path: root/user/firefox-esr/seccomp-musl.patch



Backport of https://hg.mozilla.org/mozilla-central/rev/a0be746532f437055e4190cc8db802ad1239405e

diff --git a/security/sandbox/linux/SandboxFilter.cpp b/security/sandbox/linux/SandboxFilter.cpp
--- a/security/sandbox/linux/SandboxFilter.cpp
+++ b/security/sandbox/linux/SandboxFilter.cpp
@@ -419,16 +419,20 @@ class SandboxPolicyCommon : public Sandb
         case __NR_faccessat:
           return Trap(AccessAtTrap, mBroker);
         CASES_FOR_stat:
           return Trap(StatTrap, mBroker);
         CASES_FOR_lstat:
           return Trap(LStatTrap, mBroker);
         CASES_FOR_fstatat:
           return Trap(StatAtTrap, mBroker);
+        // Used by new libc and Rust's stdlib, if available.
+        // We don't have broker support yet so claim it does not exist.
+        case __NR_statx:
+          return Error(ENOSYS);
         case __NR_chmod:
           return Trap(ChmodTrap, mBroker);
         case __NR_link:
           return Trap(LinkTrap, mBroker);
         case __NR_mkdir:
           return Trap(MkdirTrap, mBroker);
         case __NR_symlink:
           return Trap(SymlinkTrap, mBroker);
@@ -538,16 +542,20 @@ class SandboxPolicyCommon : public Sandb
             .ElseIf(advice == MADV_HUGEPAGE, Allow())
             .ElseIf(advice == MADV_NOHUGEPAGE, Allow())
 #ifdef MOZ_ASAN
             .ElseIf(advice == MADV_DONTDUMP, Allow())
 #endif
             .Else(InvalidSyscall());
       }
 
+        // musl libc will set this up in pthreads support.
+      case __NR_membarrier:
+        return Allow();
+
       // Signal handling
 #if defined(ANDROID) || defined(MOZ_ASAN)
       case __NR_sigaltstack:
 #endif
       CASES_FOR_sigreturn:
       CASES_FOR_sigprocmask:
       CASES_FOR_sigaction:
         return Allow();
Backport of https://hg.mozilla.org/mozilla-central/rev/a0be746532f437055e4190cc8db802ad1239405e

diff --git a/security/sandbox/linux/SandboxFilter.cpp b/security/sandbox/linux/SandboxFilter.cpp
--- a/security/sandbox/linux/SandboxFilter.cpp
+++ b/security/sandbox/linux/SandboxFilter.cpp
@@ -419,16 +419,20 @@ class SandboxPolicyCommon : public Sandb
         case __NR_faccessat:
           return Trap(AccessAtTrap, mBroker);
         CASES_FOR_stat:
           return Trap(StatTrap, mBroker);
         CASES_FOR_lstat:
           return Trap(LStatTrap, mBroker);
         CASES_FOR_fstatat:
           return Trap(StatAtTrap, mBroker);
+        // Used by new libc and Rust's stdlib, if available.
+        // We don't have broker support yet so claim it does not exist.
+        case __NR_statx:
+          return Error(ENOSYS);
         case __NR_chmod:
           return Trap(ChmodTrap, mBroker);
         case __NR_link:
           return Trap(LinkTrap, mBroker);
         case __NR_mkdir:
           return Trap(MkdirTrap, mBroker);
         case __NR_symlink:
           return Trap(SymlinkTrap, mBroker);
@@ -538,16 +542,20 @@ class SandboxPolicyCommon : public Sandb
             .ElseIf(advice == MADV_HUGEPAGE, Allow())
             .ElseIf(advice == MADV_NOHUGEPAGE, Allow())
 #ifdef MOZ_ASAN
             .ElseIf(advice == MADV_DONTDUMP, Allow())
 #endif
             .Else(InvalidSyscall());
       }
 
+        // musl libc will set this up in pthreads support.
+      case __NR_membarrier:
+        return Allow();
+
       // Signal handling
 #if defined(ANDROID) || defined(MOZ_ASAN)
       case __NR_sigaltstack:
 #endif
       CASES_FOR_sigreturn:
       CASES_FOR_sigprocmask:
       CASES_FOR_sigaction:
         return Allow();