fix seccomp prevented call to disallowed arm system call 422 on 32bits Androids <= 10

2026-05-09 18:11:26 +08:00 · 2026-02-21 17:51:52 +08:00
parent fb9ffa0b82
commit 5cd01b178a
6 changed files with 109 additions and 0 deletions
--- a/.github/patch/disable_pidfd_on_android.patch
+++ b/.github/patch/disable_pidfd_on_android.patch
@@ -0,0 +1,33 @@
+From 7115c480196f4bdcbdae5e14ebaa4510540680e9 Mon Sep 17 00:00:00 2001
+From: Brad Fitzpatrick <bradfitz@tailscale.com>
+Date: Tue, 27 Jan 2026 09:52:22 -0800
+Subject: [PATCH] [tailscale] os: disable pidfd on Android
+
+Updates tailscale/tailscale#13452
+Updates golang/go#70508
+Updates tailscale/go#99
+---
+ src/os/pidfd_linux.go | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/src/os/pidfd_linux.go b/src/os/pidfd_linux.go
+index 796d8c018c7f2a..5cdbf1175e0db5 100644
+--- a/src/os/pidfd_linux.go
+++ b/src/os/pidfd_linux.go
+@@ -138,6 +138,16 @@ func (p *Process) pidfdSendSignal(s syscall.Signal) error {
+ 
+ // pidfdWorks returns whether we can use pidfd on this system.
+ func pidfdWorks() bool {
+	if runtime.GOOS == "android" {
+		// Tailscale-specific workaround since https://github.com/golang/go/pull/69543/commits/aad6b3b32c81795f86bc4a9e81aad94899daf520
+		// does not solve https://github.com/golang/go/issues/69065 for Android apps using Go libraries.
+		//
+		// See: https://github.com/tailscale/tailscale/issues/13452
+		//
+		// For now (2025-04-09), we'll just disable pidfd
+		// on all Android releases.
+		return false
+	}
+ 	return checkPidfdOnce() == nil
+ }
+ 
--- a/.github/patch/remove_64bits_syscall_on_32bit_linux.patch
+++ b/.github/patch/remove_64bits_syscall_on_32bit_linux.patch
@@ -0,0 +1,56 @@
+Subject: [PATCH] remove 64bits syscall on 32bit linux
+---
+Index: src/runtime/os_linux32.go
+IDEA additional info:
+Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
+<+>UTF-8
+===================================================================
+diff --git a/src/runtime/os_linux32.go b/src/runtime/os_linux32.go
+--- a/src/runtime/os_linux32.go	(revision 030384681641464bf71ed16500075c458363510f)
+++ b/src/runtime/os_linux32.go	(date 1771666707318)
+@@ -21,14 +21,14 @@
+ 
+ //go:nosplit
+ func futex(addr unsafe.Pointer, op int32, val uint32, ts *timespec, addr2 unsafe.Pointer, val3 uint32) int32 {
+-	if !isFutexTime32bitOnly.Load() {
+-		ret := futex_time64(addr, op, val, ts, addr2, val3)
+-		// futex_time64 is only supported on Linux 5.0+
+-		if ret != -_ENOSYS {
+-			return ret
+-		}
+-		isFutexTime32bitOnly.Store(true)
+-	}
+	//if !isFutexTime32bitOnly.Load() {
+	//	ret := futex_time64(addr, op, val, ts, addr2, val3)
+	//	// futex_time64 is only supported on Linux 5.0+
+	//	if ret != -_ENOSYS {
+	//		return ret
+	//	}
+	//	isFutexTime32bitOnly.Store(true)
+	//}
+ 	// Downgrade ts.
+ 	var ts32 timespec32
+ 	var pts32 *timespec32
+@@ -49,14 +49,14 @@
+ 
+ //go:nosplit
+ func timer_settime(timerid int32, flags int32, new, old *itimerspec) int32 {
+-	if !isSetTime32bitOnly.Load() {
+-		ret := timer_settime64(timerid, flags, new, old)
+-		// timer_settime64 is only supported on Linux 5.0+
+-		if ret != -_ENOSYS {
+-			return ret
+-		}
+-		isSetTime32bitOnly.Store(true)
+-	}
+	//if !isSetTime32bitOnly.Load() {
+	//	ret := timer_settime64(timerid, flags, new, old)
+	//	// timer_settime64 is only supported on Linux 5.0+
+	//	if ret != -_ENOSYS {
+	//		return ret
+	//	}
+	//	isSetTime32bitOnly.Store(true)
+	//}
+ 
+ 	var newts, oldts itimerspec32
+ 	var new32, old32 *itimerspec32