15 files changed, 605 insertions, 0 deletions

diff --git a/chromium/patches/008-fstatat64.patch b/chromium/patches/008-fstatat64.patch
new file mode 100644
index 0000000..1627ffa
--- /dev/null
+++ b/chromium/patches/008-fstatat64.patch
@@ -0,0 +1,17 @@
+fstatat64 is macrod to fstatat in sys/stat.h in musl- but then that fstatat is
+used in the _syscall4 macro mapping to __NR_$name, and __NR_fstatat is not
+defined anywhere here, as it wants the 64 name.
+
+so, just let it keep the name with an undef of the stat.h macro, then the macro
+expansion below evaluates correctly.
+--- a/third_party/lss/linux_syscall_support.h
++++ b/third_party/lss/linux_syscall_support.h
+@@ -4947,7 +4947,8 @@
+   # endif
+   #endif
+   #if defined(__NR_fstatat64)
++    #undef fstatat64
+     LSS_INLINE _syscall4(int,   fstatat64,        int,   d,
+                          const char *,      p,
+                          struct kernel_stat64 *,   b,    int,   f)
+   #endif
diff --git a/chromium/patches/016-musl-sandbox.patch b/chromium/patches/016-musl-sandbox.patch
new file mode 100644
index 0000000..41abc50
--- /dev/null
+++ b/chromium/patches/016-musl-sandbox.patch
@@ -0,0 +1,113 @@
+musl uses different syscalls from glibc for some functions, so the sandbox has
+to account for that
+--
+diff --git a/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc ./sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc
+index ff5a1c0..da56b9b 100644
+--- a/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc
++++ ./sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc
+@@ -139,21 +139,11 @@ namespace sandbox {
+ // present (as in newer versions of posix_spawn).
+ ResultExpr RestrictCloneToThreadsAndEPERMFork() {
+   const Arg<unsigned long> flags(0);
+-
+-  // TODO(mdempsky): Extend DSL to support (flags & ~mask1) == mask2.
+-  const uint64_t kAndroidCloneMask = CLONE_VM | CLONE_FS | CLONE_FILES |
+-                                     CLONE_SIGHAND | CLONE_THREAD |
+-                                     CLONE_SYSVSEM;
+-  const uint64_t kObsoleteAndroidCloneMask = kAndroidCloneMask | CLONE_DETACHED;
+-
+-  const uint64_t kGlibcPthreadFlags =
+-      CLONE_VM | CLONE_FS | CLONE_FILES | CLONE_SIGHAND | CLONE_THREAD |
+-      CLONE_SYSVSEM | CLONE_SETTLS | CLONE_PARENT_SETTID | CLONE_CHILD_CLEARTID;
+-  const BoolExpr glibc_test = flags == kGlibcPthreadFlags;
+-
+-  const BoolExpr android_test =
+-      AnyOf(flags == kAndroidCloneMask, flags == kObsoleteAndroidCloneMask,
+-            flags == kGlibcPthreadFlags);
++  const int required = CLONE_VM | CLONE_FS | CLONE_FILES | CLONE_SIGHAND |
++                       CLONE_THREAD | CLONE_SYSVSEM;
++  const int safe = CLONE_SETTLS | CLONE_PARENT_SETTID | CLONE_CHILD_CLEARTID |
++                   CLONE_DETACHED;
++  const BoolExpr thread_clone_ok = (flags&~safe)==required;
+ 
+   // The following two flags are the two important flags in any vfork-emulating
+   // clone call. EPERM any clone call that contains both of them.
+@@ -163,7 +153,7 @@ ResultExpr RestrictCloneToThreadsAndEPERMFork() {
+       AnyOf((flags & (CLONE_VM | CLONE_THREAD)) == 0,
+             (flags & kImportantCloneVforkFlags) == kImportantCloneVforkFlags);
+ 
+-  return If(IsAndroid() ? android_test : glibc_test, Allow())
++  return If(thread_clone_ok, Allow())
+       .ElseIf(is_fork_or_clone_vfork, Error(EPERM))
+       .Else(CrashSIGSYSClone());
+ }
+diff --git a/sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc ./sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc
+index d9d1882..0567557 100644
+--- a/sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc
++++ ./sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc
+@@ -392,6 +392,7 @@ bool SyscallSets::IsAllowedProcessStartOrDeath(int sysno) {
+ #if defined(__i386__)
+     case __NR_waitpid:
+ #endif
++    case __NR_set_tid_address:
+       return true;
+     case __NR_clone:  // Should be parameter-restricted.
