18 files changed, 874 insertions, 0 deletions

diff --git a/chromium/.footprint b/chromium/.footprint
new file mode 100644
index 0000000..c7202b9
--- /dev/null
+++ b/chromium/.footprint
@@ -0,0 +1,32 @@
+drwxr-xr-x      root/root       usr/
+drwxr-xr-x      root/root       usr/bin/
+-rwxr-xr-x      root/root       usr/bin/chromium
+drwxr-xr-x      root/root       usr/lib/
+drwxr-xr-x      root/root       usr/lib/chromium/
+-rwxr-xr-x      root/root       usr/lib/chromium/chrome
+-rw-r--r--      root/root       usr/lib/chromium/chrome_100_percent.pak
+-rw-r--r--      root/root       usr/lib/chromium/chrome_200_percent.pak
+-rwxr-xr-x      root/root       usr/lib/chromium/chrome_crashpad_handler
+-rw-r--r--      root/root       usr/lib/chromium/headless_command_resources.pak
+-rw-r--r--      root/root       usr/lib/chromium/icudtl.dat
+-rw-r--r--      root/root       usr/lib/chromium/libEGL.so
+-rw-r--r--      root/root       usr/lib/chromium/libGLESv2.so
+-rw-r--r--      root/root       usr/lib/chromium/libVkICD_mock_icd.so
+-rw-r--r--      root/root       usr/lib/chromium/libVkLayer_khronos_validation.so
+-rw-r--r--      root/root       usr/lib/chromium/libvk_swiftshader.so
+-rw-r--r--      root/root       usr/lib/chromium/libvulkan.so.1
+-rw-r--r--      root/root       usr/lib/chromium/resources.pak
+-rw-r--r--      root/root       usr/lib/chromium/snapshot_blob.bin
+-rw-r--r--      root/root       usr/lib/chromium/v8_context_snapshot.bin
+-rw-r--r--      root/root       usr/lib/chromium/vk_swiftshader_icd.json
+-rwxr-xr-x      root/root       usr/lib/chromium/xdg-mime
+-rwxr-xr-x      root/root       usr/lib/chromium/xdg-settings
+drwxr-xr-x      root/root       usr/lib/chromium/locales/
+-rw-r--r--      root/root       usr/lib/chromium/locales/el.pak
+-rw-r--r--      root/root       usr/lib/chromium/locales/el_FEMININE.pak
+-rw-r--r--      root/root       usr/lib/chromium/locales/el_MASCULINE.pak
+-rw-r--r--      root/root       usr/lib/chromium/locales/el_NEUTER.pak
+-rw-r--r--      root/root       usr/lib/chromium/locales/en-US.pak
+-rw-r--r--      root/root       usr/lib/chromium/locales/en-US_FEMININE.pak
+-rw-r--r--      root/root       usr/lib/chromium/locales/en-US_MASCULINE.pak
+-rw-r--r--      root/root       usr/lib/chromium/locales/en-US_NEUTER.pak
diff --git a/chromium/.signature b/chromium/.signature
new file mode 100644
index 0000000..064f303
--- /dev/null
+++ b/chromium/.signature
@@ -0,0 +1,9 @@
+untrusted comment: verify with zorz.pub
+RWTZ9IduCSQ/mCt+MgmxBCIacoMiOpx/pJrUjF2156FsIgXHCpa5qubj+P0qLEMcjEuigwxGpU7wggR655yIeh8pB027Dd2/OQI=
+
+SHA256 (MAKEPKG) = 2c8217075139a73fd4a4333c38f7a6a37b8145192cd4e9664efdc608b54e79e1
+SHA256 (.footprint) = bc40549f131fb1b986f7944ffd59685b8a2d183a21de2cf12403c5e1dda76df4
+SHA256 (chromium-145.0.7632.159-linux.tar.xz) = ea7350702cb827c94b786fc1fa51c24c0401e782c9c08dd7ca25a676da4a8f8c
+SHA256 (wasm-node-4.53.3.tgz) = 04b101456db24503a6facaade777f4bfb58909195208d4dbbf7dc4217bf71289
+SHA256 (145.4.tar.gz) = bd7bd0984d048d6844195f4aa18b24a0f56603814c243ed32190746d8ba8d7c5
+SHA256 (chromium-patches-145.tar.gz) = 96d6562120964b0c9e1a2bedf4335e0bf20f5e7d67a443bb26c651b0167a6a6b
diff --git a/chromium/MAKEPKG b/chromium/MAKEPKG
new file mode 100644
index 0000000..4674fe9
--- /dev/null
+++ b/chromium/MAKEPKG
@@ -0,0 +1,228 @@
+#!/bin/mkpkg
+# description: Open-source web browser
+# url: https://www.chromium.org/
+#
+# Patches:
+#   copium     — musl basics (Alpine/selfisekai)
+#   gentoo     — system toolchain support (Matt Jolly)
+#   patches/   — musl deep fixes (Chimera cports + flux)
+
+name=chromium
+version=146.0.7680.164
+release=1
+_copium=146.4
+_gentoo=146-1
+depends=(gtk3 nss nspr harfbuzz icu libpng libjpeg-turbo libwebp
+  zlib libxml2 fontconfig freetype libffi libxkbcommon alsa-lib
+  wayland mesa libdrm dbus)
+makedeps=(gn ninja rust rust-bindgen python3 nodejs flatbuffers gperf
+  bsd-headers gcc-compat)
+source=(https://github.com/chromium-linux-tarballs/chromium-tarballs/releases/download/$version/chromium-$version-linux.tar.xz
+  https://registry.npmjs.org/@rollup/wasm-node/-/wasm-node-4.53.3.tgz
+  https://codeberg.org/selfisekai/copium/archive/$_copium.tar.gz
+  https://gitlab.com/Matt.Jolly/chromium-patches/-/archive/$_gentoo/chromium-patches-$_gentoo.tar.gz)
+
+patch() {
+  cd chromium-$version
+
+  # Replace bundled rollup with wasm-node (pure WASM — no native binary needed on musl)
+  rm -rf third_party/devtools-frontend/src/node_modules/rollup
+  cp -a "$SRC"/package \
+    third_party/devtools-frontend/src/node_modules/rollup
+
+  # Copium patches (musl basics)
+  for p in "$SRC"/copium/cr*.patch; do
+    case "$p" in *rust-pre1.8*|*rust-pre1.90*|*no-unrar*) continue ;; esac
