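# Copyright (C) 2018 The Android Open Source Project
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#      http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Minijail seccomp-bpf allowlist for 32-bit ARM (see the mmap2, _llseek and
# *32/*64 syscall names and the crash_dump.arm.policy include at the bottom).
# "name: 1" allows the syscall with any arguments; "name: <expr>" allows it
# only when the argument expression holds. The effective allowlist is this
# file plus everything pulled in by the @include.
#
# Keep each syscall defined once: newer versions of minijail's policy compiler
# report a second definition of the same syscall as a redefinition, which is
# an error in builds that do not allow duplicates.
#
# NOTE(review): the following entries are allowed with no argument filter and
# are the first candidates for narrowing:
#   ioctl           - any request on any open fd; consider pinning arg1 to the
#                     request codes actually used.
#   prctl           - any option; consider pinning arg0.
#   clone           - any flags, so not limited to thread creation; consider
#                     pinning arg0 to the thread-creation flag set.
#   mmap2, mprotect - PROT_EXEC is not excluded; consider a W^X expression on
#                     the prot argument (arg2) if the process needs no
#                     writable+executable memory.
#   openat          - seccomp cannot inspect the path argument, so file access
#                     has to be confined by other means (e.g. SELinux policy).
# Which values the sandboxed process needs is not visible from this file;
# confirm against the service before tightening.

# Organized by frequency of systemcall - in descending order for
# best performance.
futex: 1
ioctl: 1
write: 1
prctl: 1
clock_gettime: 1
getpriority: 1
read: 1
close: 1
writev: 1
dup: 1
ppoll: 1
mmap2: 1
getrandom: 1

# mremap: Ensure |flags| are exactly (MREMAP_MAYMOVE | MREMAP_FIXED), i.e.
# 1 | 2 == 3.
# TODO: Once minijail parser support for '<' is in this needs to be modified to
# also prevent |old_address| and |new_address| from touching the exception
# vector page, which on ARM is statically loaded at 0xffff0000. See
# http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.ddi0211h/Babfeega.html
# for more details.
# Until that TODO is done, the addresses passed to mremap are not checked by
# this filter.
mremap: arg3 == 3
munmap: 1
mprotect: 1
madvise: 1
openat: 1
sigaltstack: 1
clone: 1
setpriority: 1
getuid32: 1
fstat64: 1
fstatfs64: 1
pread64: 1
faccessat: 1
readlinkat: 1
exit: 1
rt_sigprocmask: 1
set_tid_address: 1
restart_syscall: 1
exit_group: 1
rt_sigreturn: 1
pipe2: 1
gettimeofday: 1
sched_yield: 1
nanosleep: 1
lseek: 1
_llseek: 1
sched_get_priority_max: 1
sched_get_priority_min: 1
statfs64: 1
sched_setscheduler: 1
fstatat64: 1
ugetrlimit: 1
getdents64: 1

# Syscalls allowed by the included policy are added to the list above; review
# both files together when auditing what this sandbox permits.
@include /system/etc/seccomp_policy/crash_dump.arm.policy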