+     case __NR_setns:  // Privileged.
+@@ -404,7 +405,6 @@ bool SyscallSets::IsAllowedProcessStartOrDeath(int sysno) {
+ #if defined(__i386__) || defined(__x86_64__) || defined(__mips__)
+     case __NR_set_thread_area:
+ #endif
+-    case __NR_set_tid_address:
+     case __NR_unshare:
+ #if !defined(__mips__) && !defined(__aarch64__)
+     case __NR_vfork:
+@@ -514,6 +514,8 @@ bool SyscallSets::IsAllowedAddressSpaceAccess(int sysno) {
+     case __NR_munlock:
+     case __NR_munmap:
+     case __NR_mseal:
++    case __NR_mremap:
++    case __NR_membarrier:
+       return true;
+     case __NR_madvise:
+     case __NR_mincore:
+@@ -531,7 +533,6 @@ bool SyscallSets::IsAllowedAddressSpaceAccess(int sysno) {
+     case __NR_modify_ldt:
+ #endif
+     case __NR_mprotect:
+-    case __NR_mremap:
+     case __NR_msync:
+     case __NR_munlockall:
+     case __NR_readahead:
+--- a/sandbox/policy/linux/bpf_renderer_policy_linux.cc
++++ b/sandbox/policy/linux/bpf_renderer_policy_linux.cc
+@@ -94,6 +94,10 @@
+     case __NR_pwrite64:
++    case __NR_pwritev2:
+     case __NR_sched_get_priority_max:
+     case __NR_sched_get_priority_min:
++    case __NR_sched_getparam:
++    case __NR_sched_getscheduler:
++    case __NR_sched_setscheduler:
+     case __NR_sysinfo:
+     case __NR_times:
+     case __NR_uname:
+--- a/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc
++++ b/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc
+@@ -225,10 +225,15 @@
+   if (sysno == __NR_getpriority || sysno ==__NR_setpriority)
+     return RestrictGetSetpriority(current_pid);
+ 
++  // XXX: hacks for musl sandbox, calls needed?
++  if (sysno == __NR_sched_getparam || sysno == __NR_sched_getscheduler ||
++      sysno == __NR_sched_setscheduler) {
++    return Allow();
++  }
++
+   // The scheduling syscalls are used in threading libraries and also heavily in
+   // abseil. See for example https://crbug.com/1370394.
+-  if (sysno == __NR_sched_getaffinity || sysno == __NR_sched_getparam ||
+-      sysno == __NR_sched_getscheduler || sysno == __NR_sched_setscheduler) {
++  if (sysno == __NR_sched_getaffinity) {
+     return RestrictSchedTarget(current_pid, sysno);
+   }
+ 
diff --git a/chromium/patches/017-musl-tid-caching.patch b/chromium/patches/017-musl-tid-caching.patch
new file mode 100644
index 0000000..498ce82
--- /dev/null
+++ b/chromium/patches/017-musl-tid-caching.patch
@@ -0,0 +1,85 @@
+the sandbox caching of thread id's only works with glibc
+see: https://gitlab.alpinelinux.org/alpine/aports/-/merge_requests/32356
+see: https://gitlab.alpinelinux.org/alpine/aports/-/issues/13579
+--
+--- a/sandbox/linux/services/namespace_sandbox.cc
++++ b/sandbox/linux/services/namespace_sandbox.cc
+@@ -209,6 +209,70 @@
+   return base::LaunchProcess(argv, launch_options_copy);
+ }
+ 
++#if defined(__aarch64__)
++#define TLS_ABOVE_TP
++#endif
++
++struct musl_pthread
++{
++  /* Part 1 -- these fields may be external or
++  * internal (accessed via asm) ABI. Do not change. */
++  struct pthread *self;
