# Minijail Seccomp Policy for isolated_app processes on ARM (32-bit).
#
# Rule forms used below:
#   <syscall>: 1               allow the call unconditionally
#   <syscall>: return EPERM    do not run the call; fail it with EPERM
#   <syscall>: <expression>    allow only when the argument expression matches
#
# NOTE(review): only the rules in this listing are visible. How a syscall
# with no rule here is treated depends on how the policy is loaded and what
# it is combined with; confirm before treating this list as complete.

access: return EPERM
ARM_breakpoint: 1
ARM_cacheflush: 1
ARM_set_tls: 1
ARM_usr26: 1
ARM_usr32: 1
chmod: return EPERM
chown32: return EPERM
chown: return EPERM
creat: return EPERM
dup2: 1
epoll_create: 1
epoll_wait: 1
fchown32: return EPERM

# fcntl64: restrict cmd (arg1) to the commands listed in the rule.
# F_DUPFD_CLOEXEC=1030 (written numerically in the rule).
# F_SETFL is not in the list, so file status flags cannot be changed.
fcntl64: arg1 == F_GETFL || arg1 == F_GETFD || arg1 == F_SETFD || arg1 == F_SETLK || arg1 == F_SETLKW || arg1 == F_GETLK || arg1 == F_DUPFD || arg1 == 1030

# NOTE(review): fork is denied; clone and vfork have no rule in this
# listing. Check how process creation through them is handled.
fork: return EPERM
fstat64: 1
fstatat64: 1
fstatfs64: 1
ftruncate64: 1
futimesat: return EPERM
# NOTE(review): getdents is allowed while getdents64 is denied. Both return
# directory entries, so confirm the asymmetry is intentional.
getdents: 1
getdents64: return EPERM
getegid32: 1
geteuid32: 1
getgid32: 1
getgroups32: 1
getresgid32: 1
getresuid32: 1
getuid32: 1
lchown32: return EPERM
lchown: return EPERM
link: return EPERM
_llseek: 1
lstat64: return EPERM
lstat: return EPERM
mkdir: return EPERM
mknod: return EPERM

# mmap2: flags in {MAP_SHARED|MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK|MAP_NORESERVE|MAP_FIXED|MAP_DENYWRITE}
# 0x24833 is the OR of those seven flag bits; "in" accepts any subset of them.
# Only the flags argument (arg3) is filtered. The protection argument (arg2)
# is unconstrained, so this rule does not restrict executable mappings.
mmap2: arg3 in 0x24833

_newselect: 1
# NOTE(review): open is allowed with no filter on its flags argument, so
# the EPERM on creat does not by itself block file creation or writes
# through open. That restriction has to come from another layer (file
# permissions, MAC policy); confirm it does.
open: 1
pause: 1
pipe: 1
poll: 1
readlink: return EPERM
recv: 1
rename: return EPERM
rmdir: return EPERM
send: 1
# Every credential-changing call listed here fails with EPERM.
setfsgid32: return EPERM
setfsuid32: return EPERM
setgid32: return EPERM
setgroups32: return EPERM
setregid32: return EPERM
setresgid32: return EPERM
setresuid32: return EPERM
setreuid32: return EPERM
setuid32: return EPERM
sigaction: 1
sigprocmask: 1
sigreturn: 1
stat64: return EPERM
statfs64: return EPERM
stat: return EPERM
symlink: return EPERM
truncate64: return EPERM
ugetrlimit: 1
unlink: return EPERM
uselib: return EPERM
ustat: return EPERM
utimes: return EPERM