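// Seccomp syscall allowlist in minijail policy syntax. The file is run through
// the C preprocessor first, which is why it carries #if/#define lines and uses
// C++-style comments.
//
//   name: 1            the syscall is permitted with any arguments
//   name: <expression> the syscall is permitted only when the argument test holds
//
// A syscall that is not listed is not permitted. What happens to such a call
// (kill, trap or log) is chosen by the code that installs the filter, not here.
// The filter sees only syscall numbers and raw argument values: it cannot
// inspect paths, buffers or anything else behind a pointer.

// SECCOMP_MODE_STRICT
// Baseline set mirroring what the strict seccomp mode of the kernel permits.
read: 1
write: 1
exit: 1
rt_sigreturn: 1
#if !defined(__LP64__)
// 32-bit ABIs still have the legacy signal-return syscall next to rt_sigreturn.
sigreturn: 1
#endif

// Process exit, clocks, locking, randomness and identity queries.
// None of these are argument-filtered.
exit_group: 1
clock_gettime: 1
gettimeofday: 1
futex: 1
getrandom: 1
getpid: 1
gettid: 1

// File descriptor, directory and socket-receive operations.
// NOTE(review): openat is permitted with any flags, so this filter alone does
// not prevent opening files for writing or creating them. The path cannot be
// checked by seccomp; access control here rests on file permissions and the
// mandatory access control policy in force. If every caller only reads, the
// flags argument (arg2) could be constrained - confirm against the callers.
// recvmsg can also deliver file descriptors passed by a peer, so descriptors
// may enter the process without going through openat.
ppoll: 1
pipe2: 1
openat: 1
dup: 1
close: 1
lseek: 1
getdents64: 1
faccessat: 1
recvmsg: 1
recvfrom: 1

// Reads the memory of another process. The target pid (arg0) is not filtered
// here, so which processes can be read is decided by the kernel ptrace access
// check. The write counterpart, process_vm_writev, is not listed in this file
// as shown.
process_vm_readv: 1

// Signal delivery and signal-mask management. tgkill and rt_tgsigqueueinfo are
// not limited to the calling process by this filter; the usual kernel signal
// permission checks are the only bound on the target.
tgkill: 1
rt_sigprocmask: 1
rt_sigaction: 1
rt_tgsigqueueinfo: 1

// prctl is permitted only for the options named below. The test is on arg0
// alone; the remaining arguments are not checked. Every other prctl option is
// refused.
// PR_SET_VMA is given by value (the bytes spell SVMA in ASCII), presumably
// because the headers seen by the preprocessor do not define it - confirm.
#define PR_SET_VMA 0x53564d41
#if defined(__aarch64__)
// PR_PAC_RESET_KEYS happens on aarch64 in pthread_create path.
prctl: arg0 == PR_GET_NO_NEW_PRIVS || arg0 == PR_SET_VMA || arg0 == PR_PAC_RESET_KEYS
#else
prctl: arg0 == PR_GET_NO_NEW_PRIVS || arg0 == PR_SET_VMA
#endif

// The #if 0 arm below is prose used as a block comment and is never emitted;
// only the #else arm, which defines the two protection bits, takes effect.
#if 0
libminijail on vendor partitions older than P does not have constants from <sys/mman.h>.
Define the values of PROT_READ and PROT_WRITE ourselves to maintain backwards compatibility.
#else
#define PROT_READ 0x1
#define PROT_WRITE 0x2
#endif

// Memory management. The "in" operator is a mask test: the protection argument
// (arg2) may contain only bits from PROT_READ|PROT_WRITE. A request that
// includes PROT_EXEC, or any other bit, is refused, so the process cannot make
// memory executable through mprotect. A protection value of 0 passes the test.
// madvise and munmap are not argument-filtered.
madvise: 1
mprotect: arg2 in PROT_READ|PROT_WRITE
munmap: 1

// Syscall names differ between 64-bit and 32-bit ABIs; both arms grant the
// same operations. The mmap rule applies the same no-PROT_EXEC mask as
// mprotect, so new executable mappings (including file-backed ones) are
// refused. The mapping flags and the descriptor are not filtered.
#if defined(__LP64__)
getuid: 1
fstat: 1
mmap: arg2 in PROT_READ|PROT_WRITE
#else
getuid32: 1
fstat64: 1
mmap2: arg2 in PROT_READ|PROT_WRITE
#endif

// Needed for logging.
// Credential queries only; none of these change the identity of the process.
#if defined(__LP64__)
geteuid: 1
getgid: 1
getegid: 1
getgroups: 1
#else
geteuid32: 1
getgid32: 1
getegid32: 1
getgroups32: 1
#endif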
78