++#ifndef TLS_ABOVE_TP
++  uintptr_t *dtv;
++#endif
++  struct pthread *prev, *next; /* non-ABI */
++  uintptr_t sysinfo;
++#ifndef TLS_ABOVE_TP
++#ifdef CANARY_PAD
++  uintptr_t canary_pad;
++#endif
++  uintptr_t canary;
++#endif
++
++/* Part 2 -- implementation details, non-ABI. */
++  int tid;
++  int errno_val;
++  volatile int detach_state;
++  volatile int cancel;
++  volatile unsigned char canceldisable, cancelasync;
++  unsigned char tsd_used:1;
++  unsigned char dlerror_flag:1;
++  unsigned char *map_base;
++  size_t map_size;
++  void *stack;
++  size_t stack_size;
++  size_t guard_size;
++  void *result;
++  struct __ptcb *cancelbuf;
++  void **tsd;
++  struct {
++    volatile void *volatile head;
++    long off;
++    volatile void *volatile pending;
++  } robust_list;
++  int h_errno_val;
++  volatile int timer_id;
++  locale_t locale;
++  volatile int killlock[1];
++  char *dlerror_buf;
++  void *stdio_locks;
++
++  /* Part 3 -- the positions of these fields relative to
++  * the end of the structure is external and internal ABI. */
++#ifdef TLS_ABOVE_TP
++  uintptr_t canary;
++  uintptr_t *dtv;
++#endif
++};
++
++void MaybeUpdateMuslTidCache()
++{
++  pid_t real_tid = sys_gettid();
++  pid_t* cached_tid_location = &reinterpret_cast<struct musl_pthread*>(pthread_self())->tid;
++  *cached_tid_location = real_tid;
++}
++
+ // static
+ pid_t NamespaceSandbox::ForkInNewPidNamespace(bool drop_capabilities_in_child) {
+   const pid_t pid =
+@@ -226,6 +290,7 @@
+ #if defined(LIBC_GLIBC)
+     MaybeUpdateGlibcTidCache();
+ #endif
++    MaybeUpdateMuslTidCache();
+     return 0;
+   }
+ 
diff --git a/chromium/patches/019-musl-no-execinfo.patch b/chromium/patches/019-musl-no-execinfo.patch
new file mode 100644
index 0000000..7447919
--- /dev/null
+++ b/chromium/patches/019-musl-no-execinfo.patch
@@ -0,0 +1,68 @@
+musl does not have execinfo.h, and hence no implementation of
+. backtrace()
+. backtrace_symbols()
+for discussion about this, see https://www.openwall.com/lists/musl/2021/07/16/1
+--
+--- a/v8/src/codegen/external-reference-table.cc
++++ b/v8/src/codegen/external-reference-table.cc
+@@ -11,7 +11,9 @@
+
+ #if defined(DEBUG) && defined(V8_OS_LINUX) && !defined(V8_OS_ANDROID)
+ #define SYMBOLIZE_FUNCTION
++#if defined(__GLIBC__)
+ #include <execinfo.h>
++#endif
+
+ #include <vector>
+
+@@ -96,7 +98,7 @@
+ }
+
+ const char* ExternalReferenceTable::ResolveSymbol(void* address) {
+-#ifdef SYMBOLIZE_FUNCTION
++#if defined(SYMBOLIZE_FUNCTION) && defined(__GLIBC__)
+   char** names = backtrace_symbols(&address, 1);
+   const char* name = names[0];
+   // The array of names is malloc'ed. However, each name string is static
+--- a/third_party/swiftshader/third_party/llvm-subzero/build/Linux/include/llvm/Config/config.h
++++ b/third_party/swiftshader/third_party/llvm-subzero/build/Linux/include/llvm/Config/config.h
+@@ -58,7 +58,7 @@
+ #define HAVE_ERRNO_H 1
+ 
+ /* Define to 1 if you have the <execinfo.h> header file. */
+-#define HAVE_EXECINFO_H 1
