Index: sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc |
diff --git a/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc b/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc |
index 79b5b023da4f07d429d18fe7a101c684ec7eb381..217bdac679391d8829fe9bce1f6a85921c1e8c41 100644 |
--- a/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc |
+++ b/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc |
@@ -97,6 +97,10 @@ ErrorCode EvaluateSyscallImpl(int fs_denied_errno, |
return ErrorCode(ErrorCode::ERR_ALLOWED); |
} |
+ if (sysno == __NR_clone) { |
+ return RestrictCloneToThreadsAndEPERMFork(sandbox); |
+ } |
+ |
#if defined(__x86_64__) || defined(__arm__) |
if (sysno == __NR_socketpair) { |
// Only allow AF_UNIX, PF_UNIX. Crash if anything else is seen. |
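Review bot: The new `__NR_clone` branch sits below the early `return ErrorCode(ErrorCode::ERR_ALLOWED);`, so it only takes effect if the condition guarding that return (not visible in this hunk) rejects clone; if clone is still in the allowed set, the restriction is unreachable and clone stays unfiltered. The branch also matches only `__NR_clone`, so on architectures that define separate `fork`/`vfork` syscall numbers those have to be denied elsewhere in `EvaluateSyscallImpl`, whose body starts and ends outside this hunk. A short comment would record the intent, which is otherwise only implied by the helper's name, for example `// clone(): allow thread creation only; fork-style flag combinations get EPERM.` A policy test asserting that a fork-style clone fails with EPERM under the baseline policy would keep the ordering from regressing.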