1# Minijail Seccomp Policy for isolated_app processes on all architectures 2# except I386. 3# This policy is appended to the architecture-specific policy. 4 5# These are system calls in their own right for everything but i386, 6# which uses https://man7.org/linux/man-pages/man2/socketcall.2.html. 7accept4: return EPERM 8accept: return EPERM 9bind: return EPERM 10connect: 1 11getsockopt: 1 12listen: return EPERM 13recvfrom: 1 14recvmsg: 1 15sendmsg: 1 16sendto: 1 17# setsockopt: level==SOL_SOCKET && optname==SO_PEEK_OFF 18setsockopt: arg1 == 1 && arg2 == 42 19shutdown: 1 20# socket: domain==AF_UNIX && protocol == 0 21socket: arg0 == 1 && arg2 == 0 22# socketpair: domain==AF_UNIX 23socketpair: arg0 == 1 24 25# Similarly, these are syscalls in their own right for everything but i386, 26# which uses https://man7.org/linux/man-pages/man2/ipc.2.html. 27msgctl: return EPERM 28msgget: return EPERM 29msgrcv: return EPERM 30msgsnd: return EPERM 31semctl: return EPERM 32semget: return EPERM 33semop: return EPERM 34semtimedop: return EPERM 35shmat: return EPERM 36shmctl: return EPERM 37shmdt: return EPERM 38shmget: return EPERM 39