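// Seccomp allowlist in minijail policy syntax, written as a C-preprocessor
// template: the #if/#define lines below must be expanded per target
// (__LP64__, __aarch64__) before minijail parses the result.
//
// Layout matters: the policy grammar is line-based (one "syscall: filter"
// rule per line) and preprocessor directives must start their own line.
// Viewer line numbers that were fused into the text are not part of the
// policy and are dropped here.
//
// Rule forms used in this file:
//   name: 1                  allow the syscall with any arguments
//   name: argN == VALUE ...  allow only when the argument comparison holds
//   name: argN in MASK       allow only when every bit set in argN is in MASK
// A syscall with no rule is not allowed; what happens on a violation (kill,
// trap, log) is decided by the code that installs the filter, not here.

// SECCOMP_MODE_STRICT
// The same four calls that kernel strict mode permits.
read: 1
write: 1
exit: 1
rt_sigreturn: 1
#if !defined(__LP64__)
sigreturn: 1
#endif

exit_group: 1
clock_gettime: 1
gettimeofday: 1
futex: 1
getrandom: 1
getpid: 1
gettid: 1

// File and socket access. None of these rules filter on arguments, so the
// filter does not limit openat flags or paths.
// NOTE(review): what can actually be opened is bounded only by file
// permissions and whatever MAC policy applies to the process - confirm that
// matches the intended exposure.
ppoll: 1
pipe2: 1
openat: 1
dup: 1
close: 1
lseek: 1
getdents64: 1
faccessat: 1
recvmsg: 1
recvfrom: 1
sysinfo: 1

// Reads memory of another process. The rule has no argument filter, so the
// target pid is not constrained by seccomp; the kernel ptrace access check is
// the remaining gate. No rule for process_vm_writev appears in this file as
// shown, so the write direction stays blocked.
process_vm_readv: 1

// Signal delivery and handling, all without argument filters.
tgkill: 1
rt_sigprocmask: 1
rt_sigaction: 1
rt_tgsigqueueinfo: 1

// this is referenced from mainline modules running on Q devices, where not all
// of the constants used here are defined in headers, so minijail rejects them.
// we define them here to avoid those errors.
        // constants introduced in R
#define PR_SET_VMA 0x53564d41
#define PR_GET_TAGGED_ADDR_CTRL 56
        // constants introduced in S
#define PR_PAC_GET_ENABLED_KEYS 61

// prctl is allowed only for the options compared against arg0 below; any
// other option falls outside the rule. PR_GET_NO_NEW_PRIVS and
// PR_PAC_RESET_KEYS are not defined in this file and are presumably resolved
// by minijail from its own constant table - verify on the oldest supported
// release.
#if defined(__aarch64__)
// PR_PAC_RESET_KEYS happens on aarch64 in pthread_create path.
prctl: arg0 == PR_GET_NO_NEW_PRIVS || arg0 == PR_SET_VMA || arg0 == PR_PAC_RESET_KEYS || arg0 == PR_GET_TAGGED_ADDR_CTRL || arg0 == PR_PAC_GET_ENABLED_KEYS
#else
prctl: arg0 == PR_GET_NO_NEW_PRIVS || arg0 == PR_SET_VMA
#endif

#if 0
libminijail on vendor partitions older than P does not have constants from <sys/mman.h>.
Define the values of PROT_READ and PROT_WRITE ourselves to maintain backwards compatibility.
#else
#define PROT_READ 0x1
#define PROT_WRITE 0x2
#endif

// Memory protection is limited to subsets of PROT_READ|PROT_WRITE. A request
// carrying any other protection bit, PROT_EXEC included, does not match, so
// the sandboxed process cannot create or flip mappings to executable through
// mprotect, mmap or mmap2. Keep the mask this narrow when editing.
madvise: 1
mprotect: arg2 in PROT_READ|PROT_WRITE
munmap: 1

// 32-bit ABIs use the *32 / *64 / mmap2 variants of the same calls.
#if defined(__LP64__)
getuid: 1
fstat: 1
mmap: arg2 in PROT_READ|PROT_WRITE
#else
getuid32: 1
fstat64: 1
mmap2: arg2 in PROT_READ|PROT_WRITE
#endif

// Needed for logging.
// Read-only identity queries; no setuid/setgid style call is listed here.
#if defined(__LP64__)
geteuid: 1
getgid: 1
getegid: 1
getgroups: 1
#else
geteuid32: 1
getgid32: 1
getegid32: 1
getgroups32: 1
#endif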