1 # This file is used to populate seccomp's whitelist policy in combination with SYSCALLS.TXT. 2 # Note that the resultant policy is applied only to zygote spawned processes. 3 # 4 # The final seccomp whitelist is SYSCALLS.TXT - SECCOMP_BLACKLIST.TXT + SECCOMP_WHITELIST.TXT 5 # Any entry in the blacklist must be in the syscalls file and not be in the whitelist file 6 # 7 # Each non-blank, non-comment line has the following format: 8 # 9 # return_type func_name[|alias_list][:syscall_name[:socketcall_id]]([parameter_list]) arch_list 10 # 11 # where: 12 # arch_list ::= "all" | arch+ 13 # arch ::= "arm" | "arm64" | "mips" | "mips64" | "x86" | "x86_64" 14 # 15 # Note: 16 # - syscall_name corresponds to the name of the syscall, which may differ from 17 # the exported function name (example: the exit syscall is implemented by the _exit() 18 # function, which is not the same as the standard C exit() function which calls it) 19 20 # - alias_list is optional comma separated list of function aliases 21 # 22 # - The call_id parameter, given that func_name and syscall_name have 23 # been provided, allows the user to specify dispatch style syscalls. 24 # For example, socket() syscall on i386 actually becomes: 25 # socketcall(__NR_socket, 1, *(rest of args on stack)). 26 # 27 # - Each parameter type is assumed to be stored in 32 bits. 28 # 29 # This file is processed by a python script named genseccomp.py. 30 31 int swapon(const char*, int) all 32 int swapoff(const char*) all 33