++/* #define HAVE_EXECINFO_H 1 */
+ 
+ /* Define to 1 if you have the <fcntl.h> header file. */
+ #define HAVE_FCNTL_H 1
+--- a/base/debug/stack_trace.cc
++++ b/base/debug/stack_trace.cc
+@@ -291,7 +291,9 @@
+ }
+ 
+ void StackTrace::OutputToStream(std::ostream* os) const {
++#if defined(__GLIBC__)
+   OutputToStreamWithPrefix(os, {});
++#endif
+ }
+ 
+ void StackTrace::OutputToStreamWithPrefix(std::ostream* os,
+@@ -311,7 +313,7 @@
+ 
+ std::string StackTrace::ToStringWithPrefix(cstring_view prefix_string) const {
+   std::stringstream stream;
+-#if !defined(__UCLIBC__) && !defined(_AIX)
++#if defined(__GLIBC__) && !defined(_AIX)
+   OutputToStreamWithPrefix(&stream, prefix_string);
+ #endif
+   return stream.str();
+@@ -335,7 +335,7 @@
+ }
+ 
+ std::ostream& operator<<(std::ostream& os, const StackTrace& s) {
+-#if !defined(__UCLIBC__) && !defined(_AIX)
++#if defined(__GLIBC__) && !defined(_AIX)
+   s.OutputToStream(&os);
+ #else
+   os << "StackTrace::OutputToStream not implemented.";
+
diff --git a/chromium/patches/020-musl-no-mallinfo.patch b/chromium/patches/020-musl-no-mallinfo.patch
new file mode 100644
index 0000000..dc18ca5
--- /dev/null
+++ b/chromium/patches/020-musl-no-mallinfo.patch
@@ -0,0 +1,93 @@
+musl does not implement mallinfo()/mallinfo2()
+(or rather, malloc-ng, musl's allocator, doesn't)
+
+for some reason only outside of x86_64 HAVE_MALLINFO gets weirdly set by something
+--
+--- a/base/allocator/partition_allocator/src/partition_alloc/shim/allocator_shim_default_dispatch_to_partition_alloc.cc
++++ b/base/allocator/partition_allocator/src/partition_alloc/shim/allocator_shim_default_dispatch_to_partition_alloc.cc
+@@ -646,7 +645,7 @@ SHIM_ALWAYS_EXPORT int mallopt(int cmd, int value) __THROW {
+ 
+ #endif  // !PA_BUILDFLAG(IS_APPLE) && !PA_BUILDFLAG(IS_ANDROID)
+ 
+-#if PA_BUILDFLAG(IS_LINUX) || PA_BUILDFLAG(IS_CHROMEOS)
++#if 0
+ SHIM_ALWAYS_EXPORT struct mallinfo mallinfo(void) __THROW {
+   partition_alloc::SimplePartitionStatsDumper allocator_dumper;
+   Allocator()->DumpStats("malloc", true, &allocator_dumper);
+--- a/base/process/process_metrics_posix.cc
++++ b/base/process/process_metrics_posix.cc
+@@ -106,7 +107,8 @@ void IncreaseFdLimitTo(unsigned int max_descriptors) {
+ 
+ #endif  // !BUILDFLAG(IS_FUCHSIA)
+ 
+-#if BUILDFLAG(IS_LINUX) || BUILDFLAG(IS_CHROMEOS) || BUILDFLAG(IS_ANDROID)
++#if (BUILDFLAG(IS_LINUX) && defined(__GLIBC__)) || BUILDFLAG(IS_CHROMEOS) || \
++    BUILDFLAG(IS_ANDROID)
+ namespace {
+ 
+ size_t GetMallocUsageMallinfo() {
+@@ -132,7 +134,8 @@ size_t ProcessMetrics::GetMallocUsage() {
+   malloc_statistics_t stats = {0};
+   malloc_zone_statistics(nullptr, &stats);
+   return stats.size_in_use;
+-#elif BUILDFLAG(IS_LINUX) || BUILDFLAG(IS_CHROMEOS) || BUILDFLAG(IS_ANDROID)
++#elif (BUILDFLAG(IS_LINUX) && defined(__GLIBC__)) || BUILDFLAG(IS_CHROMEOS) || \
++    BUILDFLAG(IS_ANDROID)
+   return GetMallocUsageMallinfo();
+ #elif BUILDFLAG(IS_FUCHSIA)
+   // TODO(fuchsia): Not currently exposed. https://crbug.com/735087.
