include common.chasc

# syscall nr is loaded in common.chasc

# for sendfd/recvfd
ifeqdef SYS_recvmsg allow
ifeqdef SYS_sendmsg allow

# following syscalls are rarely called
ifeqdef SYS_clock_gettime allow # used by QuickJS in atomics and cpuTime()
ifeqdef SYS_clock_gettime64 allow # 64-bit clock_gettime on 32-bit platforms
ifeqdef SYS_getpid allow	# for determining current PID after we fork
ifeqdef SYS_gettimeofday allow 	# used by QuickJS in Date.now()
ifeqdef SYS_rt_sigreturn allow 	# newer kernels have this instead of sigreturn
ifeqdef SYS_set_robust_list allow # glibc seems to need it for whatever reason
ifeqdef SYS_sigreturn allow	# called by signal trampoline

ifeqdef SYS_fork allow
# It would be great if this were enough to allow fork and only fork,
# but some Linuxen do not have fork, so most libcs prefer clone.
ifne SYS_clone not_clone
load args[0]	# flags
# musl only passes SIGCHLD.
# glibc and bionic also pass settid, cleartid.
ifeq SIGCHLD clone_musl
ifne CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD deny
: clone_musl
load args[1]	# child_stack
ifne 0 deny
load args[2]	# parent_tid
ifne 0 deny
# 3, 4 are child_tid and tls respectively. tls in particular is normally
# 0, but it is swapped with child_tid on some architectures.
# This still means that at least one of the two must be 0.
load args[3]
ifeq 0 allow
load args[4]
ifeq 0 allow
: not_clone

: deny
ret trap
: kill
ret kill
: eperm
ret errno EPERM
: allow
ret allow