default-policy.easyseccomp (4764B)


// Baseline allowlist applied to every process confined by this policy.
// Rules appear to be matched top to bottom with the first hit winning (the
// ERRNO catch-all at the bottom of the file relies on that); a syscall that
// matches no ALLOW rule falls through to it.  The set mixes names from
// several architectures (@breakpoint/@set_tls/@cacheflush on ARM,
// @swapcontext on PowerPC, @s390_* on s390x, the *32 and *_time64 variants
// of 32-bit ABIs); names the target architecture does not have are
// presumably ignored by the compiler -- TODO confirm against easyseccomp.
//
// No rule here filters on arguments, so for calls that the kernel guards with
// a capability (@capset, @fanotify_init, @fanotify_mark, @sethostname,
// @setdomainname, @chown*, @setgroups*, @setfsuid*, @setfsgid*) the
// capability bounding set is the only thing limiting them.  Calls that are
// absent from every list in this file -- mount/umount2/pivot_root/chroot,
// unshare/setns, bpf, perf_event_open, keyctl/add_key, io_uring_*,
// userfaultfd, init_module/finit_module, reboot -- are denied by the
// fall-through rules.
//
// NOTE(review): several unconditionally allowed calls overlap with the
// #ifdef-gated groups further down, because they are allowed unfiltered:
//  - @prctl: prctl(PR_SET_SECCOMP, ...) can install a filter without the
//    @seccomp syscall gated by ALLOW_SECCOMP (added filters can only
//    tighten, so this is a gap in the gate, not an escape).
//  - @clone/@clone3: CLONE_NEW* flags create namespaces (CLONE_NEWUSER needs
//    no capability) although @unshare and @setns are denied; clone3 passes
//    its flags in a struct, so they cannot be filtered with $arg* anyway.
//  - @setgroups/@setfsuid/@setfsgid/@capset change credentials while the
//    setuid/setgid family is behind ALLOW_SETUID_SETGID.
//  - @pidfd_getfd is allowed while @pidfd_open is behind ALLOW_PTRACE; a
//    pidfd is still obtainable from clone3(CLONE_PIDFD).  The kernel's
//    PTRACE_MODE_ATTACH_REALCREDS check on the target still applies.
//  - @ioctl and @socket are unfiltered (e.g. TIOCSTI on a controlling tty,
//    AF_NETLINK sockets); add $arg* conditions if the workload allows it.
$syscall in (
	@bind, @connect, @execve, @execveat, @fallocate, @fanotify_mark,
	@inotify_add_watch, @kill, @memfd_create, @socket, @statfs, @statfs64,
	@sysinfo, @uname, @breakpoint, @cachestat, @mseal,
	@rt_sigtimedwait_time64, @set_tls, @riscv_flush_icache, @cacheflush,
	@capset, @fanotify_init, @set_robust_list, @setdomainname,
	@sethostname, @setsockopt, @pidfd_send_signal, @fchown, @fchownat,
	@chown32, @lchown32, @chown, @fchown32, @lchown, @clone3, @clone,  // flags unfiltered: CLONE_NEW* permitted
	@utimensat_time64, @fchmodat2, @removexattrat, @setxattrat, @chmod,
	@fchmod, @fchmodat, @link, @linkat, @mkdir, @mkdirat, @creat, @open,
	@openat, @openat2, @fremovexattr, @lremovexattr, @removexattr, @rename,
	@renameat, @renameat2, @rmdir, @fsetxattr, @lsetxattr, @setxattr,
	@symlink, @symlinkat, @unlink, @unlinkat, @utime, @utimes, @utimensat,
	@fcntl, @fcntl64, @ioctl, @prctl, @socketcall, @setpriority,  // ioctl/prctl/socketcall: no request/option filtering
	@ioprio_set, @sched_setattr, @sched_setparam, @sched_setscheduler,
	@brk, @mremap, @process_mrelease, @membarrier, @process_madvise, @mmap,