+diff --git a/base/trace_event/malloc_dump_provider.cc b/base/trace_event/malloc_dump_provider.cc
+index e37fc69c00..394f5dfdbb 100644
+--- a/base/trace_event/malloc_dump_provider.cc
++++ b/base/trace_event/malloc_dump_provider.cc
+@@ -189,7 +188,6 @@ void ReportMallinfoStats(ProcessMemoryDump* pmd,
+ #define MALLINFO2_FOUND_IN_LIBC
+   struct mallinfo2 info = mallinfo2();
+ #endif
+-#endif  // defined(__GLIBC__) && defined(__GLIBC_PREREQ)
+ #if !defined(MALLINFO2_FOUND_IN_LIBC)
+   struct mallinfo info = mallinfo();
+ #endif
+@@ -211,6 +209,7 @@ void ReportMallinfoStats(ProcessMemoryDump* pmd,
+                               MemoryAllocatorDump::kUnitsBytes,
+                               total_allocated_size);
+   }
++#endif  // defined(__GLIBC__) && defined(__GLIBC_PREREQ)
+ }
+ #endif
+ 
+@@ -368,7 +367,7 @@ bool MallocDumpProvider::OnMemoryDump(const MemoryDumpArgs& args,
+                      &allocated_objects_count);
+ #elif BUILDFLAG(IS_FUCHSIA)
+ // TODO(fuchsia): Port, see https://crbug.com/706592.
+-#else
++#elif defined(__GLIBC__)
+   ReportMallinfoStats(/*pmd=*/nullptr, &total_virtual_size, &resident_size,
+                       &allocated_objects_size, &allocated_objects_count);
+ #endif
+--- a/third_party/swiftshader/third_party/llvm-subzero/build/Linux/include/llvm/Config/config.h
++++ b/third_party/swiftshader/third_party/llvm-subzero/build/Linux/include/llvm/Config/config.h
+@@ -133,7 +133,6 @@
+ /* #undef HAVE_MALLCTL */
+ 
+ /* Define to 1 if you have the `mallinfo' function. */
+-#define HAVE_MALLINFO 1
+ 
+ /* Some projects using SwiftShader bypass cmake (eg Chromium via gn) */
+ /* so we need to check glibc version for the new API to be safe */
+--- a/third_party/swiftshader/third_party/llvm-10.0/llvm/lib/Support/Unix/Process.inc
++++ b/third_party/swiftshader/third_party/llvm-10.0/llvm/lib/Support/Unix/Process.inc
+@@ -83,11 +83,11 @@ Expected<unsigned> Process::getPageSize() {
+ }
+ 
+ size_t Process::GetMallocUsage() {
+-#if defined(HAVE_MALLINFO2)
++#if 0
+   struct mallinfo2 mi;
+   mi = ::mallinfo2();
+   return mi.uordblks;
+-#elif defined(HAVE_MALLINFO)
++#elif 0
+   struct mallinfo mi;
+   mi = ::mallinfo();
+   return mi.uordblks;
diff --git a/chromium/patches/021-musl-no-res-ninit.patch b/chromium/patches/021-musl-no-res-ninit.patch
new file mode 100644
index 0000000..d74f6cd
--- /dev/null
+++ b/chromium/patches/021-musl-no-res-ninit.patch
@@ -0,0 +1,32 @@
+similar to dns-resolver.patch, musl doesn't have res_ninit and so on
+--
+--- a/net/dns/public/scoped_res_state.cc
++++ b/net/dns/public/scoped_res_state.cc
+@@ -13,7 +13,7 @@
+ namespace net {
+ 
+ ScopedResState::ScopedResState() {
+-#if BUILDFLAG(IS_OPENBSD) || BUILDFLAG(IS_FUCHSIA)
++#if BUILDFLAG(IS_OPENBSD) || BUILDFLAG(IS_FUCHSIA) || defined(_GNU_SOURCE)
+   // Note: res_ninit in glibc always returns 0 and sets RES_INIT.
+   // res_init behaves the same way.
+   memset(&_res, 0, sizeof(_res));
+@@ -25,16 +25,8 @@
+ }
+ 
+ ScopedResState::~ScopedResState() {
+-#if !BUILDFLAG(IS_OPENBSD) && !BUILDFLAG(IS_FUCHSIA)
+-
+-  // Prefer res_ndestroy where available.
