| # Minijail Seccomp Policy for isolated_app processes on X86-64. |
| |
| access: return EPERM |
| |
| # arch_prctl: arg0 == ARCH_SET_GS |
| arch_prctl: arg0 == 0x1001; return EPERM |
| |
| chmod: return EPERM |
| chown: return EPERM |
| creat: return EPERM |
| dup2: 1 |
| epoll_create: 1 |
| epoll_wait: 1 |
| fork: return EPERM |
| futimesat: return EPERM |
| getdents64: 1 |
| getdents: return EPERM |
| getrlimit: 1 |
| ioperm: return EPERM |
| iopl: return EPERM |
| lchown: return EPERM |
| link: return EPERM |
| lstat: return EPERM |
| mkdir: return EPERM |
| mknod: return EPERM |
| |
| # mmap: flags in {MAP_SHARED|MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK|MAP_NORESERVE|MAP_FIXED|MAP_DENYWRITE} |
| mmap: arg3 in 0x24833 |
| |
| newfstatat: 1 |
| open: 1 |
| pause: 1 |
| pipe: 1 |
| poll: 1 |
| readlink: return EPERM |
| rename: return EPERM |
| rmdir: return EPERM |
| select: 1 |
| stat: return EPERM |
| symlink: return EPERM |
| time: 1 |
| unlink: return EPERM |
| uselib: return EPERM |
| ustat: return EPERM |
| utime: return EPERM |
| utimes: return EPERM |