# Copyright (c) 2022 Huawei Device Co., Ltd.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Seccomp syscall policy. The sections below name the target architecture, a
# return value, header files, a priority entry, and two syscall allow lists.
@arch
arm

# NOTE(review): presumably the action applied to any syscall that is not
# matched by the lists below; confirm against the policy generator.
@returnValue
KILL_PROCESS

# NOTE(review): presumably the headers that define the symbolic constants used
# in @allowListWithArgs (RUSAGE_*, CLOCK_*, AF_UNIX, SOL_SOCKET, SO_PEEK_OFF);
# confirm against the policy generator.
@headFiles
"time.h"
"sys/ioctl.h"
"linux/futex.h"
"sys/resource.h"
"sys/prctl.h"
"sys/mman.h"
"sched.h"
"fcntl.h"
"sys/random.h"
"sys/types.h"
"sys/socket.h"

# NOTE(review): futex is not repeated in @allowList; presumably @priority both
# allows it and places it early in the generated filter. Confirm.
@priority
futex

# Syscalls in this section carry no argument conditions (compare
# @allowListWithArgs at the end of the file).
# NOTE(review): several entries are broad for a sandbox policy and are allowed
# with any arguments: ptrace, execve, clone, ioctl, prctl, mprotect, socket,
# connect, open/openat, unlink/unlinkat, mkdir/mkdirat, capset, and the
# setgroups/setresuid/setresgid family. If the confined process does not need
# one of them, drop it; otherwise consider moving it to @allowListWithArgs
# with argument constraints.
# NOTE(review): clock_gettime64 is listed here unconditionally, while
# clock_gettime is restricted by clock id in @allowListWithArgs. Confirm that
# the difference is intended.
# NOTE(review): socket is unrestricted here even though socketpair is limited
# to AF_UNIX in @allowListWithArgs.
@allowList
fdatasync
fsync
ftruncate
ftruncate64
setrlimit
ugetrlimit
mremap
pwrite64
sched_get_priority_max
sched_get_priority_min
getpriority
setpriority
sysinfo
times
uname
get_robust_list
set_robust_list
sched_getaffinity
sigaltstack
futex_time64
brk
mlock
munlock
munmap
mmap2
sched_yield
pause
nanosleep
epoll_create
epoll_wait
epoll_pwait
epoll_create1
epoll_ctl
eventfd
eventfd2
fstat
fstat64
lseek
_llseek
poll
ppoll
pselect6
read
readv
pread64
recvfrom
recvmsg
_newselect
send
sendmsg
sendto
write
writev
pipe
pipe2
gettimeofday
exit
exit_group
wait4
waitid
rt_sigaction
rt_sigprocmask
rt_sigreturn
rt_sigtimedwait
capget
getegid
getegid32
geteuid
geteuid32
getgid
getgid32
getgroups
getgroups32
getpid
getppid
getresgid
getresgid32
getsid
gettid
getuid
getuid32
getresuid
getresuid32
restart_syscall
close
dup
dup2
dup3
shutdown
mincore
memfd_create
faccessat
access
prctl
fcntl
fcntl64
clone
setsockopt

setgroups
setgroups32
setresgid
setresgid32
setresuid
setresuid32
capset
openat
open
socket
connect
readlinkat
readlink
unlink
unlinkat
ioctl
mprotect
mkdirat
set_tid_address
getdents64
madvise
getrandom
clock_gettime64
statx
prlimit64
cacheflush
set_tls
sched_setscheduler
mkdir
setitimer
execve
sched_getscheduler
fstatfs
setsid
rt_tgsigqueueinfo
ptrace
membarrier

# Each rule has the form
#   syscall:if <condition on argN>; return ALLOW; else return KILL_PROCESS;
# getrusage: arg0 must be RUSAGE_SELF or RUSAGE_THREAD.
# clock_getres / clock_gettime / clock_nanosleep: arg0 must lie between
#   CLOCK_REALTIME and CLOCK_BOOTTIME inclusive.
# socketpair: arg0 must be AF_UNIX.
# NOTE(review): the getsockopt rule joins its two tests with "||", so it
# passes when arg1 == SOL_SOCKET with any arg2, and also when
# arg2 == SO_PEEK_OFF with any arg1. If only the SOL_SOCKET/SO_PEEK_OFF pair
# was meant to be allowed, the operator should be "&&". Confirm the intent.
@allowListWithArgs
getrusage:if arg0 == RUSAGE_SELF || arg0 == RUSAGE_THREAD; return ALLOW; else return KILL_PROCESS;
clock_getres:if arg0 >= CLOCK_REALTIME && arg0 <= CLOCK_BOOTTIME; return ALLOW; else return KILL_PROCESS;
clock_gettime:if arg0 >= CLOCK_REALTIME && arg0 <= CLOCK_BOOTTIME; return ALLOW; else return KILL_PROCESS;
clock_nanosleep:if arg0 >= CLOCK_REALTIME && arg0 <= CLOCK_BOOTTIME; return ALLOW; else return KILL_PROCESS;
socketpair:if arg0 == AF_UNIX; return ALLOW; else return KILL_PROCESS;
getsockopt:if arg1 == SOL_SOCKET || arg2 == SO_PEEK_OFF; return ALLOW; else return KILL_PROCESS;