+    patch -Np1 -i "$p"
+  done
+
+  # Gentoo patches (system toolchain)
+  patch -Np1 -i "$SRC"/chromium-patches-$_gentoo/chromium-145-compiler.patch
+  patch -Np1 -i "$SRC"/chromium-patches-$_gentoo/chromium-144-bindgen-custom-toolchain.patch
+  patch -Np1 -i "$SRC"/chromium-patches-$_gentoo/chromium-117-material-color-include.patch
+  patch -Np1 -i "$SRC"/chromium-patches-$_gentoo/chromium-145-revert-rustfmt.patch || true
+
+  # flux musl patches
+  for p in \
+    008-fstatat64 \
+    016-musl-sandbox \
+    017-musl-tid-caching \
+    019-musl-no-execinfo \
+    020-musl-no-mallinfo \
+    021-musl-no-res-ninit \
+    022-no-sandbox-settls \
+    027-temp-failure-retry \
+    033-perfetto-get-thread-name \
+    035-breakpad-no-getcontext \
+    disable-dns_config_service \
+    noclanglibs \
+    sanitizer-no-death-callback \
+    terminal-fdset \
+    llvm21-fixes \
+  ; do
+    patch -Np1 -i "$PKGMK_SOURCE_DIR"/patches/$p.patch
+  done
+
+  # Rust target triple
+  sed -i 's/unknown-linux-gnu/unknown-linux-musl/g' build/config/rust.gni
+  echo 'x86_64-unknown-linux-musl' >> build/rust/known-target-triples.txt
+
+  # Enable nightly Rust features
+  sed -i '1a import os; os.environ["RUSTC_BOOTSTRAP"] = "1"' \
+    build/rust/gni_impl/rustc_wrapper.py
+
+  # Strip -Werror
+  sed -i 's/-Werror//g' build/config/compiler/BUILD.gn
+
+  # musl: libc++ rune table
+  sed -i '1i #define _LIBCPP_PROVIDES_DEFAULT_RUNE_TABLE' \
+    third_party/libc++/src/include/__config
+
+  # musl: guard glibc-only stack trace helper
+  sed -i 's/OutputToStreamWithPrefixImpl(os, prefix_string);/#if defined(__GLIBC__)\n  OutputToStreamWithPrefixImpl(os, prefix_string);\n#endif/' \
+    base/debug/stack_trace.cc
+
+  # Fix dbus::Bus incomplete type
+  sed -i '/chrome_browser_main_linux.h/a #include "dbus/bus.h"' \
+    chrome/browser/chrome_browser_main_linux.cc
+}
+
+sha256sums=(
+    "ea7350702cb827c94b786fc1fa51c24c0401e782c9c08dd7ca25a676da4a8f8c"
+    "04b101456db24503a6facaade777f4bfb58909195208d4dbbf7dc4217bf71289"
+    "bd7bd0984d048d6844195f4aa18b24a0f56603814c243ed32190746d8ba8d7c5"
+    "96d6562120964b0c9e1a2bedf4335e0bf20f5e7d67a443bb26c651b0167a6a6b"
+)
+
+build() {
+  cd chromium-$version
+
+  export CC=clang CXX=clang++ AR=llvm-ar NM=llvm-nm RANLIB=llvm-ranlib LD=ld.lld
+  export CFLAGS="-O2 -pipe -Wno-unknown-warning-option -Wno-builtin-macro-redefined -Wno-deprecated-declarations"
+  export CXXFLAGS="$CFLAGS -Wno-invalid-constexpr"
+  export LDFLAGS="-fuse-ld=lld"
+  export RUSTC_BOOTSTRAP=1
+  export DEPOT_TOOLS_UPDATE=0
+  export VPYTHON_BYPASS="manually managed python not supported by chrome operations"
+  export PKG_CONFIG_PATH=/lib/pkgconfig:/usr/lib/pkgconfig:/usr/share/pkgconfig
+  export HOME="$PWD"/fake-home && mkdir -p "$HOME"
+
+  # System node + toolchain stubs
+  mkdir -p third_party/node/linux/node-linux-x64/bin
+  ln -sf /usr/bin/node third_party/node/linux/node-linux-x64/bin/node
+  mkdir -p third_party/llvm-build/Release+Asserts/bin
+  ln -sf /usr/bin/clang   third_party/llvm-build/Release+Asserts/bin/
+  ln -sf /usr/bin/clang++ third_party/llvm-build/Release+Asserts/bin/
+
+  # Stub node version check
+  printf '#!/usr/bin/env python3\nimport sys; open(sys.argv[sys.argv.index("--out_file")+1], "w").write("ok")\n' \
+    > third_party/node/check_version.py
+
+  mkdir -p out/Release
+  cat > out/Release/args.gn << EOF
+is_clang = true
+use_lld = true
+is_debug = false
+is_official_build = true
+symbol_level = 0
+is_musl = true
+custom_toolchain = "//build/toolchain/linux/unbundle:default"
+host_toolchain = "//build/toolchain/linux/unbundle:default"
+rust_sysroot_absolute = "$(rustc --print sysroot)"
+rust_bindgen_root = "/usr"
+bindgen_libclang_path = "/usr/lib"
+clang_base_path = "/usr"
+rustc_version = "0"
+use_sysroot = false
+treat_warnings_as_errors = false
+fatal_linker_warnings = false
+clang_use_chrome_plugins = false
+use_custom_libcxx = true
+use_safe_libstdcxx = false
+chrome_pgo_phase = 0
+is_cfi = false
+use_thin_lto = false
+use_clang_modules = false
+blink_enable_generated_code_formatting = false
+use_system_harfbuzz = true
+use_system_libffi = true
+use_bundled_fontconfig = false
+use_ozone = true
+ozone_platform_wayland = true
+ozone_platform_x11 = false
+ozone_platform_headless = true
+use_xkbcommon = true
+use_alsa = true
+use_pulseaudio = false
+rtc_use_pipewire = false
+use_vaapi = true
+use_dbus = true
+use_cups = false
+use_kerberos = false
+enable_widevine = false
+enable_hangout_services_extension = false
+enable_nocompile_tests = false
+safe_browsing_use_unrar = false
+proprietary_codecs = true
+ffmpeg_branding = "Chrome"
+enable_ml_internal = false
+target_cpu = "x64"
+EOF
+
+  gn gen out/Release || return 1
+
