authorWiktor Garbacz <wiktorg@google.com>2024-02-01 04:38:24 -0800
committerCopybara-Service <copybara-worker@google.com>2024-02-01 04:39:02 -0800
commit044ba1cb90cd9947141f87225a02a3cfd7e868f8 (patch)
tree329116ea61e4374ad4ae667f2f2b6f65700db640
parent29a3b8cd39904e17665279a4787a932f351739d8 (diff)
downloadsandboxed-api-044ba1cb90cd9947141f87225a02a3cfd7e868f8.tar.gz
Return ENOSYS instead of hard denying clone3
It's currently not possible to properly inspect the arguments of clone3 via seccomp. As userspace (notably glibc) has started using clone3, other sandbox solutions (e.g. in Firefox and Chrome) switched to returning ENOSYS for that syscall, which usually results in libraries falling back to clone/clone2. PiperOrigin-RevId: 603332131 Change-Id: If2483f6f42eca46e1c8958ef17ca3c02fa82b658
-rw-r--r--sandboxed_api/sandbox2/policy.cc5
1 files changed, 3 insertions, 2 deletions
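--- a/sandboxed_api/sandbox2/policy.cc
+++ b/sandboxed_api/sandbox2/policy.cc
@@ -183,8 +183,9 @@ std::vector<sock_filter> Policy::GetDefaultPolicy(bool user_notif) const {
 policy.insert(policy.end(),
 {
 #ifdef __NR_clone3
- // Disallow clone3
- JEQ32(__NR_clone3, DENY),
+ // Disallow clone3. Errno instead of DENY so that libraries
+ // can fallback to regular clone/clone2.
+ JEQ32(__NR_clone3, ERRNO(ENOSYS)),
 #endif
 // Disallow clone3 and clone with unsafe flags. This uses
 // LOAD_SYSCALL_NR from above.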
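Review bot: The comment on the rule that follows the new `JEQ32(__NR_clone3, ERRNO(ENOSYS))` line still reads `// Disallow clone3 and clone with unsafe flags`, which is now stale: clone3 is answered with ENOSYS before that rule is reached, so only clone's flags can still be inspected there, and the comment should say `// Disallow clone with unsafe flags (clone3 is already handled above). This uses LOAD_SYSCALL_NR from above.`. The new comment would also benefit from the reason given in the commit message rather than only the consequence, e.g. `// clone3 takes its arguments via a struct in user memory, which seccomp cannot inspect, so the flags check below cannot be applied to it; ENOSYS lets callers fall back to clone/clone2, which is filtered.`. Since ENOSYS is observable by the sandboxee, the flags rule below remains the effective guard for the fallback path, which is worth stating so a future change to that rule is not made without clone3 in mind. Whether `ERRNO` and `ENOSYS` are already in scope in policy.cc cannot be confirmed from this hunk. The enclosing GetDefaultPolicy body starts and ends outside the hunk.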