Chirantan Ekbote | 41d5b5b | 2017-08-23 11:20:36 -0700
# Copyright 2017 The Chromium OS Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.

Stephen Barber | 5e77e88 | 2017-08-07 17:13:38 -0700
close: 1
Dylan Reid | d37aa9f | 2017-09-26 13:49:42 -0700
dup: 1
dup2: 1
Stephen Barber | 5e77e88 | 2017-08-07 17:13:38 -0700
exit_group: 1
futex: 1
# Disallow mmap with PROT_EXEC set. The syntax here doesn't allow bit
# negation, thus the manually negated mask constant.
# 0xfffffffb is ~PROT_EXEC (0x4) in 32 bits.
mmap: arg2 in 0xfffffffb
mprotect: arg2 in 0xfffffffb
munmap: 1
poll: 1
read: 1
recvfrom: 1
sched_getaffinity: 1
set_robust_list: 1
sigaltstack: 1
# Disallow clones other than new threads.
# arg0 is flags. Because kernel.
# 0x00010000 is CLONE_THREAD.
clone: arg0 & 0x00010000
write: 1
Zach Reizner | 1f77a0d | 2017-09-04 15:59:08 -0700
getpid: 1
Stephen Barber | ce37479 | 2017-10-29 23:13:48 -0700
# Allow PR_SET_NAME only.
prctl: arg0 == 15
Stephen Barber | 8b0d12c | 2017-11-01 19:05:29 -0700
restart_syscall: 1
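
The three conditional forms used in this policy (`in`, `&`, `==`), modelled in Python as an added example; it is not part of this policy file or of the project it belongs to. The `parse` and `allowed` helpers are hypothetical names, only the low 32 bits of each argument are modelled, and the `PROT_*`, `CLONE_*` and `PR_*` values are the Linux header constants.

```python
import re

# Conditional rules copied from the policy above, plus two unconditional ones.
POLICY = """\
read: 1
write: 1
mmap: arg2 in 0xfffffffb
mprotect: arg2 in 0xfffffffb
clone: arg0 & 0x00010000
prctl: arg0 == 15
"""

RULE = re.compile(r"^(\w+):\s*(?:1|arg(\d)\s*(==|&|in)\s*(\w+))$")

def parse(text):
    """Return {syscall: None | (arg_index, op, constant)}."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE.match(line)
        if not m:
            raise ValueError(f"unsupported rule: {line!r}")
        name, idx, op, const = m.groups()
        rules[name] = None if idx is None else (int(idx), op, int(const, 0))
    return rules

def allowed(rules, syscall, *args):
    """Model the allow decision for one call (low 32 bits of each argument)."""
    if syscall not in rules:
        return False              # not listed: the filter's default action applies
    cond = rules[syscall]
    if cond is None:
        return True               # "name: 1" allows the call unconditionally
    idx, op, const = cond
    value = args[idx] & 0xFFFFFFFF
    if op == "==":
        return value == const
    if op == "&":                 # at least one bit of the mask is set
        return (value & const) != 0
    return (value & ~const & 0xFFFFFFFF) == 0   # "in": no bit outside the mask

PROT_READ, PROT_WRITE, PROT_EXEC = 0x1, 0x2, 0x4   # <sys/mman.h>
CLONE_VM, CLONE_THREAD = 0x100, 0x10000            # <sched.h>
PR_SET_DUMPABLE, PR_SET_NAME = 4, 15               # <sys/prctl.h>
RULES = parse(POLICY)
```

Note that the `&` form only requires the `CLONE_THREAD` bit to be present; it does not restrict which other flag bits accompany it.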