diff -up chromium-74.0.3729.169/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc.glibc229 chromium-74.0.3729.169/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc
--- chromium-74.0.3729.169/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc.glibc229 2019-05-31 13:45:04.165403187 -0400
+++ chromium-74.0.3729.169/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc 2019-05-31 13:45:38.200830150 -0400
@@ -162,6 +162,15 @@ ResultExpr EvaluateSyscallImpl(int fs_de
 }
 #endif
+#if defined(__NR_vfork)
+ // vfork() is almost never used as a system call, but some libc versions (e.g.
+ // older versions of bionic) might use it in a posix_spawn() implementation,
+ // which is used by system();
+ if (sysno == __NR_vfork) {
+ return Error(EPERM);
+ }
+#endif
+
 if (sysno == __NR_futex)
 return RestrictFutex();
diff -up chromium-74.0.3729.169/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc.glibc229 chromium-74.0.3729.169/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc
--- chromium-74.0.3729.169/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc.glibc229 2019-05-31 13:45:54.653553140 -0400
+++ chromium-74.0.3729.169/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc 2019-05-31 13:47:19.357675791 -0400
@@ -134,7 +134,8 @@ namespace sandbox {
 #if !defined(OS_NACL_NONSFI)
 // Allow Glibc's and Android pthread creation flags, crash on any other
 // thread creation attempts and EPERM attempts to use neither
-// CLONE_VM, nor CLONE_THREAD, which includes all fork() implementations.
+// CLONE_VM nor CLONE_THREAD (all fork implementations), unless CLONE_VFORK is
+// present (as in newer versions of posix_spawn).
 ResultExpr RestrictCloneToThreadsAndEPERMFork() {
 const Arg flags(0);
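Review bot: The new vfork branch returns Error(EPERM) without saying why a graceful failure is preferred over the SIGSYS crash the clone policy uses for unexpected thread-creation flags; the comment only explains who issues vfork(). Add the rationale, e.g. `// EPERM rather than SIGSYS so a libc posix_spawn() that falls back to vfork() fails with an error instead of killing the process, consistent with how fork() is treated.` The comment also ends in a stray semicolon (`which is used by system();`) that reads as code. The braced single-statement `if` differs from the brace-less `if (sysno == __NR_futex)` directly below it; either form is fine, but one function should use one. EvaluateSyscallImpl starts and ends outside the hunk.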
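Review bot: The reworded comment on RestrictCloneToThreadsAndEPERMFork is ambiguous: `unless CLONE_VFORK is present` reads as an exemption from EPERM, whereas the function body in the following hunk EPERMs clone calls carrying CLONE_VM together with CLONE_VFORK as well. Suggest `// CLONE_VM nor CLONE_THREAD (all fork() implementations), and also EPERM any` followed by `// clone that sets both CLONE_VM and CLONE_VFORK (newer posix_spawn).` The function body continues outside the hunk.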
@@ -153,8 +154,16 @@ ResultExpr RestrictCloneToThreadsAndEPER
 AnyOf(flags == kAndroidCloneMask, flags == kObsoleteAndroidCloneMask, flags == kGlibcPthreadFlags);
+ // The following two flags are the two important flags in any vfork-emulating
+ // clone call. EPERM any clone call that contains both of them.
+ const uint64_t kImportantCloneVforkFlags = CLONE_VFORK | CLONE_VM;
+
+ const BoolExpr is_fork_or_clone_vfork =
+ AnyOf((flags & (CLONE_VM | CLONE_THREAD)) == 0, (flags & kImportantCloneVforkFlags) == kImportantCloneVforkFlags);
+
 return If(IsAndroid() ? android_test : glibc_test, Allow())
- .ElseIf((flags & (CLONE_VM | CLONE_THREAD)) == 0, Error(EPERM))
+ .ElseIf(is_fork_or_clone_vfork, Error(EPERM))
 .Else(CrashSIGSYSClone());
 }
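Review bot: The new EPERM branch is broader than its comment states: `(flags & kImportantCloneVforkFlags) == kImportantCloneVforkFlags` ignores CLONE_THREAD, so a clone carrying CLONE_VM|CLONE_VFORK together with CLONE_THREAD and other unexpected flags now gets a quiet EPERM where it previously fell through to CrashSIGSYSClone(). If the intent is to keep crashing on anomalous thread-creation attempts and only let the posix_spawn vfork emulation fail gracefully, require CLONE_THREAD to be clear, e.g. `(flags & (CLONE_VM | CLONE_VFORK | CLONE_THREAD)) == kImportantCloneVforkFlags`. Minor: `kImportantCloneVforkFlags` is a compile-time value and could be `constexpr`, and the comment `The following two flags are the two important flags` would be clearer as `// CLONE_VM | CLONE_VFORK is what every vfork-emulating clone sets; EPERM any clone carrying both.` The function's opening lines are outside the hunk.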