+-#if BUILDFLAG(IS_APPLE) || BUILDFLAG(IS_FREEBSD)
+-  res_ndestroy(&res_);
+-#else
+-  res_nclose(&res_);
+-#endif  // BUILDFLAG(IS_APPLE) || BUILDFLAG(IS_FREEBSD)
+-
+-#endif  // !BUILDFLAG(IS_OPENBSD) && !BUILDFLAG(IS_FUCHSIA)
++  // musl res_init() doesn't actually do anything
++  // no destruction is necessary as no memory has been allocated
+ }
+ 
+ bool ScopedResState::IsValid() const {
diff --git a/chromium/patches/022-no-sandbox-settls.patch b/chromium/patches/022-no-sandbox-settls.patch
new file mode 100644
index 0000000..f04e105
--- /dev/null
+++ b/chromium/patches/022-no-sandbox-settls.patch
@@ -0,0 +1,16 @@
+this optimisation of CLONE_SETTLS is not valid used like this, and musl
+clone(3) will EINVAL on this use
+--
+diff --git a/sandbox/linux/services/credentials.cc b/sandbox/linux/services/credentials.cc
+index 7f925cc..993a9ee 100644
+--- a/sandbox/linux/services/credentials.cc
++++ b/sandbox/linux/services/credentials.cc
+@@ -104,7 +104,7 @@ bool ChrootToSafeEmptyDir() {
+   // glibc performs syscalls by calling a function pointer in TLS, so we do not
+   // attempt this optimization.
+   // TODO(crbug.com/40196869) Broken in MSan builds after LLVM f1bb30a4956f.
+-  clone_flags |= CLONE_VM | CLONE_VFORK | CLONE_SETTLS;
++  clone_flags |= CLONE_VM | CLONE_VFORK;
+ 
+   char tls_buf[PTHREAD_STACK_MIN_CONST] = {};
+   tls = tls_buf;
diff --git a/chromium/patches/027-temp-failure-retry.patch b/chromium/patches/027-temp-failure-retry.patch
new file mode 100644
index 0000000..dc9ac6f
--- /dev/null
+++ b/chromium/patches/027-temp-failure-retry.patch
@@ -0,0 +1,22 @@
+random glibc macro, not provided by musl.
+https://www.gnu.org/software/libc/manual/html_node/Interrupted-Primitives.html
+diff --git a/sandbox/linux/suid/process_util.h b/sandbox/linux/suid/process_util.h
+index b0b92c1bcc..db6a122ea8 100644
+--- a/sandbox/linux/suid/process_util.h
++++ b/sandbox/linux/suid/process_util.h
+@@ -12,6 +12,15 @@
+ #include <stdint.h>
+ #include <sys/types.h>
+ 
++#define TEMP_FAILURE_RETRY(expression)         \
++  (__extension__({                             \
++    long int __result;                         \
++    do                                         \
++      __result = (long int)(expression);       \
++    while (__result == -1L && errno == EINTR); \
++    __result;                                  \
++  }))
++
+ // This adjusts /proc/process/oom_score_adj so the Linux OOM killer
+ // will prefer certain process types over others. The range for the
+ // adjustment is [-1000, 1000], with [0, 1000] being user accessible.
