# Copyright (C) 2019 The Android Open Source Project
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# minijail seccomp policy, one "<syscall>: <expr>" rule per line. "1" allows the
# syscall unconditionally; an argument expression allows it only when the
# expression holds; syscalls not listed fall to minijail's default (deny) action.
# The 32-bit syscall names used below (mmap2, getuid32, fstat64, _llseek,
# ugetrlimit) and the 0xffff0000 vector-page note suggest this is the arm
# (32-bit) variant of the policy -- confirm against the sibling policy files.

futex: 1
# ioctl calls are filtered via the selinux policy.
ioctl: 1
sched_yield: 1
close: 1
dup: 1
ppoll: 1
# W^X rule: "arg2 in MASK" passes when prot has no bits outside MASK, so a
# mapping is allowed when it lacks PROT_EXEC or lacks PROT_WRITE and is rejected
# only when it asks for both. Stricter "in 0x1|0x2" variants (no PROT_EXEC at
# all) are present further down but commented out.
mprotect: arg2 in ~PROT_EXEC || arg2 in ~PROT_WRITE
mmap2: arg2 in ~PROT_EXEC || arg2 in ~PROT_WRITE
memfd_create: 1
ftruncate: 1
ftruncate64: 1

# mremap: Ensure |flags| are (MREMAP_MAYMOVE | MREMAP_FIXED) TODO: Once minijail
# parser support for '<' is in this needs to be modified to also prevent
# |old_address| and |new_address| from touching the exception vector page, which
# on ARM is statically loaded at 0xffff 0000. See
# http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.ddi0211h/Babfeega.html
# for more details.
# 3 == MREMAP_MAYMOVE (1) | MREMAP_FIXED (2); any other flag combination is
# denied, so a caller cannot mremap without MREMAP_FIXED.
mremap: arg3 == 3
munmap: 1
# prctl is unrestricted. A narrower rule (PR_GET_NO_NEW_PRIVS or 0x53564d41,
# the Android PR_SET_VMA request) exists below but is commented out; tightening
# this line would require checking every prctl option the process issues.
prctl: 1
getuid32: 1
writev: 1
sigaltstack: 1
# clone flags are not constrained here.
clone: 1
exit: 1
lseek: 1
rt_sigprocmask: 1
# open/openat are unrestricted; which paths are reachable is left to the
# filesystem and SELinux policy rather than to seccomp.
openat: 1
open: 1
fstat64: 1
write: 1
nanosleep: 1
setpriority: 1
set_tid_address: 1
getdents64: 1
readlinkat: 1
readlink: 1
read: 1
pread64: 1
fstatfs64: 1
gettimeofday: 1
faccessat: 1
_llseek: 1
fstatat64: 1
ugetrlimit: 1
exit_group: 1
restart_syscall: 1
rt_sigreturn: 1
getrandom: 1
madvise: 1

# crash dump policy additions
# Rules grouped under the crash-dump heading (process_vm_readv, tgkill,
# rt_tgsigqueueinfo, pipe2, recvmsg are the ones not already covered above).
# futex: 1 repeats the entry at the top of the file; both are unconditional
# allows, so the duplicate changes nothing, but it can be dropped if the two
# sections are ever merged.
sigreturn: 1
clock_gettime: 1
futex: 1
getpid: 1
gettid: 1
pipe2: 1
recvmsg: 1
process_vm_readv: 1
tgkill: 1
rt_sigaction: 1
rt_tgsigqueueinfo: 1
# Disabled, stricter variants of the prctl / mprotect / mmap2 rules above,
# kept for reference (0x1|0x2 == PROT_READ|PROT_WRITE, i.e. no PROT_EXEC).
#prctl: arg0 == PR_GET_NO_NEW_PRIVS || arg0 == 0x53564d41
#mprotect: arg2 in 0x1|0x2
#mmap2: arg2 in 0x1|0x2
geteuid32: 1
getgid32: 1
getegid32: 1
getgroups32: 1