exe,euser,egroup,pidns,caps,filter
cloud-init,root,root,No,No,No
device_policy_m,root,root,No,No,No
ensure_gke_dock,root,root,No,No,No
first-boot,root,root,No,No,No
install_custom_,root,root,No,No,No
get_metadata_va,root,root,No,No,No
onboot,root,root,No,No,No
systemd-journal,root,root,No,No,No
systemd-logind,root,root,No,No,No
systemd,root,root,No,No,No
systemd-udevd,root,root,No,No,No

# TODO: We need better filters on these.
curl,root,root,No,No,No

# These processes won't run without network (which is the case for VMTests), but
# they also run as root and are not sandboxed. You will hit these if you try to
# run VMTests on your own KVM instance.
docker,root,root,No,No,No
containerd,root,root,No,No,No

# Processes that used by GCP compute image packages.
google_ip_forwa,root,root,No,No,No
google_accounts,root,root,No,No,No
google_clock_sk,root,root,No,No,No
google_metadata,root,root,No,No,No
google_instance,root,root,No,No,No
google_network_,root,root,No,No,No