fix seccomp prevented call to disallowed arm system call 422 on 32bits Androids <= 10

wwqgtxx · wwqgtxx · commit 5cd01b178a6b · 2026-02-21T17:53:04.000+08:00
diff --git a/.github/patch/disable_pidfd_on_android.patch b/.github/patch/disable_pidfd_on_android.patch
@@ -0,0 +1,33 @@
+From 7115c480196f4bdcbdae5e14ebaa4510540680e9 Mon Sep 17 00:00:00 2001
+From: Brad Fitzpatrick <bradfitz@tailscale.com>
+Date: Tue, 27 Jan 2026 09:52:22 -0800
+Subject: [PATCH] [tailscale] os: disable pidfd on Android
+
+Updates tailscale/tailscale#13452
+Updates golang/go#70508
+Updates tailscale/go#99
+---
+ src/os/pidfd_linux.go | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/src/os/pidfd_linux.go b/src/os/pidfd_linux.go
+index 796d8c018c7f2a..5cdbf1175e0db5 100644
+--- a/src/os/pidfd_linux.go
++++ b/src/os/pidfd_linux.go
+@@ -138,6 +138,16 @@ func (p *Process) pidfdSendSignal(s syscall.Signal) error {
+ 
+ // pidfdWorks returns whether we can use pidfd on this system.
+ func pidfdWorks() bool {
++	if runtime.GOOS == "android" {
++		// Tailscale-specific workaround since https://github.com/golang/go/pull/69543/commits/aad6b3b32c81795f86bc4a9e81aad94899daf520
++		// does not solve https://github.com/golang/go/issues/69065 for Android apps using Go libraries.
++		//
++		// See: https://github.com/tailscale/tailscale/issues/13452
++		//
++		// For now (2025-04-09), we'll just disable pidfd
++		// on all Android releases.
++		return false
++	}
+ 	return checkPidfdOnce() == nil
+ }
+ 
diff --git a/.github/patch/remove_64bits_syscall_on_32bit_linux.patch b/.github/patch/remove_64bits_syscall_on_32bit_linux.patch
@@ -0,0 +1,56 @@
+Subject: [PATCH] remove 64bits syscall on 32bit linux
+---
+Index: src/runtime/os_linux32.go
+IDEA additional info:
+Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
+<+>UTF-8
+===================================================================
+diff --git a/src/runtime/os_linux32.go b/src/runtime/os_linux32.go
+--- a/src/runtime/os_linux32.go	(revision 030384681641464bf71ed16500075c458363510f)
++++ b/src/runtime/os_linux32.go	(date 1771666707318)
+@@ -21,14 +21,14 @@
+ 
+ //go:nosplit
+ func futex(addr unsafe.Pointer, op int32, val uint32, ts *timespec, addr2 unsafe.Pointer, val3 uint32) int32 {
+-	if !isFutexTime32bitOnly.Load() {
+-		ret := futex_time64(addr, op, val, ts, addr2, val3)
+-		// futex_time64 is only supported on Linux 5.0+
+-		if ret != -_ENOSYS {
+-			return ret
+-		}
+-		isFutexTime32bitOnly.Store(true)
+-	}
++	//if !isFutexTime32bitOnly.Load() {
++	//	ret := futex_time64(addr, op, val, ts, addr2, val3)
++	//	// futex_time64 is only supported on Linux 5.0+
++	//	if ret != -_ENOSYS {
++	//		return ret
++	//	}
++	//	isFutexTime32bitOnly.Store(true)
++	//}
+ 	// Downgrade ts.
+ 	var ts32 timespec32
+ 	var pts32 *timespec32
+@@ -49,14 +49,14 @@
+ 
+ //go:nosplit
+ func timer_settime(timerid int32, flags int32, new, old *itimerspec) int32 {
+-	if !isSetTime32bitOnly.Load() {
+-		ret := timer_settime64(timerid, flags, new, old)
+-		// timer_settime64 is only supported on Linux 5.0+
+-		if ret != -_ENOSYS {
+-			return ret
+-		}
+-		isSetTime32bitOnly.Store(true)
+-	}
++	//if !isSetTime32bitOnly.Load() {
++	//	ret := timer_settime64(timerid, flags, new, old)
++	//	// timer_settime64 is only supported on Linux 5.0+
++	//	if ret != -_ENOSYS {
++	//		return ret
++	//	}
++	//	isSetTime32bitOnly.Store(true)
++	//}
+ 
+ 	var newts, oldts itimerspec32
+ 	var new32, old32 *itimerspec32
diff --git a/.github/workflows/build-debug.yaml b/.github/workflows/build-debug.yaml
@@ -32,6 +32,11 @@ jobs:
           go-version: "1.26"
           check-latest: true # Always check for the latest patch release
 
+      - name: Apply Patches
+        run: |
+          cd $(go env GOROOT)
+          for p in $GITHUB_WORKSPACE/.github/patch/*.patch; do patch --verbose -p 1 < "$p"; done
+
       - uses: actions/cache@v4
         with:
           path: |
diff --git a/.github/workflows/build-pre-release.yaml b/.github/workflows/build-pre-release.yaml
@@ -30,6 +30,11 @@ jobs:
           go-version: "1.26"
           check-latest: true # Always check for the latest patch release
 
+      - name: Apply Patches
+        run: |
+          cd $(go env GOROOT)
+          for p in $GITHUB_WORKSPACE/.github/patch/*.patch; do patch --verbose -p 1 < "$p"; done
+
       - uses: actions/cache@v4
         with:
           path: |
diff --git a/.github/workflows/build-release.yaml b/.github/workflows/build-release.yaml
@@ -34,6 +34,11 @@ jobs:
           go-version: "1.26"
           check-latest: true # Always check for the latest patch release
 
+      - name: Apply Patches
+        run: |
+          cd $(go env GOROOT)
+          for p in $GITHUB_WORKSPACE/.github/patch/*.patch; do patch --verbose -p 1 < "$p"; done
+
       - uses: actions/cache@v4
         with:
           path: |
diff --git a/.github/workflows/update-dependencies.yaml b/.github/workflows/update-dependencies.yaml
@@ -26,6 +26,11 @@ jobs:
         with:
           go-version: "1.26"
           check-latest: true # Always check for the latest patch release
+
+      - name: Apply Patches
+        run: |
+          cd $(go env GOROOT)
+          for p in $GITHUB_WORKSPACE/.github/patch/*.patch; do patch --verbose -p 1 < "$p"; done
       
       - uses: actions/cache@v4
         with:
