// SECCOMP_MODE_STRICT
// NOTE(review): the rules below form a per-syscall allowlist (each "name: 1"
// entry allows that syscall with any arguments). Confirm what the
// SECCOMP_MODE_STRICT label above is meant to refer to.
//
// minijail allowances for code coverage
// This file is processed with generate.sh, so preprocessor directives can be
// used to select rules:
//   size specific: __LP64__ for 64 bit, else 32 bit
//   arch specific: __arm__, __aarch64__, __i386__, __x86_64__
// NOTE(review): every entry here widens the sandbox of whatever policy it is
// combined with. Presumably it is only merged into coverage-enabled builds;
// verify that in generate.sh and the build rules.

// Includes *all* syscalls used during the coverage dumping.
// Nothing is skipped just because it might already appear in another policy
// file.

// The coverage tool uses different operations on different passes:
//   1st:     uses write() to fill the file
//   2nd-Nth: uses mmap() to update in place

// Rules common to every size and architecture.
close: 1
// fchmod is allowed so that libprofile-clang-extras, which wraps `open`
// calls, can set the correct permissions on coverage files.
// NOTE(review): the rule does not restrict the mode argument.
fchmod: 1
mkdirat: 1
msync: 1
munmap: 1
// NOTE(review): openat is allowed for any path and flags. seccomp cannot
// filter on the path string, so confinement of where coverage files may be
// written has to come from elsewhere (file permissions, SELinux, mount
// namespace); confirm which of these applies.
openat: 1
write: 1

// Size-specific rules: 64-bit targets use the plain syscall names, 32-bit
// targets use the *64 / *32 / _llseek / mmap2 / sigreturn variants.
// NOTE(review): mmap / mmap2 are allowed with any protection flags, which
// includes executable mappings. The in-place update described above needs a
// writable file mapping; check whether an argument filter on the protection
// flags would still satisfy the coverage runtime.
#if defined(__LP64__)
fcntl: 1
fstat: 1
ftruncate: 1
geteuid: 1
lseek: 1
mmap: 1
rt_sigreturn: 1
#else
fcntl64: 1
fstat64: 1
ftruncate64: 1
geteuid32: 1
_llseek: 1
mmap2: 1
sigreturn: 1
#endif

// Allowed on 32-bit ARM only; the reason is not stated in this file.
#if defined(__arm__)
gettimeofday: 1
#endif

// Allowed on 32-bit x86 only; the reason is not stated in this file.
#if defined(__i386__)
madvise: 1
#endif

// prctl is allowed on both ARM variants (same rule in each branch) and on no
// other architecture.
// NOTE(review): "prctl: 1" permits every prctl option. If the coverage
// runtime only needs specific options, an arg0 filter would narrow this;
// confirm which options are actually issued before tightening.
#if defined(__arm__)
prctl: 1
#elif defined(__aarch64__)
prctl: 1
#endif
