seccomp/seccomp_policy/app_custom.seccomp.policy

# Copyright (c) 2025 Huawei Device Co., Ltd.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# For now, it supports architechture of ['arm', 'arm64', 'riscv64'].

@returnValue
TRAP

@headFiles
<linux/sched.h>
<stdint.h>

@priority
ioctl;all
futex;all

@allowList
io_setup;all
io_destroy;all
io_submit;all
io_cancel;all
io_getevents;all
setxattr;all
lsetxattr;all
fsetxattr;all
getxattr;all
lgetxattr;all
fgetxattr;all
listxattr;all
llistxattr;all
flistxattr;all
removexattr;all
lremovexattr;all
fremovexattr;all
getcwd;all
eventfd2;all
epoll_create1;all
epoll_ctl;all
epoll_pwait;all
dup;all
dup3;all
fcntl;all
inotify_init1;all
inotify_add_watch;all
inotify_rm_watch;all
ioctl;all
ioprio_set;arm64
ioprio_set;riscv64
ioprio_get;arm64
ioprio_get;riscv64
flock;all
mknodat;all
mkdirat;all
unlinkat;all
symlinkat;all
linkat;all
renameat;arm
renameat;arm64
pivot_root;riscv64
statfs;arm64
statfs;riscv64
fstatfs;arm64
fstatfs;riscv64
truncate;all
ftruncate;arm64
ftruncate;riscv64
fallocate;all
faccessat;all
chdir;all
fchdir;all
fchmod;all
fchmodat;all
fchownat;all
fchown;arm64
fchown;riscv64
openat;all
close;all
pipe2;all
quotactl;all
getdents64;all
lseek;all
read;all
write;all
readv;all
writev;all
pread64;all
pwrite64;all
preadv;all
pwritev;all
sendfile;all
pselect6;all
ppoll;all
signalfd4;all
vmsplice;all
splice;all
tee;all
readlinkat;all
newfstatat;arm64
newfstatat;riscv64
fstat;arm64
fstat;riscv64
sync;all
fsync;all
fdatasync;all
sync_file_range;arm64
sync_file_range;riscv64
timerfd_create;all
timerfd_settime;all
timerfd_gettime;all
utimensat;all
capget;all
capset;all
personality;all
exit;all
exit_group;all
waitid;all
set_tid_address;all
futex;all
nanosleep;all
getitimer;all
setitimer;all
timer_create;all
timer_gettime;all
timer_getoverrun;all
timer_settime;all
timer_delete;all
clock_gettime;all
clock_getres;all
clock_nanosleep;all
ptrace;all
sched_setparam;all
sched_setscheduler;all
sched_getscheduler;all
sched_getparam;all
sched_setaffinity;all
sched_getaffinity;all
sched_yield;all
sched_get_priority_max;all
sched_get_priority_min;all
sched_rr_get_interval;all
restart_syscall;all
kill;all
tkill;all
tgkill;all
sigaltstack;all
rt_sigsuspend;all
rt_sigaction;all
rt_sigprocmask;all
rt_sigpending;all
rt_sigtimedwait;all
rt_sigqueueinfo;all
rt_sigreturn;all
setpriority;all
getpriority;all
setresuid;arm64
setresuid;riscv64
getresuid;arm64
getresuid;riscv64
getresgid;arm64
getresgid;riscv64
times;all
setpgid;all
getpgid;all
getsid;all
setsid;all
getgroups;arm64
getgroups;riscv64
uname;all
getrlimit;arm64
getrlimit;riscv64
setrlimit;all
getrusage;all
umask;all
prctl;all
getcpu;all
gettimeofday;all
getpid;all
getppid;all
getuid;all
geteuid;arm64
geteuid;riscv64
getgid;arm64
getgid;riscv64
getegid;arm64
getegid;riscv64
gettid;all
sysinfo;all
socket;all
socketpair;all
bind;all
listen;all
accept;all
connect;all
getsockname;all
getpeername;all
sendto;all
recvfrom;all
setsockopt;all
getsockopt;all
shutdown;all
sendmsg;all
recvmsg;all
readahead;all
brk;all
munmap;all
mremap;all
execve;all
mmap;arm64
mmap;riscv64
fadvise64;arm64
fadvise64;riscv64
mprotect;all
msync;all
mlock;all
munlock;all
mlockall;all
munlockall;all
mincore;all
madvise;all
rt_tgsigqueueinfo;all
perf_event_open;all
accept4;all
recvmmsg;all
wait4;all
prlimit64;all
syncfs;all
sendmmsg;all
process_vm_readv;all
process_vm_writev;all
sched_setattr;all
sched_getattr;all
renameat2;all
seccomp;all
getrandom;all
memfd_create;all
execveat;all
userfaultfd;all
membarrier;all
mlock2;all
copy_file_range;all
preadv2;all
pwritev2;all
statx;all
pidfd_send_signal;all
pidfd_open;all
pidfd_getfd;all
faccessat2;all
process_madvise;all
set_robust_list;all
mbind;all
fork;arm
open;arm
creat;arm
link;arm
unlink;arm
chmod;arm
access;arm
rename;arm
mkdir;arm
rmdir;arm
pipe;arm
dup2;arm
sigaction;arm
symlink;arm
readlink;arm
sigreturn;arm
_llseek;arm
getdents;arm
_newselect;arm
poll;arm
vfork;arm
ugetrlimit;arm
mmap2;arm
truncate64;arm
ftruncate64;arm
stat64;arm
lstat64;arm
fstat64;arm
lchown32;arm
getuid32;arm
getgid32;arm
geteuid32;arm
getegid32;arm
getgroups32;arm
fchown32;arm
setresuid32;arm
getresuid32;arm
getresgid32;arm
chown32;arm
fcntl64;arm
sendfile64;arm
epoll_create;arm
epoll_wait;arm
remap_file_pages;arm
statfs64;arm
fstatfs64;arm
fadvise64_64;arm
inotify_init;arm
fstatat64;arm
sync_file_range2;arm
eventfd;arm
clock_gettime64;arm
clock_settime64;arm
clock_adjtime64;arm
clock_getres_time64;arm
clock_nanosleep_time64;arm
timer_gettime64;arm
timer_settime64;arm
timerfd_gettime64;arm
timerfd_settime64;arm
utimensat_time64;arm
pselect6_time64;arm
ppoll_time64;arm
recvmmsg_time64;arm
semtimedop_time64;arm
rt_sigtimedwait_time64;arm
futex_time64;arm
sched_rr_get_interval_time64;arm
cacheflush;arm
set_tls;arm
setuid;arm64
setuid32;arm
setgid;arm64
setgid32;arm
setgroups;arm64
setgroups32;arm
setresgid;arm64
setresgid32;arm
settimeofday;all
sethostname;all
syslog;all
io_uring_setup;all
shmctl;all
msgctl;all
semctl;all

@allowListWithArgs
clone: if (arg0 & (CLONE_NEWNS | CLONE_NEWPID | CLONE_NEWNET | CLONE_NEWCGROUP | CLONE_NEWUTS | CLONE_NEWIPC | CLONE_NEWUSER)) == 0 ; return ALLOW; else return TRAP;all