+  # Remove bogus -I/include from generated ninja files
+  find out/Release -name '*.ninja' -exec sed -i 's| -I/include||g; s| -isystem/include||g' {} +
+
+  # System flatbuffers
+  ln -sf /usr/bin/flatc out/Release/flatc
+
+  ulimit -n 4096
+  ninja -C out/Release -j8 chrome chrome_crashpad_handler || return 1
+
+  # Install
+  d="$PKG/usr/lib/chromium"
+  install -d "$d" "$PKG/usr/bin"
+
+  install -m755 out/Release/chrome "$d/"
+  install -m755 out/Release/chrome_crashpad_handler "$d/"
+
+  # Data files
+  install -m644 out/Release/*.pak "$d/"
+  install -m644 out/Release/*.bin "$d/" 2>/dev/null || true
+  [ -f out/Release/icudtl.dat ] && install -m644 out/Release/icudtl.dat "$d/"
+
+  # Shared libraries (skip .TOC build artifacts)
+  for f in out/Release/*.so out/Release/*.so.*; do
+    [ -f "$f" ] && case "$f" in *.TOC) continue ;; esac && install -m644 "$f" "$d/"
+  done
+
+  # Vulkan SwiftShader ICD
+  [ -f out/Release/vk_swiftshader_icd.json ] && install -m644 out/Release/vk_swiftshader_icd.json "$d/"
+
+  # XDG helpers
+  for f in xdg-mime xdg-settings; do
+    [ -f out/Release/$f ] && install -m755 out/Release/$f "$d/"
+  done
+
+  # Locales — only en-US and el (Greek)
+  install -d "$d/locales"
+  for loc in en-US el; do
+    install -m644 out/Release/locales/${loc}.pak "$d/locales/"
+    for v in FEMININE MASCULINE NEUTER; do
+      [ -f out/Release/locales/${loc}_${v}.pak ] && \
+        install -m644 out/Release/locales/${loc}_${v}.pak "$d/locales/"
+    done
+  done
+
+  # Wrapper
+  printf '#!/bin/sh\nexec /usr/lib/chromium/chrome --ozone-platform-hint=auto "$@"\n' > "$PKG/usr/bin/chromium"
+  chmod 755 "$PKG/usr/bin/chromium"
+}
+
+signify() {
+    untrusted comment: public key
+    RWTZ9IduCSQ/mL8337TEUinPwT92xFEUpD92hkS7IxcOnzTt9QdpohT3
+}
+
+# vim: filetype=sh
diff --git a/chromium/patches/008-fstatat64.patch b/chromium/patches/008-fstatat64.patch
new file mode 100644
index 0000000..1627ffa
--- /dev/null
+++ b/chromium/patches/008-fstatat64.patch
@@ -0,0 +1,17 @@
+fstatat64 is macrod to fstatat in sys/stat.h in musl- but then that fstatat is
+used in the _syscall4 macro mapping to __NR_$name, and __NR_fstatat is not
+defined anywhere here, as it wants the 64 name.
+
+so, just let it keep the name with an undef of the stat.h macro, then the macro
+expansion below evaluates correctly.
+--- a/third_party/lss/linux_syscall_support.h
++++ b/third_party/lss/linux_syscall_support.h
+@@ -4947,7 +4947,8 @@
+   # endif
+   #endif
+   #if defined(__NR_fstatat64)
++    #undef fstatat64
+     LSS_INLINE _syscall4(int,   fstatat64,        int,   d,
+                          const char *,      p,
+                          struct kernel_stat64 *,   b,    int,   f)
+   #endif
diff --git a/chromium/patches/016-musl-sandbox.patch b/chromium/patches/016-musl-sandbox.patch
new file mode 100644
index 0000000..41abc50
--- /dev/null
+++ b/chromium/patches/016-musl-sandbox.patch
@@ -0,0 +1,113 @@
+musl uses different syscalls from glibc for some functions, so the sandbox has
+to account for that
+--
+diff --git a/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc ./sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc
+index ff5a1c0..da56b9b 100644
+--- a/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc
++++ ./sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc
+@@ -139,21 +139,11 @@ namespace sandbox {
+ // present (as in newer versions of posix_spawn).
+ ResultExpr RestrictCloneToThreadsAndEPERMFork() {
+   const Arg<unsigned long> flags(0);
+-
+-  // TODO(mdempsky): Extend DSL to support (flags & ~mask1) == mask2.
+-  const uint64_t kAndroidCloneMask = CLONE_VM | CLONE_FS | CLONE_FILES |
+-                                     CLONE_SIGHAND | CLONE_THREAD |
+-                                     CLONE_SYSVSEM;
+-  const uint64_t kObsoleteAndroidCloneMask = kAndroidCloneMask | CLONE_DETACHED;
+-
+-  const uint64_t kGlibcPthreadFlags =
+-      CLONE_VM | CLONE_FS | CLONE_FILES | CLONE_SIGHAND | CLONE_THREAD |
+-      CLONE_SYSVSEM | CLONE_SETTLS | CLONE_PARENT_SETTID | CLONE_CHILD_CLEARTID;
+-  const BoolExpr glibc_test = flags == kGlibcPthreadFlags;
+-
+-  const BoolExpr android_test =
+-      AnyOf(flags == kAndroidCloneMask, flags == kObsoleteAndroidCloneMask,
+-            flags == kGlibcPthreadFlags);
++  const int required = CLONE_VM | CLONE_FS | CLONE_FILES | CLONE_SIGHAND |
++                       CLONE_THREAD | CLONE_SYSVSEM;
++  const int safe = CLONE_SETTLS | CLONE_PARENT_SETTID | CLONE_CHILD_CLEARTID |
++                   CLONE_DETACHED;
++  const BoolExpr thread_clone_ok = (flags&~safe)==required;
+ 
+   // The following two flags are the two important flags in any vfork-emulating
+   // clone call. EPERM any clone call that contains both of them.