diff --git a/chromium/patches/033-perfetto-get-thread-name.patch b/chromium/patches/033-perfetto-get-thread-name.patch
new file mode 100644
index 0000000..4014d1e
--- /dev/null
+++ b/chromium/patches/033-perfetto-get-thread-name.patch
@@ -0,0 +1,22 @@
+--- a/third_party/perfetto/include/perfetto/ext/base/thread_utils.h
++++ b/third_party/perfetto/include/perfetto/ext/base/thread_utils.h
+@@ -30,7 +30,8 @@
+ #include <algorithm>
+ #endif
+ 
+-#if PERFETTO_BUILDFLAG(PERFETTO_OS_ANDROID)
++#if PERFETTO_BUILDFLAG(PERFETTO_OS_ANDROID) || \
++    (PERFETTO_BUILDFLAG(PERFETTO_OS_LINUX) && !defined(__GLIBC__))
+ #include <sys/prctl.h>
+ #endif
+ 
+@@ -58,7 +59,8 @@
+ 
+ inline bool GetThreadName(std::string& out_result) {
+   char buf[16] = {};
+-#if PERFETTO_BUILDFLAG(PERFETTO_OS_ANDROID)
++#if PERFETTO_BUILDFLAG(PERFETTO_OS_ANDROID) || \
++    (PERFETTO_BUILDFLAG(PERFETTO_OS_LINUX) && !defined(__GLIBC__))
+   if (prctl(PR_GET_NAME, buf) != 0)
+     return false;
+ #else
diff --git a/chromium/patches/035-breakpad-no-getcontext.patch b/chromium/patches/035-breakpad-no-getcontext.patch
new file mode 100644
index 0000000..f9bc2e0
--- /dev/null
+++ b/chromium/patches/035-breakpad-no-getcontext.patch
@@ -0,0 +1,27 @@
+--- a/third_party/breakpad/breakpad/src/client/linux/handler/exception_handler.cc       2015-12-06 09:59:55.554536646 +0100
++++ b/third_party/breakpad/breakpad/src/client/linux/handler/exception_handler.cc       2015-12-06 10:01:16.818238035 +0100
+@@ -477,7 +477,9 @@ bool ExceptionHandler::SimulateSignalDel
+   siginfo.si_code = SI_USER;
+   siginfo.si_pid = getpid();
+   ucontext_t context;
++#if defined(__GLIBC__)
+   getcontext(&context);
++#endif
+   return HandleSignal(sig, &siginfo, &context);
+ }
+ 
+@@ -647,9 +649,14 @@ bool ExceptionHandler::WriteMinidump() {
+   sys_prctl(PR_SET_DUMPABLE, 1, 0, 0, 0);
+ 
+   CrashContext context;
++
++#if defined(__GLIBC__)
+   int getcontext_result = getcontext(&context.context);
+   if (getcontext_result)
+     return false;
++#else
++  return false;
++#endif
+ 
+ #if defined(__i386__)
+   // In CPUFillFromUContext in minidumpwriter.cc the stack pointer is retrieved
diff --git a/chromium/patches/disable-dns_config_service.patch b/chromium/patches/disable-dns_config_service.patch
new file mode 100644
index 0000000..3c8e593
--- /dev/null
+++ b/chromium/patches/disable-dns_config_service.patch
@@ -0,0 +1,19 @@
+the linux one sometimes crashes, and this is optional/not required, so use the
+stub fuschia one
+https://gitlab.alpinelinux.org/alpine/aports/-/issues/15660
+--
+diff --git a/net/dns/BUILD.gn b/net/dns/BUILD.gn
+index f36bf68..805d9a6 100644
+--- a/net/dns/BUILD.gn
++++ b/net/dns/BUILD.gn
+@@ -130,8 +130,8 @@ source_set("dns") {
+     ]
+   } else if (is_linux) {
+     sources += [
+-      "dns_config_service_linux.cc",
+-      "dns_config_service_linux.h",
++      "dns_config_service_fuchsia.cc",
++      "dns_config_service_fuchsia.h",
+     ]
+   } else if (is_posix) {
+     sources += [
diff --git a/chromium/patches/llvm21-fixes.patch b/chromium/patches/llvm21-fixes.patch
new file mode 100644
index 0000000..01208af
--- /dev/null
+++ b/chromium/patches/llvm21-fixes.patch
@@ -0,0 +1,44 @@
+diff --git a/components/autofill/core/browser/payments/full_card_request.cc b/components/autofill/core/browser/payments/full_card_request.cc
+index 8b7319d..5a8ade3 100644
+--- a/components/autofill/core/browser/payments/full_card_request.cc
++++ b/components/autofill/core/browser/payments/full_card_request.cc
+@@ -124,7 +124,7 @@ void FullCardRequest::GetFullCardImpl(
+   request_->card = std::move(card);
+   request_->last_committed_primary_main_frame_origin =
+       last_committed_primary_main_frame_origin;
+-  request_->context_token = std::move(context_token).value_or({});
++  request_->context_token = std::move(context_token).value_or(std::string{});
+   request_->selected_challenge_option = std::move(selected_challenge_option);
+ 
+   should_unmask_card_ = request_->card.masked() ||
+diff --git a/ui/gfx/paint_vector_icon.cc b/ui/gfx/paint_vector_icon.cc
+index eef47b4..710f070 100644
+--- a/ui/gfx/paint_vector_icon.cc
++++ b/ui/gfx/paint_vector_icon.cc
+@@ -235,7 +235,7 @@ void PaintPath(Canvas* canvas,
+         break;
+ 
+       case H_LINE_TO: {
+-        const SkPoint last_point = path.getLastPt().value_or({0, 0});
++        const SkPoint last_point = path.getLastPt().value_or(SkPoint{0, 0});
+         path.lineTo(arg(0), last_point.fY);
+         break;
+       }
+@@ -245,7 +245,7 @@ void PaintPath(Canvas* canvas,
+         break;
+ 
+       case V_LINE_TO: {
+-        const SkPoint last_point = path.getLastPt().value_or({0, 0});
++        const SkPoint last_point = path.getLastPt().value_or(SkPoint{0, 0});
+         path.lineTo(last_point.fX, arg(0));
+         break;
+       }
+@@ -273,7 +273,7 @@ void PaintPath(Canvas* canvas,
+         // details.
