authorLiz Prucka <lizprucka@google.com>2023-07-25 10:22:19 -0500
committerAleksandr Nogikh <nogikh@google.com>2023-07-25 17:22:32 +0000
commit00adc293db8cdb857f69bb49196e432c460813fe (patch)
tree066fab36be5c25186ea4f8a5bbb15486d3a6dd4b /executor/android/android_seccomp.h
parenta92e604f21f1946a639b0eb05bdfe305b0103b35 (diff)
executor/android: updated x86 seccomp policy
The recent Docker upgrade to Debian `bookworm` caused x86_64 instances to fail in `pthread_create()` due to the Android seccomp filter. On `bookworm`, `pthread_create()` calls `clone3()` and `set_robust_list()`, which aren't on the seccomp filter, instead of `clone()`, which is. Added these calls to the seccomp policy.
Diffstat (limited to 'executor/android/android_seccomp.h')
-rw-r--r--executor/android/android_seccomp.h7
1 files changed, 7 insertions, 0 deletions
diff --git a/executor/android/android_seccomp.h b/executor/android/android_seccomp.h
index 8546350c5..e534ac411 100644
--- a/executor/android/android_seccomp.h
+++ b/executor/android/android_seccomp.h
@@ -2,6 +2,11 @@
// Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file.
// These headers are generated by the Android build system and need to be updated periodically.
+
+// Header files are generated by `genseccomp.py`
+// (https://android.googlesource.com/platform/bionic/+/refs/heads/main/libc/tools/genseccomp.py).
+// Arguments are taken from the android build file
+// (https://android.googlesource.com/platform/bionic/+/refs/heads/main/libc/Android.bp).
#if GOARCH_arm64
#define PRIMARY_ARCH AUDIT_ARCH_AARCH64
#include "arm64_app_policy.h"
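Review bot: The two provenance links in the added comment point at `refs/heads/main`, so they will not identify the `genseccomp.py` and `Android.bp` revisions the checked-in policy headers were actually generated from. Because these headers define the seccomp allowlist, the comment should record the bionic commit and the arguments used, e.g. `// Generated from bionic at <BIONIC_COMMIT> with: genseccomp.py <ARGS>`, so a later regeneration can be diffed against a known baseline. The existing line above already says the headers come from the Android build system, so the two statements could be merged into one.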
@@ -23,6 +28,8 @@ static const struct sock_filter* system_filter = arm_system_filter;
static const size_t system_filter_size = arm_system_filter_size;
#define kFilterMaxSize (arm_app_filter_size + 3 + 1 + 4 + 2)
+// Note: clone3() and set/get_robust_list() are added as they are used
+// by pthread_create().
#elif GOARCH_amd64
#define PRIMARY_ARCH AUDIT_ARCH_X86_64
#include "x86_64_app_policy.h"
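Review bot: The added note sits above `#elif GOARCH_amd64`, at the tail of the preceding branch whose filters are named `arm_*`, so it reads as describing that policy rather than the x86_64 one; it belongs below the `#elif`, next to the `x86_64_app_policy.h` include. It should also say that these entries are manual additions to a generated header, for example `// x86_64_app_policy.h is hand-patched: clone3() and set/get_robust_list() were added for pthread_create(); re-apply after regenerating.`, otherwise the next regeneration drops them silently. The policy header itself is not in this diff, so this is inferred: if `clone3()` is allowed unconditionally, seccomp BPF cannot inspect its struct argument, and any flag restrictions the policy places on `clone()` do not carry over, whereas returning ENOSYS for `clone3()` makes glibc fall back to `clone()` and keeps them. The commit description names only `set_robust_list()` while the comment also lists `get_robust_list()`, which is worth reconciling. The `#if` chain starts and continues outside this hunk.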