# Copyright 2017 The ChromiumOS Authors # Use of this source code is governed by a BSD-style license that can be # found in the LICENSE file. close: 1 dup: 1 dup2: 1 execve: 1 exit_group: 1 futex: 1 kill: 1 lseek: 1 mprotect: arg2 in ~PROT_EXEC || arg2 in ~PROT_WRITE munmap: 1 read: 1 recvfrom: 1 sched_getaffinity: 1 set_robust_list: 1 sigaltstack: 1 # Disallow clone's other than new threads. clone: arg0 & 0x00010000 clone3: 1 write: 1 eventfd2: 1 poll: 1 getpid: 1 getppid: 1 # Allow PR_SET_NAME only. prctl: arg0 == 15 rseq: 1 access: 1 arch_prctl: 1 brk: 1 exit: 1 fcntl: 1 fstat: 1 ftruncate: 1 getcwd: 1 getrlimit: 1 # TUNGETFEATURES ioctl: arg1 == 0x800454CF madvise: 1 memfd_create: 1 mmap: arg2 in ~PROT_EXEC || arg2 in ~PROT_WRITE open: 1 openat: 1 prlimit64: arg2 == 0 && arg3 != 0 recvmsg: 1 restart_syscall: 1 rt_sigaction: 1 rt_sigprocmask: 1 sendmsg: 1 set_tid_address: 1 stat: 1 writev: 1