# Minijail Seccomp Policy for isolated_app processes on ARM (32-bit).
#
# Rule syntax used in this file (Minijail policy language):
#   <syscall>: 1              allow the call unconditionally
#   <syscall>: return EPERM   do not run the call; fail it with errno EPERM
#   <syscall>: <expression>   allow only when the argument test holds
#                             (argN is zero-indexed: arg1 is the 2nd argument)
# NOTE(review): what happens to syscalls that are not listed here, or to calls
# that fail an argument test, depends on the filter's default action and on any
# other policy this file is combined with -- confirm against the jail setup.
# Comments in this file are whole-line '#' comments only; keep rule lines free
# of trailing text.
#
# Path-based metadata and namespace-changing calls below (access, chmod, chown,
# creat, link, mkdir, ...) are answered with EPERM rather than executed.
access: return EPERM
ARM_breakpoint: 1
ARM_cacheflush: 1
ARM_set_tls: 1
ARM_usr26: 1
ARM_usr32: 1
chmod: return EPERM
chown32: return EPERM
chown: return EPERM
creat: return EPERM
dup2: 1
epoll_create: 1
epoll_wait: 1
fchown32: return EPERM
# fcntl64: restrict cmd (arg1) to the commands listed in the rule. Commands
# that are not listed, such as F_SETFL, do not match it.
fcntl64: arg1 == F_GETFL || arg1 == F_GETFD || arg1 == F_SETFD || arg1 == F_SETLK || arg1 == F_SETLKW || arg1 == F_GETLK || arg1 == F_DUPFD
# NOTE(review): fork fails with EPERM, but clone and vfork have no rule in this
# file -- confirm they are covered by the default action or by a base policy.
fork: return EPERM
fstat64: 1
fstatat64: 1
ftruncate64: 1
futimesat: return EPERM
# NOTE(review): getdents is allowed while getdents64 fails with EPERM; confirm
# the asymmetry is intended.
getdents: 1
getdents64: return EPERM
getegid32: 1
geteuid32: 1
getgid32: 1
getgroups32: 1
getresgid32: 1
getresuid32: 1
getuid32: 1
lchown32: return EPERM
lchown: return EPERM
link: return EPERM
_llseek: 1
lstat64: return EPERM
lstat: return EPERM
mkdir: return EPERM
mknod: return EPERM
# mmap2: flags in {MAP_SHARED|MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK|MAP_NORESERVE|MAP_FIXED|MAP_DENYWRITE}
# arg3 is the flags argument; 'in' matches only when no bit outside the mask
# 0x24833 is set. arg2 (prot) is not tested, so this rule by itself does not
# restrict PROT_EXEC or writable+executable mappings.
mmap2: arg3 in 0x24833
_newselect: 1
# open is allowed with no argument test. A seccomp filter sees only the pointer
# value of the path, not the string it points to, so this rule cannot limit
# which files are opened; creat is denied above, but O_CREAT is not filtered
# on open.
# NOTE(review): presumably path access is confined by another layer (for
# example a mount namespace or SELinux policy) -- confirm.
open: 1
pause: 1
pipe: 1
poll: 1
readlink: return EPERM
recv: 1
rename: return EPERM
rmdir: return EPERM
send: 1
# Credential-changing calls (setfs*id32, set*gid32, set*uid32, setgroups32)
# fail with EPERM; the read-only get*id32 calls above are allowed.
setfsgid32: return EPERM
setfsuid32: return EPERM
setgid32: return EPERM
setgroups32: return EPERM
setregid32: return EPERM
setresgid32: return EPERM
setresuid32: return EPERM
setreuid32: return EPERM
setuid32: return EPERM
sigaction: 1
sigprocmask: 1
sigreturn: 1
stat64: return EPERM
statfs64: return EPERM
stat: return EPERM
symlink: return EPERM
truncate64: return EPERM
ugetrlimit: 1
unlink: return EPERM
uselib: return EPERM
ustat: return EPERM
utimes: return EPERM