Diffstat (limited to 'seccomp/x86_64')
-rw-r--r--seccomp/x86_64/balloon_device.policy4
1 files changed, 1 insertions, 3 deletions
diff --git a/seccomp/x86_64/balloon_device.policy b/seccomp/x86_64/balloon_device.policy
index 8060374..b10f9ef 100644
--- a/seccomp/x86_64/balloon_device.policy
+++ b/seccomp/x86_64/balloon_device.policy
@@ -5,13 +5,11 @@
 close: 1
 exit_group: 1
 futex: 1
-madvise: 1
 # Disallow mmap with PROT_EXEC set.  The syntax here doesn't allow bit
 # negation, thus the manually negated mask constant.
 mmap: arg2 in 0xfffffffb
 mprotect: arg2 in 0xfffffffb
-# Allow MADV_DONTDUMP only.
-madvise: arg2 == 0x00000010
+madvise: arg2 == MADV_DONTDUMP || arg2 == MADV_DONTNEED || arg2 == MADV_REMOVE
 munmap: 1
 read: 1
 recvfrom: 1
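Review bot: The new `madvise` rule drops the old `# Allow MADV_DONTDUMP only.` comment without a replacement, so the policy no longer records why each advice value is permitted. MADV_DONTNEED and MADV_REMOVE both discard page contents, and MADV_REMOVE also frees the backing store of a shared mapping, so an auditor should be able to see that widening the filter to them is deliberate; presumably they are what the balloon device uses to hand guest memory back to the host. I would put a comment above the rule, for example `# MADV_DONTNEED and MADV_REMOVE release inflated balloon pages; MADV_DONTDUMP keeps guest memory out of core dumps.`, with the wording adjusted to the real callers. It is also worth confirming that the policy compiler used in the build resolves the symbolic `MADV_*` names, since the previous rule used the numeric `0x00000010`.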