From 5cd01b178a6b49d293278a20edaf8900630f19cb Mon Sep 17 00:00:00 2001
From: wwqgtxx
Date: Sat, 21 Feb 2026 17:51:52 +0800
Subject: [PATCH] fix `seccomp prevented call to disallowed arm system call 422` on 32bits Androids <= 10
---
.github/patch/disable_pidfd_on_android.patch | 33 +++++++++++
...remove_64bits_syscall_on_32bit_linux.patch | 56 +++++++++++++++++++
.github/workflows/build-debug.yaml | 5 ++
.github/workflows/build-pre-release.yaml | 5 ++
.github/workflows/build-release.yaml | 5 ++
.github/workflows/update-dependencies.yaml | 5 ++
6 files changed, 109 insertions(+)
create mode 100644 .github/patch/disable_pidfd_on_android.patch
create mode 100644 .github/patch/remove_64bits_syscall_on_32bit_linux.patch
diff --git a/.github/patch/disable_pidfd_on_android.patch b/.github/patch/disable_pidfd_on_android.patch
new file mode 100644
index 00000000..c9943fd3
--- /dev/null
+++ b/.github/patch/disable_pidfd_on_android.patch
@@ -0,0 +1,33 @@
+From 7115c480196f4bdcbdae5e14ebaa4510540680e9 Mon Sep 17 00:00:00 2001
+From: Brad Fitzpatrick
+Date: Tue, 27 Jan 2026 09:52:22 -0800
+Subject: [PATCH] [tailscale] os: disable pidfd on Android
+
+Updates tailscale/tailscale#13452
+Updates golang/go#70508
+Updates tailscale/go#99
+---
+ src/os/pidfd_linux.go | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/src/os/pidfd_linux.go b/src/os/pidfd_linux.go
+index 796d8c018c7f2a..5cdbf1175e0db5 100644
+--- a/src/os/pidfd_linux.go
++++ b/src/os/pidfd_linux.go
+@@ -138,6 +138,16 @@ func (p *Process) pidfdSendSignal(s syscall.Signal) error {
+
+ // pidfdWorks returns whether we can use pidfd on this system.
+ func pidfdWorks() bool {
++ if runtime.GOOS == "android" {
++ // Tailscale-specific workaround since https://github.com/golang/go/pull/69543/commits/aad6b3b32c81795f86bc4a9e81aad94899daf520
++ // does not solve https://github.com/golang/go/issues/69065 for Android apps using Go libraries.
++ //
++ // See: https://github.com/tailscale/tailscale/issues/13452
++ //
++ // For now (2025-04-09), we'll just disable pidfd
++ // on all Android releases.
++ return false
++ }
+ return checkPidfdOnce() == nil
+ }
+
diff --git a/.github/patch/remove_64bits_syscall_on_32bit_linux.patch b/.github/patch/remove_64bits_syscall_on_32bit_linux.patch
new file mode 100644
index 00000000..bc0b9a02
--- /dev/null
+++ b/.github/patch/remove_64bits_syscall_on_32bit_linux.patch
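Review bot: The `runtime.GOOS == "android"` guard in `pidfdWorks` turns pidfd off for every Android build, 64-bit and current API levels included, while the commit subject only covers 32-bit Android <= 10. pidfd lets signalling and waiting target a stable handle instead of a PID that can be recycled, so this gives that protection up on targets that may not need the workaround; the callers of `pidfdWorks` are outside the hunk, so the exact fallback should be confirmed. The carried comment says `For now (2025-04-09)` with no removal condition, so I would add a line to the commit description such as `disable_pidfd_on_android.patch: taken from the Tailscale Go fork (tailscale/go#99); drop once golang/go#70508 is resolved upstream`.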
@@ -0,0 +1,56 @@
+Subject: [PATCH] remove 64bits syscall on 32bit linux
+---
+Index: src/runtime/os_linux32.go
+IDEA additional info:
+Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
+<+>UTF-8
+===================================================================
+diff --git a/src/runtime/os_linux32.go b/src/runtime/os_linux32.go
+--- a/src/runtime/os_linux32.go (revision 030384681641464bf71ed16500075c458363510f)
++++ b/src/runtime/os_linux32.go (date 1771666707318)
+@@ -21,14 +21,14 @@
+
+ //go:nosplit
+ func futex(addr unsafe.Pointer, op int32, val uint32, ts *timespec, addr2 unsafe.Pointer, val3 uint32) int32 {
+- if !isFutexTime32bitOnly.Load() {
+- ret := futex_time64(addr, op, val, ts, addr2, val3)
+- // futex_time64 is only supported on Linux 5.0+
+- if ret != -_ENOSYS {
+- return ret
+- }
+- isFutexTime32bitOnly.Store(true)
+- }
++ //if !isFutexTime32bitOnly.Load() {
++ // ret := futex_time64(addr, op, val, ts, addr2, val3)
++ // // futex_time64 is only supported on Linux 5.0+
++ // if ret != -_ENOSYS {
++ // return ret
++ // }
++ // isFutexTime32bitOnly.Store(true)
++ //}
+ // Downgrade ts.
+ var ts32 timespec32
+ var pts32 *timespec32
+@@ -49,14 +49,14 @@
+
+ //go:nosplit
+ func timer_settime(timerid int32, flags int32, new, old *itimerspec) int32 {
+- if !isSetTime32bitOnly.Load() {
+- ret := timer_settime64(timerid, flags, new, old)
+- // timer_settime64 is only supported on Linux 5.0+
+- if ret != -_ENOSYS {
+- return ret
+- }
+- isSetTime32bitOnly.Store(true)
+- }
++ //if !isSetTime32bitOnly.Load() {
++ // ret := timer_settime64(timerid, flags, new, old)
++ // // timer_settime64 is only supported on Linux 5.0+
++ // if ret != -_ENOSYS {
++ // return ret
++ // }
++ // isSetTime32bitOnly.Store(true)
++ //}
+
+ var newts, oldts itimerspec32
+ var new32, old32 *itimerspec32
diff --git a/.github/workflows/build-debug.yaml b/.github/workflows/build-debug.yaml
index 95350708..5ee25b5d 100644
--- a/.github/workflows/build-debug.yaml
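Review bot: Commenting out the `futex_time64` and `timer_settime64` attempts in `futex` and `timer_settime` removes them for every 32-bit Linux target built with this toolchain, not only the Android <= 10 devices named in the commit subject. There the seccomp filter apparently rejects the call outright instead of answering `-_ENOSYS`, which would explain why the existing fallback never runs, but other 32-bit Linux builds would now depend solely on the legacy 32-bit-time syscalls and presumably break on kernels built without them. Consider gating rather than deleting, e.g. `if GOOS != "android" && !isFutexTime32bitOnly.Load() {` and the same for `isSetTime32bitOnly` (using the runtime package's `GOOS` constant; verify against the Go revision being patched), which also avoids carrying commented-out code in the runtime. Both function bodies continue outside the inner hunks.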
+++ b/.github/workflows/build-debug.yaml @@ -32,6 +32,11 @@ jobs: go-version: "1.26" check-latest: true # Always check for the latest patch release + - name: Apply Patches + run: | + cd $(go env GOROOT) + for p in $GITHUB_WORKSPACE/.github/patch/*.patch; do patch --verbose -p 1 < "$p"; done + - uses: actions/cache@v4 with: path: | diff --git a/.github/workflows/build-pre-release.yaml b/.github/workflows/build-pre-release.yaml index ca131028..d4715d7b 100644 --- a/.github/workflows/build-pre-release.yaml +++ b/.github/workflows/build-pre-release.yaml @@ -30,6 +30,11 @@ jobs: go-version: "1.26" check-latest: true # Always check for the latest patch release + - name: Apply Patches + run: | + cd $(go env GOROOT) + for p in $GITHUB_WORKSPACE/.github/patch/*.patch; do patch --verbose -p 1 < "$p"; done + - uses: actions/cache@v4 with: path: | diff --git a/.github/workflows/build-release.yaml b/.github/workflows/build-release.yaml index 2f3e2d73..3f9c3e9f 100644 --- a/.github/workflows/build-release.yaml +++ b/.github/workflows/build-release.yaml @@ -34,6 +34,11 @@ jobs: go-version: "1.26" check-latest: true # Always check for the latest patch release + - name: Apply Patches + run: | + cd $(go env GOROOT) + for p in $GITHUB_WORKSPACE/.github/patch/*.patch; do patch --verbose -p 1 < "$p"; done + - uses: actions/cache@v4 with: path: | diff --git a/.github/workflows/update-dependencies.yaml b/.github/workflows/update-dependencies.yaml index 355f0fd3..71524443 100644 --- a/.github/workflows/update-dependencies.yaml +++ b/.github/workflows/update-dependencies.yaml @@ -26,6 +26,11 @@ jobs: with: go-version: "1.26" check-latest: true # Always check for the latest patch release + + - name: Apply Patches + run: | + cd $(go env GOROOT) + for p in $GITHUB_WORKSPACE/.github/patch/*.patch; do patch --verbose -p 1 < "$p"; done - uses: actions/cache@v4 with:
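Review bot: The new `Apply Patches` step rewrites the Go toolchain that builds the shipped binaries, yet it runs `patch` with its default fuzz against a floating Go version (`go-version: "1.26"` with `check-latest: true`), while `remove_64bits_syscall_on_32bit_linux.patch` was cut against one specific revision. After an upstream point release a hunk can still apply even though its context no longer matches exactly, and the job stays green; `patch --verbose --fuzz=0 -p 1 < "$p"` turns that drift into a hard failure, and `cd "$(go env GOROOT)"` with `"$GITHUB_WORKSPACE"/.github/patch/*.patch` keeps paths containing spaces intact. The same step is repeated in the hunks for `build-pre-release.yaml`, `build-release.yaml` and `update-dependencies.yaml`; a shared script or composite action would keep the four copies from diverging.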