+@@ -163,7 +153,7 @@ ResultExpr RestrictCloneToThreadsAndEPERMFork() {
+       AnyOf((flags & (CLONE_VM | CLONE_THREAD)) == 0,
+             (flags & kImportantCloneVforkFlags) == kImportantCloneVforkFlags);
+ 
+-  return If(IsAndroid() ? android_test : glibc_test, Allow())
++  return If(thread_clone_ok, Allow())
+       .ElseIf(is_fork_or_clone_vfork, Error(EPERM))
+       .Else(CrashSIGSYSClone());
+ }
+diff --git a/sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc ./sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc
+index d9d1882..0567557 100644
+--- a/sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc
++++ ./sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc
+@@ -392,6 +392,7 @@ bool SyscallSets::IsAllowedProcessStartOrDeath(int sysno) {
+ #if defined(__i386__)
+     case __NR_waitpid:
+ #endif
++    case __NR_set_tid_address:
+       return true;
+     case __NR_clone:  // Should be parameter-restricted.
+     case __NR_setns:  // Privileged.
+@@ -404,7 +405,6 @@ bool SyscallSets::IsAllowedProcessStartOrDeath(int sysno) {
+ #if defined(__i386__) || defined(__x86_64__) || defined(__mips__)
+     case __NR_set_thread_area:
+ #endif
+-    case __NR_set_tid_address:
+     case __NR_unshare:
+ #if !defined(__mips__) && !defined(__aarch64__)
+     case __NR_vfork:
+@@ -514,6 +514,8 @@ bool SyscallSets::IsAllowedAddressSpaceAccess(int sysno) {
+     case __NR_munlock:
+     case __NR_munmap:
+     case __NR_mseal:
++    case __NR_mremap:
++    case __NR_membarrier:
+       return true;
+     case __NR_madvise:
+     case __NR_mincore:
+@@ -531,7 +533,6 @@ bool SyscallSets::IsAllowedAddressSpaceAccess(int sysno) {
+     case __NR_modify_ldt:
+ #endif
+     case __NR_mprotect:
+-    case __NR_mremap:
+     case __NR_msync:
+     case __NR_munlockall:
+     case __NR_readahead:
+--- a/sandbox/policy/linux/bpf_renderer_policy_linux.cc
++++ b/sandbox/policy/linux/bpf_renderer_policy_linux.cc
+@@ -94,6 +94,10 @@
+     case __NR_pwrite64:
++    case __NR_pwritev2:
+     case __NR_sched_get_priority_max:
+     case __NR_sched_get_priority_min:
++    case __NR_sched_getparam:
++    case __NR_sched_getscheduler:
++    case __NR_sched_setscheduler:
+     case __NR_sysinfo:
+     case __NR_times:
+     case __NR_uname:
+--- a/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc
++++ b/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc
+@@ -225,10 +225,15 @@
+   if (sysno == __NR_getpriority || sysno ==__NR_setpriority)
+     return RestrictGetSetpriority(current_pid);
+ 
++  // XXX: hacks for musl sandbox, calls needed?
++  if (sysno == __NR_sched_getparam || sysno == __NR_sched_getscheduler ||
++      sysno == __NR_sched_setscheduler) {
++    return Allow();
++  }
++
+   // The scheduling syscalls are used in threading libraries and also heavily in
+   // abseil. See for example https://crbug.com/1370394.
+-  if (sysno == __NR_sched_getaffinity || sysno == __NR_sched_getparam ||
+-      sysno == __NR_sched_getscheduler || sysno == __NR_sched_setscheduler) {
++  if (sysno == __NR_sched_getaffinity) {
+     return RestrictSchedTarget(current_pid, sysno);
+   }
+ 
diff --git a/chromium/patches/017-musl-tid-caching.patch b/chromium/patches/017-musl-tid-caching.patch
new file mode 100644
index 0000000..498ce82
--- /dev/null
+++ b/chromium/patches/017-musl-tid-caching.patch
@@ -0,0 +1,85 @@
+the sandbox caching of thread id's only works with glibc
+see: https://gitlab.alpinelinux.org/alpine/aports/-/merge_requests/32356
+see: https://gitlab.alpinelinux.org/alpine/aports/-/issues/13579
+--
+--- a/sandbox/linux/services/namespace_sandbox.cc
++++ b/sandbox/linux/services/namespace_sandbox.cc
+@@ -209,6 +209,70 @@
+   return base::LaunchProcess(argv, launch_options_copy);
+ }
+ 
++#if defined(__aarch64__)
++#define TLS_ABOVE_TP
++#endif
++
++struct musl_pthread
++{
++  /* Part 1 -- these fields may be external or
++  * internal (accessed via asm) ABI. Do not change. */
++  struct pthread *self;
++#ifndef TLS_ABOVE_TP
++  uintptr_t *dtv;
++#endif
++  struct pthread *prev, *next; /* non-ABI */
++  uintptr_t sysinfo;
++#ifndef TLS_ABOVE_TP
++#ifdef CANARY_PAD
++  uintptr_t canary_pad;
++#endif
++  uintptr_t canary;
++#endif
++
++/* Part 2 -- implementation details, non-ABI. */
++  int tid;
++  int errno_val;
++  volatile int detach_state;
++  volatile int cancel;
++  volatile unsigned char canceldisable, cancelasync;
++  unsigned char tsd_used:1;
++  unsigned char dlerror_flag:1;
++  unsigned char *map_base;
++  size_t map_size;
++  void *stack;
++  size_t stack_size;
++  size_t guard_size;
++  void *result;
++  struct __ptcb *cancelbuf;
++  void **tsd;
++  struct {
++    volatile void *volatile head;
++    long off;
++    volatile void *volatile pending;
++  } robust_list;
++  int h_errno_val;
++  volatile int timer_id;
++  locale_t locale;
++  volatile int killlock[1];
++  char *dlerror_buf;
++  void *stdio_locks;
++
++  /* Part 3 -- the positions of these fields relative to
