From: Fabian Vogt Subject: Sandbox: Handle statx and futex_time64 glibc uses statx in some more places now (e.g stat64 -> __fstatat64_time64), but it's caught by the sandbox, which doesn't handle it and breaks. Return -ENOSYS instead to trigger the fallback in glibc. futex_time64 is also used internally in glibc, so handle that as well. The signature is identical where it matters. diff --git a/src/3rdparty/chromium/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc b/chromium/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc index 3c67b124786..4772dc096f5 100644 --- a/src/3rdparty/chromium/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc +++ b/src/3rdparty/chromium/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc @@ -194,6 +194,11 @@ ResultExpr EvaluateSyscallImpl(int fs_denied_errno, if (sysno == __NR_futex) return RestrictFutex(); +#if defined(__NR_futex_time64) + if (sysno == __NR_futex_time64) + return RestrictFutex(); +#endif + if (sysno == __NR_set_robust_list) return Error(EPERM); @@ -257,6 +262,12 @@ ResultExpr EvaluateSyscallImpl(int fs_denied_errno, return RestrictKillTarget(current_pid, sysno); } +#if defined(__NR_statx) + if (sysno == __NR_statx) { + return Error(ENOSYS); + } +#endif + if (SyscallSets::IsFileSystem(sysno) || SyscallSets::IsCurrentDirectory(sysno)) { return Error(fs_denied_errno);