	@mmap2, @futex_requeue, @futex_time64, @futex_wait, @futex_waitv,
	@futex_wake, @futex, @getxattrat, @listxattrat, @accept, @accept4,
	@access, @faccessat, @faccessat2, @chdir, @fchdir, @getdents64,
	@prlimit64, @setrlimit, @getsockname, @fgetxattr, @getxattr,
	@lgetxattr, @flistxattr, @listxattr, @llistxattr, @rt_sigqueueinfo,
	@rt_tgsigqueueinfo, @sendmsg, @sendto, @sendmmsg, @rt_sigaction,
	@sigaction, @fstat, @fstat64, @fstatat64, @lstat, @newfstatat, @stat,
	@stat64, @fstatfs, @fstatfs64, @statx, @tgkill, @ftruncate, @truncate,
	@rseq, @exit, @capget, @clock_getres, @clock_gettime, @clock_nanosleep,
	@close, @close_range, @copy_file_range, @dup, @dup2, @dup3,
	@epoll_create, @epoll_create1, @epoll_ctl, @epoll_pwait, @epoll_pwait2,
	@epoll_wait, @eventfd, @eventfd2, @exit_group, @flock, @fork,
	@fdatasync, @fsync, @get_robust_list, @getcpu, @getcwd, @getgroups,
	@getitimer, @setitimer, @getpagesize, @getpeername, @getpid, @getppid,
	@getpriority, @getrandom, @getresgid, @getresuid, @getrusage, @getsid,
	@getsockopt, @gettid, @gettimeofday, @inotify_init, @inotify_init1,
	@inotify_rm_watch, @ioprio_get, @listen, @lseek, @madvise, @mlock,
	@mlock2, @mlockall, @munlock, @munlockall, @munmap, @mprotect, @msync,
	@nanosleep, @pause, @pidfd_getfd, @pipe, @pipe2, @poll, @ppoll,  // pidfd_getfd allowed although pidfd_open is gated below
	@fadvise64, @pread64, @pwrite64, @read, @readahead, @readlink,
	@readlinkat, @preadv, @preadv2, @pwritev, @pwritev2, @readv, @writev,
	@recvfrom, @recvmsg, @recvmmsg, @restart_syscall,
	@sched_get_priority_max, @sched_get_priority_min,
	@sched_rr_get_interval, @sched_getaffinity, @sched_setaffinity,
	@sched_getattr, @sched_getparam, @sched_getscheduler, @sched_yield,
	@pselect6, @select, @sendfile, @set_tid_address, @getpgid, @getpgrp,
	@setpgid, @setsid, @shutdown, @sigaltstack, @signalfd, @signalfd4,
	@rt_sigpending, @rt_sigprocmask, @rt_sigsuspend, @rt_sigtimedwait,
	@socketpair, @splice, @arm_sync_file_range, @sync_file_range, @tee,
	@time, @timer_create, @timer_delete, @timer_getoverrun, @timer_gettime,
	@timer_settime, @timerfd_create, @timerfd_gettime, @timerfd_settime,
	@times, @umask, @vfork, @waitid, @wait4, @write, @getegid32, @getgid32,
	@getresgid32, @getresuid32, @geteuid32, @getuid32, @sigreturn,
	@lstat64, @sync_file_range2, @swapcontext, @ftruncate64, @truncate64,
	@atomic_barrier, @atomic_cmpxchg_32, @clock_getres_time64,
	@clock_gettime64, @clock_nanosleep_time64, @epoll_ctl_old,
	@epoll_wait_old, @ppoll_time64, @pselect6_time64, @recvmmsg_time64,
	@sched_rr_get_interval_time64, @timer_gettime64, @timer_settime64,
	@timerfd_gettime64, @timerfd_settime64, @alarm, @arch_prctl,
	@getgroups32, @getrlimit, @ugetrlimit, @_llseek, @arm_fadvise64_64,
	@fadvise64_64, @recv, @s390_pci_mmio_read, @s390_pci_mmio_write,
	@s390_runtime_instr, @_newselect, @send, @sendfile64, @get_thread_area,
	@set_thread_area, @signal, @sigpending, @sigsuspend, @waitpid,
	@getdents, @getegid, @getgid, @geteuid, @getuid, @shmctl, @shmget,
	@shmat, @shmdt, @setgroups32, @setfsgid32, @setfsuid32, @setgroups,  // credential changes outside the ALLOW_SETUID_SETGID gate
	@setfsgid, @setfsuid
) => ALLOW();
     64 
// Second unconditional allow group.  Why these are kept apart from the
// baseline above is not recorded; they are allowed under the same terms.