++  * the end of the structure is external and internal ABI. */
++#ifdef TLS_ABOVE_TP
++  uintptr_t canary;
++  uintptr_t *dtv;
++#endif
++};
++
++void MaybeUpdateMuslTidCache()
++{
++  pid_t real_tid = sys_gettid();
++  pid_t* cached_tid_location = &reinterpret_cast<struct musl_pthread*>(pthread_self())->tid;
++  *cached_tid_location = real_tid;
++}
++
+ // static
+ pid_t NamespaceSandbox::ForkInNewPidNamespace(bool drop_capabilities_in_child) {
+   const pid_t pid =
+@@ -226,6 +290,7 @@
+ #if defined(LIBC_GLIBC)
+     MaybeUpdateGlibcTidCache();
+ #endif
++    MaybeUpdateMuslTidCache();
+     return 0;
+   }
+ 
diff --git a/chromium/patches/019-musl-no-execinfo.patch b/chromium/patches/019-musl-no-execinfo.patch
new file mode 100644
index 0000000..7447919
--- /dev/null
+++ b/chromium/patches/019-musl-no-execinfo.patch
@@ -0,0 +1,68 @@
+musl does not have execinfo.h, and hence no implementation of
+. backtrace()
+. backtrace_symbols()
+for discussion about this, see https://www.openwall.com/lists/musl/2021/07/16/1
+--
+--- a/v8/src/codegen/external-reference-table.cc
++++ b/v8/src/codegen/external-reference-table.cc
+@@ -11,7 +11,9 @@
+
+ #if defined(DEBUG) && defined(V8_OS_LINUX) && !defined(V8_OS_ANDROID)
+ #define SYMBOLIZE_FUNCTION
++#if defined(__GLIBC__)
+ #include <execinfo.h>
++#endif
+
+ #include <vector>
+
+@@ -96,7 +98,7 @@
+ }
+
+ const char* ExternalReferenceTable::ResolveSymbol(void* address) {
+-#ifdef SYMBOLIZE_FUNCTION
++#if defined(SYMBOLIZE_FUNCTION) && defined(__GLIBC__)
+   char** names = backtrace_symbols(&address, 1);
+   const char* name = names[0];
+   // The array of names is malloc'ed. However, each name string is static
+--- a/third_party/swiftshader/third_party/llvm-subzero/build/Linux/include/llvm/Config/config.h
++++ b/third_party/swiftshader/third_party/llvm-subzero/build/Linux/include/llvm/Config/config.h
+@@ -58,7 +58,7 @@
+ #define HAVE_ERRNO_H 1
+ 
+ /* Define to 1 if you have the <execinfo.h> header file. */
+-#define HAVE_EXECINFO_H 1
++/* #define HAVE_EXECINFO_H 1 */
+ 
+ /* Define to 1 if you have the <fcntl.h> header file. */
+ #define HAVE_FCNTL_H 1
+--- a/base/debug/stack_trace.cc
++++ b/base/debug/stack_trace.cc
+@@ -291,7 +291,9 @@
+ }
+ 
+ void StackTrace::OutputToStream(std::ostream* os) const {
++#if defined(__GLIBC__)
+   OutputToStreamWithPrefix(os, {});
++#endif
+ }
+ 
+ void StackTrace::OutputToStreamWithPrefix(std::ostream* os,
+@@ -311,7 +313,7 @@
+ 
+ std::string StackTrace::ToStringWithPrefix(cstring_view prefix_string) const {
+   std::stringstream stream;
+-#if !defined(__UCLIBC__) && !defined(_AIX)
++#if defined(__GLIBC__) && !defined(_AIX)
+   OutputToStreamWithPrefix(&stream, prefix_string);
+ #endif
+   return stream.str();
+@@ -335,7 +335,7 @@
+ }
+ 
+ std::ostream& operator<<(std::ostream& os, const StackTrace& s) {
+-#if !defined(__UCLIBC__) && !defined(_AIX)
++#if defined(__GLIBC__) && !defined(_AIX)
+   s.OutputToStream(&os);
+ #else
+   os << "StackTrace::OutputToStream not implemented.";
+
diff --git a/chromium/patches/020-musl-no-mallinfo.patch b/chromium/patches/020-musl-no-mallinfo.patch
new file mode 100644
index 0000000..dc18ca5
--- /dev/null
+++ b/chromium/patches/020-musl-no-mallinfo.patch
@@ -0,0 +1,93 @@
+musl does not implement mallinfo()/mallinfo2()
+(or rather, malloc-ng, musl's allocator, doesn't)
+
+for some reason only outside of x86_64 HAVE_MALLINFO gets weirdly set by something
+--
+--- a/base/allocator/partition_allocator/src/partition_alloc/shim/allocator_shim_default_dispatch_to_partition_alloc.cc
++++ b/base/allocator/partition_allocator/src/partition_alloc/shim/allocator_shim_default_dispatch_to_partition_alloc.cc
+@@ -646,7 +645,7 @@ SHIM_ALWAYS_EXPORT int mallopt(int cmd, int value) __THROW {
+ 
+ #endif  // !PA_BUILDFLAG(IS_APPLE) && !PA_BUILDFLAG(IS_ANDROID)
+ 
+-#if PA_BUILDFLAG(IS_LINUX) || PA_BUILDFLAG(IS_CHROMEOS)
++#if 0
+ SHIM_ALWAYS_EXPORT struct mallinfo mallinfo(void) __THROW {
+   partition_alloc::SimplePartitionStatsDumper allocator_dumper;
+   Allocator()->DumpStats("malloc", true, &allocator_dumper);
+--- a/base/process/process_metrics_posix.cc
++++ b/base/process/process_metrics_posix.cc
+@@ -106,7 +107,8 @@ void IncreaseFdLimitTo(unsigned int max_descriptors) {
+ 
+ #endif  // !BUILDFLAG(IS_FUCHSIA)
+ 
+-#if BUILDFLAG(IS_LINUX) || BUILDFLAG(IS_CHROMEOS) || BUILDFLAG(IS_ANDROID)
++#if (BUILDFLAG(IS_LINUX) && defined(__GLIBC__)) || BUILDFLAG(IS_CHROMEOS) || \
++    BUILDFLAG(IS_ANDROID)
+ namespace {
+ 
+ size_t GetMallocUsageMallinfo() {
+@@ -132,7 +134,8 @@ size_t ProcessMetrics::GetMallocUsage() {
+   malloc_statistics_t stats = {0};
+   malloc_zone_statistics(nullptr, &stats);
+   return stats.size_in_use;
+-#elif BUILDFLAG(IS_LINUX) || BUILDFLAG(IS_CHROMEOS) || BUILDFLAG(IS_ANDROID)
++#elif (BUILDFLAG(IS_LINUX) && defined(__GLIBC__)) || BUILDFLAG(IS_CHROMEOS) || \
++    BUILDFLAG(IS_ANDROID)
+   return GetMallocUsageMallinfo();
+ #elif BUILDFLAG(IS_FUCHSIA)
+   // TODO(fuchsia): Not currently exposed. https://crbug.com/735087.
