| Paul Lawrence | 3dd3d55 | 2017-04-12 10:02:54 -0700 | [diff] [blame^] | 1 | # This file is used to populate seccomp's whitelist policy in combination with SYSCALLS.TXT. |
| 2 | # Note that the resultant policy is applied only to zygote spawned processes. |
| 3 | # |
| 4 | # The final seccomp whitelist is SYSCALLS.TXT - SECCOMP_BLACKLIST.TXT + SECCOMP_WHITELIST.TXT |
| 5 | # Any entry in the blacklist must be in the syscalls file and not be in the whitelist file |
| 6 | # |
| 7 | # Each non-blank, non-comment line has the following format: |
| 8 | # |
| 9 | # return_type func_name[|alias_list][:syscall_name[:socketcall_id]]([parameter_list]) arch_list |
| 10 | # |
| 11 | # where: |
| 12 | # arch_list ::= "all" | arch+ |
| 13 | # arch ::= "arm" | "arm64" | "mips" | "mips64" | "x86" | "x86_64" |
| 14 | # |
| 15 | # Note: |
| 16 | # - syscall_name corresponds to the name of the syscall, which may differ from |
| 17 | # the exported function name (example: the exit syscall is implemented by the _exit() |
| 18 | # function, which is not the same as the standard C exit() function which calls it) |
| 19 | |
| 20 | # - alias_list is optional comma separated list of function aliases |
| 21 | # |
| 22 | # - The call_id parameter, given that func_name and syscall_name have |
| 23 | # been provided, allows the user to specify dispatch style syscalls. |
| 24 | # For example, socket() syscall on i386 actually becomes: |
| 25 | # socketcall(__NR_socket, 1, *(rest of args on stack)). |
| 26 | # |
| 27 | # - Each parameter type is assumed to be stored in 32 bits. |
| 28 | # |
| 29 | # This file is processed by a python script named gensyscalls.py. |
| 30 | |
| 31 | int swapon(const char*, int) all |
| 32 | int swapoff(const char*) all |