Diffstat (limited to 'rng_device.policy')
-rw-r--r-- | rng_device.policy | 19 |
1 files changed, 19 insertions, 0 deletions
diff --git a/rng_device.policy b/rng_device.policy
new file mode 100644
index 0000000..f270509
--- /dev/null
+++ b/rng_device.policy
@@ -0,0 +1,19 @@
+close: 1
+exit_group: 1
+futex: 1
+# Disallow mmap with PROT_EXEC set. The syntax here doesn't allow bit
+# negation, thus the manually negated mask constant.
+mmap: arg2 in 0xfffffffb
+mprotect: arg2 in 0xfffffffb
+munmap: 1
+read: 1
+recvfrom: 1
+sched_getaffinity: 1
+set_robust_list: 1
+sigaltstack: 1
+# Disallow clone's other than new threads.
+clone: arg0 & 0x00010000
+write: 1
+eventfd2: 1
+dup: 1
+poll: 1 |
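Review bot: The policy permits `clone` only when the CLONE_THREAD bit is set, so the device is expected to spawn threads, yet `exit` is not listed (only `exit_group` is), and a thread that finishes or is joined terminates through the `exit` syscall in glibc, which this filter would then kill. If the device's threads are meant to live until the whole process calls `exit_group`, a comment saying so would help; otherwise `exit: 1` belongs in the list. The two numeric masks are also left unexplained: I would extend the comments to `# Disallow mmap with PROT_EXEC (0x4) set. The syntax here doesn't allow bit` and `# Disallow clones other than new threads (CLONE_THREAD, 0x00010000).`, which also fixes the stray apostrophe in "clone's". As I read the `in` operator, `arg2 in 0xfffffffb` rejects any `mmap`/`mprotect` whose arg2 has bits above bit 31 set as well, which is the safe direction but worth stating next to the mask.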