+diff --git a/base/trace_event/malloc_dump_provider.cc b/base/trace_event/malloc_dump_provider.cc
+index e37fc69c00..394f5dfdbb 100644
+--- a/base/trace_event/malloc_dump_provider.cc
++++ b/base/trace_event/malloc_dump_provider.cc
+@@ -189,7 +188,6 @@ void ReportMallinfoStats(ProcessMemoryDump* pmd,
+ #define MALLINFO2_FOUND_IN_LIBC
+   struct mallinfo2 info = mallinfo2();
+ #endif
+-#endif  // defined(__GLIBC__) && defined(__GLIBC_PREREQ)
+ #if !defined(MALLINFO2_FOUND_IN_LIBC)
+   struct mallinfo info = mallinfo();
+ #endif
+@@ -211,6 +209,7 @@ void ReportMallinfoStats(ProcessMemoryDump* pmd,
+                               MemoryAllocatorDump::kUnitsBytes,
+                               total_allocated_size);
+   }
++#endif  // defined(__GLIBC__) && defined(__GLIBC_PREREQ)
+ }
+ #endif
+ 
+@@ -368,7 +367,7 @@ bool MallocDumpProvider::OnMemoryDump(const MemoryDumpArgs& args,
+                      &allocated_objects_count);
+ #elif BUILDFLAG(IS_FUCHSIA)
+ // TODO(fuchsia): Port, see https://crbug.com/706592.
+-#else
++#elif defined(__GLIBC__)
+   ReportMallinfoStats(/*pmd=*/nullptr, &total_virtual_size, &resident_size,
+                       &allocated_objects_size, &allocated_objects_count);
+ #endif
+--- a/third_party/swiftshader/third_party/llvm-subzero/build/Linux/include/llvm/Config/config.h
++++ b/third_party/swiftshader/third_party/llvm-subzero/build/Linux/include/llvm/Config/config.h
+@@ -133,7 +133,6 @@
+ /* #undef HAVE_MALLCTL */
+ 
+ /* Define to 1 if you have the `mallinfo' function. */
+-#define HAVE_MALLINFO 1
+ 
+ /* Some projects using SwiftShader bypass cmake (eg Chromium via gn) */
+ /* so we need to check glibc version for the new API to be safe */
+--- a/third_party/swiftshader/third_party/llvm-10.0/llvm/lib/Support/Unix/Process.inc
++++ b/third_party/swiftshader/third_party/llvm-10.0/llvm/lib/Support/Unix/Process.inc
+@@ -83,11 +83,11 @@ Expected<unsigned> Process::getPageSize() {
+ }
+ 
+ size_t Process::GetMallocUsage() {
+-#if defined(HAVE_MALLINFO2)
++#if 0
+   struct mallinfo2 mi;
+   mi = ::mallinfo2();
+   return mi.uordblks;
+-#elif defined(HAVE_MALLINFO)
++#elif 0
+   struct mallinfo mi;
+   mi = ::mallinfo();
+   return mi.uordblks;
diff --git a/chromium/patches/021-musl-no-res-ninit.patch b/chromium/patches/021-musl-no-res-ninit.patch
new file mode 100644
index 0000000..d74f6cd
--- /dev/null
+++ b/chromium/patches/021-musl-no-res-ninit.patch
@@ -0,0 +1,32 @@
+similar to dns-resolver.patch, musl doesn't have res_ninit and so on
+--
+--- a/net/dns/public/scoped_res_state.cc
++++ b/net/dns/public/scoped_res_state.cc
+@@ -13,7 +13,7 @@
+ namespace net {
+ 
+ ScopedResState::ScopedResState() {
+-#if BUILDFLAG(IS_OPENBSD) || BUILDFLAG(IS_FUCHSIA)
++#if BUILDFLAG(IS_OPENBSD) || BUILDFLAG(IS_FUCHSIA) || defined(_GNU_SOURCE)
+   // Note: res_ninit in glibc always returns 0 and sets RES_INIT.
+   // res_init behaves the same way.
+   memset(&_res, 0, sizeof(_res));
+@@ -25,16 +25,8 @@
+ }
+ 
+ ScopedResState::~ScopedResState() {
+-#if !BUILDFLAG(IS_OPENBSD) && !BUILDFLAG(IS_FUCHSIA)
+-
+-  // Prefer res_ndestroy where available.
