# Copyright 2017 The ChromiumOS Authors
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.

# Seccomp syscall allowlist, one rule per line in the form
# "<syscall>: <expression>" (this appears to be Minijail policy syntax).
# A rule of "1" allows the syscall with any arguments; any other expression
# allows it only when the argument test holds. Syscalls not listed here are
# not allowed by this file.
close: 1
dup: 1
dup2: 1
# NOTE(review): execve is allowed with any arguments, so this filter places no
# limit on which program may be executed. Confirm the process needs to exec.
execve: 1
exit_group: 1
futex: 1
# NOTE(review): kill is allowed for any target pid and signal; which processes
# can actually be signalled depends on controls outside this file.
kill: 1
lseek: 1
# W^X: arg2 is the protection mask. The call is allowed only when the mask
# lacks PROT_EXEC or lacks PROT_WRITE, so a request for memory that is both
# writable and executable is refused.
mprotect: arg2 in ~PROT_EXEC || arg2 in ~PROT_WRITE
munmap: 1
read: 1
recvfrom: 1
sched_getaffinity: 1
set_robust_list: 1
sigaltstack: 1
# Disallow clone's other than new threads.
# The test only requires bit 0x00010000 (CLONE_THREAD on Linux) to be set in
# arg0; the remaining flag bits are not constrained.
clone: arg0 & 0x00010000
# NOTE(review): clone3 is allowed unconditionally. Its flags are passed in a
# struct referenced by pointer, which a seccomp argument filter cannot read,
# so the thread-only restriction on clone above does not extend to clone3.
# Confirm this is intended; a common alternative is to fail clone3 with ENOSYS
# so that libc falls back to clone.
clone3: 1
write: 1
eventfd2: 1
poll: 1
getpid: 1
getppid: 1
# Allow PR_SET_NAME only.
# arg0 is the prctl option; 15 is PR_SET_NAME.
prctl: arg0 == 15
rseq: 1
access: 1
arch_prctl: 1
brk: 1
exit: 1
fcntl: 1
fstat: 1
ftruncate: 1
getcwd: 1
getrlimit: 1
# TUNGETFEATURES
# Only this one ioctl request number (arg1) is allowed; the file descriptor
# (arg0) is not constrained.
ioctl: arg1 == 0x800454CF
madvise: 1
memfd_create: 1
# Same W^X rule as mprotect: arg2 is the protection mask and must not request
# PROT_WRITE and PROT_EXEC together.
mmap: arg2 in ~PROT_EXEC || arg2 in ~PROT_WRITE
# NOTE(review): open and openat are allowed for any path and flags, so file
# access has to be limited by other means (presumably mount namespace and
# file permissions; verify against the jail setup).
open: 1
openat: 1
# Query only: arg2 (new limit pointer) must be NULL and arg3 (old limit
# pointer) must be non-NULL, so limits can be read but not changed.
prlimit64: arg2 == 0 && arg3 != 0
recvmsg: 1
restart_syscall: 1
rt_sigaction: 1
rt_sigprocmask: 1
sendmsg: 1
set_tid_address: 1
stat: 1
writev: 1