| Harish Mahendrakar | 350b359 | 2018-12-07 17:03:55 -0800 | [diff] [blame] | 1 | # Copyright (C) 2019 The Android Open Source Project |
| 2 | # |
| 3 | # Licensed under the Apache License, Version 2.0 (the "License"); |
| 4 | # you may not use this file except in compliance with the License. |
| 5 | # You may obtain a copy of the License at |
| 6 | # |
| 7 | # http://www.apache.org/licenses/LICENSE-2.0 |
| 8 | # |
| 9 | # Unless required by applicable law or agreed to in writing, software |
| 10 | # distributed under the License is distributed on an "AS IS" BASIS, |
| 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 12 | # See the License for the specific language governing permissions and |
| 13 | # limitations under the License. |
| 14 | |
| 15 | futex: 1 |
| 16 | # ioctl calls are filtered via the selinux policy. |
| 17 | ioctl: 1 |
| 18 | sched_yield: 1 |
| 19 | close: 1 |
| 20 | dup: 1 |
| 21 | ppoll: 1 |
| 22 | mprotect: arg2 in ~PROT_EXEC || arg2 in ~PROT_WRITE |
| 23 | mmap: arg2 in ~PROT_EXEC || arg2 in ~PROT_WRITE |
| 24 | getuid: 1 |
| 25 | getrlimit: 1 |
| 26 | fstat: 1 |
| 27 | newfstatat: 1 |
| 28 | fstatfs: 1 |
| Joel Fernandes | d648399 | 2018-12-22 18:11:34 -0800 | [diff] [blame] | 29 | memfd_create: 1 |
| Joel Fernandes | 3c49347 | 2018-12-22 18:11:34 -0800 | [diff] [blame^] | 30 | ftruncate: 1 |
| Joel Fernandes | d648399 | 2018-12-22 18:11:34 -0800 | [diff] [blame] | 31 | ftruncate64: 1 |
| Harish Mahendrakar | 350b359 | 2018-12-07 17:03:55 -0800 | [diff] [blame] | 32 | |
| 33 | # mremap: Ensure |flags| are (MREMAP_MAYMOVE | MREMAP_FIXED) TODO: Once minijail |
| 34 | # parser support for '<' is in this needs to be modified to also prevent |
| 35 | # |old_address| and |new_address| from touching the exception vector page, which |
| 36 | # on ARM is statically loaded at 0xffff 0000. See |
| 37 | # http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.ddi0211h/Babfeega.html |
| 38 | # for more details. |
| 39 | mremap: arg3 == 3 |
| 40 | munmap: 1 |
| 41 | prctl: 1 |
| 42 | writev: 1 |
| 43 | sigaltstack: 1 |
| 44 | clone: 1 |
| 45 | exit: 1 |
| 46 | lseek: 1 |
| 47 | rt_sigprocmask: 1 |
| 48 | openat: 1 |
| 49 | write: 1 |
| 50 | nanosleep: 1 |
| 51 | setpriority: 1 |
| 52 | set_tid_address: 1 |
| 53 | getdents64: 1 |
| 54 | readlinkat: 1 |
| 55 | read: 1 |
| 56 | pread64: 1 |
| 57 | gettimeofday: 1 |
| 58 | faccessat: 1 |
| 59 | exit_group: 1 |
| 60 | restart_syscall: 1 |
| 61 | rt_sigreturn: 1 |
| 62 | getrandom: 1 |
| 63 | madvise: 1 |
| 64 | |