+-#if BUILDFLAG(IS_APPLE) || BUILDFLAG(IS_FREEBSD)
+-  res_ndestroy(&res_);
+-#else
+-  res_nclose(&res_);
+-#endif  // BUILDFLAG(IS_APPLE) || BUILDFLAG(IS_FREEBSD)
+-
+-#endif  // !BUILDFLAG(IS_OPENBSD) && !BUILDFLAG(IS_FUCHSIA)
++  // musl res_init() doesn't actually do anything
++  // no destruction is necessary as no memory has been allocated
+ }
+ 
+ bool ScopedResState::IsValid() const {
diff --git a/chromium/patches/022-no-sandbox-settls.patch b/chromium/patches/022-no-sandbox-settls.patch
new file mode 100644
index 0000000..f04e105
--- /dev/null
+++ b/chromium/patches/022-no-sandbox-settls.patch
@@ -0,0 +1,16 @@
+this optimisation of CLONE_SETTLS is not valid used like this, and musl
+clone(3) will EINVAL on this use
+--
+diff --git a/sandbox/linux/services/credentials.cc b/sandbox/linux/services/credentials.cc
+index 7f925cc..993a9ee 100644
+--- a/sandbox/linux/services/credentials.cc
++++ b/sandbox/linux/services/credentials.cc
+@@ -104,7 +104,7 @@ bool ChrootToSafeEmptyDir() {
+   // glibc performs syscalls by calling a function pointer in TLS, so we do not
+   // attempt this optimization.
+   // TODO(crbug.com/40196869) Broken in MSan builds after LLVM f1bb30a4956f.
+-  clone_flags |= CLONE_VM | CLONE_VFORK | CLONE_SETTLS;
++  clone_flags |= CLONE_VM | CLONE_VFORK;
+ 
+   char tls_buf[PTHREAD_STACK_MIN_CONST] = {};
+   tls = tls_buf;
diff --git a/chromium/patches/027-temp-failure-retry.patch b/chromium/patches/027-temp-failure-retry.patch
new file mode 100644
index 0000000..dc9ac6f
--- /dev/null
+++ b/chromium/patches/027-temp-failure-retry.patch
@@ -0,0 +1,22 @@
+random glibc macro, not provided by musl.
+https://www.gnu.org/software/libc/manual/html_node/Interrupted-Primitives.html
+diff --git a/sandbox/linux/suid/process_util.h b/sandbox/linux/suid/process_util.h
+index b0b92c1bcc..db6a122ea8 100644
+--- a/sandbox/linux/suid/process_util.h
++++ b/sandbox/linux/suid/process_util.h
+@@ -12,6 +12,15 @@
+ #include <stdint.h>
+ #include <sys/types.h>
+ 
++#define TEMP_FAILURE_RETRY(expression)         \
++  (__extension__({                             \
++    long int __result;                         \
++    do                                         \
++      __result = (long int)(expression);       \
++    while (__result == -1L && errno == EINTR); \
++    __result;                                  \
++  }))
++
+ // This adjusts /proc/process/oom_score_adj so the Linux OOM killer
+ // will prefer certain process types over others. The range for the
+ // adjustment is [-1000, 1000], with [0, 1000] being user accessible.
diff --git a/chromium/patches/033-perfetto-get-thread-name.patch b/chromium/patches/033-perfetto-get-thread-name.patch
new file mode 100644
index 0000000..4014d1e
--- /dev/null
+++ b/chromium/patches/033-perfetto-get-thread-name.patch
@@ -0,0 +1,22 @@
+--- a/third_party/perfetto/include/perfetto/ext/base/thread_utils.h
++++ b/third_party/perfetto/include/perfetto/ext/base/thread_utils.h
+@@ -30,7 +30,8 @@
+ #include <algorithm>
+ #endif
+ 
+-#if PERFETTO_BUILDFLAG(PERFETTO_OS_ANDROID)
++#if PERFETTO_BUILDFLAG(PERFETTO_OS_ANDROID) || \
++    (PERFETTO_BUILDFLAG(PERFETTO_OS_LINUX) && !defined(__GLIBC__))
+ #include <sys/prctl.h>
+ #endif
+ 
+@@ -58,7 +59,8 @@
+ 
+ inline bool GetThreadName(std::string& out_result) {
+   char buf[16] = {};
+-#if PERFETTO_BUILDFLAG(PERFETTO_OS_ANDROID)
++#if PERFETTO_BUILDFLAG(PERFETTO_OS_ANDROID) || \
++    (PERFETTO_BUILDFLAG(PERFETTO_OS_LINUX) && !defined(__GLIBC__))
+   if (prctl(PR_GET_NAME, buf) != 0)
+     return false;
+ #else
diff --git a/chromium/patches/035-breakpad-no-getcontext.patch b/chromium/patches/035-breakpad-no-getcontext.patch
new file mode 100644
index 0000000..f9bc2e0
--- /dev/null
+++ b/chromium/patches/035-breakpad-no-getcontext.patch
@@ -0,0 +1,27 @@
+--- a/third_party/breakpad/breakpad/src/client/linux/handler/exception_handler.cc       2015-12-06 09:59:55.554536646 +0100
++++ b/third_party/breakpad/breakpad/src/client/linux/handler/exception_handler.cc       2015-12-06 10:01:16.818238035 +0100
+@@ -477,7 +477,9 @@ bool ExceptionHandler::SimulateSignalDel
+   siginfo.si_code = SI_USER;
+   siginfo.si_pid = getpid();
+   ucontext_t context;
++#if defined(__GLIBC__)
+   getcontext(&context);
++#endif
+   return HandleSignal(sig, &siginfo, &context);
+ }
+ 
+@@ -647,9 +649,14 @@ bool ExceptionHandler::WriteMinidump() {
+   sys_prctl(PR_SET_DUMPABLE, 1, 0, 0, 0);
+ 
+   CrashContext context;
++
++#if defined(__GLIBC__)
+   int getcontext_result = getcontext(&context.context);
+   if (getcontext_result)
+     return false;
++#else
++  return false;
++#endif
+ 
+ #if defined(__i386__)
+   // In CPUFillFromUContext in minidumpwriter.cc the stack pointer is retrieved
diff --git a/chromium/patches/disable-dns_config_service.patch b/chromium/patches/disable-dns_config_service.patch
new file mode 100644
index 0000000..3c8e593
--- /dev/null
+++ b/chromium/patches/disable-dns_config_service.patch
@@ -0,0 +1,19 @@
+the linux one sometimes crashes, and this is optional/not required, so use the
