[Backport] sandbox: linux: allow clock_nanosleep & gettime64

Allan Sandfeld Jensen · Allan Sandfeld Jensen · commit faae106edb78 · 2021-10-18T11:14:42.000Z
This is a rewrite and expansion of https://crrev.com/c/2717027. Starting with newer versions of glibc (>=2.32), the timing syscalls are assumed to be 64bit to fix the Y2038 bug and are called unconditionally. Older 32bit systems where the 64bit syscalls return ENOSYS will fallback to the 32bit variants. Newer glibc versions also refactored the nanosleep() function to use clock_nanosleep syscalls, so allow it as well. BUG=chromium:1183928 TEST=Local builds & booting on kevin. Change-Id: I0c00ad527fbd8b0eab4d91b381bcc135624d1e9d Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2744134 Commit-Queue: Adrian Ratiu <adrian.ratiu@collabora.corp-partner.google.com> Reviewed-by: Matthew Denton <mpdenton@chromium.org> Cr-Commit-Position: refs/heads/master@{#862126} Reviewed-by: Michal Klocek <michal.klocek@qt.io>
diff --git a/chromium/AUTHORS b/chromium/AUTHORS
@@ -33,6 +33,7 @@ Addanki Gandhi Kishor <kishor.ag@samsung.com>
 Adenilson Cavalcanti <a.cavalcanti@samsung.com>
 Aditya Bhargava <heuristicist@gmail.com>
 Adrian Belgun <adrian.belgun@intel.com>
+Adrian Ratiu <adrian.ratiu@collabora.corp-partner.google.com>
 Ahmet Emir Ercin <ahmetemiremir@gmail.com>
 Ajay Berwal <a.berwal@samsung.com>
 Ajay Berwal <ajay.berwal@samsung.com>
diff --git a/chromium/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc b/chromium/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc
@@ -160,7 +160,7 @@ ResultExpr EvaluateSyscallImpl(int fs_denied_errno,
     return Allow();
 #endif
 
-  if (sysno == __NR_clock_gettime || sysno == __NR_clock_nanosleep) {
+  if (SyscallSets::IsClockApi(sysno)) {
     return RestrictClockID();
   }
 
diff --git a/chromium/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions_unittests.cc b/chromium/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions_unittests.cc
@@ -55,8 +55,14 @@ class RestrictClockIdPolicy : public bpf_dsl::Policy {
   ResultExpr EvaluateSyscall(int sysno) const override {
     switch (sysno) {
       case __NR_clock_gettime:
+#if defined(__NR_clock_gettime64)
+      case __NR_clock_gettime64:
+#endif
       case __NR_clock_getres:
       case __NR_clock_nanosleep:
+#if defined(__NR_clock_nanosleep_time64)
+      case __NR_clock_nanosleep_time64:
+#endif
         return RestrictClockID();
       default:
         return Allow();
diff --git a/chromium/sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc b/chromium/sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc
@@ -38,7 +38,13 @@ bool SyscallSets::IsAllowedGettime(int sysno) {
     case __NR_clock_getres:     // Allowed only on Android with parameters
                                 // filtered by RestrictClokID().
     case __NR_clock_gettime:    // Parameters filtered by RestrictClockID().
+#if defined(__NR_clock_gettime64)
+    case __NR_clock_gettime64:  // Parameters filtered by RestrictClockID().
+#endif
     case __NR_clock_nanosleep:  // Parameters filtered by RestrictClockID().
+#if defined(__NR_clock_nanosleep_time64)
+    case __NR_clock_nanosleep_time64:  // Parameters filtered by RestrictClockID().
+#endif
     case __NR_clock_settime:    // Privileged.
 #if defined(__i386__) || \
     (defined(ARCH_CPU_MIPS_FAMILY) && defined(ARCH_CPU_32_BITS))
@@ -975,6 +981,22 @@ bool SyscallSets::IsAdvancedTimer(int sysno) {
   }
 }
 
+bool SyscallSets::IsClockApi(int sysno) {
+  switch (sysno) {
+    case __NR_clock_gettime:
+#if defined(__NR_clock_gettime64)
+    case __NR_clock_gettime64:
+#endif
+    case __NR_clock_nanosleep:
+#if defined(__NR_clock_nanosleep_time64)
+    case __NR_clock_nanosleep_time64:
+#endif
+      return true;
+    default:
+      return false;
+  }
+}
+
 bool SyscallSets::IsExtendedAttributes(int sysno) {
   switch (sysno) {
     case __NR_fgetxattr:
diff --git a/chromium/sandbox/linux/seccomp-bpf-helpers/syscall_sets.h b/chromium/sandbox/linux/seccomp-bpf-helpers/syscall_sets.h
@@ -99,6 +99,7 @@ class SANDBOX_EXPORT SyscallSets {
   static bool IsFaNotify(int sysno);
   static bool IsTimer(int sysno);
   static bool IsAdvancedTimer(int sysno);
+  static bool IsClockApi(int sysno);
   static bool IsExtendedAttributes(int sysno);
   static bool IsMisc(int sysno);
 #if defined(__arm__)
diff --git a/chromium/sandbox/linux/system_headers/arm_linux_syscalls.h b/chromium/sandbox/linux/system_headers/arm_linux_syscalls.h
@@ -1453,6 +1453,14 @@
 #define __NR_landlock_restrict_self (__NR_SYSCALL_BASE + 446)
 #endif
 
+#if !defined(__NR_clock_gettime64)
+#define __NR_clock_gettime64 (__NR_SYSCALL_BASE+403)
+#endif
+
+#if !defined(__NR_clock_nanosleep_time64)
+#define __NR_clock_nanosleep_time64 (__NR_SYSCALL_BASE+407)
+#endif
+
 // ARM private syscalls.
 #if !defined(__ARM_NR_BASE)
 #define __ARM_NR_BASE (__NR_SYSCALL_BASE + 0xF0000)
diff --git a/chromium/sandbox/linux/system_headers/mips_linux_syscalls.h b/chromium/sandbox/linux/system_headers/mips_linux_syscalls.h
@@ -1445,4 +1445,12 @@
 #define __NR_landlock_restrict_self (__NR_Linux + 446)
 #endif
 
+#if !defined(__NR_clock_gettime64)
+#define __NR_clock_gettime64 (__NR_Linux + 403)
+#endif
+
+#if !defined(__NR_clock_nanosleep_time64)
+#define __NR_clock_nanosleep_time64 (__NR_Linux + 407)
+#endif
+
 #endif  // SANDBOX_LINUX_SYSTEM_HEADERS_MIPS_LINUX_SYSCALLS_H_

Original file line number	Diff line number	Diff line change
`@@ -160,7 +160,7 @@ ResultExpr EvaluateSyscallImpl(int fs_denied_errno,`
`160`	`160`	`return Allow();`
`161`	`161`	`#endif`
`162`	`162`
`163`		`- if (sysno == __NR_clock_gettime \|\| sysno == __NR_clock_nanosleep) {`
	`163`	`+ if (SyscallSets::IsClockApi(sysno)) {`
`164`	`164`	`return RestrictClockID();`
`165`	`165`	`}`
`166`	`166`