// SECCOMP_MODE_STRICT
// NOTE(review): a per-syscall allowlist like the one below is enforced as a
// seccomp filter (SECCOMP_MODE_FILTER); kernel strict mode permits only read,
// write, _exit and sigreturn. The label above presumably marks intent - confirm.
//
// minijail allowances for code coverage.
// This file is processed with generate.sh, so we can use the appropriate directives:
//   size specific: __LP64__ for 64 bit, else 32 bit
//   arch specific: __arm__, __aarch64__, __i386__, __x86_64__
// It includes *all* syscalls used during coverage dumping; none are skipped
// just because they might already be in another policy file.
// The coverage tool uses different operations on different passes:
//   1st: uses write() to fill the file
//   2nd-Nth: uses mmap() to update in place
// Rules common to every architecture and word size. A value of 1 allows the
// syscall unconditionally: no argument filter is applied to any entry here.
close: 1
// fchmod is allowed so that libprofile-clang-extras, which wraps `open` calls,
// can set the correct permissions on coverage files.
fchmod: 1
mkdirat: 1
msync: 1
munmap: 1
// NOTE(review): openat and mkdirat carry no argument filter, so this policy
// does not limit which paths or flags are used; any path confinement has to
// come from elsewhere (file permissions, mount namespace) - confirm.
openat: 1
write: 1
// Word-size specific syscall names. LP64 builds list the plain names; all
// other builds list the 32-bit ABI counterparts (fcntl64, fstat64, ...).
#if defined(__LP64__)
fcntl: 1
fstat: 1
ftruncate: 1
geteuid: 1
lseek: 1
// NOTE(review): mmap (and mmap2 below) is allowed with any protection flags.
// If the coverage runtime only maps data files, a filter on the prot argument
// that excludes PROT_EXEC may be possible - confirm against the runtime.
mmap: 1
rt_sigreturn: 1
#else
fcntl64: 1
fstat64: 1
ftruncate64: 1
geteuid32: 1
_llseek: 1
mmap2: 1
sigreturn: 1
#endif
// gettimeofday is listed for 32-bit ARM builds only.
#if defined(__arm__)
gettimeofday: 1
#endif
// madvise is listed for 32-bit x86 builds only.
#if defined(__i386__)
madvise: 1
#endif
// prctl is listed for 32-bit and 64-bit ARM builds with the same rule.
// NOTE(review): prctl is allowed with every option; which option the coverage
// runtime needs is not visible in this file. If it is a single option, an arg0
// filter would narrow this rule - confirm.
#if defined(__arm__)
prctl: 1
#elif defined(__aarch64__)
prctl: 1
#endif