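// Unconditional allow-list. A rule of the form "name: 1" admits the syscall
// whatever its arguments are, so each entry below is only as narrow as the
// syscall itself. The listing's line-number gutter has been stripped so that
// every line is again a valid rule or preprocessor directive.

// SECCOMP_MODE_STRICT
// The baseline that Linux strict mode permits: read, write, exit, sigreturn.
read: 1
write: 1
exit: 1
rt_sigreturn: 1
#if !defined(__LP64__)
// Only 32-bit builds get the non-rt sigreturn entry.
sigreturn: 1
#endif

exit_group: 1
clock_gettime: 1
gettimeofday: 1
futex: 1
getrandom: 1
getpid: 1
gettid: 1

// File and socket access.
// NOTE(review): openat, getdents64 and faccessat are not argument-filtered.
// A seccomp filter sees the pointer value, not the path it refers to, so which
// files are reachable has to be bounded by other controls (file permissions,
// SELinux policy). Confirm those are in place for the sandboxed process.
ppoll: 1
pipe2: 1
openat: 1
dup: 1
close: 1
lseek: 1
getdents64: 1
faccessat: 1
recvmsg: 1
recvfrom: 1
setsockopt: 1
sysinfo: 1

// Reads the memory of another process. The target pid is not constrained by
// this filter; the access checks the kernel applies to this call still hold.
process_vm_readv: 1

// Signal handling and delivery. tgkill and rt_tgsigqueueinfo are allowed for
// any target thread and any signal number.
tgkill: 1
rt_sigprocmask: 1
rt_sigaction: 1
rt_tgsigqueueinfo: 1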
37
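// This is referenced from mainline modules running on Q devices, where not all
// of the constants used here are defined in headers, so minijail rejects them.
// We define them here to avoid those errors.
        // constants introduced in R
// 0x53564d41 is the ASCII bytes "SVMA".
#define PR_SET_VMA 0x53564d41
#define PR_GET_TAGGED_ADDR_CTRL 56
        // constants introduced in S
#define PR_PAC_GET_ENABLED_KEYS 61

// prctl is filtered on its option (arg0) only; the remaining arguments are not
// checked, so each allowed option is allowed with any operands.
// NOTE(review): PR_GET_NO_NEW_PRIVS and PR_PAC_RESET_KEYS are not defined in
// this file, so they must be resolvable by whatever consumes the policy.
// Confirm this on the oldest target the policy ships to.
#if defined(__aarch64__)
// PR_PAC_RESET_KEYS happens on aarch64 in pthread_create path.
prctl: arg0 == PR_GET_NO_NEW_PRIVS || arg0 == PR_SET_VMA || arg0 == PR_PAC_RESET_KEYS || arg0 == PR_GET_TAGGED_ADDR_CTRL || arg0 == PR_PAC_GET_ENABLED_KEYS
#else
prctl: arg0 == PR_GET_NO_NEW_PRIVS || arg0 == PR_SET_VMA
#endif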
53
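// The "#if 0" branch below is discarded by the preprocessor; it is used as a
// block comment, and only the "#else" branch reaches the generated policy.
#if 0
libminijail on vendor partitions older than P does not have constants from <sys/mman.h>.
Define values for PROT_READ, PROT_WRITE and PROT_MTE ourselves to maintain backwards compatibility.
#else
#define PROT_READ 0x1
#define PROT_WRITE 0x2
#define PROT_MTE 0x20
#endif

madvise: 1
// "arg2 in MASK" matches only when every bit set in the protection argument is
// also set in MASK. PROT_EXEC is not in either mask, so a request to make
// memory executable does not match this rule. What happens to a non-matching
// call depends on how the filter is installed, which this file does not show.
#if defined(__aarch64__)
mprotect: arg2 in PROT_READ|PROT_WRITE|PROT_MTE
#else
mprotect: arg2 in PROT_READ|PROT_WRITE
#endif
munmap: 1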
70
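// 64-bit and 32-bit builds use different syscall names for the same
// operations (getuid/getuid32, fstat/fstat64, mmap/mmap2).
// The mapping rules check the protection argument (arg2) only: its bits must
// be a subset of the mask, which leaves out PROT_EXEC. Address, length, flags
// and file descriptor are not constrained by this filter.
#if defined(__LP64__)
getuid: 1
fstat: 1
#if defined(__aarch64__)
// PROT_MTE is accepted on aarch64 only.
mmap: arg2 in PROT_READ|PROT_WRITE|PROT_MTE
#else
mmap: arg2 in PROT_READ|PROT_WRITE
#endif
#else
getuid32: 1
fstat64: 1
mmap2: arg2 in PROT_READ|PROT_WRITE
#endif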
84
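// Needed for logging.
// Credential queries, allowed unconditionally. The 32-bit branch lists the
// *32 variants of the same four calls.
#if defined(__LP64__)
geteuid: 1
getgid: 1
getegid: 1
getgroups: 1
#else
geteuid32: 1
getgid32: 1
getegid32: 1
getgroups32: 1
#endif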
97