Sandbox: Permit the clone3 system call

Apparently glibc-2.34 uses clone3, when previously it just used clone. Closes ticket #40590.
author: Nick Mathewson <nickm@torproject.org> 2022-03-27 18:34:25 -0400
committer: Nick Mathewson <nickm@torproject.org> 2022-03-27 18:34:25 -0400
commit: de3872656a8d3a79ca3d5fc55f1b64c4862b4c8a (patch)
tree: 0b3b8806523fe2865e6df47ee7e625e8d1ea8b69
parent: 421ce94395ecf9cea65ab6c3841df8bcf0a48cbb (diff)
download: tor-de3872656a8d3a79ca3d5fc55f1b64c4862b4c8a.tar.gz
tor-de3872656a8d3a79ca3d5fc55f1b64c4862b4c8a.zip
2 files changed, 6 insertions, 0 deletions
diff --git a/changes/clone3-sandbox b/changes/clone3-sandbox
new file mode 100644
index 0000000000..dac8fe72da
--- /dev/null
+++ b/changes/clone3-sandbox
@@ -0,0 +1,3 @@
+  o Minor features (linux seccomp2 sandbox):
+    - Permit the clone3 syscall, which is apparently used in glibc-2.34 and
+      later. Closes ticket 40590.
diff --git a/src/lib/sandbox/sandbox.c b/src/lib/sandbox/sandbox.c
index 8f577b0660..df676fad2f 100644
--- a/src/lib/sandbox/sandbox.c
+++ b/src/lib/sandbox/sandbox.c
@@ -144,6 +144,9 @@ static int filter_nopar_gen[] = {
     SCMP_SYS(clock_gettime),
     SCMP_SYS(close),
     SCMP_SYS(clone),
+#ifdef __NR_clone3
+    SCMP_SYS(clone3),
+#endif
     SCMP_SYS(epoll_create),
     SCMP_SYS(epoll_wait),
 #ifdef __NR_epoll_pwait
author	Nick Mathewson <nickm@torproject.org>	2022-03-27 18:34:25 -0400
committer	Nick Mathewson <nickm@torproject.org>	2022-03-27 18:34:25 -0400
commit	de3872656a8d3a79ca3d5fc55f1b64c4862b4c8a (patch)
tree	0b3b8806523fe2865e6df47ee7e625e8d1ea8b69
parent	421ce94395ecf9cea65ab6c3841df8bcf0a48cbb (diff)
download	tor-de3872656a8d3a79ca3d5fc55f1b64c4862b4c8a.tar.gz tor-de3872656a8d3a79ca3d5fc55f1b64c4862b4c8a.zip