tests/tests/os/assets/minijail/isolated-i386.policy - platform/cts - Gitiles

 # Minijail Seccomp Policy for isolated_app processes on I386.

 access: return EPERM
 chmod: return EPERM
 chown32: return EPERM
 chown: return EPERM
 creat: return EPERM
 dup2: 1
 epoll_create: 1
 epoll_wait: 1
 fchown32: return EPERM

 # fnctl64: restrict cmd
 fcntl64: arg1 == F_GETFL || arg1 == F_GETFD || arg1 == F_SETFD || arg1 == F_SETLK || arg1 == F_SETLKW || arg1 == F_GETLK || arg1 == F_DUPFD

 fork: return EPERM
 fstat64: 1
 fstatat64: 1
 ftruncate64: 1
 futimesat: return EPERM
 getdents: 1
 getdents64: return EPERM
 getegid32: 1
 geteuid32: 1
 getgid32: 1
 getgroups32: 1
 getresgid32: 1
 getresuid32: 1
 getuid32: 1
 ioperm: return EPERM
 iopl: return EPERM
 ipc: return EPERM
 lchown32: return EPERM
 lchown: return EPERM
 link: return EPERM
 _llseek: 1
 lstat64: return EPERM
 lstat: return EPERM
 mkdir: return EPERM
 mknod: return EPERM

 # mmap2: flags in {MAP_SHARED|MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK|MAP_NORESERVE|MAP_FIXED|MAP_DENYWRITE}
 mmap2: arg3 in 0x24833
 mmap: arg3 in 0x24833

 _newselect: 1
 oldlstat: return EPERM
 oldstat: return EPERM
 open: 1
 pause: 1
 pipe: 1
 poll: 1
 readdir: return EPERM
 readlink: return EPERM
 rename: return EPERM
 rmdir: return EPERM
 select: 1
 set_thread_area: 1
 setfsgid32: return EPERM
 setfsuid32: return EPERM
 setgid32: return EPERM
 setgroups32: return EPERM
 setregid32: return EPERM
 setresgid32: return EPERM
 setresuid32: return EPERM
 setreuid32: return EPERM
 setuid32: return EPERM
 sigaction: 1
 sigprocmask: 1
 sigreturn: 1

 # socketcall: call=={SYS_CONNECT,SYS_SOCKET,SYS_GETSOCKOPT}
 socketcall: arg0 == 1 || arg0 == 3 || arg0 == 15; return EPERM

 stat64: return EPERM
 statfs64: return EPERM
 stat: return EPERM
 symlink: return EPERM
 time: 1
 truncate64: return EPERM
 ugetrlimit: 1
 unlink: return EPERM
 uselib: return EPERM
 ustat: return EPERM
 utime: return EPERM
 utimes: return EPERM
 waitpid: 1
	# Minijail Seccomp Policy for isolated_app processes on I386.

	access: return EPERM
	chmod: return EPERM
	chown32: return EPERM
	chown: return EPERM
	creat: return EPERM
	dup2: 1
	epoll_create: 1
	epoll_wait: 1
	fchown32: return EPERM

	# fnctl64: restrict cmd
	fcntl64: arg1 == F_GETFL \|\| arg1 == F_GETFD \|\| arg1 == F_SETFD \|\| arg1 == F_SETLK \|\| arg1 == F_SETLKW \|\| arg1 == F_GETLK \|\| arg1 == F_DUPFD

	fork: return EPERM
	fstat64: 1
	fstatat64: 1
	ftruncate64: 1
	futimesat: return EPERM
	getdents: 1
	getdents64: return EPERM
	getegid32: 1
	geteuid32: 1
	getgid32: 1
	getgroups32: 1
	getresgid32: 1
	getresuid32: 1
	getuid32: 1
	ioperm: return EPERM
	iopl: return EPERM
	ipc: return EPERM
	lchown32: return EPERM
	lchown: return EPERM
	link: return EPERM
	_llseek: 1
	lstat64: return EPERM
	lstat: return EPERM
	mkdir: return EPERM
	mknod: return EPERM

	# mmap2: flags in {MAP_SHARED\|MAP_PRIVATE\|MAP_ANONYMOUS\|MAP_STACK\|MAP_NORESERVE\|MAP_FIXED\|MAP_DENYWRITE}
	mmap2: arg3 in 0x24833
	mmap: arg3 in 0x24833

	_newselect: 1
	oldlstat: return EPERM
	oldstat: return EPERM
	open: 1
	pause: 1
	pipe: 1
	poll: 1
	readdir: return EPERM
	readlink: return EPERM
	rename: return EPERM
	rmdir: return EPERM
	select: 1
	set_thread_area: 1
	setfsgid32: return EPERM
	setfsuid32: return EPERM
	setgid32: return EPERM
	setgroups32: return EPERM
	setregid32: return EPERM
	setresgid32: return EPERM
	setresuid32: return EPERM
	setreuid32: return EPERM
	setuid32: return EPERM
	sigaction: 1
	sigprocmask: 1
	sigreturn: 1

	# socketcall: call=={SYS_CONNECT,SYS_SOCKET,SYS_GETSOCKOPT}
	socketcall: arg0 == 1 \|\| arg0 == 3 \|\| arg0 == 15; return EPERM

	stat64: return EPERM
	statfs64: return EPERM
	stat: return EPERM
	symlink: return EPERM
	time: 1
	truncate64: return EPERM
	ugetrlimit: 1
	unlink: return EPERM
	uselib: return EPERM
	ustat: return EPERM
	utime: return EPERM
	utimes: return EPERM
	waitpid: 1