Return ENOSYS instead of hard denying clone3

It's currently not possible to properly inspect arguments of clone3 via seccomp. As userspace (notably glibc) started using clone3, other sandbox solutions (e.g. in Firefox and Chrome) switched to returning ENOSYS for that syscall, which usually will result in libraries falling back to clone/clone2. PiperOrigin-RevId: 603332131 Change-Id: If2483f6f42eca46e1c8958ef17ca3c02fa82b658
2024-03-22 13:11:30 +08:00 · 2024-02-01 04:38:24 -08:00 · 2024-02-01 04:38:24 -08:00 · 044ba1cb90
commit 044ba1cb90
parent 29a3b8cd39
1 changed files with 3 additions and 2 deletions
--- a/sandboxed_api/sandbox2/policy.cc
+++ b/sandboxed_api/sandbox2/policy.cc
@ -183,8 +183,9 @@ std::vector<sock_filter> Policy::GetDefaultPolicy(bool user_notif) const {
  policy.insert(policy.end(),
                {
 #ifdef __NR_clone3
-                    // Disallow clone3
-                    JEQ32(__NR_clone3, DENY),
+                    // Disallow clone3. Errno instead of DENY so that libraries
+                    // can fallback to regular clone/clone2.
+                    JEQ32(__NR_clone3, ERRNO(ENOSYS)),
 #endif
                    // Disallow clone3 and clone with unsafe flags.  This uses
                    // LOAD_SYSCALL_NR from above.