Diffstat (limited to 'chromium/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc')
-rw-r--r--chromium/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc9
1 files changed, 9 insertions, 0 deletions
diff --git a/chromium/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc b/chromium/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc
index f33aa90c1b0..479d1ed55a3 100644
--- a/chromium/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc
+++ b/chromium/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc
@@ -162,6 +162,15 @@ ResultExpr EvaluateSyscallImpl(int fs_denied_errno,
}
#endif
+#if defined(__NR_vfork)
+ // vfork() is almost never used as a system call, but some libc versions (e.g.
+ // older versions of bionic) might use it in a posix_spawn() implementation,
+ // which is used by system();
+ if (sysno == __NR_vfork) {
+ return Error(EPERM);
+ }
+#endif
+
if (sysno == __NR_futex)
return RestrictFutex();
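Review bot: The comment above the `__NR_vfork` check stops on a semicolon mid-sentence and never says why the call is failed with `EPERM` instead of being left to whatever the policy does for syscalls it does not list, which this hunk does not show. If the intent is what it appears to be, finish the sentence with the decision, e.g. `// which is used by system(). Deny it with EPERM so the caller sees an ordinary spawn failure; the sandboxed process must not create children.` Because the denial is a plain errno return, an attempt at process creation inside the sandbox is silent, so it is worth stating in the same comment that this is deliberate for libc compatibility. A policy test asserting that `vfork()` fails with `EPERM` under the baseline policy would pin the behaviour; the diffstat shown is limited to this file, so one may already exist elsewhere in the commit. `EvaluateSyscallImpl` starts and ends outside the hunk.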