author | Wiktor Garbacz <wiktorg@google.com> | 2024-02-01 04:38:24 -0800 |
---|---|---|
committer | Copybara-Service <copybara-worker@google.com> | 2024-02-01 04:39:02 -0800 |
commit | 044ba1cb90cd9947141f87225a02a3cfd7e868f8 (patch) | |
tree | 329116ea61e4374ad4ae667f2f2b6f65700db640 | |
parent | 29a3b8cd39904e17665279a4787a932f351739d8 (diff) | |
download | sandboxed-api-044ba1cb90cd9947141f87225a02a3cfd7e868f8.tar.gz |
Return ENOSYS instead of hard denying clone3
It's currently not possible to properly inspect arguments of clone3 via seccomp.
As userspace (notably glibc) started using clone3, other sandbox solutions (e.g. in Firefox and Chrome) switched to returning ENOSYS for that syscall, which usually will result in libraries falling back to clone/clone2.
PiperOrigin-RevId: 603332131
Change-Id: If2483f6f42eca46e1c8958ef17ca3c02fa82b658
-rw-r--r-- | sandboxed_api/sandbox2/policy.cc | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/sandboxed_api/sandbox2/policy.cc b/sandboxed_api/sandbox2/policy.cc index 6a4b2f4..721abcf 100644 --- a/sandboxed_api/sandbox2/policy.cc +++ b/sandboxed_api/sandbox2/policy.cc @@ -183,8 +183,9 @@ std::vector<sock_filter> Policy::GetDefaultPolicy(bool user_notif) const { policy.insert(policy.end(), { #ifdef __NR_clone3 - // Disallow clone3 - JEQ32(__NR_clone3, DENY), + // Disallow clone3. Errno instead of DENY so that libraries + // can fallback to regular clone/clone2. + JEQ32(__NR_clone3, ERRNO(ENOSYS)), #endif // Disallow clone3 and clone with unsafe flags. This uses // LOAD_SYSCALL_NR from above. |
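Review bot: the unchanged context comment at the end of the hunk, `// Disallow clone3 and clone with unsafe flags. This uses LOAD_SYSCALL_NR from above.`, now reads as stale: clone3 is already matched by the new `JEQ32(__NR_clone3, ERRNO(ENOSYS))` rule before that block is reached, and, as the commit message explains, its arguments cannot be inspected via seccomp anyway, so that comment should mention only clone. Two smaller points on the new comment lines: "fallback" should be "fall back" (verb), and it would help future readers to state there that this deliberately trades a hard policy violation for a silent ENOSYS, relying on the clone-with-unsafe-flags check that follows to cover the fallback path.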