_map_shadow_stack 453
+#endif
+
+#if !defined(__NR_futex_wake)
+#define __NR_futex_wake 454
+#endif
+
+#if !defined(__NR_futex_wait)
+#define __NR_futex_wait 455
+#endif
+
+#if !defined(__NR_futex_requeue)
+#define __NR_futex_requeue 456
+#endif
+
+#if !defined(__NR_statmount)
+#define __NR_statmount 457
+#endif
+
+#if !defined(__NR_listmount)
+#define __NR_listmount 458
+#endif
+
+#if !defined(__NR_lsm_get_self_attr)
+#define __NR_lsm_get_self_attr 459
+#endif
+
+#if !defined(__NR_lsm_set_self_attr)
+#define __NR_lsm_set_self_attr 460
+#endif
+
+#if !defined(__NR_lsm_list_modules)
+#define __NR_lsm_list_modules 461
+#endif
+
#endif // SANDBOX_LINUX_SYSTEM_HEADERS_X86_64_LINUX_SYSCALLS_H_
diff --git a/security/sandbox/linux/SandboxFilterUtil.h b/security/sandbox/linux/SandboxFilterUtil.h
index 6e9180bb95..3e07948c5a 100644
--- a/security/sandbox/linux/SandboxFilterUtil.h
+++ b/security/sandbox/linux/SandboxFilterUtil.h
@@ -218,9 +218,12 @@ class SandboxPolicyBase : public sandbox::bpf_dsl::Policy {
#ifdef __NR_epoll_wait
# define CASES_FOR_epoll_wait \
case __NR_epoll_wait: \
- case __NR_epoll_pwait
+ case __NR_epoll_pwait: \
+ case __NR_epoll_pwait2
#else
-# define CASES_FOR_epoll_wait case __NR_epoll_pwait
+# define CASES_FOR_epoll_wait \
+ case __NR_epoll_pwait: \
+ case __NR_epoll_pwait2
#endif
#ifdef __NR_pipe
diff --git a/security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp b/security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp
index 3e2ce617bd..7988842611 100644
--- a/security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp
+++ b/security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp
@@ -866,10 +866,7 @@ void SandboxBroker::SetSecurityLevelForContentProcess(int32_t aSandboxLevel,
}
if (aSandboxLevel > 4) {
- // Alternate winstation breaks native theming.
- bool useAlternateWinstation =
- StaticPrefs::widget_non_native_theme_enabled();
- result = mPolicy->SetAlternateDesktop(useAlternateWinstation);
+ result = mPolicy->SetAlternateDesktop(true);
if (NS_WARN_IF(result != sandbox::SBOX_ALL_OK)) {
LOG_W("SetAlternateDesktop failed, result: %i, last error: %lx", result,
::GetLastError());