//  - @mknod/@mknodat: device nodes need CAP_MKNOD; FIFOs, sockets and
//    regular files do not, so unprivileged use remains possible.
//  - @rt_sigreturn: the "// zsh" note marks where it was first needed, but
//    it is the return path of every rt signal handler (libc's restorer
//    trampoline), so removing it would break any program with handlers.
//  - @sync/@syncfs: flush the whole system / one filesystem; harmless for
//    correctness, but a cheap way to cause I/O stalls for other tenants.
$syscall in (
	@mknod, @mknodat,
	@rt_sigreturn,  // zsh
	@sync, @syncfs
) => ALLOW();
     70 
// Optional: cross-process introspection and debugging.  Enabled by defining
// ALLOW_PTRACE when the policy is preprocessed (presumably a -D flag on the
// easyseccomp invocation -- TODO confirm).  Even when enabled, the kernel's
// ptrace access-mode check (and Yama ptrace_scope, if set) still decides
// which target processes may be read, written or attached to; this rule only
// stops seccomp from refusing the calls outright.
#ifdef ALLOW_PTRACE
$syscall in (
	@pidfd_open,
	@process_vm_readv,
	@process_vm_writev,
	@ptrace,
	@kcmp
) => ALLOW();
#endif
     80 
// Optional: let the confined process install further seccomp filters of its
// own (they stack, so they can only narrow what this policy allows).
// NOTE(review): this gate only covers the seccomp(2) syscall; the older
// prctl(PR_SET_SECCOMP) path is reachable through the unfiltered @prctl in
// the baseline list regardless of ALLOW_SECCOMP.
#ifdef ALLOW_SECCOMP
$syscall == @seccomp => ALLOW();
#endif
     84 
// Optional: Landlock self-sandboxing.  Like seccomp filters, a Landlock
// ruleset can only restrict the calling process further, so enabling this
// lets workloads drop filesystem/network access on their own without
// widening what this policy permits.
#ifdef ALLOW_LANDLOCK
$syscall in (
	@landlock_add_rule,
	@landlock_create_ruleset,
	@landlock_restrict_self
) => ALLOW();
#endif
     92 
// Optional: uid/gid switching (native and 32-bit-ABI variants).  Needed by
// anything that starts privileged and drops to another user, e.g. a service
// manager or a setuid helper; without it those calls fail with EPERM from the
// catch-all below.  Seccomp filters are installed with no_new_privs (or by a
// CAP_SYS_ADMIN caller), so allowing these does not let a setuid binary gain
// privileges on execve.
// NOTE(review): @setgroups, @setfsuid, @setfsgid, their *32 variants and
// @capset sit in the unconditional baseline list, so this gate does not
// close off every credential-changing call.
#ifdef ALLOW_SETUID_SETGID
$syscall in (
	@setgid,
	@setresgid,
	@setresuid,
	@setregid,
	@setreuid,
	@setuid,
	@setgid32,
	@setresgid32,
	@setresuid32,
	@setregid32,
	@setreuid32,
	@setuid32
) => ALLOW();
#endif
    109 
// Default deny, in two tiers.  KERNEL(5.3) presumably expands to the set of
// syscalls the 5.3 kernel knew about (TODO confirm in easyseccomp): those get
// EPERM, i.e. "exists but not permitted", while anything newer (e.g.
// io_uring_*, or calls added after 5.3 that are not explicitly allowed above
// the way @cachestat, @mseal and @*xattrat are) gets ENOSYS so that libc and
// language runtimes take their "syscall unavailable" fallback paths instead
// of treating the error as fatal.
// Denials use ERRNO rather than KILL: a violating process keeps running and
// merely sees an error, and unless the filter is loaded with logging enabled
// the rejection leaves no audit record -- consider KILL_PROCESS or LOG
// during policy development to find missing entries.
$syscall in KERNEL(5.3) => ERRNO(EPERM);
=> ERRNO(ENOSYS);