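# Copyright (C) 2019 The Android Open Source Project
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#      http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Minijail seccomp allowlist. Each entry is `syscall: filter`: a filter of `1`
# allows the call with any arguments, and an expression allows it only when the
# expression holds. Syscalls that are not listed are rejected by the filter.
# The syscall names (mmap2, fstat64, getuid32, ...) are the 32-bit variants.

futex: 1
# ioctl calls are filtered via the selinux policy. Seccomp places no
# restriction on the request number here.
ioctl: 1
sched_yield: 1
close: 1
dup: 1
ppoll: 1

# W^X: `arg2 in ~PROT_X` holds when PROT_X is not set in |prot|, so a request
# carrying both PROT_WRITE and PROT_EXEC matches neither clause and is denied.
# This blocks simultaneous write+execute only; it does not stop a region from
# being written first and switched to executable by a later call.
mprotect: arg2 in ~PROT_EXEC || arg2 in ~PROT_WRITE
mmap2: arg2 in ~PROT_EXEC || arg2 in ~PROT_WRITE
memfd_create: 1
ftruncate: 1
ftruncate64: 1

# mremap: Ensure |flags| are exactly (MREMAP_MAYMOVE | MREMAP_FIXED), i.e. 3.
# TODO: Once minijail parser support for '<' is in, this needs to be modified
# to also prevent |old_address| and |new_address| from touching the exception
# vector page, which on ARM is statically loaded at 0xffff0000. Until then the
# addresses passed to mremap are not constrained by this policy. See
# http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.ddi0211h/Babfeega.html
# for more details.
mremap: arg3 == 3
munmap: 1
# prctl is allowed with any option; the narrower prctl rule in the crash dump
# section below is commented out and has no effect.
prctl: 1
getuid32: 1
writev: 1
sigaltstack: 1
clone: 1
exit: 1
lseek: 1
rt_sigprocmask: 1
openat: 1
open: 1
fstat64: 1
write: 1
nanosleep: 1
setpriority: 1
set_tid_address: 1
getdents64: 1
readlinkat: 1
readlink: 1
read: 1
pread64: 1
fstatfs64: 1
gettimeofday: 1
faccessat: 1
_llseek: 1
fstatat64: 1
ugetrlimit: 1
exit_group: 1
restart_syscall: 1
rt_sigreturn: 1
getrandom: 1
madvise: 1

# crash dump policy additions
# Entries whose syscall is already defined above are kept commented out so
# that each syscall has a single rule; the rule above is the one in effect.
# NOTE(review): how the policy parser treats a redefined syscall (warning or
# rejection) depends on the minijail build; confirm before re-enabling any
# of the commented entries.
sigreturn: 1
clock_gettime: 1
#futex: 1
getpid: 1
gettid: 1
pipe2: 1
recvmsg: 1
process_vm_readv: 1
tgkill: 1
rt_sigaction: 1
rt_tgsigqueueinfo: 1
# 0x53564d41 is PR_SET_VMA. The three rules below are narrower than (prctl) or
# different from (mprotect, mmap2) the active rules earlier in this file.
#prctl: arg0 == PR_GET_NO_NEW_PRIVS || arg0 == 0x53564d41
#mprotect: arg2 in 0x1|0x2
#mmap2: arg2 in 0x1|0x2
geteuid32: 1
getgid32: 1
getegid32: 1
getgroups32: 1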