+stub fuschia one
+https://gitlab.alpinelinux.org/alpine/aports/-/issues/15660
+--
+diff --git a/net/dns/BUILD.gn b/net/dns/BUILD.gn
+index f36bf68..805d9a6 100644
+--- a/net/dns/BUILD.gn
++++ b/net/dns/BUILD.gn
+@@ -130,8 +130,8 @@ source_set("dns") {
+     ]
+   } else if (is_linux) {
+     sources += [
+-      "dns_config_service_linux.cc",
+-      "dns_config_service_linux.h",
++      "dns_config_service_fuchsia.cc",
++      "dns_config_service_fuchsia.h",
+     ]
+   } else if (is_posix) {
+     sources += [
diff --git a/chromium/patches/llvm21-fixes.patch b/chromium/patches/llvm21-fixes.patch
new file mode 100644
index 0000000..01208af
--- /dev/null
+++ b/chromium/patches/llvm21-fixes.patch
@@ -0,0 +1,44 @@
+diff --git a/components/autofill/core/browser/payments/full_card_request.cc b/components/autofill/core/browser/payments/full_card_request.cc
+index 8b7319d..5a8ade3 100644
+--- a/components/autofill/core/browser/payments/full_card_request.cc
++++ b/components/autofill/core/browser/payments/full_card_request.cc
+@@ -124,7 +124,7 @@ void FullCardRequest::GetFullCardImpl(
+   request_->card = std::move(card);
+   request_->last_committed_primary_main_frame_origin =
+       last_committed_primary_main_frame_origin;
+-  request_->context_token = std::move(context_token).value_or({});
++  request_->context_token = std::move(context_token).value_or(std::string{});
+   request_->selected_challenge_option = std::move(selected_challenge_option);
+ 
+   should_unmask_card_ = request_->card.masked() ||
+diff --git a/ui/gfx/paint_vector_icon.cc b/ui/gfx/paint_vector_icon.cc
+index eef47b4..710f070 100644
+--- a/ui/gfx/paint_vector_icon.cc
++++ b/ui/gfx/paint_vector_icon.cc
+@@ -235,7 +235,7 @@ void PaintPath(Canvas* canvas,
+         break;
+ 
+       case H_LINE_TO: {
+-        const SkPoint last_point = path.getLastPt().value_or({0, 0});
++        const SkPoint last_point = path.getLastPt().value_or(SkPoint{0, 0});
+         path.lineTo(arg(0), last_point.fY);
+         break;
+       }
+@@ -245,7 +245,7 @@ void PaintPath(Canvas* canvas,
+         break;
+ 
+       case V_LINE_TO: {
+-        const SkPoint last_point = path.getLastPt().value_or({0, 0});
++        const SkPoint last_point = path.getLastPt().value_or(SkPoint{0, 0});
+         path.lineTo(last_point.fX, arg(0));
+         break;
+       }
+@@ -273,7 +273,7 @@ void PaintPath(Canvas* canvas,
+         // details.
+         // Note that |x1| and |y1| will correspond to the sole control point if
+         // calculating a quadratic curve.
+-        const SkPoint last_point = path.getLastPt().value_or({0, 0});
++        const SkPoint last_point = path.getLastPt().value_or(SkPoint{0, 0});
+         SkScalar delta_x = 0;
+         SkScalar delta_y = 0;
+         if (IsCommandTypeCurve(previous_command_type)) {
diff --git a/chromium/patches/noclanglibs.patch b/chromium/patches/noclanglibs.patch
new file mode 100644
index 0000000..4542171
--- /dev/null
+++ b/chromium/patches/noclanglibs.patch
@@ -0,0 +1,15 @@
+q66 doesn't want to pass clang_version for clanglib path since it's only used to
+link the libclang_rt.builtins.a. but those are linked by default already so skip
+it instead of computing the version
+--
+--- a/build/config/clang/BUILD.gn
++++ b/build/config/clang/BUILD.gn
+@@ -101,7 +101,7 @@
+ }
+ 
+ template("clang_lib") {
+-  if (!defined(invoker.libname) || is_wasm) {
++  if (true) {
+     not_needed(invoker, "*")
+     config(target_name) {
+     }
diff --git a/chromium/patches/sanitizer-no-death-callback.patch b/chromium/patches/sanitizer-no-death-callback.patch
new file mode 100644
index 0000000..b2c1e1f
--- /dev/null
+++ b/chromium/patches/sanitizer-no-death-callback.patch
@@ -0,0 +1,22 @@
+undefined symbol in our build
+
+--- a/v8/src/sandbox/testing.cc
++++ b/v8/src/sandbox/testing.cc
+@@ -578,7 +578,7 @@ void UninstallCrashFilter() {
+   // We should also uninstall the sanitizer death callback as our crash filter
+   // may hand a crash over to sanitizers, which should then not enter our crash
+   // filtering logic a second time.
+-#ifdef V8_USE_ANY_SANITIZER
++#if 0
+   __sanitizer_set_death_callback(nullptr);
+ #endif  // V8_USE_ANY_SANITIZER
+ }
+@@ -782,7 +782,7 @@ void InstallCrashFilter() {
+   }
+   CHECK(success);
+ 
+-#ifdef V8_USE_ANY_SANITIZER
++#if 0
+   // We install sanitizer specific crash handlers. These can only check for
+   // in-sandbox crashes on certain configurations.
+   //
diff --git a/chromium/patches/terminal-fdset.patch b/chromium/patches/terminal-fdset.patch
new file mode 100644
index 0000000..32c7421
--- /dev/null
+++ b/chromium/patches/terminal-fdset.patch
@@ -0,0 +1,10 @@
+--- a/third_party/dawn/src/tint/utils/system/terminal_posix.cc
++++ b/third_party/dawn/src/tint/utils/system/terminal_posix.cc
+@@ -37,6 +37,7 @@
+ #include <optional>
+ #include <string_view>
+ #include <utility>
++#include <sys/select.h>
+ 
+ #include "src/tint/utils/containers/vector.h"
+ #include "src/tint/utils/macros/compiler.h"