# Minijail Seccomp Policy for isolated_app processes.
# This architecture-agnostic policy is appended to every architecture-specific
# policy.
#
# Rule syntax used below:
#   <syscall>: 1                    -> always allowed
#   <syscall>: return EPERM         -> always fails with EPERM (process is not killed)
#   <syscall>: <expr>               -> allowed only when <expr> holds on the arguments
#   <syscall>: <expr>; return EPERM -> as above, but a non-matching call fails with
#                                      EPERM instead of the default deny action
# Any syscall not listed here, or not listed in the architecture-specific policy
# this file is appended to, falls through to the default action.

brk: 1
capget: 1
capset: return EPERM
chdir: return EPERM

# clock_gettime: clk_id=={CLOCK_BOOTTIME,CLOCK_MONOTONIC,CLOCK_MONOTONIC_COARSE,CLOCK_THREAD_CPUTIME_ID,CLOCK_PROCESS_CPUTIME_ID,CLOCK_REALTIME,CLOCK_REALTIME_COARSE} || (clk_id < 0)
# clock_gettime accepts negative clk_id to access clock_posix_dynamic and clock_posix_cpu.
# This policy assumes clk_id is at least 32-bit wide, where the MSB means it is negative.
# Numeric ids: 0=CLOCK_REALTIME 1=CLOCK_MONOTONIC 2=CLOCK_PROCESS_CPUTIME_ID
# 3=CLOCK_THREAD_CPUTIME_ID 5=CLOCK_REALTIME_COARSE 6=CLOCK_MONOTONIC_COARSE
# 7=CLOCK_BOOTTIME. Id 4 (CLOCK_MONOTONIC_RAW) is deliberately absent.
# The final term tests only bit 31, so any clk_id with that bit set passes.
clock_gettime: arg0 == 0 || arg0 == 1 || arg0 == 2 || arg0 == 3 || arg0 == 5 || arg0 == 6 || arg0 == 7 || arg0 & 0x80000000

# NOTE(review): clone flags (arg0) are not restricted here, so namespace-creating
# flags are only blocked if the surrounding minijail setup denies them — confirm.
clone: 1
close: 1
dup: 1
dup3: 1
epoll_create1: 1
epoll_ctl: 1
epoll_pwait: 1
execve: return EPERM
exit: 1
exit_group: 1
faccessat: return EPERM
fallocate: return EPERM
fchdir: return EPERM
fchmodat: return EPERM
fchmod: return EPERM
fchownat: return EPERM
fchown: return EPERM

# fcntl: restrict cmd (arg1) to the listed commands.
# F_DUPFD_CLOEXEC=1030 is given numerically; presumably the symbolic name is not
# resolvable by the policy compiler — confirm before replacing it with the name.
fcntl: arg1 == F_GETFL || arg1 == F_GETFD || arg1 == F_SETFD || arg1 == F_SETLK || arg1 == F_SETLKW || arg1 == F_GETLK || arg1 == F_DUPFD || arg1 == 1030

fdatasync: 1
flock: 1
fstat: 1
fsync: 1
ftruncate: 1

# futex: TODO(rsesek): Restrict op (arg1) to {FUTEX_WAIT,FUTEX_WAKE,FUTEX_REQUEUE,FUTEX_CMP_REQUEUE,
# FUTEX_WAKE_OP,FUTEX_WAIT_BITSET,FUTEX_WAKE_BITSET} with only these flags allowed:
# (FUTEX_PRIVATE_FLAG | FUTEX_CLOCK_REALTIME). Unclear how to express this in minijail.
futex: 1

getcwd: return EPERM
getegid: 1
geteuid: 1
getgid: 1
getgroups: 1
getpid: 1
getppid: 1
getpriority: 1

# getrandom: flags==0 || flags & GRND_NONBLOCK   (GRND_NONBLOCK == 1)
# The bit test admits any flag combination that includes GRND_NONBLOCK, not only
# GRND_NONBLOCK by itself.
getrandom: arg2 == 0 || arg2 & 1

getresgid: 1
getresuid: 1
getsid: 1
gettid: 1
gettimeofday: 1
getuid: 1
# NOTE(review): ioctl request (arg1) is not filtered; device access is therefore
# bounded only by what file descriptors the process can obtain.
ioctl: 1

# kill: pid==getpid()  — the process may only signal itself.
kill: arg0 == $

linkat: return EPERM
lookup_dcookie: return EPERM
lseek: 1

# madvise: advice==MADV_DONTNEED (4); any other advice value fails with EPERM
# rather than triggering the default deny action.
madvise: arg2 == 4; return EPERM

membarrier: 1
memfd_create: return EPERM
mkdirat: return EPERM
mknodat: return EPERM
mlock: 1

# mprotect: prot in {PROT_READ|PROT_WRITE|PROT_EXEC}
# `in 0x7` means prot may only contain bits from that mask, so extra flags such
# as PROT_GROWSDOWN/PROT_GROWSUP are rejected.
mprotect: arg2 in 0x7

mremap: 1
msync: 1
munlock: 1
munmap: 1
nanosleep: 1
openat: 1
pipe2: 1
ppoll: 1

# prctl: option (arg0) restricted to the listed values.
# PR_SET_VMA=0x53564d41, PR_SET_TIMERSLACK_PID={41,43,127} depending on kernel version
# (the numeric option values are kernel-specific and are kept as literals for that reason).
prctl: arg0 == PR_GET_NAME || arg0 == PR_SET_NAME || arg0 == PR_GET_DUMPABLE || arg0 == PR_SET_DUMPABLE || arg0 == PR_SET_PTRACER || arg0 == PR_SET_TIMERSLACK || arg0 == 0x53564d41 || arg0 == 41 || arg0 == 43 || arg0 == 127

pread64: 1
pselect6: 1
# NOTE(review): ptrace is allowed with no restriction on the request (arg0);
# confirm which requests the process actually needs and whether the remainder
# can be denied.
ptrace: 1
pwrite64: 1
read: 1
readlinkat: return EPERM
readv: 1
renameat: return EPERM
renameat2: return EPERM
restart_syscall: 1
rt_sigaction: 1
rt_sigprocmask: 1
rt_sigreturn: 1
rt_sigtimedwait: 1

# rt_tgsigqueueinfo: tgid==getpid()  — may only queue signals to its own thread group.
rt_tgsigqueueinfo: arg0 == $

sched_getparam: 1
sched_getscheduler: 1
sched_setscheduler: 1
sched_yield: 1
seccomp: return EPERM
setfsgid: return EPERM
setfsuid: return EPERM
setgid: return EPERM
setgroups: return EPERM
setpriority: 1
setregid: return EPERM
setresgid: return EPERM
setresuid: return EPERM
setreuid: return EPERM
set_robust_list: return EPERM
set_tid_address: 1
setuid: return EPERM
sigaltstack: 1
statfs: return EPERM
symlinkat: return EPERM

# tgkill: tgid==getpid()  — may only signal threads of its own thread group.
tgkill: arg0 == $

truncate: return EPERM
umask: return EPERM
uname: 1
unlinkat: return EPERM
utimensat: return EPERM
wait4: 1
waitid: 1
write: 1
writev: 1