sandbox: Fix Android clone flags

sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc

Index: sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc
diff --git a/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc b/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc
index 8dd8b454fbaef995f9914a4ef309b70293a09e6f..2f7578586ed8640ffc79be80cb428b646aafa816 100644
--- a/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc
+++ b/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc
@@ -101,14 +101,16 @@ ResultExpr RestrictCloneToThreadsAndEPERMFork() {
                                      CLONE_SIGHAND | CLONE_THREAD |
                                      CLONE_SYSVSEM;
   const uint64_t kObsoleteAndroidCloneMask = kAndroidCloneMask | CLONE_DETACHED;
-  const BoolExpr android_test =
-      flags == kAndroidCloneMask || flags == kObsoleteAndroidCloneMask;
 
   const uint64_t kGlibcPthreadFlags =
       CLONE_VM | CLONE_FS | CLONE_FILES | CLONE_SIGHAND | CLONE_THREAD |
       CLONE_SYSVSEM | CLONE_SETTLS | CLONE_PARENT_SETTID | CLONE_CHILD_CLEARTID;
   const BoolExpr glibc_test = flags == kGlibcPthreadFlags;
 
+  const BoolExpr android_test = flags == kAndroidCloneMask ||
+                                flags == kObsoleteAndroidCloneMask ||
+                                flags == kGlibcPthreadFlags;
+
   return If(IsAndroid() ? android_test : glibc_test, Allow())
       .ElseIf((flags & (CLONE_VM | CLONE_THREAD)) == 0, Error(EPERM))
       .Else(CrashSIGSYSClone());