+         // Note that |x1| and |y1| will correspond to the sole control point if
+         // calculating a quadratic curve.
+-        const SkPoint last_point = path.getLastPt().value_or({0, 0});
++        const SkPoint last_point = path.getLastPt().value_or(SkPoint{0, 0});
+         SkScalar delta_x = 0;
+         SkScalar delta_y = 0;
+         if (IsCommandTypeCurve(previous_command_type)) {
diff --git a/chromium/patches/noclanglibs.patch b/chromium/patches/noclanglibs.patch
new file mode 100644
index 0000000..4542171
--- /dev/null
+++ b/chromium/patches/noclanglibs.patch
@@ -0,0 +1,15 @@
+q66 doesn't want to pass clang_version for clanglib path since it's only used to
+link the libclang_rt.builtins.a. but those are linked by default already so skip
+it instead of computing the version
+--
+--- a/build/config/clang/BUILD.gn
++++ b/build/config/clang/BUILD.gn
+@@ -101,7 +101,7 @@
+ }
+ 
+ template("clang_lib") {
+-  if (!defined(invoker.libname) || is_wasm) {
++  if (true) {
+     not_needed(invoker, "*")
+     config(target_name) {
+     }
diff --git a/chromium/patches/sanitizer-no-death-callback.patch b/chromium/patches/sanitizer-no-death-callback.patch
new file mode 100644
index 0000000..b2c1e1f
--- /dev/null
+++ b/chromium/patches/sanitizer-no-death-callback.patch
@@ -0,0 +1,22 @@
+undefined symbol in our build
+
+--- a/v8/src/sandbox/testing.cc
++++ b/v8/src/sandbox/testing.cc
+@@ -578,7 +578,7 @@ void UninstallCrashFilter() {
+   // We should also uninstall the sanitizer death callback as our crash filter
+   // may hand a crash over to sanitizers, which should then not enter our crash
+   // filtering logic a second time.
+-#ifdef V8_USE_ANY_SANITIZER
++#if 0
+   __sanitizer_set_death_callback(nullptr);
+ #endif  // V8_USE_ANY_SANITIZER
+ }
+@@ -782,7 +782,7 @@ void InstallCrashFilter() {
+   }
+   CHECK(success);
+ 
+-#ifdef V8_USE_ANY_SANITIZER
++#if 0
+   // We install sanitizer specific crash handlers. These can only check for
+   // in-sandbox crashes on certain configurations.
+   //
diff --git a/chromium/patches/terminal-fdset.patch b/chromium/patches/terminal-fdset.patch
new file mode 100644
index 0000000..32c7421
--- /dev/null
+++ b/chromium/patches/terminal-fdset.patch
@@ -0,0 +1,10 @@
+--- a/third_party/dawn/src/tint/utils/system/terminal_posix.cc
++++ b/third_party/dawn/src/tint/utils/system/terminal_posix.cc
+@@ -37,6 +37,7 @@
+ #include <optional>
+ #include <string_view>
+ #include <utility>
++#include <sys/select.h>
+ 
+ #include "src/tint/utils/containers/vector.h"
+ #include "src/tint/utils/macros/compiler.h"