Allow Landlock Syscalls
Allowlist the three Landlock syscalls, because these would allow the
Clank GPU process to run under a stronger sandbox.
There is low risk from allowlisting these, because all they allow a
caller to do is to further restrict its capabilities.
For background on the motivation here, see go/landlock-clank-design.
We don’t require a libc wrapper for this allowlisting to be useful.
Bug: http://b/399173273
Test: Verified successful Landlock syscall execution in a modified
Chrome binary
Change-Id: I5fcbffc290ab51906cd06a5994bfe68de54aa384
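The probe-then-restrict pattern the message refers to, written as an added example in C against the raw syscall numbers rather than any libc wrapper. This is not code from the change, from bionic or from Chrome; the syscall numbers, constants and struct layouts are copied from the Linux UAPI headers (stable ABI), the `ll_` names are local to this example, and the read-only directory passed in main() is an arbitrary placeholder.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Same prototype as glibc's; declared here so the file also builds where
 * unistd.h hides syscall() behind feature macros. */
extern long syscall(long number, ...);

/* Copied from the kernel UAPI: Landlock landed in 5.13 with numbers that are
 * the same on every architecture. Local names avoid a clash with
 * <linux/landlock.h>, which this example deliberately does not need. */
#ifndef __NR_landlock_create_ruleset
#define __NR_landlock_create_ruleset 444
#define __NR_landlock_add_rule       445
#define __NR_landlock_restrict_self  446
#endif
#define LL_CREATE_RULESET_VERSION (1U << 0)
#define LL_RULE_PATH_BENEATH      1
#define LL_FS_ALL_ABI1  ((1ULL << 13) - 1)          /* EXECUTE .. MAKE_SYM  */
#define LL_FS_REFER     (1ULL << 13)                /* added in ABI 2       */
#define LL_FS_TRUNCATE  (1ULL << 14)                /* added in ABI 3       */
#define LL_FS_IOCTL_DEV (1ULL << 15)                /* added in ABI 5       */
#define LL_FS_READ_ONLY ((1ULL << 2) | (1ULL << 3)) /* READ_FILE | READ_DIR */

/* ABI 1 layout; newer kernels accept the smaller size via the size argument. */
struct ll_ruleset_attr { uint64_t handled_access_fs; };
/* Packed exactly as in the kernel header. */
struct ll_path_beneath_attr { uint64_t allowed_access; int32_t parent_fd; }
    __attribute__((packed));

/* Probe. Returns the Landlock ABI version (>= 1) or -errno: ENOSYS means the
 * kernel predates Landlock, EOPNOTSUPP means it is built but not enabled, and
 * anything else (e.g. a seccomp filter rejecting the syscall, the situation
 * the allowlist change addresses) means "fall back to no sandbox". */
int ll_abi_version(void) {
    long r = syscall(__NR_landlock_create_ruleset, NULL, 0, LL_CREATE_RULESET_VERSION);
    return r < 0 ? -errno : (int)r;
}

/* Pure helper: the filesystem rights a given ABI version understands. Handling
 * a right the kernel does not know makes landlock_create_ruleset fail with
 * EINVAL, so the probe result is used to trim the ruleset before creating it. */
uint64_t ll_fs_rights_for_abi(int abi) {
    uint64_t mask = 0;
    if (abi >= 1) mask |= LL_FS_ALL_ABI1;
    if (abi >= 2) mask |= LL_FS_REFER;
    if (abi >= 3) mask |= LL_FS_TRUNCATE;
    if (abi >= 5) mask |= LL_FS_IOCTL_DEV;
    return mask;
}

/* Confine the calling thread to read-only access below `dir`. Returns 0 on
 * success or -errno. An abi < 1 (probe failed) is reported as -ENOSYS without
 * issuing any syscall, so callers can conditionally skip the sandbox. */
int ll_restrict_to_readonly(const char *dir, int abi) {
    if (abi < 1) return -ENOSYS;
    struct ll_ruleset_attr rs = { .handled_access_fs = ll_fs_rights_for_abi(abi) };
    struct ll_path_beneath_attr pb = { .allowed_access = LL_FS_READ_ONLY, .parent_fd = -1 };
    int rc = 0;
    long ruleset_fd = syscall(__NR_landlock_create_ruleset, &rs, sizeof rs, 0);
    if (ruleset_fd < 0) return -errno;
    pb.parent_fd = open(dir, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    if (pb.parent_fd < 0) {
        rc = -errno;
    } else {
        if (syscall(__NR_landlock_add_rule, ruleset_fd, LL_RULE_PATH_BENEATH, &pb, 0) < 0)
            rc = -errno;
        close(pb.parent_fd);
    }
    /* Same prerequisite as for seccomp: the thread must give up privilege
     * gain through setuid/setcap executables before it may restrict itself. */
    if (rc == 0 && prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0) rc = -errno;
    if (rc == 0 && syscall(__NR_landlock_restrict_self, ruleset_fd, 0) < 0) rc = -errno;
    close((int)ruleset_fd);
    return rc;
}

int main(void) {
    int abi = ll_abi_version();
    if (abi < 1) {
        printf("Landlock unavailable (errno %d), continuing without it\n", -abi);
        return 0;
    }
    int rc = ll_restrict_to_readonly("/usr", abi); /* placeholder directory */
    printf("Landlock ABI %d, restrict_self rc=%d\n", abi, rc);
    if (rc == 0) {
        /* Everything outside the read-only tree is now denied: expect EACCES. */
        int fd = open("/tmp/landlock-probe", O_WRONLY | O_CREAT, 0600);
        printf("write open under /tmp -> %s\n", fd < 0 ? "denied" : "allowed");
        if (fd >= 0) close(fd);
    }
    return rc == 0 ? 0 : 1;
}
```

Only `ll_abi_version` needs to be allowed through a seccomp filter for the probe itself to work; if the filter kills or rejects it, the process never reaches `ll_restrict_to_readonly`, which is why all three syscalls are allowlisted together.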
diff --git a/libc/SECCOMP_ALLOWLIST_COMMON.TXT b/libc/SECCOMP_ALLOWLIST_COMMON.TXT
index b921aae..41db4e8 100644
--- a/libc/SECCOMP_ALLOWLIST_COMMON.TXT
+++ b/libc/SECCOMP_ALLOWLIST_COMMON.TXT
@@ -79,3 +79,8 @@
# support seems potentially useful for Android (though the struct that
# changes size over time is obviously problematic).
clone3(clone_args*, size_t) all
+# Since 5.13, not in glibc. Probed for and conditionally used by
+# Chrome GPU processes.
+landlock_add_rule(int, uint64_t, const void*, uint32_t) all
+landlock_create_ruleset(const landlock_ruleset_attr*, size_t, uint64_t) all
+landlock_restrict_self(int, uint64_t) all
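Review bot: the parameter types on the three new entries do not match the kernel ABI: in the UAPI, landlock_add_rule's second argument is `enum landlock_rule_type` (an int), and the flags argument of all three syscalls is `__u32`, not `uint64_t`. If the types in this file are informational, this is only a documentation point, but they are easy to copy into a stub later, so please correct them, e.g. `landlock_add_rule(int, int, const void*, uint32_t) all`, `landlock_create_ruleset(const landlock_ruleset_attr*, size_t, uint32_t) all`, `landlock_restrict_self(int, uint32_t) all`. Also consider carrying the rationale from the commit message (these calls can only further restrict the caller, hence low risk) into the comment above the entries, matching the explanatory comment the neighbouring clone3 line already has.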