| # Minijail Seccomp Policy for isolated_app processes on ARM (32-bit). |
| |
| access: return EPERM |
| ARM_breakpoint: 1 |
| ARM_cacheflush: 1 |
| ARM_set_tls: 1 |
| ARM_usr26: 1 |
| ARM_usr32: 1 |
| chmod: return EPERM |
| chown32: return EPERM |
| chown: return EPERM |
| creat: return EPERM |
| dup2: 1 |
| epoll_create: 1 |
| epoll_wait: 1 |
| fchown32: return EPERM |
| |
| # fnctl64: restrict cmd |
| fcntl64: arg1 == F_GETFL || arg1 == F_GETFD || arg1 == F_SETFD || arg1 == F_SETLK || arg1 == F_SETLKW || arg1 == F_GETLK || arg1 == F_DUPFD |
| |
| fork: return EPERM |
| fstat64: 1 |
| fstatat64: 1 |
| ftruncate64: 1 |
| futimesat: return EPERM |
| getdents: 1 |
| getdents64: return EPERM |
| getegid32: 1 |
| geteuid32: 1 |
| getgid32: 1 |
| getgroups32: 1 |
| getresgid32: 1 |
| getresuid32: 1 |
| getuid32: 1 |
| lchown32: return EPERM |
| lchown: return EPERM |
| link: return EPERM |
| _llseek: 1 |
| lstat64: return EPERM |
| lstat: return EPERM |
| mkdir: return EPERM |
| mknod: return EPERM |
| |
| # mmap2: flags in {MAP_SHARED|MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK|MAP_NORESERVE|MAP_FIXED|MAP_DENYWRITE} |
| mmap2: arg3 in 0x24833 |
| |
| _newselect: 1 |
| open: 1 |
| pause: 1 |
| pipe: 1 |
| poll: 1 |
| readlink: return EPERM |
| recv: 1 |
| rename: return EPERM |
| rmdir: return EPERM |
| send: 1 |
| setfsgid32: return EPERM |
| setfsuid32: return EPERM |
| setgid32: return EPERM |
| setgroups32: return EPERM |
| setregid32: return EPERM |
| setresgid32: return EPERM |
| setresuid32: return EPERM |
| setreuid32: return EPERM |
| setuid32: return EPERM |
| sigaction: 1 |
| sigprocmask: 1 |
| sigreturn: 1 |
| stat64: return EPERM |
| statfs64: return EPERM |
| stat: return EPERM |
| symlink: return EPERM |
| truncate64: return EPERM |
| ugetrlimit: 1 |
| unlink: return EPERM |
| uselib: return EPERM |
| ustat: return EPERM |
| utimes: return EPERM |