[packages/qt6] update webengine's seccomp filter for glibc 2.41; rel 2

Thu Feb 6 16:53:51 CET 2025

commit 997dd19e325ce75a1c441803172b6cf715b4e5fb
Author: Jan Palus <atler at pld-linux.org>
Date:   Thu Feb 6 16:19:21 2025 +0100

    update webengine's seccomp filter for glibc 2.41; rel 2

 qt6.spec                          |  4 +++-
 webengine-seccomp-glibc2.41.patch | 34 ++++++++++++++++++++++++++++++++++
 2 files changed, 37 insertions(+), 1 deletion(-)
---

diff --git a/qt6.spec b/qt6.spec
index 46951d9..a6c6591 100644
--- a/qt6.spec
+++ b/qt6.spec
@@ -110,7 +110,7 @@ Summary:	Qt6 Library
 Summary(pl.UTF-8):	Biblioteka Qt6
 Name:		qt6
 Version:	6.8.2
-Release:	1
+Release:	2
 License:	LGPL v3 or GPL v2 or GPL v3 or commercial
 Group:		X11/Libraries
 Source0:	https://download.qt.io/official_releases/qt/6.8/%{version}/single/qt-everywhere-src-%{version}.tar.xz
@@ -122,6 +122,7 @@ Patch3:		no-implicit-sse2.patch
 Patch4:		x32.patch
 Patch5:		qtwebengine-cmake-build-type.patch
 Patch6:		qtquick3d-6.6.2-gcc14.patch
+Patch7:		webengine-seccomp-glibc2.41.patch
 URL:		https://www.qt.io/
 %{?with_directfb:BuildRequires:	DirectFB-devel}
 BuildRequires:	EGL-devel
@@ -3730,6 +3731,7 @@ narzędzia.
 %patch4 -p1
 %patch5 -p1
 %patch6 -p1 -d qtquick3d
+%patch7 -p1 -d qtwebengine/src/3rdparty/chromium
 
 %{__sed} -i -e 's,usr/X11R6/,usr/,g' qtbase/mkspecs/linux-g++-64/qmake.conf
 
diff --git a/webengine-seccomp-glibc2.41.patch b/webengine-seccomp-glibc2.41.patch
new file mode 100644
index 0000000..e854216
--- /dev/null
+++ b/webengine-seccomp-glibc2.41.patch
@@ -0,0 +1,34 @@
+glibc 2.41 ships with support for getrandom() in vdso on x86-65 and aarch64. in
+turn it started using mmap() sysctl internally on these platforms. chromium's
+seccomp filter allows mmap() but only with specific set of flags which do not
+include newly introduced one for getrandom(): MAP_DROPPABLE. it results in
+blocking syscall usually on chromium->fontconfig->expat code path and an
+eventual crash.
+
+add MAP_DROPPABLE to allowed flags and define it if not yet defined to avoid
+dependency on most recent glibc
+
+Signed-off-by: Jan Palus <atler at pld-linux.org>
+--- chromium/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc.orig	2025-01-24 11:49:20.000000000 +0100
++++ chromium/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc	2025-02-06 15:52:33.188403354 +0100
+@@ -68,6 +68,11 @@
+ #define PROT_BTI 0x10
+ #endif
+ 
++// Introduced in glibc 2.41
++#ifndef MAP_DROPPABLE
++#define MAP_DROPPABLE   0x08            /* Zero memory under memory pressure.  */
++#endif
++
+ namespace {
+ 
+ inline bool IsArchitectureX86_64() {
+@@ -238,7 +243,7 @@
+   // TODO(davidung), remove MAP_DENYWRITE with updated Tegra libraries.
+   const uint64_t kAllowedMask = MAP_SHARED | MAP_PRIVATE | MAP_ANONYMOUS |
+                                 MAP_STACK | MAP_NORESERVE | MAP_FIXED |
+-                                MAP_DENYWRITE | MAP_LOCKED |
++                                MAP_DENYWRITE | MAP_LOCKED | MAP_DROPPABLE |
+                                 kArchSpecificAllowedMask;
+   const Arg<int> flags(3);
+   return If((flags & ~kAllowedMask) == 0, Allow()).Else(CrashSIGSYS());
================================================================

---- gitweb:

http://git.pld-linux.org/gitweb.cgi/packages/qt6.git/commitdiff/997dd19e325ce75a1c441803172b6cf715b4e5fb

