diff --git chromium-75.0.3770.100/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc chromium-75.0.3770.100/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc
index 479d1ed..b06cec7 100644
--- chromium-75.0.3770.100/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc
+++ chromium-75.0.3770.100/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc
@@ -216,6 +216,9 @@ ResultExpr EvaluateSyscallImpl(int fs_denied_errno,
   if (sysno == __NR_prctl)
     return RestrictPrctl();
 
+  if (sysno == __NR_set_tid_address)
+    return RestrictSetTIDAddress();
+
 #if defined(__x86_64__) || defined(__arm__) || defined(__mips__) || \
     defined(__aarch64__)
   if (sysno == __NR_socketpair) {
diff --git chromium-75.0.3770.100/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc chromium-75.0.3770.100/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc
index 348ab6e..2e91cf7 100644
--- chromium-75.0.3770.100/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc
+++ chromium-75.0.3770.100/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc
@@ -140,20 +140,11 @@ namespace sandbox {
 ResultExpr RestrictCloneToThreadsAndEPERMFork() {
   const Arg<unsigned long> flags(0);
 
-  // TODO(mdempsky): Extend DSL to support (flags & ~mask1) == mask2.
-  const uint64_t kAndroidCloneMask = CLONE_VM | CLONE_FS | CLONE_FILES |
-                                     CLONE_SIGHAND | CLONE_THREAD |
-                                     CLONE_SYSVSEM;
-  const uint64_t kObsoleteAndroidCloneMask = kAndroidCloneMask | CLONE_DETACHED;
-
-  const uint64_t kGlibcPthreadFlags =
-      CLONE_VM | CLONE_FS | CLONE_FILES | CLONE_SIGHAND | CLONE_THREAD |
-      CLONE_SYSVSEM | CLONE_SETTLS | CLONE_PARENT_SETTID | CLONE_CHILD_CLEARTID;
-  const BoolExpr glibc_test = flags == kGlibcPthreadFlags;
-
-  const BoolExpr android_test =
-      AnyOf(flags == kAndroidCloneMask, flags == kObsoleteAndroidCloneMask,
-            flags == kGlibcPthreadFlags);
+  const int required = CLONE_VM | CLONE_FS | CLONE_FILES | CLONE_SIGHAND |
+                       CLONE_THREAD | CLONE_SYSVSEM;
+  const int safe = CLONE_SETTLS | CLONE_PARENT_SETTID | CLONE_CHILD_CLEARTID |
+                   CLONE_DETACHED;
+  const BoolExpr thread_clone_ok = (flags&~safe)==required;
 
   // The following two flags are the two important flags in any vfork-emulating
   // clone call. EPERM any clone call that contains both of them.
@@ -163,7 +154,7 @@ ResultExpr RestrictCloneToThreadsAndEPERMFork() {
       AnyOf((flags & (CLONE_VM | CLONE_THREAD)) == 0,
             (flags & kImportantCloneVforkFlags) == kImportantCloneVforkFlags);
 
-  return If(IsAndroid() ? android_test : glibc_test, Allow())
+  return If(thread_clone_ok, Allow())
       .ElseIf(is_fork_or_clone_vfork, Error(EPERM))
       .Else(CrashSIGSYSClone());
 }
@@ -427,4 +418,10 @@ ResultExpr RestrictPtrace() {
 }
 #endif  // defined(OS_NACL_NONSFI)
 
+ResultExpr RestrictSetTIDAddress() {
+  const Arg<uintptr_t> address(0);
+  // Only allow clearing the TID address.
+  return If(address == 0, Allow()).Else(CrashSIGSYS());
+}
+
 }  // namespace sandbox.
diff --git chromium-75.0.3770.100/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.h chromium-75.0.3770.100/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.h
index cb563df..8aef632 100644
--- chromium-75.0.3770.100/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.h
+++ chromium-75.0.3770.100/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.h
@@ -107,6 +107,9 @@ SANDBOX_EXPORT bpf_dsl::ResultExpr RestrictPrlimit(pid_t target_pid);
 // reporting. See https://crbug.com/933418 for details.
 SANDBOX_EXPORT bpf_dsl::ResultExpr RestrictPtrace();
 
+// Restrict the address to NULL.
+SANDBOX_EXPORT bpf_dsl::ResultExpr RestrictSetTIDAddress();
+
 }  // namespace sandbox.
 
 #endif  // SANDBOX_LINUX_SECCOMP_BPF_HELPERS_SYSCALL_PARAMETERS_RESTRICTIONS_H_
diff --git chromium-75.0.3770.100/sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc chromium-75.0.3770.100/sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc
index 7dbcc87..41f3fd5 100644
--- chromium-75.0.3770.100/sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc
+++ chromium-75.0.3770.100/sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc
@@ -386,6 +386,7 @@ bool SyscallSets::IsAllowedProcessStartOrDeath(int sysno) {
   switch (sysno) {
     case __NR_exit:
     case __NR_exit_group:
+    case __NR_membarrier:
     case __NR_wait4:
     case __NR_waitid:
 #if defined(__i386__)
@@ -513,6 +514,7 @@ bool SyscallSets::IsAllowedAddressSpaceAccess(int sysno) {
     case __NR_mlock:
     case __NR_munlock:
     case __NR_munmap:
+    case __NR_mremap:
       return true;
     case __NR_madvise:
     case __NR_mincore:
@@ -530,7 +532,6 @@ bool SyscallSets::IsAllowedAddressSpaceAccess(int sysno) {
     case __NR_modify_ldt:
 #endif
     case __NR_mprotect:
-    case __NR_mremap:
     case __NR_msync:
     case __NR_munlockall:
     case __NR_readahead:
diff --git chromium-75.0.3770.100/sandbox/linux/system_headers/x86_64_linux_syscalls.h chromium-75.0.3770.100/sandbox/linux/system_headers/x86_64_linux_syscalls.h
index 349504a..ea3c7c9 100644
--- chromium-75.0.3770.100/sandbox/linux/system_headers/x86_64_linux_syscalls.h
+++ chromium-75.0.3770.100/sandbox/linux/system_headers/x86_64_linux_syscalls.h
@@ -1290,5 +1290,9 @@
 #define __NR_memfd_create 319
 #endif
 
+#if !defined(__NR_membarrier)
+#define __NR_membarrier 324
+#endif
+
 #endif  // SANDBOX_LINUX_SYSTEM_HEADERS_X86_64_LINUX_SYSCALLS_H_