Return ENOSYS instead of hard denying clone3

It's currently not possible to properly inspect arguments of clone3 via seccomp.
As userspace (notably glibc) started using clone3, other sandbox solutions (e.g. in Firefox and Chrome) switched to returning ENOSYS for that syscall, which usually will result in libraries falling back to clone/clone2.

PiperOrigin-RevId: 603332131
Change-Id: If2483f6f42eca46e1c8958ef17ca3c02fa82b658
Wiktor Garbacz 2024-02-01 04:38:24 -08:00 committed by Copybara-Service
parent 29a3b8cd39
commit 044ba1cb90

@ -183,8 +183,9 @@ std::vector<sock_filter> Policy::GetDefaultPolicy(bool user_notif) const {
policy.insert(policy.end(),
{
#ifdef __NR_clone3
// Disallow clone3
JEQ32(__NR_clone3, DENY),
// Disallow clone3. Errno instead of DENY so that libraries
// can fallback to regular clone/clone2.
JEQ32(__NR_clone3, ERRNO(ENOSYS)),
#endif
// Disallow clone3 and clone with unsafe flags. This uses
// LOAD_SYSCALL_NR from above.
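Review bot: switching `JEQ32(__NR_clone3, DENY)` to `JEQ32(__NR_clone3, ERRNO(ENOSYS))` also changes how a clone3 attempt is reported: a DENY surfaces as a policy violation to the sandbox monitor, while ERRNO(ENOSYS) returns to the sandboxee as an ordinary failed syscall, so a program that calls clone3 without a clone/clone2 fallback now fails silently (or keeps running in a degraded state) instead of being stopped with a violation; the new comment should say this explicitly so that people debugging "why does this fail inside the sandbox" know to look here. The trailing context comment "Disallow clone3 and clone with unsafe flags" is now stale for clone3: every clone3 call is matched by the ERRNO rule above it and never reaches the flags check, so that comment should be reduced to clone only. Minor: "fallback" in the added comment is the noun; the verb is "fall back".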